Microsoft, Health-ISAC, and Fortra Aim to Thwart Misuse of Cobalt Strike
Microsoft’s Digital Crimes Unit, the Health Information Sharing and Analysis Center (Health-ISAC), and software company Fortra have obtained a court order allowing them to disrupt the infrastructure of cybercriminals who are using the Cobalt Strike penetration testing tool for nefarious purposes. Specifically, the court order allows the organizations to seize domains associated with criminal activity involving Cobalt Strike, which is a Fortra product.
On one level, this is a straightforward issue: since criminals are using “attack tools as a service” platforms to reduce their costs/barriers to entry, they make it easier for such legally authorized disruption efforts. But there are two complexities: (1) Are the laws and process behind legal authorization modern and transparent? and (2) Should all software vendors be expected, or required, to do what Microsoft and Fortra are doing to try to stop malicious use of their products? Getting a yes answer to both those questions is going to be tough.
This is about choosing good partners to effect a change. It can be frustrating when your tool is used for malfeasance, and a court order to back the actions needed to respond is even harder to obtain. Microsoft has size and reputation/legitimacy; Cobalt Strike is getting a bit of a black eye for being used nefariously, underscoring the problem; and with all the attacks on the healthcare industry, having the Health-ISAC involved reinforces the need to take action. One hopes that they can make a dent in the problem, and that this is a viable model for others to follow.
Almost from the dawn of computing, infrastructure management tools have been used by evil-doers. Today, it’s referred to as living off the land, where adversaries use what’s available to them to enable the attack. Cobalt Strike is but an extension of that concept, where miscreants have manipulated a commercial product for their own purposes. What’s interesting, though, is the use of the court to target specific domains where the tools are kept.
We can rely upon the courts to resist over-reach but only if they are consulted. Reference to the courts will offer some protection to those considering such an effort. We can also rely upon the involvement of multiple agencies. In the presence of both of those we should encourage this kind of activity to broadly reduce our collective risk.