
US Court Grants Permission to Seize Domain Names Used for Malicious Cobalt Strike Versions

Microsoft and Fortra have been granted permission by the US District Court for the Eastern District of New York to seize domain names used by threat actors to store and share malicious versions of Cobalt Strike.

Microsoft’s Digital Crimes Unit (DCU), Fortra, and the Health Information Sharing and Analysis Center (Health-ISAC) have obtained permission from the US District Court for the Eastern District of New York to seize domain names that threat actors use to host and distribute cracked versions of Cobalt Strike. The order follows a complaint the three organizations filed against several groups known to have used older, modified copies of the tool in dozens of ransomware attacks.

Cobalt Strike is a legitimate post-exploitation tool sold by Fortra for adversary simulation and red-team engagements. Despite Fortra’s efforts to prevent abuse, criminals continue to circulate cracked copies of older releases and use them in intrusions. Attackers use Cobalt Strike to establish backdoor access to compromised systems, move laterally, steal data, and deploy additional malware. The tool appears frequently in ransomware attacks, including many against the healthcare sector, which is why Health-ISAC joined the court proceedings.

Under the court order, Microsoft and Fortra are authorized to take down IP addresses hosting cracked versions of Cobalt Strike and to seize the associated domain names. They may also notify internet service providers (ISPs) and computer emergency readiness teams (CERTs) so that the infrastructure can be taken offline and its command-and-control connections to victims’ computers severed. Because the order only covers infrastructure identified in the complaint, defenders should expect cracked copies to resurface on new domains and should continue to detect and block Cobalt Strike beacon traffic rather than rely on the takedown alone.

Fortra has taken steps to slow abuse of Cobalt Strike, including vetting customers before licensing the tool, but it cannot control what criminals do with older pirated copies already in circulation. The seizure of these domain names is a significant step in the ongoing fight against cybercrime and ransomware.
