Microsoft & Fortra Seek Court Order to Remove a Ransomware Hacking Tool That Targeted Hospitals

Microsoft used a federal court order to try to cut off cybercriminals' access to a hacking tool that has been used in nearly 70 ransomware attacks.

 

A number of cybersecurity businesses, including Microsoft, launched a full-scale legal crackdown on one of the primary hacking tools used by criminal malware groups in their operations. Microsoft, Fortra, and the Health Information Sharing and Analysis Center (H-ISAC) announced a broad legal strategy to combat malicious versions of Fortra's Cobalt Strike and Microsoft's software development kits.

Cobalt Strike is a popular penetration testing program that allows businesses to evaluate their security defenses before an attack occurs. Malicious hackers, on the other hand, have used a hacked version of the tool for years to carry out devastating ransomware attacks and cause other problems.

In November 2021, the Department of Health and Human Services issued a warning to healthcare organizations that both state-backed hackers and cybercriminal groups were using the tool in their attacks. The now-defunct Conti ransomware group sought to use Cobalt Strike to implant malware on Ireland's publicly funded healthcare system the same year.

On Friday, the United States District Court for the Eastern District of New York granted the organizations a court order authorizing them to confiscate domain names where hostile actors had been storing and disseminating malicious copies of Cobalt Strike.

The court ruling permits Microsoft, Fortra, and the H-ISAC to automatically notify and deactivate IP addresses in the United States that are hosting tainted versions of these tools. These takedowns will begin immediately, and the court order permits further takedowns when criminals build new infrastructure.

On Thursday, Microsoft will also alert hosting providers in Latin America and the European Union about domain names suspected of hosting infected copies of Cobalt Strike.

Microsoft and Fortra were also granted a temporary restraining order against anyone who violated their programs' copyright, making it easier for them to confiscate and shut down rogue versions of the software.

It is uncommon for private corporations to use the judicial system on their own to pursue dangerous hackers. While Microsoft has previously used a court order to take down specific groups, today's steps are the company's first to target specific tools used by a diverse spectrum of individuals.

"This is something that we jokingly call an advanced persistent disruption; it is not going to be done on Thursday," Amy Hogan-Burney, general manager and associate general counsel for cybersecurity policy and protection at Microsoft, told Axios.

Cybercriminals are frequently adaptable, and they have been quick to rebuild their networks following past law enforcement crackdowns.

After all of the attention devoted to Cobalt Strike, Microsoft has already begun examining the tools that it expects bad actors will turn to next, according to Hogan-Burney.