Microsoft, Fortra, and the non-profit organization Health-ISAC are collaborating to tackle providers of illegal Cobalt Strike copies. This is to prevent further misuse of the legitimate tool.
A US judge has granted the two companies and the American non-profit organization permission to take action. The goal is to track down illegal copies of older versions of the tool worldwide and take them offline. Both Microsoft and Fortra want their security tools and services to be used only in a legitimate manner.
Legal Actions
In more detail, the companies and the non-profit can now seize domain names and take offline the IP addresses of servers hosting the pirated versions. To identify them they rely on detection, analysis, telemetry, and reverse engineering, combined with other data and insights.
The organizations will also cooperate with relevant CERTs and internet service providers. The first actions have already begun.
Cobalt Strike
Fortra developed Cobalt Strike in 2012 as a legitimate product for penetration testing. Red teams can use it to scan companies’ infrastructures for vulnerabilities.
Cybercriminals also misuse the tool: they use it to scan networks for vulnerabilities and, in particular, to gain more persistent access to compromised infrastructure, for example to ‘harvest’ sensitive data or to spread other malware such as ransomware.
State-sponsored attackers also exploit the tool. Malicious use of Cobalt Strike is commonly seen in China, Russia, Vietnam, and Iran.