Feds Warn Healthcare Over Cobalt Strike Infections

Red-Teaming Tool Poses Ongoing Risks When Used by Hackers, HHS Warns
If every second hack seems to involve malicious use of penetration testing tool Cobalt Strike, it's not just your imagination.
Russian hackers deployed Cobalt Strike's command-and-control function during their attack against SolarWinds' network management software. Hackers who earlier this year got into Cisco corporate IT infrastructure used the tool. The first thing the threat actor behind the Emotet malware does after an initial infection is to download Cobalt Strike onto compromised endpoints.
The number of organizations affected by a hack involving Cobalt Strike now numbers in the tens of thousands each year, says the Department of Health and Human Services in a warning to the healthcare sector.
The Conti ransomware group values access to Cobalt Strike so much that it paid a legitimate company $30,000 to secretly buy licenses for it, cybersecurity reporter Brian Krebs wrote in March.
The red-teaming application - licenses for which currently run nearly $6,000 per user - wasn't designed for hackers, and malicious activity isn't its purpose (see: Attackers Increasingly Using Cobalt Strike).
The company did not immediately respond to Information Security Media Group's request for comment, but its popularity among hackers is no secret. "Its built-in capabilities enable it to be quickly deployed and operationalized regardless of actor sophistication or access to human or financial resources," said cybersecurity company Proofpoint in a 2021 report.
The penetration testing tool, whose legitimate user base consists of white hat hackers, is being abused "with increasing frequency" against many industries, including the healthcare and public health sector, by ransomware operators and various advanced persistent threat groups, the HHS Health Sector Cybersecurity Coordination Center (HC3) writes.
"Cobalt Strike is used maliciously by several state-sponsored actors and cybercriminal groups, many of whom pose a significant threat to the health sector," the threat brief says.
Among the governments that the HHS's Health Sector Cybersecurity Coordination Center lists as likely making use of Cobalt Strike for state-sponsored hacking are China, Russia, Iran and Vietnam.
Companies aren't helpless, says Sherrod DeGrippo, vice president of threat research and detection at Proofpoint.
Cobalt Strike and similar tools are "noisy" within an environment and can be detected by security tools such as anti-malware and intrusion prevention/detection systems, DeGrippo tells ISMG.
Detection should lead to quick action, says Keith Fricke, principal consultant at privacy and security consultancy tw-Security.
"Cobalt Strike and other red-teaming tools are 'legitimate' in the sense that they can be used by red teamers, but are offensive security tools," he says.
Should defenders spot them, "they should be very concerned as they are not used for legitimate business purposes outside of security testing."
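The "noisy" behaviour DeGrippo describes is what makes detection practical: an unmodified Cobalt Strike deployment leaves well-documented default artifacts, and even a customised one checks in on a machine-regular timer. The following script is an added illustration written for this article; it is not code from ISMG, HC3, Proofpoint or the tool's vendor. It scans a constructed proxy log and a constructed list of named pipes for the tool's publicly documented defaults (Beacon request paths `/dpixel`, `/__utm.gif`, `/pixel.gif`, `/submit.php`; pipe names of the form `MSSE-<n>-server`, `postex_<hex>`, `msagent_<hex>`) and separately flags source/destination pairs whose request intervals are too regular to be human. The log format, IP addresses and timestamps are assumptions made up for the example.

```python
# Baseline hunt for default Cobalt Strike artifacts in proxy logs and pipe telemetry.
# Added example, not from the article or any vendor. Static indicators below are the
# tool's publicly documented defaults; operators who customise a Malleable C2 profile
# will not match them, so the interval-regularity check is the more durable signal.
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Default HTTP Beacon request paths (assumption: profile left unmodified).
DEFAULT_URI_PATHS = {"/dpixel", "/__utm.gif", "/pixel.gif", "/submit.php"}

# Default named-pipe name patterns used by SMB Beacon and post-exploitation jobs.
DEFAULT_PIPE_PATTERNS = [
    re.compile(r"^MSSE-\d+-server$"),
    re.compile(r"^postex_[0-9a-f]+$", re.I),
    re.compile(r"^msagent_[0-9a-f]+$", re.I),
]

# Assumed log format for this example: "<iso-timestamp> <src-ip> <METHOD> <url>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) https?://(?P<host>[^/\s]+)(?P<path>/[^\s?]*)"
)

# Constructed sample: 10.0.0.5 checks in to 203.0.113.10 about every 60 s with jitter;
# 10.0.0.7 browses www.example.com at irregular, human-looking intervals.
SAMPLE_PROXY_LOG = """\
2023-01-10T09:00:00 10.0.0.5 GET http://203.0.113.10/dpixel
2023-01-10T09:00:05 10.0.0.7 GET http://www.example.com/
2023-01-10T09:00:10 10.0.0.7 GET http://www.example.com/about
2023-01-10T09:01:00 10.0.0.5 GET http://203.0.113.10/__utm.gif
2023-01-10T09:01:58 10.0.0.5 GET http://203.0.113.10/pixel.gif
2023-01-10T09:02:20 10.0.0.7 GET http://www.example.com/news
2023-01-10T09:02:32 10.0.0.7 GET http://www.example.com/contact
2023-01-10T09:03:00 10.0.0.5 POST http://203.0.113.10/submit.php?id=1234
2023-01-10T09:04:01 10.0.0.5 GET http://203.0.113.10/dpixel
2023-01-10T09:05:00 10.0.0.5 GET http://203.0.113.10/dpixel
2023-01-10T09:07:32 10.0.0.7 GET http://www.example.com/login
2023-01-10T09:08:17 10.0.0.7 GET http://www.example.com/account
"""

# Constructed pipe names as an EDR might report them; lsass and spoolss are benign.
SAMPLE_PIPES = [
    r"\\.\pipe\MSSE-1234-server",
    r"\\.\pipe\lsass",
    r"\\.\pipe\postex_a1b2",
    r"\\.\pipe\spoolss",
    r"\\.\pipe\msagent_1f",
]


def parse_proxy_log(text):
    """Parse log lines into dicts; lines not matching the assumed format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            entries.append(e)
    return entries


def find_default_uri_hits(entries):
    """Static-indicator check: requests whose path matches a default Beacon URI."""
    return [(e["src"], e["host"], e["path"]) for e in entries if e["path"] in DEFAULT_URI_PATHS]


def find_beaconing(entries, min_requests=5, max_cv=0.15):
    """Behavioural check: (src, host) pairs with suspiciously regular request intervals.

    Coefficient of variation (stdev / mean) near zero means timer-driven check-ins;
    human browsing in the sample gives a CV above 1.
    """
    by_pair = defaultdict(list)
    for e in entries:
        by_pair[(e["src"], e["host"])].append(e["ts"])
    flagged = []
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged.append((src, host, round(mean, 1), round(cv, 3)))
    return flagged


def find_default_pipes(pipe_names):
    """Endpoint check: pipe names matching the default SMB/post-ex naming scheme."""
    hits = []
    for full in pipe_names:
        short = full.rsplit("\\", 1)[-1]
        if any(p.match(short) for p in DEFAULT_PIPE_PATTERNS):
            hits.append(full)
    return hits


if __name__ == "__main__":
    entries = parse_proxy_log(SAMPLE_PROXY_LOG)
    print("default URI hits:", find_default_uri_hits(entries))
    print("regular beaconing:", find_beaconing(entries))
    print("default pipes:", find_default_pipes(SAMPLE_PIPES))
```

On the sample data the static check flags all six requests from 10.0.0.5, the interval check flags the same host's traffic to 203.0.113.10 (mean gap 60 s, CV about 0.02) while leaving the browsing host alone, and three of the five pipe names match the default scheme. In production the static list should be treated as a quick win that a careful operator can defeat; the interval check needs a longer window and tuning of `max_cv` against legitimate software that also polls on a timer, and any hit should feed the rapid response Fricke calls for rather than a watch list.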
HHS HC3 recommends entities reduce their attack surfaces against common infection vectors such as phishing, known vulnerabilities and remote access capabilities.