Malicious use of the penetration testing tool Cobalt Strike and other legitimate tools has been significantly curtailed after an “aggressive campaign” by Cobalt Strike’s developer Fortra and Microsoft.
Fortra teamed up with Microsoft’s Digital Crimes Unit (DCU) and the Health Information Sharing and Analysis Center (Health-ISAC) to mitigate the use of unauthorized, legacy copies of Cobalt Strike and compromised Microsoft software in cyber attacks.
Speaking to ITPro, Bob Erdman, associate VP of research and development at Fortra, said Cobalt Strike has been used to devastating effect in a wide range of threat campaigns.
“After reconnaissance and the establishment of an initial foothold, Cobalt Strike could be deployed to maintain persistence and attempt to escalate privileges and move laterally across the environment,” he explained.
“The abuse of Fortra and Microsoft’s software tools laid the groundwork for this collaboration, which, with the assistance of our other public and private partners, has allowed for the disruption of criminal operations around the world.”
The trio launched the initiative in 2023 and leveraged a series of legal, technical, and collaborative efforts to disrupt threat actors’ ability to use legitimate tools in their attacks – many of which have caused significant harm to critical sectors such as the healthcare industry.
Fortra said it has seized and sinkholed more than 200 malicious domains, and that the number of unauthorized copies of Cobalt Strike observed in the wild each day has fallen by 80%.
Moreover, to further disable unauthorized versions of Cobalt Strike, Fortra revealed that it took part in Operation MORPHEUS in July 2024, a coordinated global effort to take down known IP addresses and domain names associated with illegal activity.
In total, 690 IP addresses were flagged to online service providers across 27 countries, 593 of which were taken down.
Hard work to eliminate malicious use of Cobalt Strike
Erdman grouped the firm’s efforts to stop its tool being abused into two approaches: preventing the distribution of unauthorized copies of Cobalt Strike, and taking down the infrastructure of unauthorized deployments that are currently being used in cyber attacks.
“Fortra and our partners have taken two primary paths of disruption. The first is interrupting the proliferation of unauthorized copies of the software circulating on file sharing sites, social media platforms, dark web markets and other areas,” he explained.
“Additionally, Fortra has implemented several new security & licensing controls in the product itself since we have taken ownership of the solution.
“The second is identifying unauthorized Cobalt Strike systems that are deployed and operating and having them taken offline, which may include additional steps such as seizing & sink-holing associated domains being used for illicit activities and involving relevant law enforcement authorities.”
Fortra said its efforts to combat the malicious use of Cobalt Strike are “ongoing and evolving”. As part of this the firm has signed on to the Pall Mall Process, an international initiative aimed at developing rules to address the illicit use of commercial cyber intrusion tools.
Erdman said Fortra will continue to leverage new rules and regulations as they are enacted around the world. He added that the company is confident such legislation, combined with aggressive action from industry stakeholders, will have a lasting effect.
What next for Cobalt Strike?
Fortra anticipates a significant reduction in the number of cyber attacks leveraging Cobalt Strike, although Erdman noted that threat actors will inevitably change their TTPs, for example by moving their deployments further afield or by using less popular tools.
“We anticipate a lasting effect from these actions, not only because of the current efforts but also because this is a long-term collaboration between Fortra, Microsoft, and our partners,” he said.
“Through ongoing legal and technical activities, we will continue to monitor and disrupt criminal operations. We did anticipate threat actors changing their TTPs, and that has proven to be true.”
He added that he expects some of the unauthorized Cobalt Strike deployments to shift to regions where it is harder for them to be targeted by Fortra or law enforcement.
Threat actors may also increase their use of other command and control frameworks in their attacks, Erdman suggested, and shift to less well-known file sharing and social media platforms to distribute unauthorized copies.