
Microsoft Partnership Reduces Unauthorized Cobalt Strike Usage by 80%
U.S. software firm Fortra has successfully “seized and sinkholed” over 200 malicious domains through its strategic partnership with Microsoft’s Digital Crimes Unit and the Health Information Sharing and Analysis Center (H-ISAC). This collaborative effort has significantly reduced the exploitation of Fortra’s Cobalt Strike penetration testing tool by cybercriminals.
Why Proper Tool Management Matters
Insufficient privileged access management and improper configurations often create weaknesses that cybercriminals exploit. By targeting unauthorized copies of Cobalt Strike, a powerful attack platform that security professionals use legitimately, the partnership has begun to show tangible results in reducing cyber threats.
The initiative, which began in April 2023, specifically targeted ransomware groups that used illegally obtained legacy copies of Cobalt Strike and compromised Microsoft software to attack healthcare organizations.
Impressive Results After Two Years
As the partnership approaches its second anniversary, Fortra executives Bob Erdman and Peter Ceelen report an 80% decrease in unauthorized Cobalt Strike copies observed in the wild. This dramatic reduction has significantly limited the resources available to cybercriminals targeting healthcare and other sectors.
“This reduction has had a tangible impact, with these tools now being abused far less often,” they noted. The partnership has also reduced average dwell time—the period between initial detection and takedown—to less than one week in the United States and under two weeks worldwide.
Operation MORPHEUS Impact
Fortra has also supported Operation MORPHEUS, a three-year international cyber investigation aimed at disrupting connections to “cracked” copies of Cobalt Strike used in numerous ransomware attacks on healthcare organizations.
This operation identified 690 IP addresses across 27 countries associated with criminal activity, resulting in the successful takedown of 593 addresses. The campaign continues to evolve to combat the malicious use of unauthorized security tools.
Industry Best Practices
Cybercriminal groups like Conti and Rhysida have historically exploited legitimate cybersecurity tools, but organizations can minimize this risk by following industry best practices, including:
- Strengthening access management policies under NIST guidelines
- Adopting Zero Trust principles
- Implementing proper configuration management
The FBI previously warned that threat actors like Conti “weaponize Word documents with embedded PowerShell scripts, initially staging Cobalt Strike via the Word documents and then dropping Emotet onto the network, giving the actor access to deploy ransomware.”
The Value of Collaboration
“Collaboration is essential in advancing cybersecurity overall,” Erdman and Ceelen emphasized. “This not only strengthens the collective defense against cybercriminals, but also ensures that legitimate security tools can continue to be used responsibly and effectively to protect organizations worldwide.”