Feds Alert Healthcare Over Cobalt Strike Infections

October 12, 2022: Russian hackers used Cobalt Strike's command and control function during their intrusion into SolarWinds' network management software. The hackers who broke into Cisco's corporate IT infrastructure earlier this year used the tool. The first thing the threat actor behind the Emotet malware does after the initial infection is download Cobalt Strike onto compromised endpoints.

The number of organizations affected by a hack involving Cobalt Strike now runs into the tens of thousands each year, says the Department of Health and Human Services in a new warning to the healthcare sector.

Cybersecurity journalist Brian Krebs wrote that the Conti ransomware group values access to Cobalt Strike so much that it paid a legitimate company $30,000 to purchase licenses for it secretly.

The red teaming application, currently priced at nearly $6,000 per user, wasn't created for hackers, and malicious activity isn't its intended use.

The company did not immediately respond to Information Security Media Group's request for comment, but the tool's popularity among hackers is no secret. "Its built-in abilities enable it to be quickly deployed and operationalized regardless of actor sophistication or access to human or financial resources," cybersecurity company Proofpoint said in a 2021 statement.

The penetration testing tool, whose legitimate user base consists of white hat hackers, is being abused "with increasing frequency" against many enterprises, including the healthcare and public health sector, by ransomware operators and various advanced persistent threat groups, HC3 writes.

“Cobalt Strike is exploited maliciously by several state-sponsored actors and cybercriminal parties, many of whom pose a significant threat to the health sector,” the threat brief declares.

The governments that HHS's Health Sector Cybersecurity Coordination Center (HC3) lists as likely using Cobalt Strike for state-sponsored hacking are China, Iran, Russia and Vietnam.

Companies aren't helpless, says Sherrod DeGrippo, vice president of threat research and detection at Proofpoint.

Cobalt Strike and similar tools are "noisy" within an environment and can be spotted by security tools such as antimalware and intrusion prevention/detection systems, DeGrippo tells Information Security Media Group.
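One reason such tools are "noisy" is the regular check-in cadence of their command and control beacons, which stands out in ordinary proxy logs. The following is an added illustration written for this article, not code from Proofpoint, HC3 or the Cobalt Strike project; the log lines, hosts, paths and threshold values are all constructed.

```python
"""Flag beacon-like periodic connections in a proxy log.

Constructed example: one host checks in roughly every 60 seconds,
another browses at irregular intervals. Only the periodic flow
should be reported.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. Format: "<ISO timestamp> <src> <dst> <path>".
SAMPLE_LOG = """\
2022-10-12T09:00:00 10.0.0.5 203.0.113.7 /api/status
2022-10-12T09:01:01 10.0.0.5 203.0.113.7 /api/status
2022-10-12T09:01:59 10.0.0.5 203.0.113.7 /api/status
2022-10-12T09:03:00 10.0.0.5 203.0.113.7 /api/status
2022-10-12T09:04:02 10.0.0.5 203.0.113.7 /api/status
2022-10-12T09:04:58 10.0.0.5 203.0.113.7 /api/status
2022-10-12T09:00:10 10.0.0.9 198.51.100.2 /index.html
2022-10-12T09:00:12 10.0.0.9 198.51.100.2 /style.css
2022-10-12T09:07:40 10.0.0.9 198.51.100.2 /news
2022-10-12T09:21:03 10.0.0.9 198.51.100.2 /about
2022-10-12T09:21:05 10.0.0.9 198.51.100.2 /logo.png
2022-10-12T09:49:30 10.0.0.9 198.51.100.2 /contact
"""

def parse_log(text):
    """Group request timestamps by (src, dst) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _path = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(text, min_hits=5, max_cv=0.15):
    """Return (src, dst, mean_interval_seconds) for flows whose
    inter-arrival times are near-constant, i.e. whose coefficient of
    variation (stdev / mean) is at most max_cv. Thresholds are assumed."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue  # too few requests to judge periodicity
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((src, dst, round(avg, 1)))
    return hits
```

Real beacons add jitter and sleep settings that widen the spread, so in practice the thresholds are tuned against a baseline of known-good traffic rather than fixed as here.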

Detection should lead to quick action, says Keith Fricke, principal consultant at privacy and security consultancy tw-Security.

Cobalt Strike and other red teaming tools are "'legitimate' in the sense that they can be employed by red teamers, but are offensive security tools," he says.

Should defenders identify them, “they should be very concerned as they are not used for legitimate business objectives outside of security testing.”

HHS HC3 recommends that entities reduce their attack surface against common infection vectors such as phishing, known vulnerabilities and remote access capabilities.