Microsoft, Fortra, and Health-ISAC Join Forces to Disrupt Malicious Use of Cobalt Strike

Microsoft has announced that its Digital Crimes Unit, the Health Information Sharing and Analysis Center (Health-ISAC), and the cybersecurity firm Fortra are taking action to prevent the legitimate red team post-exploitation tool, Cobalt Strike, from being illegally used by malicious actors for delivering malware and ransomware.

Cobalt Strike is a collection of tools used for adversary simulation that can be used to replicate the tactics and techniques of advanced threat actors in a network and emulate quiet, long-term actors with persistent access to networks. The tool was first developed in 2012 and fast became one of the most widely adopted tools among penetration testers. Cobalt Strike has grown in sophistication over the years, its functionality has been significantly enhanced, and it is part of Fortra’s cybersecurity portfolio.

While the tool is incredibly useful for red team operations, cracked copies have circulated within the cybercriminal community and malicious use of the tool is increasing. Cobalt Strike has been used by multiple ransomware gangs, including LockBit and Conti (the latter before the group split in 2022). Microsoft reports that Cobalt Strike has been used in more than 68 ransomware attacks on healthcare providers in more than 19 countries around the world. The attacks have prevented access to electronic health records, disrupted critical patient care services, resulted in delays to diagnosis and treatment, and have cost healthcare organizations millions of dollars in recovery and repair costs. The tool was also used in the devastating attack on the Health Service Executive in Ireland and the recent attack on the Government of Costa Rica.

Fortra has taken action to prevent the illegal use of Cobalt Strike, including stringent vetting processes for new customers; however, malicious actors have been using older, cracked versions of the tool to gain backdoor access to machines for distributing malware and accelerating the deployment of ransomware. Microsoft says the exact identities of the malicious actors using the tool are not known, but malicious infrastructure used by those threat actors has been detected in Russia, China, and the United States. In addition to misuse of the tool by financially motivated cybercriminals, advanced persistent threat actors from Russia, China, Vietnam, and Iran are known to have used cracked versions of Cobalt Strike.

Microsoft, Fortra, and Health-ISAC have joined forces to increase efforts to disrupt cracked, legacy copies of Cobalt Strike and abused Microsoft software. In contrast to Microsoft’s typical efforts to combat cybercrime by disrupting the command-and-control infrastructure of malware families, efforts are being made to remove illegal, legacy copies of Cobalt Strike to prevent further use by malicious actors.

On March 31, 2023, the U.S. District Court for the Eastern District of New York issued a court order allowing Microsoft, Fortra, and Health-ISAC to disrupt the infrastructure used by criminals to facilitate attacks in more than 19 countries. Relevant Internet Service Providers (ISPs) will be notified about the malicious use of the tool and computer emergency readiness teams (CERTs) will assist in taking the infrastructure offline and disrupting cracked, legacy copies of Cobalt Strike and compromised Microsoft software. Microsoft, Fortra, and Health-ISAC will also be collaborating with the FBI Cyber Division, National Cyber Investigative Joint Task Force (NCIJTF), and Europol’s European Cybercrime Centre (EC3) to prevent misuse of Cobalt Strike.

“Disrupting cracked legacy copies of Cobalt Strike will significantly hinder the monetization of these illegal copies and slow their use in cyberattacks, forcing criminals to re-evaluate and change their tactics,” explained Microsoft. “Today’s action also includes copyright claims against the malicious use of Microsoft and Fortra’s software code which are altered and abused for harm.”

The post Microsoft, Fortra, and Health-ISAC Join Forces to Disrupt Malicious Use of Cobalt Strike appeared first on HIPAA Journal.

HC3 Warns of DNS NXDOMAIN DDoS Attacks on the Healthcare Sector

The Health Sector Cybersecurity Coordination Center (HC3) has issued a warning about a threat actor that is conducting targeted distributed denial of service (DDoS) attacks on the U.S. healthcare sector. The attacks involve flooding networks and servers with bogus Domain Name System (DNS) requests for non-existent domains (NXDOMAINs), which overloads DNS servers and prevents legitimate DNS requests from being answered. These attacks have been conducted since at least November 2022.

DNS servers are used to locate web resources and identify the IP addresses of the requested resources so that a connection can be made. When a DNS Proxy Server (recursive resolver) receives a request it cannot answer from its cache, it contacts the DNS Authoritative Server, and if the IP address of that resource is identified, it is relayed back to the client, allowing a connection to be made. In a DNS NXDOMAIN flood DDoS attack, the DNS Proxy Server is flooded with requests for non-existent domains; because each randomized non-existent name misses the cache, the proxy’s resources are consumed forwarding the NXDOMAIN queries to the DNS Authoritative Server, and the authoritative server in turn uses its resources answering them.

These requests are usually sent to the DNS Proxy server by a botnet – an army of malware-infected devices under the control of the attacker. Depending on the scale of the attack, legitimate DNS requests will be slowed down or may even be completely prevented, thus stopping legitimate users from accessing a website or web application.

These attacks tend to be relatively short-lived, lasting several hours to a few days. During an attack on a healthcare provider’s domain, patients may be prevented from accessing appointment scheduling applications and patient portals, and a healthcare provider’s website may be rendered inaccessible. Staff may also be prevented from accessing web applications.

These attacks are typified by large numbers of DNS queries for non-existent hostnames under legitimate domains, UDP packets encapsulated in IPv4 and IPv6, widely distributed and potentially spoofed source IPs, and DNS servers generating large numbers of NXDOMAIN errors.

Blocking these attacks is difficult as the devices that make up the botnet are often widely distributed and the botnet may consist of several thousand devices. While it may not be possible to block an attack in progress, there are mitigations that can limit its impact. These include blackhole routing or filtering of suspected domains and servers, implementing DNS Response Rate Limiting, blocking further requests from an offending client’s IP address for a limited period, ensuring cache refresh takes place, reducing the timeout for recursive name lookups to free up resources in the DNS resolver, increasing the time-to-live (TTL) on existing records, and applying rate limiting on traffic to overwhelmed servers.
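The indicators listed above (many NXDOMAIN answers for random hostnames under a legitimate zone, from many source IPs) and one of the mitigations (temporarily blocking a client that sends too many queries) can both be exercised against resolver logs. The following is an added example written for this page, not code from HC3 or from the HIPAA Journal article: it parses a constructed, hypothetical log format of `<timestamp> <client_ip> <qname> <rcode>`, scores each zone on NXDOMAIN ratio and on the number of distinct non-existent names and distinct clients, and then replays the same log through a simple per-client sliding-window limiter that blocks a client for a fixed period once it exceeds the query budget. The log lines, the "zone is the last two labels" rule, and all thresholds are assumptions chosen for illustration, not values from the alert.

```python
"""Added example (not from HC3 or the HIPAA Journal article): flag NXDOMAIN-flood
indicators per zone in resolver logs, and apply a per-client temporary block.
Log format, zone derivation and thresholds are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "<ts> <client_ip> <qname> <rcode>" format.
# A handful of normal lookups plus a burst of random labels under example-hospital.org
# from several source addresses, which is the pattern the alert describes.
SAMPLE_LOG = """\
2023-02-01T10:00:00 203.0.113.5 portal.example-hospital.org NOERROR
2023-02-01T10:00:00 203.0.113.9 www.example-hospital.org NOERROR
2023-02-01T10:00:00 198.51.100.7 x7q2k9.example-hospital.org NXDOMAIN
2023-02-01T10:00:00 198.51.100.8 p0ztl1.example-hospital.org NXDOMAIN
2023-02-01T10:00:01 198.51.100.9 m4vb8r.example-hospital.org NXDOMAIN
2023-02-01T10:00:01 198.51.100.10 qq81zd.example-hospital.org NXDOMAIN
2023-02-01T10:00:01 198.51.100.11 a9s8d7.example-hospital.org NXDOMAIN
2023-02-01T10:00:02 198.51.100.7 zz0x1c.example-hospital.org NXDOMAIN
2023-02-01T10:00:02 198.51.100.7 b2n4m6.example-hospital.org NXDOMAIN
2023-02-01T10:00:02 198.51.100.7 k3j5h7.example-hospital.org NXDOMAIN
2023-02-01T10:00:03 203.0.113.5 mail.example-hospital.org NOERROR
2023-02-01T10:00:03 203.0.113.12 typo.example-clinic.net NXDOMAIN
2023-02-01T10:00:03 203.0.113.13 www.example-clinic.net NOERROR
"""


def parse(log_text):
    """Turn the constructed log format into (timestamp, client, qname, rcode) tuples."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode))
    return records


def zone_of(qname):
    # Assumption: the registered zone is the last two labels (no public-suffix list handling).
    return ".".join(qname.split(".")[-2:])


def analyze(records, min_ratio=0.5, min_names=5, min_clients=3):
    """Per zone: NXDOMAIN share, distinct non-existent names, distinct clients, and a flag
    when all three indicators exceed the (assumed) thresholds."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "names": set(), "clients": set()})
    for _, client, qname, rcode in records:
        z = stats[zone_of(qname)]
        z["total"] += 1
        if rcode == "NXDOMAIN":
            z["nxdomain"] += 1
            z["names"].add(qname)
            z["clients"].add(client)
    report = {}
    for zone, z in stats.items():
        ratio = z["nxdomain"] / z["total"]
        report[zone] = {
            "total": z["total"],
            "nxdomain": z["nxdomain"],
            "nx_ratio": round(ratio, 3),
            "distinct_nx_names": len(z["names"]),
            "distinct_nx_clients": len(z["clients"]),
            "flagged": ratio >= min_ratio
            and len(z["names"]) >= min_names
            and len(z["clients"]) >= min_clients,
        }
    return report


class ClientRateLimiter:
    """Sliding-window budget per client; exceeding it blocks the client for block_seconds."""

    def __init__(self, max_queries, window_seconds, block_seconds):
        self.max = max_queries
        self.window = timedelta(seconds=window_seconds)
        self.block = timedelta(seconds=block_seconds)
        self.history = defaultdict(list)
        self.blocked_until = {}

    def allow(self, client, ts):
        until = self.blocked_until.get(client)
        if until is not None:
            if ts < until:
                return False          # still inside the block period
            del self.blocked_until[client]
        hist = [t for t in self.history[client] if t >= ts - self.window]
        hist.append(ts)
        self.history[client] = hist
        if len(hist) > self.max:
            self.blocked_until[client] = ts + self.block
            return False
        return True


def replay_with_limit(records, limiter):
    """Replay the log through the limiter; return how many queries each client had blocked."""
    blocked = defaultdict(int)
    for ts, client, _, _ in records:
        if not limiter.allow(client, ts):
            blocked[client] += 1
    return dict(blocked)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for zone, s in analyze(recs).items():
        print(zone, s)
    print(replay_with_limit(recs, ClientRateLimiter(max_queries=3, window_seconds=2, block_seconds=60)))
```

The limiter is deliberately the simplest form of the "block further requests from the client's IP for a limited period" mitigation; on a real resolver this is what DNS Response Rate Limiting implements natively, and because source addresses in these floods may be spoofed, a per-client limit should be read as a way to protect resolver capacity rather than as proof of which hosts are attacking.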

While HC3 did not confirm the source of these attacks, the healthcare sector is being targeted by the hacktivist group Killnet in response to U.S. Congress’ support for Ukraine. Killnet has been active since at least January 2022 and has stepped up its attacks on the U.S. healthcare sector in recent months.

The post HC3 Warns of DNS NXDOMAIN DDoS Attacks on the Healthcare Sector appeared first on HIPAA Journal.