A trend that often gets lost in the reporting of cybersecurity incidents is how important mainstream pen testing tools have become to cybercrime.
This is also true in the ransomware sector where popular tools such as Cobalt Strike, Mimikatz, and PsExec are routinely abused for a multitude of tasks including reconnaissance, credential abuse, and post exploitation.
In the right hands these tools are extremely good at their job, which is why they’re an essential part of every security researcher and pen tester’s arsenal.
Unfortunately, hackers also use them to do some of the same tasks for an unethical objective. What’s not in doubt is that not having access to these tools and their infrastructure would quickly become a problem for cybercriminals.
It’s an issue that sets the scene for an unusual and potentially important legal action Microsoft’s Digital Crime Unit (DCU) launched in late March in conjunction with software tools company Fortra and healthcare cyber-information sharing nonprofit Health-ISAC.
The trio gained a court order in the Eastern District of New York giving them the legal authority to take down Internet infrastructure being used by criminals to abuse “cracked” legacy versions of Fortra’s Cobalt Strike, probably the most widely abused tool of all.
Targeting cybercrime infrastructure is nothing new; Microsoft’s DCU has long used this type of action against several large botnets over the last decade. The same principle is now being repurposed to target the infrastructure used by cracked tools.
Will It Work?
Cracked copies of tools are popular because licensing is expensive and not easy to get hold of without going through a verification process. Buying a license also potentially creates a means to track the purchaser. Consequently, older cracked versions have become a backdoor through which the tools can be abused without Fortra being able to stop that happening.
According to Microsoft, cracked copies of Cobalt Strike were abused in at least 68 ransomware attacks on health care organizations alone across 19 countries. This included attacks by ransomware gangs Conti and LockBit.
In reality, this is a vast understatement; abused pen testing software turns up in the tactics, techniques, and procedures (TTPs) list of pretty much every attack subjected to forensic examination today. Nevertheless, according to Microsoft:
“Disrupting cracked legacy copies of Cobalt Strike will significantly hinder the monetization of these illegal copies and slow their use in cyberattacks, forcing criminals to re-evaluate and change their tactics.”
“While the exact identities of those conducting the criminal operations are currently unknown, we have detected malicious infrastructure across the globe, including in China, the United States, and Russia.”
The attempt to go after infrastructure sounds like a losing battle, but the history of botnets offers some crumbs of optimism. In that sector, infrastructure takedowns had a major effect on specific threat actors, forcing criminals to innovate to stay in operation, including by diversifying into ransomware. The bigger issue is that there are a lot of tools for criminals to choose from. Even assuming they could be cut off from a popular tool, this wouldn’t stop them from moving to alternatives. Microsoft will need a lot more court orders to put a serious dent in the problem of tool abuse.