Feds warn health care about infections caused by Cobalt Strike



Red Teaming tool poses ongoing risks when used by hackers, HHS warns

Marianne Kolbasuk McGee (HealthInfoSec) • October 10, 2022

The HC3 Unit of the Department of Health and Human Services’ Information Security Office says the attackers are weaponizing legitimate security tools.

If every second hack seems to involve malicious use of the Cobalt Strike penetration testing tool, it’s not just your imagination.


Russian hackers deployed Cobalt Strike’s command-and-control feature in their attack on SolarWinds’ network management software. The hackers who earlier this year entered the Cisco enterprise IT infrastructure used the tool. The first thing the threat actor behind Emotet malware does after initial infection is download Cobalt Strike to compromised endpoints.

The number of organizations affected by a hack involving Cobalt Strike now runs in the tens of thousands each year, the Department of Health and Human Services says in a new warning to the health sector.

The Conti ransomware group values access to Cobalt Strike so much that it paid a legitimate company $30,000 to secretly buy licenses from it, cybersecurity journalist Brian Krebs wrote in March.

The red teaming app, which currently licenses for nearly $6,000 per user, was not designed for hackers, and malicious activity is not its goal (see: Attackers are increasingly using Cobalt Strike).

The company did not immediately respond to Information Security Media Group’s request for comment, but the tool's popularity among hackers is no secret. “Its built-in capabilities allow it to be quickly deployed and operationalized regardless of sophistication of actors or access to human or financial resources,” said cybersecurity company Proofpoint in a 2021 report.

The penetration testing tool, whose legitimate user base consists of white hat hackers, is being abused “with increasing frequency” against many industries, including healthcare and public health, by ransomware operators and various advanced persistent threat groups, writes HC3.

“Cobalt Strike is being used maliciously by several state-sponsored actors and cybercriminal groups, many of which pose a significant threat to the healthcare industry,” the threat report states.

Among the governments that the HHS Health Sector Cybersecurity Coordination Center lists as likely to use Cobalt Strike for state-sponsored hacking: China, Russia, Iran, and Vietnam.

Companies are not helpless, says Sherrod DeGrippo, vice president of research and threat detection at Proofpoint.

Cobalt Strike and similar tools are “noisy” in an environment and can be detected by security tools such as antimalware and intrusion prevention/detection systems, DeGrippo told Information Security Media Group.

Detection should lead to quick action, says Keith Fricke, principal consultant at privacy and security consultancy tw-Security.

“Cobalt Strike and other red team tools are ‘legit’ in the sense that they can be used by red teams, but they are offensive security tools,” he said.

If defenders spot them, “they should be very concerned because they’re not being used for legitimate business purposes outside of security testing.”

HHS HC3 recommends that entities reduce their attack surfaces against common infection vectors such as phishing, known vulnerabilities, and remote access capabilities.
