Feds Warn Healthcare Over Cobalt Strike Infections

Red-Teaming Tool Poses Ongoing Risks When Used by Hackers, HHS Warns

The Department of Health and Human Services’ Office of Information Security’s HC3 unit says attackers are weaponizing legitimate security tools.

Russian hackers deployed Cobalt Strike’s command-and-control function during their attack against SolarWinds’ network management software. Hackers who earlier this year got into Cisco corporate IT infrastructure used the tool. The first thing the threat actor behind the Emotet malware does after an initial infection is to download Cobalt Strike onto compromised endpoints.

Organizations affected by a hack involving Cobalt Strike now number in the tens of thousands each year, says the Department of Health and Human Services in a new warning to the healthcare sector.

The Conti ransomware group values access to Cobalt Strike so much that it paid a legitimate company $30,000 to secretly buy licenses for it, cybersecurity reporter Brian Krebs wrote in March.

The red-teaming application — licenses for which currently run nearly $6,000 per user — wasn’t designed for hackers, and malicious activity isn’t its purpose.

The penetration testing tool, whose legitimate user base consists of white hat hackers, is being abused “with increasing frequency” against many industries, including the healthcare and public health sector, by ransomware operators and various advanced persistent threat groups, HC3 writes.

“Cobalt Strike is used maliciously by several state-sponsored actors and cybercriminal groups, many of whom pose a significant threat to the health sector,” the threat brief says.

Among the governments that the HHS’s Health Sector Cybersecurity Coordination Center lists as likely making use of Cobalt Strike for state-sponsored hacking are China, Russia, Iran and Vietnam.

Companies aren’t helpless. Cobalt Strike and similar tools are “noisy” within an environment and can be detected by security tools such as anti-malware and intrusion prevention/detection systems.

Should defenders spot them, “they should be very concerned as they are not used for legitimate business purposes outside of security testing.”

HHS HC3 recommends entities reduce their attack surfaces against common infection vectors such as phishing, known vulnerabilities and remote access capabilities.
