Microsoft’s Digital Crimes Unit (DCU), cybersecurity software company Fortra, and non-profit Health Information Sharing and Analysis Center (Health-ISAC) joined forces to obtain a court order to stop cybercriminals from using Fortra and Microsoft software to facilitate malware attacks.
This court order is not the first time Microsoft has sought legal action against threat actors. In 2021, a federal court in Virginia enabled the DCU to seize websites being leveraged by China-based hacking group Nickel. “These court orders disrupt current activity and can provide some relief until these cybercriminals pivot their tactics and infrastructure,” says Paige Peterson Sconzo, director of healthcare services with Redacted, a cybersecurity services company.
This new court order, granted by the US District Court for the Eastern District of New York, will allow the three organizations to disrupt threat actor operations related to Fortra’s Cobalt Strike and Microsoft software development kits and APIs. Cobalt Strike is a post-exploitation tool used to simulate adversary behavior, according to a Microsoft blog post. Cybercriminals use illegal, “cracked” copies of Cobalt Strike, as well as Microsoft software, to launch malicious attacks. Microsoft pointed to attacks against the Costa Rican government and the Irish Health Service Executive as examples.
The scope of this effort is greater than work done by the DCU in the past. “Instead of disrupting the command and control of a malware family, this time, we are working with Fortra to remove illegal, legacy copies of Cobalt Strike so they can no longer be used by cybercriminals,” Microsoft writes in its blog post.
How will this new court order be used to disrupt cybercrime, and could more legal action follow?
The Court Order in Action
The court order enables Microsoft and its partners to sever the connection between cybercriminals and infected computers, according to Bob Erdman, associate vice president, research and development at Fortra. “The recent court order will allow Microsoft to take ownership of IP addresses and domains associated with command-and-control servers used by cracked copies of Cobalt Strike and essentially will release the infected systems from control of the cybercriminals,” Errol Weiss, chief security officer of Health-ISAC, elaborates.
This disruption won’t halt cybercriminal operations, but it will put a strain on their resources. There are significant costs to them when faced with disruption efforts like this. “Anything we can do to slow them down or create distrust amongst the cybercriminal network is a good thing,” Weiss explains.
Combatting ransomware and the threat actors behind these attacks is an ongoing battle. While this court order will have an impact, cybercriminals will have ways to continue their work. “This action is limited to IP addresses and infrastructure located within the United States. Many threat actors maintain infrastructure that is located in less cooperative countries or in areas that have significantly less restrictions,” Drew Schmitt, ransomware negotiator with cybersecurity consulting services company GuidePoint Security, points out. “Threat actors are likely to continue moving their operations to these locations and/or implement additional proxy capabilities to circumvent being detected communicating through IP addresses geolocated to the United States.”
Peterson Sconzo hopes to see more focus on denying cybercriminals haven in these sanctuary countries, like Russia. “Until this is addressed, the worst of the ransomware gangs will continue to operate with complete impunity, free of any fear of lasting consequence. Any other action taken will produce temporary results at best,” she tells InformationWeek.
In addition to moving their operations, cybercriminals will likely look for ways to make it more difficult to identify abused copies of Cobalt Strike. “With previous source-code exposures for tools like Cobalt Strike, this leaves more opportunity to manipulate the code to make fingerprinting efforts more difficult,” Schmitt says.
While the DCU and its partners have their work cut out for them, this court order does mark an important step forward in the fight against ransomware and cybercriminals. “This court order sets a great precedent for making threat actors’ lives much harder now and in months and years to come,” says Schmitt. “At the bare minimum, this legal maneuver shows that we are really starting to think outside the box, which should hopefully inspire other countries and international entities to think outside the box as well.”
Collaboration in the Fight Against Cybercrime
Widespread, meaningful disruption of cybercriminals is an effort that cannot be undertaken in isolation. It requires collaboration. And this new court order is an example of bringing together multiple players. “We’ve been working in partnership with Microsoft and H-ISAC for months, and this effort has taken a significant amount of targeted hard work and joint investigation,” Erdman says. “Together with Microsoft and H-ISAC, we have also collaborated with the FBI Cyber Division, National Cyber Investigative Joint Task Force (NCIJTF), and Europol’s European Cybercrime Centre (EC3) on this case.”
Weiss hopes to see more players take up the mantle and contribute to this kind of action against cybercriminals. “It’s a huge effort for Microsoft, not just in terms of staff time, but the significant legal expenses they fund in support of these civil actions. Health-ISAC hopes to do more of these, but we need more leaders like Microsoft DCU,” he explains. “These actions take time, people, and money. With more big tech firms and others contributing to disruption operations like this, the more effect we can have against the malware operators.”
This legal action is just the beginning, according to Erdman. “Additional legal actions will be taken as necessary to disrupt threat actors’ operations going forward,” he says.
As more industry players and law enforcement agencies work together, the more pressure cybercriminals could face. “The more that the cybersecurity community can force threat actors to spend more time, and money, on solutions for penetrating and exploiting victims, the more impact we will have on their ability to generate revenue from ransomware,” Schmitt says.