The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has released a threat alert for the healthcare sector regarding cyber threat actors using the Cobalt Strike penetration testing tool.
Cobalt Strike is a powerful commercial red team tool that penetration testers use for risk and vulnerability assessments, but the same capabilities can be abused. Cyber threat actors are using it increasingly in attacks on the healthcare and public health sector.
Cobalt Strike can be used for reconnaissance, gathering information about the target infrastructure so that threat actors can decide where to spend their time when attacking healthcare systems. Its system profiler identifies the client-side applications a target uses and reports version details. The system profiler starts a local web server, fingerprints anyone who visits it, discovers the internal IP addresses of visitors sitting behind a proxy, and collects reconnaissance data from the web log and the applications it detects.
Cobalt Strike also includes a spear phishing tool that creates and sends convincing phishing emails using an arbitrary message as the template. When a message is imported, Cobalt Strike rewrites its links and text, sends the resulting emails to the target list, and tracks who clicks.
Beacon is Cobalt Strike's payload. It loads malleable command and control (C2) profiles that change its network indicators, egresses a network over HTTP, HTTPS, or DNS, and can link Beacons peer-to-peer over SMB named pipes so that C2 traffic between compromised hosts is hidden in ordinary SMB traffic. Beacon is also the post-exploitation tool: it can run PowerShell scripts, log keystrokes, take screenshots, spawn additional malicious payloads, and download files. Cobalt Strike's attack packages move an intrusion through its successive stages and can turn an ordinary file into a Trojan horse.
Cobalt Strike's browser pivoting lets an attacker bypass two-factor authentication and reach targeted websites by riding on the compromised user's browser: the user's cookies, client SSL certificates, and authenticated HTTP sessions are used to hijack sessions the user has already authenticated. Through the Cobalt Strike team server, attackers can share information, communicate in real time, and jointly take complete control of breached systems.
Cobalt Strike is a powerful penetration testing tool, and because it is a complete framework it offers more capabilities than many malware families, which makes it an attractive tool for black hat hackers. Many nation-state hacking groups and cybercriminal organizations use Cobalt Strike in attacks on the U.S. healthcare sector.
Given how widely the framework is used in cyberattacks, healthcare organizations should assume that Cobalt Strike will be used in an attack against them, put prevention and detection measures in place accordingly, and adopt the MITRE D3FEND framework.
Cobalt Strike is delivered through a number of infection vectors, so defending against it is difficult, and no single mitigation is effective against the framework as a whole.
Cobalt Strike is frequently delivered by malware downloaders such as BazarLoader, which themselves arrive through phishing emails carrying malicious Office files. Advanced email security that blocks phishing threats is therefore essential, along with ongoing security awareness training that teaches employees to recognize malicious messages carrying downloaders such as BazarLoader.
Threat actors commonly exploit known vulnerabilities in software and operating systems to gain access to healthcare systems, so it is essential to maintain a complete inventory of devices and software and to apply patches or other mitigations promptly. Healthcare organizations should also harden their remote access services against attack.
Detecting Cobalt Strike once it is installed can be difficult. HC3 recommends using signatures in intrusion detection and endpoint security systems, as well as YARA rules. More information is available in the HC3 Cobalt Strike White Paper.
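As an added example of the signature-based detection HC3 recommends, applied to two of the Beacon behaviors described above (SMB named pipes and HTTP/HTTPS egress), the following script is written for this page and is not HC3's or Cobalt Strike's own code. It assumes the stock Cobalt Strike defaults: the pipe names msagent_##, status_##, postex_#### and the older MSSE-####-server, and the GET/POST URIs of the default HTTP profile. The log lines are constructed key=value summaries of what a Sysmon Event ID 17 (PipeEvent) record and a web proxy log would contain, not real telemetry.

```python
"""Signature checks for default Cobalt Strike Beacon indicators.

Added example, not HC3's or Cobalt Strike's code. Assumptions: the pipe
names and URIs are the defaults shipped with Cobalt Strike; an operator
who loads a custom malleable C2 profile can change all of them, so a miss
here proves nothing. Log lines are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass

# Default pipe names from the stock profile. Sysmon reports the pipe name
# with a leading backslash, e.g. "\msagent_3f".
PIPE_SIGNATURES = {
    "cs_default_smb_beacon_pipe": re.compile(r"^\\msagent_[0-9a-f]{2}$", re.I),
    "cs_default_smb_stager_pipe": re.compile(r"^\\status_[0-9a-f]{2}$", re.I),
    "cs_default_postex_pipe":     re.compile(r"^\\postex_(?:ssh_)?[0-9a-f]{4}$", re.I),
    "cs_legacy_postex_pipe":      re.compile(r"^\\MSSE-\d{1,4}-server$", re.I),
}

# GET URIs and the POST URI from the stock HTTP profile (assumed defaults).
_DEFAULT_GET = (r"^/(?:activity|dpixel|__utm\.gif|pixel\.gif|g\.pixel|ga\.js|"
                r"visit\.js|updates\.rss|fwlink|cm|cx|en_US/all\.js|match|push|"
                r"ptj|j\.ad|load)$")
HTTP_SIGNATURES = {
    "cs_default_http_get":  ("GET",  re.compile(_DEFAULT_GET)),
    "cs_default_http_post": ("POST", re.compile(r"^/submit\.php\?id=\d+$")),
}


@dataclass(frozen=True)
class Finding:
    signature: str
    host: str
    evidence: str


_KV = re.compile(r"(\w+)=(\S+)")


def parse_kv(line: str) -> dict:
    """Parse a 'key=value key=value' line; values contain no whitespace."""
    return dict(_KV.findall(line))


def match_pipe(pipe_name: str):
    """Return the name of the matching pipe signature, or None."""
    for name, rx in PIPE_SIGNATURES.items():
        if rx.match(pipe_name):
            return name
    return None


def match_http(method: str, uri: str):
    """Return the name of the matching HTTP signature, or None.

    Scheme and host are stripped so only the path is compared; the query
    string is kept because the stock POST URI carries the session id in ?id=.
    """
    path = re.sub(r"^https?://[^/]+", "", uri)
    for name, (sig_method, rx) in HTTP_SIGNATURES.items():
        if method.upper() == sig_method and rx.match(path):
            return name
    return None


def scan(pipe_events, http_events):
    """Run both signature sets and return the list of Findings (may be empty)."""
    findings = []
    for line in pipe_events:
        ev = parse_kv(line)
        sig = match_pipe(ev.get("pipe", ""))
        if sig:
            findings.append(Finding(sig, ev.get("host", "?"),
                                    f'{ev.get("image", "?")} -> {ev["pipe"]}'))
    for line in http_events:
        ev = parse_kv(line)
        sig = match_http(ev.get("method", ""), ev.get("uri", ""))
        if sig:
            findings.append(Finding(sig, ev.get("src", "?"),
                                    f'{ev["method"]} {ev["uri"]}'))
    return findings


# Constructed sample telemetry (not real logs): two suspicious pipes, one
# benign pipe, two default-profile HTTP requests, two ordinary requests.
PIPE_EVENTS = [
    "host=WS01 event=17 image=C:\\Windows\\System32\\rundll32.exe pipe=\\msagent_3f",
    "host=WS01 event=17 image=C:\\Windows\\System32\\svchost.exe pipe=\\postex_a1b2",
    "host=WS02 event=17 image=C:\\Windows\\System32\\spoolsv.exe pipe=\\spoolss",
]
HTTP_EVENTS = [
    "src=10.0.0.5 method=GET uri=http://203.0.113.10/dpixel status=200",
    "src=10.0.0.5 method=POST uri=http://203.0.113.10/submit.php?id=12345 status=200",
    "src=10.0.0.7 method=GET uri=http://198.51.100.20/index.html status=200",
    "src=10.0.0.7 method=POST uri=http://198.51.100.20/login status=302",
]

if __name__ == "__main__":
    for f in scan(PIPE_EVENTS, HTTP_EVENTS):
        print(f"{f.signature:28} {f.host:10} {f.evidence}")
```

Run against the constructed sample, the script reports the two WS01 pipes and the two requests from 10.0.0.5 and nothing else. The limitation is the one the alert itself points to: because Beacon's network indicators are malleable, a custom C2 profile renames the pipes and URIs and these signatures go silent, so they belong alongside YARA rules on the Beacon payload and behavioral detections rather than standing alone.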