HC3: Cobalt Strike Penetration Testing Tool Increasingly Abused in Attacks on the Healthcare and Public Health Sector

Cybercriminals and Advanced Persistent Threat (APT) actors are increasingly using Cobalt Strike in attacks on the healthcare and public health (HPH) sector in the United States, warned the HHS’ Health Sector Cybersecurity Coordination Center (HC3) in a recent TLP: WHITE alert.

Cobalt Strike is a legitimate remote access penetration testing/red team tool which is used to simulate cyberattacks and identify vulnerabilities and risks. It was created by Raphael Mudge in 2012 and has extensive capabilities, which are being abused in real-world attacks on the HPH sector and other industries by cybercriminal groups such as FIN12 and nation-state hacking groups.

Malware is typically used in cyberattacks for logging keystrokes, exfiltrating sensitive data, and downloading other malicious payloads, but most malware variants have limited capabilities. Cobalt Strike on the other hand is an entire framework with extensive capabilities that can be used in all stages of a cyberattack such as reconnaissance, covert communications, spear phishing, collaboration, delivering attack packages, post-exploitation, browser pivoting, and reporting and logging.

In the reconnaissance phase of an attack, threat actors gather information about the target infrastructure and identify systems and endpoints of interest. Cobalt Strike makes reconnaissance easier and allows threat actors to concentrate their resources on parts of the infrastructure that are easiest to attack. Cobalt Strike includes a tool called Beacon, which is used to discover client-side applications, and allows attackers to gather information to direct their attacks, stage malware, create loaders, and deliver a full backdoor that runs in the memory.

Cobalt Strike can be used to host a web drive-by attack and transform innocent files into a Trojan horse, as well as for creating convincing, targeted phishing emails. A man-in-the-browser attack can be conducted to hijack a compromised user’s authenticated web sessions, and data can be communicated to the attackers in real-time, giving them command and control of compromised systems.

Cobalt Strike has been abused by threat actors since at least 2016, but the  use of the tool has been increasing in recent years. Cobalt Strike was used in the December 2020 supply chain attack on SolarWinds by the APT group Nobelium, and several cybercriminal groups have used the tool in extortion attacks involving ransomware.

Attacks are difficult to detect and once the tool has been deployed and there is no single effective strategy for containing an attack. It is therefore important to adopt a mindset where it is assumed Cobalt Strike will be used in an attack and to prepare for such an attack and implement strategies to mitigate risk.

One problem in healthcare is the substantial attack surface, so prevention strategies should involve reducing that attack surface and implementing cybersecurity solutions to block key attack vectors such as phishing emails. It is also important to assess methods of remote access and to harden security and monitor remote access sessions.

HC3 has provided detailed information on the capabilities of Cobalt Strike and effective strategies for protection and detection in the threat brief, which is available as a PDF file on this link.