Abuse of Legitimate Tools Threatens Healthcare Cybersecurity

October 11, 2022 - Threat actors are continuously leveraging legitimate tools such as Cobalt Strike, Mimikatz, and PowerShell to conduct cyberattacks that pose threats to healthcare cybersecurity, the HHS Health Sector Cybersecurity Coordination Council (HC3) warned in a recent brief.

“The same tools used to operate, maintain and secure healthcare systems and networks can also be turned against their own infrastructure,” the brief stated.

HC3 noted that it had no stance on the legitimate use of the tools, and “each should be evaluated based on its own merits and drawbacks.”

“This is also not a condemnation of these tools nor is it a call for healthcare organizations to avoid them. They have value, as evidenced by their popularity,” HC3 stated.

These tools can bring legitimate value to healthcare organizations, and each organization should weigh the risks and benefits accordingly.

Cobalt Strike is a red team framework that allows its users to simulate attacks to assess risk and vulnerabilities. Since it was created in 2012, it has been abused by threat actors such as Ryuk and FIN12.

“Cobalt Strike is capable of emulating one of the most prolific infection vectors – phishing,” the brief also noted.

“This capability is highly customizable and can therefore simulate many environments.”

Cobalt Strike has been used in multiple high-profile cyberattacks, from as early as 2016. In December 2020, threat actors used Cobalt Strike to deploy a large-scale supply chain attack on SolarWinds. In May 2021, Microsoft outlined new email-based Cobalt Strike Beacon activity used by Nobelium threat actors.

Because Cobalt Strike is so versatile, it can be difficult to contain its capabilities and apply risk mitigations. Organizations should attempt to reduce their attack surfaces against common infection vectors such as phishing and known vulnerabilities.

In addition to detailing the risks associated with Cobalt Strike, HC3 described the risks associated with PowerShell, Mimikatz, Sysinternals, AnyDesk, and Brute Ratel. All of the tools mentioned have legitimate uses but could be exploited by threat actors to cause damage to healthcare cybersecurity.

For example, PowerShell cmdlets allow administrators to manage their networks, but may also be leveraged by hackers. Mimikatz can be used to compromise password credentials, and AnyDesk may be used to compromise remote desktop technologies.

The tools mentioned in the brief all have legitimate uses but also present significant security issues, making risk mitigation challenging.

“Mitigating the risk associated with them is not as simple as deploying a patch or reconfiguring an application,” HC3 explained.  

“Several of them are resident on common systems, making them even more challenging to detect when used maliciously.”

HC3 emphasized that healthcare organizations should evaluate the tools against their own security postures and use them accordingly.