HC3 Warns of Cobalt Strike Threat to Healthcare Sector

November 12, 2021 - HHS’s Health Sector Cybersecurity Coordination Center (HC3) issued a brief warning the healthcare sector of the threat of Cobalt Strike, a remote access tool that was originally created to defend against cyberattacks. The tool is meant to simulate network intrusions and assist with penetration testing but has since been abused by actual bad actors.

Cobalt Strike was created in 2012 by Raphael Mudge and was one of the first widely available red team frameworks used for legitimate risk and vulnerability assessments. In recent years, threat actors such as Ryuk and FIN12 have abused the legitimate tool.

“Cobalt Strike is an entire framework, which means it is much more than a typical malware variant,” the brief explained.

“Its capabilities include reconnaissance, spear phishing, covert communication, collaboration, post exploitation, attack packages, browser pivoting, reporting and logging.”

HC3 defines reconnaissance as the attempt to gain as much information about the target infrastructure as possible prior to the attack. Reconnaissance gives threat actors a major advantage and allows them to plan their attacks effectively.

Cobalt Strike also allows bad actors to deploy spear phishing campaigns, which involve the use of phony emails as a means to deliver malware. Compared to traditional phishing attacks, spear phishing emails are carefully crafted to get a single recipient to respond.

Additionally, Cobalt Strike uses a tool called Beacon to discover client-side applications and control and communication with malware deployed to a victim network. Beacon is Cobalt Strike’s default malware payload, and it allows attackers to collect information and manually direct a cyberattack.

Cobalt Strike has been used in multiple high profile cyberattacks, from as early as 2016. In December 2020, threat actors used Cobalt Strike to deploy a large-scale supply chain attack on SolarWinds. In May 2021. Microsoft outlined new email-based Cobalt Strike Beacon activity used by Nobelium threat actors.

Cobalt Strike’s versatility makes it extremely difficult to defend against, since it leverages common and highly effective infection vectors. Cobalt Strike also has a wide range of capabilities, making a single containment technique inadequate for protecting an organization’s entire network. Initial prevention and detection are paramount to mitigating risk.

HC3 recommended applying mitigation techniques and reducing the attack surface by protecting against known vulnerabilities, implementing anti-phishing safeguards, and monitoring remote access capabilities.

“Don’t just prepare for it if you are a healthcare or public health organization,” HC3 cautioned. “Expect it.”

Threat actors have become increasingly emboldened by the chaos of the pandemic, which has allowed them to target overwhelmed organizations across all sectors. Healthcare is particularly vulnerable due to the potential patient safety risks that come along with a cyberattack. Hackers do not need to come up with innovative new ways to attack because the existing methods remain extremely effective. It is vital that organizations implement preventive measures to protect their networks and patients.