HC3: Cobalt Strike Penetration Testing Framework Increasingly Used in Cyberattacks on Healthcare Organizations

Share this article on:

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a threat brief for the healthcare industry warning about the use of the Cobalt Strike penetration testing tool by cyber threat actors.

Cobalt Strike is a powerful red team tool used by penetration testers when conducting risk and vulnerability assessments, but it can also be abused and is increasingly being used by cyber threat actors in attacks on the healthcare and public health sector.

Cobalt Strike can be used for reconnaissance to gain valuable information about the target infrastructure to allow threat actors to determine the best use of their time when attacking healthcare networks. The system profiler function can be used to discover client-side applications used by a target and provides version information. The system profiler starts a local web server, fingerprints visitors, identifies internal IP addresses behind a proxy, and obtains reconnaissance data from the weblog, applications, and provides information on targets.

Cobalt Strike includes a spear phish tool that can be used to create and send fake emails using arbitrary message templates. If a message is imported, Cobalt Strike will replace links/text and create and send convincing phishing emails and track users that click.

The Beacon tool is used to discover client-side applications and versions and allows the loading of malleable command and control profiles, uses HTTP/HTTPS/DNS to egress a network, and named pipes to control Beacons, peer-to-peer, over SMB for covert communications. Beacon can also be used for post-exploitation and can execute PowerShell scripts, log keystrokes, take screenshots, download files, and spawn other malicious payloads. Cobalt Strike also uses attack packages to allow attacks to progress through their many stages and has the capability to transform innocent files into a Trojan horse.

Cobalt Strike uses browser pivoting, which can be used to bypass 2-factor authentication and access sites as the target. Cookies, authenticated HTTP sessions, and client SSL certifications can be leveraged to hijack a compromised user’s authenticated web sessions. Using the Cobalt Strike team server, attackers can share data, communicate in real-time, and take full control of compromised systems.

Cobalt Strike is a powerful penetration testing tool and since it is an entire framework, it has many more capabilities than most malware variants, which makes it a valuable tool for black hat hackers, and many nation-state hacking groups and cybercriminal organizations have been using Cobalt Strike in attacks on the healthcare sector in the United States.

Given the extent to which the framework is used in cyberattacks, healthcare organizations should work on the assumption that Cobalt Strike will be used in an attack and should therefore focus on prevention and detection strategies and follow the MITRE D3FEND framework.

Cobalt Strike is delivered by many different infection vectors, so defending against attacks can be difficult. There is also no single containment technique that is effective against the framework as a whole.

Cobalt Strike is often delivered via malware downloaders such as BazarLoader, which are often delivered using phishing emails containing malicious Office files. It is therefore important to implement advanced email security defenses that can block phishing threats and provide ongoing security awareness training to the workforce to teach employees to identify malicious messages containing malware downloaders such as BazarLoader.

Threat actors often exploit known vulnerabilities in software and operating systems to gain access to healthcare networks. It is therefore important to ensure a full inventory of devices and software is maintained, and patches or other mitigating measures are implemented to address vulnerabilities promptly. Healthcare organizations should also improve their defenses against attacks abusing their remote access capabilities.

Detecting Cobalt Strike once installed can be a challenge. HC3 recommends using signatures for intrusion detection and endpoint security systems and Yara Rules. Further information can be found in the HC3 Cobalt Strike White Paper.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On