Disrupting Cracked Cobalt Strike: A Comprehensive Takedown Strategy
In the January 1, 2025, episode of the CyberWire Daily podcast titled "Disrupting Cracked Cobalt Strike [The Microsoft Threat Intelligence Podcast]," host Sherrod DeGrippo examines an operation aimed at dismantling the malicious use of Cobalt Strike, a legitimate adversary emulation tool repurposed by cybercriminals for ransomware attacks. Joined by Richard Boscovich (Bosco), Assistant General Counsel at Microsoft; Jason Lyons, Principal Investigator with Microsoft's Digital Crimes Unit (DCU); and Bob Erdman, Associate VP of Research and Development at Fortra, the discussion lays out the legal, technical, and operational moves that led to a significant reduction in the abuse of cracked Cobalt Strike.
Understanding Cobalt Strike and Its Misuse
Cobalt Strike is an adversary emulation tool widely used by cybersecurity professionals to test and enhance their network defenses. However, its powerful capabilities have made it a favorite among threat actors who illicitly acquire and modify the software—referred to as "cracked Cobalt Strike"—to orchestrate sophisticated cyberattacks.
Bob Erdman explains, “Cobalt Strike is an adversary emulation or red teaming tool… [it] allows defenders to go in and test the defenses inside of the networks” (04:27). During the COVID-19 pandemic, cracked versions proliferated noticeably, giving cybercriminals a ready-made post-exploitation framework for ransomware operations.
The Collaborative Effort: Microsoft and Fortra Unite
The initiative to combat cracked Cobalt Strike began in earnest around 2021, driven by the escalating threat of ransomware. Richard Boscovich shares, “We have a lot of different internal teams inside Microsoft that do a lot of different great work… examining the ransomware ecosystem, there kept being one commonality popping up… the use of cracked legacy Cobalt Strike” (02:01).
Recognizing the need for a unified approach, Microsoft partnered with Fortra, whose team, led by Bob Erdman, had been independently tracking the abuse of Cobalt Strike. The collaboration combined Microsoft's broad threat intelligence with Fortra's first-hand knowledge of the tool, including which licenses and builds were legitimate.
Innovative Legal Strategy: Leveraging the DMCA
One of the most pioneering aspects of this operation was the strategic use of the Digital Millennium Copyright Act (DMCA) to take down cracked Cobalt Strike instances. Traditionally, the DMCA has been employed to protect copyrighted material like music, movies, and software from unauthorized distribution. Jason Lyons provides insight into this novel application:
“The DMCA… was originally meant to protect copyrights, copyright holders… what we did at the DCU… was try to expand our tool set from a legal perspective and include the DMCA in a unique way” (04:49).
Building on the precedent set by the Google v. Oracle case, Lyons and his team determined that the APIs within Cobalt Strike were copyrightable. This legal interpretation allowed them to use the DMCA as a mechanism to target and dismantle the distribution networks and hosting infrastructure of cracked Cobalt Strike.
Sherrod DeGrippo summarizes the impact of this strategy: “The DMCA is like a big old ban hammer… it's a door” (09:46), highlighting its effectiveness in swiftly removing infringing content.
Implementation: A Multi-Source and Automated Approach
The operation employed a comprehensive, multi-source approach to identify and verify instances of cracked Cobalt Strike:
- Data Aggregation: Utilizing tools like Windows Defender, Shodan, RiskIQ, and open-source intelligence to collect data on Cobalt Strike beacons.
- Watermark Analysis: Conducting frequency analyses of watermarks within the software to distinguish between legitimate and cracked versions.
- Definitive Identification: Partnering with Fortra to obtain an authoritative list of compromised copies.
- Automation: Developing automated systems to handle the vast volume of data. Richard Boscovich notes, “We built crawlers and emulators… averaging a couple thousand a day emails going out” (21:16), underscoring the scalability of their approach.
Bob Erdman adds, “The messaging that's going out is actually targeted by the place that we're seeing the infrastructure” (21:34), indicating that DMCA notifications are tailored to the geographic and jurisdictional context of the hosting provider.
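The watermark frequency analysis and multi-source aggregation described above, as an added illustration that is not the Microsoft or Fortra teams' own code: constructed beacon sightings from several sources are grouped by watermark, a watermark observed on many unrelated hosts is flagged as likely cracked (one legitimate license should not be scattered across the internet), and a constructed stand-in for the vendor's authoritative list takes precedence over the heuristic. Source names, host addresses, watermark values and the host threshold are all assumptions.

```python
from collections import defaultdict

# Constructed beacon observations, as if aggregated from several sources.
# Fields: (source, host, watermark). All values are made up for this example.
OBSERVATIONS = [
    ("defender", "198.51.100.10", 111111),
    ("shodan", "198.51.100.10", 111111),
    ("shodan", "203.0.113.5", 111111),
    ("riskiq", "203.0.113.77", 111111),
    ("osint", "192.0.2.44", 111111),
    ("shodan", "192.0.2.9", 222222),
    ("riskiq", "192.0.2.9", 222222),
    ("defender", "198.51.100.200", 333333),
]

# Constructed stand-in for the vendor's authoritative list of compromised
# license watermarks (hypothetical value, not a real indicator).
VENDOR_CONFIRMED_CRACKED = {333333}


def watermark_spread(observations):
    """Group sightings by watermark; count distinct hosts and distinct sources."""
    hosts = defaultdict(set)
    sources = defaultdict(set)
    for source, host, wm in observations:
        hosts[wm].add(host)
        sources[wm].add(source)
    return {wm: {"hosts": len(hosts[wm]), "sources": len(sources[wm])} for wm in hosts}


def classify(observations, confirmed, host_threshold=3):
    """Return {watermark: verdict}. Vendor confirmation wins; otherwise a
    watermark spread across >= host_threshold hosts is treated as a shared
    cracked build, and anything narrower is left as low-spread (unverified)."""
    verdicts = {}
    for wm, stats in watermark_spread(observations).items():
        if wm in confirmed:
            verdicts[wm] = "confirmed-cracked"
        elif stats["hosts"] >= host_threshold:
            verdicts[wm] = "likely-cracked"
        else:
            verdicts[wm] = "low-spread"
    return verdicts


def takedown_candidates(observations, confirmed, host_threshold=3):
    """Hosts whose beacon watermark is confirmed or likely cracked, sorted for the notice queue."""
    verdicts = classify(observations, confirmed, host_threshold)
    flagged = {host for _, host, wm in observations if verdicts[wm] != "low-spread"}
    return sorted(flagged)
```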
Significant Impact and Results
The concerted effort led to a dramatic decline in the availability and use of cracked Cobalt Strike:
- Reduction in Active Servers: From 1,000 to a few hundred daily instances (19:57).
- Decrease in Distribution: Over a 50% reduction in active systems, with expectations to continue pushing toward zero (18:48).
- Geographical Consolidation: A shift in the hosting regions made it easier to defend against threats by localizing their origins.
Richard Boscovich emphasizes the operation's scale: “We were not only targeting domains that were hosting cracked Cobalt Strike, we were targeting also just pure IP hosting… What we built was huge” (19:57).
Future Directions and Ongoing Efforts
The success against cracked Cobalt Strike sets a precedent for future operations targeting other malicious tools and infrastructures. Bob Erdman outlines the next steps:
“We work in a lot of areas other than Cobalt Strike… applying these techniques to phishing kits as a service and other larger ecosystems” (24:57).
The team anticipates this to be a multi-year effort, continuously adapting strategies to stay ahead of evolving cyber threats.
Ensuring Internal Security and Clean Infrastructure
Before launching external takedowns, Microsoft ensured that its own infrastructure was free from cracked Cobalt Strike instances. Richard Boscovich explains the internal measures:
“The first operational phase… was to make sure that our own house was clean before we started going out and sending takedown notices to other providers” (29:27).
This involved scanning Azure for cracked Cobalt Strike instances and putting automated takedown processes in place so that Microsoft's own infrastructure stayed clean while external notices went out.
Coordination with Law Enforcement
A critical component of the operation was coordinating with law enforcement to balance civil takedown actions with ongoing criminal investigations. Jason Lyons elaborates:
“We wanted to make sure that our visibility was also visible to law enforcement… allowing us to clean up as much of the ecosystem as possible whilst allowing law enforcement to complete their work” (31:38).
This coordination ensured that takedowns did not hinder criminal investigations, enabling a dual approach of immediate threat mitigation and long-term deterrence.
Conclusion: A Model for Cybersecurity Defense
The operation against cracked Cobalt Strike exemplifies how innovative legal strategies, combined with technical expertise and collaborative efforts, can effectively disrupt cybercriminal activities. By repurposing the DMCA and automating takedown processes, Microsoft and Fortra have significantly curtailed the abuse of a critical cybersecurity tool, thereby enhancing global defenses against ransomware and other cyber threats.
As Jason Lyons aptly puts it, “Sometimes you don’t need new law to address a problem. You just have to be able to use what you have and use it in a unique and novel way” (27:55). This approach serves as a blueprint for future initiatives aimed at safeguarding the digital landscape.
This summary encapsulates the key discussions and insights from the podcast episode, providing a comprehensive overview for those who haven't listened to the full broadcast.