From the Microsoft Blog published July 31, 2023
Written by Vanessa Ho
Link to the full blog:
Excerpt from the blog:
After tricking an employee with a phishing email and a poisoned spreadsheet, hackers used the employee’s infected computer to break into Ireland’s public health system and tunnel through the network for weeks. They prowled from hospital to hospital, browsed folders, opened private files and spread the infection to thousands of other computers and servers.
By the time they made their ransom demand, they had hijacked more than 80% of the IT system, forcing the organization of over 100,000 people offline and jeopardizing the lives of thousands of patients.
The attackers unleashed the 2021 assault on Ireland’s Health Service Executive (HSE) with help from a “cracked,” or abused and unauthorized, legacy version of a powerful tool. Used by legitimate security professionals to simulate cyberattacks in defense testing, the tool has also become a favorite instrument of criminals who steal and manipulate older versions to launch ransomware attacks around the world. In the last two years, hackers have used cracked copies of the tool, Cobalt Strike, to try and infect roughly 1.5 million devices.
But Microsoft and Fortra, the tool’s owner, are now armed with a court order authorizing them to seize and block infrastructure linked to cracked versions of the software. The order also allows Microsoft to disrupt infrastructure associated with abuse of its software code, which criminals have used to disable antivirus systems in some of the attacks. Since the order was executed in April, the number of infected IP addresses has since plummeted.
“The message we want to send in cases like these is: ‘If you think you’re going to get away with weaponizing our products, you’re in for a rude awakening,’” says Richard Boscovich, assistant general counsel for Microsoft’s Digital Crimes Unit (DCU) and head of the unit’s Malware Analysis & Disruption team.
Health-ISAC quote in the blog:
Many victims attacked with cracked Cobalt Strike have been health care organizations forced to cancel surgeries, divert ambulances and delay treatment. That trend prompted Health-ISAC, a cyberthreat information-sharing association of 800 health organizations, to join the lawsuit as a co-plaintiff.
“We’re talking about people’s lives being at stake,” says Errol Weiss, Health-ISAC chief security officer.