The Health Sector Cybersecurity Coordination Center (HC3) of HHS has warned the healthcare industry that cyber attackers are using the Cobalt Strike penetration testing tool in attacks.
Cobalt Strike is a powerful red team tool used by penetration testers when carrying out risk and vulnerability assessments; however, it can also be misused. Cyber attackers are increasingly using it in attacks on the public and private health sectors.
Cobalt Strike can be used for reconnaissance to gather valuable information about the target's infrastructure, allowing attackers to determine how best to spend their time when attacking healthcare networks. The System Profiler feature identifies the client-side applications used by a target and reports their versions. It starts a local web server, fingerprints visitors, discovers internal IP addresses behind a proxy, and collects reconnaissance data about the visitor's browser and installed applications.
Cobalt Strike includes a spear phishing tool that can be used to create and send convincing phishing emails in arbitrary message styles. It rewrites links and text in the messages, sends them, and tracks who clicks.
Beacon, the framework's payload, uses Malleable C2 profiles to change its network indicators, communicates over HTTP, HTTPS, or DNS to egress a network, and can link Beacons peer-to-peer over SMB named pipes, whose traffic is hard to tell apart from normal Windows traffic. Beacon is also used for post-exploitation: it can run PowerShell scripts, log keystrokes, capture screenshots, deploy additional malicious payloads, and exfiltrate files. Cobalt Strike also includes attack packages that support each stage of an attack, including the ability to turn an ordinary file into a Trojan horse.
Using browser pivoting, Cobalt Strike can bypass two-factor authentication and gain access to targeted websites: client SSL certificates, cookies, and authenticated HTTP sessions on a compromised machine are used to hijack the user's already-authenticated web sessions. Through the Cobalt Strike team server, attackers can share data, communicate in real time, and retain full control of compromised systems.
Because Cobalt Strike is a comprehensive penetration testing framework, it offers far more features than most malware variants, which makes it a highly valuable tool for black hat attackers. Numerous nation-state hacking groups and cybercriminal gangs have used Cobalt Strike in attacks on the U.S. healthcare sector.
Given the extent to which the framework is used in cyberattacks, healthcare organizations should assume that Cobalt Strike may be used in targeted attacks against them and should put defenses in place accordingly, such as the countermeasures cataloged in the MITRE D3FEND framework.
Cobalt Strike is delivered through several infection vectors, which makes defending against attacks difficult, and there is no single containment strategy that works for the whole framework.
Cobalt Strike is commonly delivered by malware downloaders such as BazarLoader, which arrive in phishing emails. It is therefore vital to have advanced email security tools that can block phishing emails, and to provide regular security awareness training that teaches employees to recognize malicious emails carrying BazarLoader or other malware downloaders.
Attackers typically exploit known vulnerabilities in software applications and operating systems to gain access to healthcare networks. It is therefore crucial to maintain a complete inventory of devices and applications, and to apply patches promptly to remediate vulnerabilities. Healthcare organizations should also harden their remote access services against exploitation.
Detecting Cobalt Strike once it is installed is not easy. HC3 recommends using signatures and YARA rules for detection, together with endpoint security solutions. Further information is available in the HC3 Cobalt Strike white paper.
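As an illustration of the kind of signature-based detection HC3 refers to, the following Python script is an added example and is not code from HC3 or from the Cobalt Strike vendor. It scans web-server or proxy access logs for the "checksum8" stager URIs that Cobalt Strike's HTTP/HTTPS stagers inherit from Metasploit: the ASCII values of the request path (without the leading slash) sum, modulo 256, to 92 for an x86 stager or 93 for an x64 stager. The log lines are constructed for the example, and the 3-to-5 character length window is an assumption chosen to limit false positives (Cobalt Strike's default stager URI is four random alphanumeric characters).

```python
"""Flag HTTP requests whose path satisfies the Metasploit/Cobalt Strike
checksum8 stager test. Added example; sample log lines are constructed."""
import re
from typing import Iterable, List, Dict, Optional

# Values from Metasploit's URI checksum scheme, reused by Cobalt Strike stagers.
CHECKSUM8_X86 = 92
CHECKSUM8_X64 = 93

# Apache/nginx "combined" access-log format.
_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines: two benign requests, one x86 stager-shaped
# request, one x64 stager-shaped request, and one long path that is skipped.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Apr/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Apr/2021:10:01:03 +0000] "GET /blog HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [12/Apr/2021:10:01:09 +0000] "GET /z9q8 HTTP/1.1" 200 210944 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '10.0.0.9 - - [12/Apr/2021:10:02:41 +0000] "GET /mE3x HTTP/1.1" 200 262144 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"',
    '10.0.0.5 - - [12/Apr/2021:10:03:00 +0000] "GET /api/v1/users?id=7 HTTP/1.1" 200 311 "-" "curl/7.68.0"',
]


def checksum8(path: str) -> int:
    """Sum of the ASCII byte values of the path, modulo 256."""
    return sum(path.encode("ascii", errors="ignore")) % 256


def stager_arch(target: str) -> Optional[str]:
    """Return 'x86' or 'x64' if the request target looks like a checksum8
    stager URI, otherwise None. Query strings are ignored; the 3-5 character
    alphanumeric window is an assumption to keep false positives down."""
    path = target.split("?", 1)[0].lstrip("/")
    if not (3 <= len(path) <= 5) or not path.isalnum():
        return None
    value = checksum8(path)
    if value == CHECKSUM8_X86:
        return "x86"
    if value == CHECKSUM8_X64:
        return "x64"
    return None


def scan_access_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Parse combined-format log lines and return the stager-shaped requests,
    keeping the fields an analyst needs to pivot on (source, response size)."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        match = _LOG_RE.match(line)
        if not match:
            continue
        arch = stager_arch(match["target"])
        if arch is None:
            continue
        size = match["size"]
        hits.append({
            "src": match["src"],
            "ts": match["ts"],
            "target": match["target"],
            "arch": arch,
            "status": int(match["status"]),
            "size": None if size == "-" else int(size),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["src"]} requested {hit["target"]} '
              f'({hit["arch"]} stager-shaped, {hit["size"]} bytes returned)')
```

A random four-character path passes the checksum8 test with probability 1/256 for each architecture, so this is a triage signal rather than proof: pair a hit with the size of the response (a staged Beacon is hundreds of kilobytes) and with the other indicators in the HC3 white paper before acting on it.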