A new white paper from the Department of Health and Human Services Cybersecurity Coordination Center reminds healthcare providers that some of the legitimate security tools they rely on are also commonly abused by threat actors to deploy attacks or worsen the impact of an exploit.
The resource names a number of commonly used security tools, like Cobalt Strike, PowerShell, Mimikatz, Sysinternals, Anydesk, and Brute Ratel, as examples.
“The same tools used to operate, maintain and secure healthcare systems and networks can also be turned against their own infrastructure,” HC3 warned.
HC3 is not endorsing or criticizing the legitimate tools detailed in the report, “nor is it a call for healthcare organizations to avoid them." Rather, it’s a call for entities to evaluate open source or vendor tools and capabilities prior to purchase or deployment to determine the possible risks against the benefits.
One of the most prolific of these is Cobalt Strike, "the primary tool used for adversary emulation" that is able to emulate highly customizable phishing attacks and can simulate many environments. The tool has been abused for malicious purposes for the last five years.
Cobalt Strike is a commonly used remote access tool able to orchestrate cyberattacks and has been frequently used by prolific groups like Emotet, Ryuk, Conti, and the Cuba ransomware group. Namely, the Cobalt Strike Beacon was among the many tools leveraged in the massive SolarWinds supply-chain attack.
Another commonly used tool, PowerShell, “give administrators the ability to manage their networks, but also allow for opportunities for attackers to compromise resources.” From active directory, to third-party modules, these tools are regularly abused by dozens of nation-state threat groups.
Defending against PowerShell abuse can be complicated, because it often means blocking group or security policies, or disabling access to PowerShell ISE altogether. However, the U.S. government recommends not disabling the tool due to its functionality. Other agencies like the NSA and Cybersecurity and Infrastructure Security Agency has previously provided guidance on best practice defense for PowerShell.
The report details each legitimate tool, the threat actors who abuse them, and the tactics used to accomplish their malicious goals. As demonstrated with its defense mitigations for Cobalt Strike, remediation and containment strategies for these threats can be a challenge in any environment for many healthcare organizations.
“The tools in this presentation represent especially challenging security issues,” HC3 concluded. “Mitigating the risk associated with them is not as simple as deploying a patch or reconfiguring an application. Several of them are resident on common systems, making them even more challenging to detect when used maliciously.”