CyberWire Daily - Disrupting Cracked Cobalt Strike [The Microsoft Threat Intelligence Podcast]
Episode Date: January 1, 2025
While we are on our winter publishing break, please enjoy an episode of our N2K CyberWire network show, The Microsoft Threat Intelligence Podcast by Microsoft Threat Intelligence. See you in 2025!
On this week's episode of The Microsoft Threat Intelligence Podcast, we discuss the collaborative effort between Microsoft and Fortra to combat the illegal use of cracked Cobalt Strike software, which is commonly employed in ransomware attacks. To break down the situation, our host, Sherrod DeGrippo, is joined by Richard Boscovich, Assistant General Counsel at Microsoft, Jason Lyons, Principal Investigator with the DCU, and Bob Erdman, Associate VP Research and Development at Fortra. The discussion covers the creative use of DMCA notifications tailored by geographic region to combat cybercrime globally. The group expresses their optimism about applying these successful techniques to other areas, such as phishing kits, and highlights ongoing efforts to make Cobalt Strike harder to abuse.
In this episode you'll learn:
The impact on detection engineers due to the crackdown on cracked Cobalt Strike
Extensive automation used to detect and dismantle large-scale threats
How the team used the DMCA creatively to combat cybercrime
Some questions we ask:
Do you encounter any pushback when issuing DMCA notifications?
How do you plan to proceed following the success of this operation?
Can you explain the legal mechanisms behind this take-down?
Resources:
View Jason Lyons on LinkedIn
View Bob Erdman on LinkedIn
View Richard Boscovich on LinkedIn
View Sherrod DeGrippo on LinkedIn
Related Microsoft Podcasts:
Afternoon Cyber Tea with Ann Johnson
The BlueHat Podcast
Uncovering Hidden Risks
Discover and follow other Microsoft podcasts at microsoft.com/podcasts
Get the latest threat intelligence insights and guidance at Microsoft Security Insider
The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of the N2K media network.
Transcript
Welcome to the Microsoft Threat Intelligence Podcast.
I'm Sherrod DeGrippo.
Ever wanted to step into the shadowy realm of digital espionage,
cybercrime, social engineering, fraud?
Well, each week, dive deep with us into the underground.
Come here for Microsoft's elite threat intelligence researchers.
Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity.
It might get a little weird.
But don't worry, I'm your guide to the back alleys of the threat landscape.
The effort to knock cracked Cobalt Strike offline began in 2021 when DCU, an eclectic global group of cybercrime fighters, wanted to make a bigger dent on the rise in ransomware attacks.
Previous operations had targeted individual botnets like TrickBot and Necurs separately.
But ransomware investigator Jason Lyons proposed a major operation targeting many malware groups and focused on what they had in common, their
use of cracked, legacy Cobalt Strike.
Welcome to the Microsoft Threat Intelligence Podcast, and oh boy, we're talking Cracked
Cobalt Strike takedown, and I am joined by my guests, Richard Boscovich, also known as
Bosco, Assistant General Counsel at Microsoft,
Jason Lyons, Principal Investigator with the DCU at Microsoft, and Bob Erdman, Associate VP Research and Development at Fortra. Thank you for joining me.
Thanks for having us.
Thank you.
There's a lot of really interesting articles written about the Cobalt Strike takedown.
And it happened about a year ago. So I think,
Jason, since you're sort of the lead in the technical aspect of the start of this, can you
kind of walk me through what happened here and why Microsoft chose to partner with Fortra to
take down cracked Cobalt Strike?
Yeah, so there was obviously, I think we started about two years ago,
and really a renewed effort to really understand the ransomware ecosystem. There was a lot of
effort inside Microsoft to really understand how ransomware was impacting our customers around the
world, not only from an antivirus protection or OS protection, but there was also from a digital
crime unit perspective of how do we identify these threat actors? How do we
possibly disrupt ransomware? And what are
the possible mechanisms we could use to disrupt the distribution of ransomware?
So we have a lot of different internal teams inside Microsoft
that do a lot of different great work. We have our incident response folks who
respond to customer environments. We have our MSTIC folks that are tracking and grouping threat actors
together. So there's a lot of input signals inside Microsoft. And as I was examining the ransomware
ecosystem, there kept being one commonality popping up, and that was the use of cracked Cobalt Strike
in these ransomware attacks.
So, Bob, help me understand, with Cobalt Strike,
which, being in the trenches for a long time,
we've battled cracked Cobalt Strike for years,
help me understand legitimately what Cobalt Strike is used for
and then what threat actors were doing with it.
So Cobalt Strike is an adversary emulation or red teaming tool. So it allows defenders to go in and
test the defenses inside of the networks, look for areas that could be compromised by a threat actor
and show how they could harden that, make sure that they're giving the best protection to their enterprises that they can.
And what we had, this is a tool that Fortra took over a few years ago, developed by somebody else,
and then we brought that into our fold of our security tools. And what we're seeing,
and I think it especially started to grow in proliferation during COVID, was that threat
actors were getting copies of the tool illegally and using it for the
same types of purposes. They were going out and working into an enterprise and then using Cobalt
Strike as part of their attack chain and using it to gain lateral movement and exfiltrate data
from unsuspecting victims. So this is something that we have been working on and we're really
happy to work with Microsoft
to even have a greater effect on this.
So I guess now is a great time to ask Bosco,
I don't understand the legal mechanisms here
to take something like this down.
I know that it leveraged DMCA,
which I think is creative and wild
and the DMCA is so controversial.
Whose idea was this?
Where did this come from?
Help us understand from
a legal perspective, like how did this happen? Yeah, the DMCA has always polarized a lot of
people on both sides, right? It was originally meant the Digital Millennium Copyright Act
came, it's been around for a long time. And its main purpose, if not its primary purpose, was to
protect copyrights, copyright holders. And when you think about the statute itself,
it was meant to protect music, artists, movies,
things like that, and any type of copyrighted work.
What we did at the DCU a couple of operations ago,
so to speak, is try to expand our tool set
from a legal perspective and include the DMCA
in a unique way, specifically against Zloader
and Necurs, where we started looking at malware and trying to understand whether or not the
malware was using any of our APIs or SDKs in their processes.
And the reason why we came up with that idea: there was a case called Google versus Oracle, which actually
ended up going to Supreme Court. It was a Ninth Circuit case. And one of the key issues there,
if not the issue, was the use of Java by Google, which of course is owned by Oracle. Long story
short, the concept of whether APIs fall within copyright protection was addressed in that case.
And then eventually it went to the Supreme Court.
And although the case itself was overruled,
meaning that Google won the war in the sense that,
hey, the court said that it was fair use,
but the underlying legal concept
that APIs are in fact copyrightable remained.
So that's still good law.
So we wanted to check to see whether or not
we could use that for one primary purpose
when we did a couple of operations
before the actual Cobalt Strike operation.
And that was, can we kind of get around
the Computer Decency Act Section 230,
which gives immunity to a lot of hosting providers.
And there's a lot of
good hosting providers, but there's some hosting providers that are somewhat recalcitrant in how
they react.
I love that. They're recalcitrant. And is this typically referred to as the safe harbor
piece?
Yes.
Okay. So it's the safe harbor of the DMCA, which, to my understanding, protects ISPs: if it's automatically uploaded, then, hey, not liable as a hosting provider.
And the CDA, yes.
And the CDA.
Yeah, Section 230, which is actually getting a lot of attention the last couple of years.
So the great thing about the DMCA, it's really currently the only exception to that Section 230.
So there was a carve-out in the DMCA.
So I looked at that and said, this is what we should probably try to leverage to be much
more aggressive in our takedowns when it comes down to infringing malware or command and
control structures.
So we tested that concept in a couple of cases previously, and it worked. The courts agreed. They relied on the Google Oracle case, and then they said yes, that it in fact is applicable.
hammer possible, which is the DMCA hammer, to take away and take down these cracked versions of Cobalt Strike, which of course are copyrightable.
And also we did a lot of reverse engineering, and this is something that Jason Lyons could
talk to on some of the ransomware that was being dropped after the leveraging of Cobalt
Strike.
And a lot of that reverse engineering, again, identified APIs belonging to Microsoft,
which are copyrightable and have been copyrighted in those ransomware samples as well.
So it was kind of looking at it from a nice holistic way of getting the most leverage possible
to persuade aggressively these hosting providers to
take those C2s or infringing sites down which were hosting, distributing, or
somehow leveraging Cobalt Strike. And it was very very effective because remember
the DMCA and here's really the kicker is that they have the statute itself has
very serious financial penalties. If it's not taking down, the fines
in the DMCA go up very fast. In fact, there was a case that we filed in the eastern district of
Virginia, which was interesting. We were filing one of our cases, and I think I was there with
Jason Lyons. And it might have been TrickBot or Zloader, I don't remember right now. But there
was a jury that was about to be instructed and had just left.
And little did we know that a couple of months later, we find out that that was the jury that awarded. In the DMCA case, I think it was something upwards of a billion dollar jury verdict against a
major internet service provider or telco company. So that shows you how big a hammer the DMCA is.
So it's a very great cause of action to use in these cases.
You could even say the DMCA is a banhammer in a way.
It's a big old banhammer.
It's a thorn.
So I guess, Jason, the question for you then is,
it sounds like you were able to find a lot of cracked Cobalt Strike instances out there,
either via beacons or servers.
How did you find those?
Yeah, so we took a multi-source approach
to identifying what we believed to be cracked Cobalt Strike.
The kicker is that the only people that really know
what is cracked or compromised Cobalt Strike is Fortra.
Right, so I was going through this exercise
of working with our Windows
Defender folks, collecting beacons because Windows Defender detects any version of Cobalt
Strike as malware. We were using some open source tools like Shodan and other threat
intelligence companies like RiskIQ, which is now a Microsoft company, some of their
threat intelligence because all these different services were out there collecting cracked
Cobalt Strike beacons.
And so we just started collecting as much data as we could from multiple sources and
then doing basically like a frequency analysis of like what watermarks of Cobalt Strike do
we see the most frequently?
And then obviously looking and extracting the value out of those watermarks, you can
quickly kind of tell what's been cracked or forged.
But again, it's all theoretical exercise
until we were able to partner with Fortra,
who they could actually give us the definitive list
of what was cracked according to them.
And then we could apply that to our takedown pipeline.
Bob, how'd you make that decision?
I think it was a pretty easy one for us.
Fortra on its own was kind of hitting down that same path.
We were doing our own surveys and investigations.
We had our own set of partners that we were working with to gather data on where we were seeing these things out across the internet.
And we were actually using the DMCA in much more of a traditional fashion, looking for
the places that the software was being shared, where these actors are getting their copies
from, and then using the DMCA to knock down those sharing sites and those places where
the files were proliferating.
But once Microsoft reached out, being able to combine the telemetry data that they were
seeing, which in a large part was different than the telemetry data that we were seeing.
It really gave us a much broader picture
of what was going on in the internet at wide.
And then it's very easy for us to tell
as the license issuers,
which copies were legitimate and which copies weren't.
Sometimes it's easy.
Jason can look at a fake watermark
and it's pretty obviously fake.
But a lot of times we can't really tell
without going back and seeing if it had ever been issued
or maybe it was issued and somebody lost control
of their environment and ended up being compromised.
Those also go on the list.
So it let us quickly make that determination
and really Microsoft had a bigger scale
than we could go after.
We weren't seeing all the effects that we wanted to
and being able to partner,
let us combine forces and really reach out a lot farther.
So prior to the contact from Microsoft, you were doing
traditional DMCA notification submissions to ISPs that had like forums and hosting of cracked Cobalt
Strike?
Social media type sites, forums and hosting, anonymous file share sites, and passing
IOCs out to the community.
But it was really more,
we see this server over here and we know it's bad.
Here's an IP and a port,
but we didn't have the tools to really take it down.
We could just identify it
and try and make everybody know that it's there.
So it was really giving us one more step in the chain
to really go after these providers
and knock it down with the DMCA theory that Bosco provided.
So Bosco, that makes me want to ask you then, it sounds like this strategy was not to just submit the traditional DMCA notification to hosts.
What did we do that was different than that, that leveraged the DMCA?
Because I saw there was like an order from a judge that gave us some kind of extra legitimacy. What is that?
The DMCA itself has a statutory mechanism and depending on how you kind of set up the
program in and of itself is really, as we mentioned earlier, a big hammer. And of course
the financial penalties. But it's kind of a series. You really have to follow the statute
very carefully. It's kind of a quick interaction between where a notification goes out, which has to provide a certain amount of quantitative information.
That information, there's going to be a response.
And depending on the response, it's taken down or there's a potential for litigation.
That's the traditional statutory DMCA, which is very effective, but it takes some time.
What we've done is that we went ahead and we said, okay, we're going to have causes of action of the DMCA, but we're going to get court orders.
Now, the court order changes the dynamics of that statutory dance of communications
back and forth and accelerates it because now there's a federal court order directed
at the hosting provider.
So you speed things up exponentially.
So that process of taking things down goes much, much faster.
So that's what we did.
We kind of accelerated the process by seeking the court's intervention via court orders
pursuant to the DMCA and a host of other, both common law and other types of causes of action,
to accelerate the takedown process.
Not only on the site's hosting, but there was always a component of domain seizure,
which was very integral to the operation and was going in parallel also with court orders
to seize domains that were also leveraging cracked Cobalt Strike.
That is so fascinating because
that's not the traditional understanding that most people have to the way the DMCA is leveraged.
To my understanding, you submit a DMCA notification to a host that you're a copyright owner,
and that user that's uploaded has the option to take it down or submit a counter notification
saying, hey, get out of here. If you really want to deal with this, take me to court.
So my question is, did we get any kind of pushback or counter DMCAs or anybody that said, hey,
I'm not taking this out?
No, not a single one.
Okay.
Not domestically. I mean, obviously we're talking within the U.S. jurisdiction. Once the court order came back in, and to the credit,
both of Fortra and Jason Lyons and the DCU and Microsoft teams, we presented overwhelming evidence and very
specific evidence to the court. And that really assisted us in getting these orders and kind of
really made the court's job easier from that perspective. And once we had those orders locked
in, it was basically, you know, it goes out, the order goes out, the sites go down.
And what do you think it was that was compelling to a judge to say,
you know what, enough is enough, I'm ready to do an order? Well, that's a great question,
especially when it comes to the domain seizure side. One of the things that a lot of lawyers understand is that the courts are really overburdened. They're listening to a lot of
cases, a lot of criminal cases, a lot of cases even at the federal level. So many times when a federal judge sees a copyright or an IP type case from a civil perspective, they kind of view it, oh my God, it's Microsoft or it's Fortra or it could be whatever multinational coming in trying to protect itself.
It deals with the case a little bit differently.
What we try to do and what we have to do, especially on the domain seizure side,
because we're seizing something ex parte, that we're going to seize the domain first and then give notice to the defendant, there's a balancing test that we have to do
because that's a constitutional question, and that is a balancing test on
does the public harm outweigh the defendant's right to prior notice? So what that
means basically is that we have to show that, hey, yeah, this is an IP case, it's a copyright case, you
want to seize something, but it's not only to protect Microsoft's IP or to protect Fortra's IP;
there's a huge public policy, public safety interest. And we always do a very good job in explaining, well, this is what's happening with the cracked
Cobalt Strike.
It's leading to all of these bad things happening to the public, to consumers, to end users.
And that's a very compelling argument.
It meets our requirement of the statute.
And it allows the court to view the case very differently from a
standard copyright case. And it becomes a case which is really more for public good, for public
welfare. I think that's so interesting because one of the constituents that you didn't mention
that I would like to mention is detection engineers really benefited from this because
for years, cracked Cobalt Strike was just a pain in the rear for those who create detections and security products.
Because it was a constant battle to say, oh, that's a cracked Cobalt Strike beacon.
So Bob, my question for you is, what has been the impact from your point of view, from your perspective over the past year?
What's the difference today versus before
this action took place for you? I think one of the biggest differences in the global surveys that we
perform with Microsoft and what we're seeing on a daily basis, where are things being used? How
much of this are we seeing? More than a 50% reduction in active systems. I mean, we're not
at zero. We know this is going to be a long-term effort, but the amount of systems that were proliferating has been greatly reduced. The places
that we were seeing the software shared have been greatly reduced. People are a little bit
scared now in some respects. We see people warning each other about being exposed up on the
internet and being bound by this effort.
And we've also seen kind of a geographic shift of where these things run from.
So when you're going to stand this up, you have to host it somewhere.
And just where those things are able to be hosted now because of these actions has kind
of pushed it into a smaller pocket of the globe, which makes it easier for people to
defend against just by knowing where it might be coming from.
So I guess from our side, Jason, from Microsoft's point of view, what's been the impact here? I know
that we've seen some botnets impacted. Have you sort of seen any difference in the past year that
relates to your visibility? Oh yeah, there's been a dramatic drop. And when we started, we would
observe an active thousand Cobalt Strike C2 servers a day, right?
And since the takedown, we're down to a couple hundred a day.
So it's been a dramatic increase.
And I just want to point out that the scope and scale of this operation was huge, right?
So we were not only targeting domains that were hosting Cobalt Strike. We were targeting also just pure IP hosting.
So we had to build all this automation in the background
to basically to be able to tackle this at scale.
And so we built what we call crawlers and emulators
that would go out and take these inputs
from the different sources I had mentioned earlier,
Defender, RiskIQ, Shodan, use that as inputs.
Our automation would go out and make contact with those C2s or domains,
confirm and download a beacon,
and then basically extract the watermark from those beacons and determine whether it's bad or good.
And then if it was bad or good,
it then would get kicked over to the DMCA automation email notification system,
which would then kick out automatic DMCA notifications
to, I think we're averaging a couple thousand a day emails of going out.
So the scale of this thing was huge.
I love that it's automated.
So essentially, we're using a bot to find and
destroy, to search and destroy
for cracked Cobalt Strike. Bob, you're laughing.
Don't you think that's kind of a good
characterization or no?
No, I do
think it's good. I was going to throw
even more in the automation that the messaging
that's going on is actually
targeted by the place that we're
seeing the infrastructure.
So there's even more automation that Jason's team has built
so that a message that might go out to a U.S.
provider is different than a message that might go out to a European provider
based on where we're seeing things.
Yeah, that's a good point.
We had like, I think we're up to like over 30 different email
notification templates for different countries.
Yes.
So Bosco did a lot of work on researching what laws we could use in certain countries
and areas that would basically effect some takedown.
Okay, well, that's a super nerdy thing that you've just walked me into, Bosco.
What's the global DMCA equivalent looking like?
I mean, there really is no exact equivalent now.
I mean, there's some EU regulations and security rules in the EU that were very
helpful and that act almost as fast. And I think there's some new legislation now since then that's
just passed that's really good. But we had to take a look and see if there are any unique
notification processes and templates that we'd have to use. And I'll give an example.
You know, for example,
in the case of cracked Cobalt Strike that were located in China,
you know, there are very specific ways
and who you have to notify.
And so we had to make sure
that our templates were consistent
with the local rules and laws
in that jurisdiction
and made sure that all of our notifications
went directly into that particular mailbox.
So it took some time.
There are a lot of templates,
but we've gotten some very good results,
even in a lot of the foreign jurisdictions,
which are outside of the ability of U.S. courts
to uphold any law,
simply by kind of leveraging their local regulations and notification processes.
That's incredible that you're essentially automating
a global notification and takedown
of a threat actor infrastructure
partnered with the legitimate software publisher of Fortra.
So I guess like kind of the next question is
where do we go from here? And Jason,
I'll ask you, like, it sounds like Cracked Cobalt Strike is a much reduced level than it was before
from a volume perspective. What's the criminals doing now? Like what's the next thing?
You know, there's always some new thing on the scene, right? And it just really depends on these actor groups and what they're comfortable with. You know, when you talk about the more sophisticated groups, you know, there's usually custom stuff that they create.
They also utilize basically, you know, cybercrime as a service. You know, you have these different service level providers that provide, you know, usage of botnets. You know, we got DarkGate out there. There's always another tool to replace
the last thing we took down. We also see also use of other post-exploit tools that are commercially
available as well. Not as prolific as what we saw, but there's always a mixed bag of people
taking open source tools that are used for pentesting and using them for cybercrime.
Very cool.
And Bob, tell me,
what are you seeing in terms of your next frontier
on dealing with Cracked Cobalt Strike
or other kinds of abuse that threat actors might do
leveraging your work?
Yeah, we work in a lot of areas other than Cobalt Strike.
We're trying to take these same kind of techniques
that we've seen here
and how successful this has been
and apply them to things like phishing kits as a service
and other larger ecosystems like this.
And I think it's really encouraging that we're seeing
more and more of these law enforcement operations
going after these larger sources,
knocking down whole environments,
whole threat actor groups,
all in one shot.
It's been great having the publicity around this because we're also getting more inputs,
and I think that's helping all of our jobs.
We're getting more reach out from private threat investigator-type parties.
We're getting more reach out from public law enforcement-type sources, feeding indicators,
and bringing those into the pool so we can run them through the pipeline and add them to the list. So that's been a really great thing to see. And
we're going to continue doing the same kind of work. This will be a multi-year effort as far
as Cobalt Strike. As the product's changing to make it harder to abuse, and then we're pushing
on the other end to anything that we find to be able to shut it down, we're going to keep pushing
towards that zero number in the future here.
Can you tell me just a little bit more about that?
Is there any specific points that are noteworthy
that you want to mention that you've done
to make Cobalt Strike harder to abuse?
So one of the things probably not everybody knows,
Cobalt Strike in itself is actually fairly well regulated.
There's a lot of export restrictions on these types of tools.
There's a huge vetting process that goes on in the background.
We deny about as many requests for license as we fulfill
because they don't meet the background when we check out
a different system. That's why you see so many of these being stolen, copied.
It's hard to purchase it the right way. As part of the efforts that we
had going on before we joined up with this action,
as we were finding these things out on a file share site
or a social media share, a Telegram channel, what have you,
we were pulling them apart internally
and then closing off loopholes in the product
where we might have seen a threat actor was able to crack a copy
and make an adjustment and use it illegitimately
by a certain method,
then we could shut that down and make changes in the actual software to make it harder for the
next time. And we're continuing to improve the resiliency of that front-end process from Fortra's
perspective, closing the things that they've been able to abuse, making it harder to obtain copies
illegitimately and make it easier to detect from the outside for
defenders so that we can push this whole process forward.
Awesome. I love that it's like this
continually evolving thing to make sure that cracked Cobalt Strike is kind of kept off the
streets. Bosco, I want to ask you just sort of, I think for my own curiosity, can you rate
the creativity level of using the DMCA for this? Is this something,
for me, I find this wildly creative, but in your world that's full of lawyers and DCU people,
was this kind of a like, oh yeah, that's fine? I mean, I think the most interesting aspect of it
was we always, for the past 15 years, we prided ourselves in developing and leveraging what would be standard,
either common law causes of action or any type of civil causes of action,
which were not necessarily meant to address cybercrime, but that we've been able to apply in novel ways. So it really was novel in its application,
especially when it came to the point of utilizing the copyrightability of APIs
after the Google and Oracle case came out.
So from that perspective, I think it's pretty novel.
It's pretty unique.
But it is consistent with what we've done in the past, and we've
developed our toolkit over the past decade to address these types of questions. In fact,
I think in the very near future, you're going to see some additional cases in which we're going to
be leveraging some very unique application of civil law, again, within the cybercrime context.
So the short answer is yes,
it's a unique application of a statute.
And I always like to say,
sometimes you don't necessarily need new law
to address a problem.
You just have to be able to use what you have
and use it in a unique and novel way
because the courts in common law are very receptive
and are able to adapt very quickly as we've seen over the past decade or so.
I love it. I've never heard such a creative use of the DMCA.
So that's been a really fascinating thing to see.
So Jason, I'm always worried about focusing on Microsoft being secure.
That's really important to me.
And so did we find any cracked Cobalt Strike
hanging out on Microsoft infrastructure?
How did we handle that?
Yeah, that was really the first operational phase of this operation
was to make sure that our own house was clean
before we started going out and sending takedown notices to other providers.
As you can imagine, that could be kind of a PR nightmare
if Azure was hosting a bunch of cracked Cobalt Strike, right?
So yeah, really the first phase is really to work with CDOC and get a really efficient takedown process.
We build a lot of...
What is CDOC?
CDOC is our Cyber Defense Center.
It's really an organization of multiple organizations that protect Azure and the different properties and products, Office, different things like that, and Microsoft.
So it's really kind of our central point of being able to do some internal takedowns.
Like I mentioned earlier, we built a lot of automation to make this stuff happen in real time.
So it was really an important point for us to make sure that we were keeping our own house clean.
And can you just give me just a little bit of detail on that?
Does that mean that we scanned Azure to find cracked Cobalt Strike?
That is correct. Yep.
Awesome. And when we found them, what did we do?
Well, there's several different processes in Microsoft, as you can imagine,
depending on who the client is, what kind of subscription is in Azure.
But we really had to work out basically
a terms of service takedown notice in Azure
for different versions of Cobalt Strike.
So the CDOC was very important for us
and was really our central point of contact
in trying to keep Azure clean.
Love that.
Okay, so Bosco, something else I want to understand is you kept mentioning
common law, civil stuff. I know the DMCA has criminal aspects to it. How did you kind of work
with law enforcement versus civil versus criminal courts? How did all that shake out?
Yeah, I mean, that's a good question. And it's a question we got a lot back
when we started the program over a decade ago, right?
One of the things that, you know, as a private litigant, both Microsoft and Fortra in this case, obviously private litigants,
our main concern obviously is to protect not only our customers and our intellectual property.
And we have to do it very quickly and aggressively.
So from a civil perspective, one of the great things about civil law in this case is that our main focus is stop the harm immediately, identify any potential victims, and remediate the problem.
But to do that, you also don't want to interfere with any criminal investigations.
Because the criminal law, of course, their objective is to not deter by attribution.
In other words, identifying who the bad players are,
the criminals, trying to indict, bring them to justice,
which of course that brings a deterrent effect.
So we try to kind of do two of these things at the same time to get the biggest impact possible.
Stop the harm immediately, start remediating,
whilst at the same time allow law enforcement
to go out and do their job in attribution,
arrest for deterrence.
So what we developed in this case, and we've been doing this manually, so to speak, until ultimately
we've automated this process as well, and that is in real-time de-confliction. And what I mean by
that, if you go back to what Jason and Bob were talking about, identifying the cracked Cobalt
Strike, where it's located, and so forth,
we wanted to make sure that our visibility was also visible to law enforcement for the main purpose of de-confliction.
In other words, we didn't want to interfere in any ongoing criminal investigation by taking a site down via our civil process,
which is very fast, as I mentioned, it goes quick, and then not allowing
law enforcement to complete their work in terms of attribution for the criminal investigation.
So we developed a process where law enforcement would be able to come back and say,
you know, pause, wait, to give them time to do their job, whilst at the same time allowing us
to clean up as much of the ecosystem as possible.
And it worked out brilliantly well,
and we're very happy with that relationship
and the ability to de-conflict
and partner with law enforcement.
And it was interesting because we were talking
to law enforcement, as was Fortra.
So we just got all of it together
and made it into one automated system,
and we're really happy about the results.
I love that.
I love that it really is such a
coordinated effort between so many different groups and organizations and being able to
protect the internet better. So Jason, I know that we've seized about 170 domains so far in this
focused operation and several even this week. So how does that work? And help me understand too,
I know that we set up some sinkholes.
So can you kind of help us understand
what sinkholes are
and how they played into this particular project?
Yeah, so what we do is the term sinkhole
is a DNS sinkhole, right?
So domain name system sinkhole.
So when, you know,
we'll just use badguy.com, right?
For instance.
So badguy.com's got to resolve to an IP address.
And so what we do is during the course of the investigation,
as we're crawling and scanning infrastructure,
identifying cracked versions of Cobalt Strike,
if that C2, that cracked Cobalt Strike's team server,
is actually using a domain as infrastructure,
we'll be able to capture that, right?
And then we'll be able to verify the watermark
and verify that the domain is hosting,
you know, cracked Cobalt Strike.
So part of the disruption process
is then to legally take down that domain.
And really the main purpose, one, is to disrupt,
obviously stop the harm of the infrastructure
or the command and control server.
But two, we then get the court to award us that domain as Microsoft.
We seize that domain.
It now becomes property of Microsoft.
Now we can change the IP address on that domain.
And now all the victims of that particular command and control server of badguy.com, for instance, are now communicating to Microsoft.
And so really the point of that is really to gain visibility into the victims, right?
To really understand, hey, grandma's computer is infected and they're over at XYZ ISP.
And that's really one of the really staples of, I think, DCU is we don't sell this as cyber, we don't sell this as threat intelligence, right?
We take this intelligence and we give it out to the telcos, the ISPs, to basically identify critical infrastructure and for the responders to be able to respond to this and get it cleaned up.
Jason, I love how community-focused that is.
This has been amazing.
Thank you so much, Bob Erdman from Fortra,
Bosco from Microsoft, Jason Lyons from Microsoft.
Thank you for joining me.
This was a fascinating thing.
And I hope we get to hear back from you soon
on all the cool things that you guys are working on.
I appreciate you coming on the podcast.
Thanks for having us.
Thank you.
Thank you.
Thanks for listening to the Microsoft Threat Intelligence Podcast.
We'd love to hear from you.
Email us with your ideas
at tipodcast at microsoft.com.
Every episode will decode the threat landscape
and arm you with the intelligence you need
to take on threat actors.
Check us out, msthreatintelpodcast.com for more
and subscribe on your favorite podcast app.
This week on the Blue Hat Podcast,
we welcome Rohit and George
for a great discussion on mitigating NTLM-related attacks.
Be sure to listen in and follow us at bluehattpodcast.com
or wherever you get your favorite podcasts.