A global operation led by the National Crime Agency (NCA) of the United Kingdom, dubbed Operation Morpheus, has struck a significant blow against 593 servers running Cobalt Strike, a legitimate penetration testing tool, that were being used to conduct cyberattacks. This action, executed during the week commencing June 24th, marks the culmination of over two and a half years of international collaboration between law enforcement and private industry.
The servers were spread across 27 countries and hosted by 129 internet service providers. By the end of the action week, about 600 of these instances had been taken down, and abuse notifications were issued to the service providers, informing them they were hosting malware.
Law enforcement agencies contributed to the international effort, including Europol, the FBI, the Australian Federal Police, the Royal Canadian Mounted Police, the German Federal Criminal Police Office, the Netherlands National Police, and the Polish Central Cybercrime Bureau.
Private industry players such as BAE Systems Digital Intelligence, Trellix, Shadowserver, Spamhaus, and abuse.ch also played crucial roles in identifying and disrupting the malicious use of Cobalt Strike.
Cobalt Strike was initially created as a tool for cybersecurity professionals to test network defences. Since around 2015, the tool has been increasingly misused by malicious actors.
“Since the mid-2010s, pirated and unlicensed versions of the software downloaded by criminals from illegal marketplaces and the dark web have gained a reputation as the ‘go-to’ network intrusion tool for those seeking to build a cyber attack, allowing them to deploy ransomware at speed and at scale,” explained NCA. “Due to the range of tools, free training guides and videos that come with legal versions of the software, those adopting it for criminal use require low levels of sophistication and money.”
According to the NCA, illicit versions of Cobalt Strike have been linked to some of the most significant cyber incidents in recent years, including those involving the RYUK, Trickbot, and Conti malware. Cybercriminals deploy these versions via spear phishing or spam emails, which trick victims into clicking malicious links or opening infected attachments.
Once a victim is compromised, a Cobalt Strike ‘Beacon’ is installed, granting the attacker remote access to the system. This access allows them to profile the host, deploy further malware or ransomware, and steal data to extort victims.
“Illegal versions of it have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise,” said Paul Foster, Director of Threat Leadership at the National Crime Agency.
The operation highlighted the role of private industry players who shared real-time intelligence through the Malware Information Sharing Platform. This collaboration resulted in the sharing of over 730 pieces of threat intelligence, containing nearly 1.2 million indicators of compromise.
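Indicators shared through a platform like MISP are only useful once defenders match them against their own telemetry. The script below is an added example, not code from the article or from any NCA, Europol or MISP tooling: it parses a constructed MISP-style CSV export of indicators (exact IPs, CIDR ranges and domains) and flags constructed proxy/firewall log lines whose destination or requested host matches. All addresses are documentation ranges, not real command-and-control servers.

```python
"""Match a MISP-style indicator export against firewall/proxy log lines.

Added example (not part of the article or any NCA/Europol/MISP tooling).
The IoC feed and log lines are constructed; the IP addresses are RFC 5737
documentation ranges, not real Cobalt Strike team servers.
"""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass

# Constructed MISP-like CSV export (type,value,comment). Real exports carry
# more columns; 'ip-dst' and 'domain' are genuine MISP attribute types.
IOC_FEED_CSV = """type,value,comment
ip-dst,203.0.113.45,constructed: suspected Cobalt Strike team server
ip-dst,198.51.100.0/24,constructed: hosting range flagged in abuse report
domain,updates-cdn.example,constructed: suspected beacon C2 domain
"""

# Constructed proxy/firewall log lines in a simple key=value format.
SAMPLE_LOGS = [
    "ts=2024-06-25T10:01:02Z src=10.0.0.5 dst=203.0.113.45 dport=443 host=-",
    "ts=2024-06-25T10:01:09Z src=10.0.0.7 dst=93.184.216.34 dport=443 host=example.com",
    "ts=2024-06-25T10:02:14Z src=10.0.0.9 dst=198.51.100.77 dport=8080 host=-",
    "ts=2024-06-25T10:03:30Z src=10.0.0.5 dst=192.0.2.10 dport=443 host=updates-cdn.example",
    "ts=2024-06-25T10:04:00Z src=10.0.0.11 dst=192.0.2.11 dport=80 host=intranet.local",
]


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    indicator: str
    comment: str


def load_feed(csv_text):
    """Parse the feed into exact IPs, CIDR networks and lowercase domains."""
    ips, nets, domains = {}, [], {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        value, comment = row["value"].strip(), row["comment"]
        if row["type"] == "ip-dst":
            if "/" in value:
                nets.append((ipaddress.ip_network(value, strict=False), comment))
            else:
                ips[value] = comment
        elif row["type"] == "domain":
            domains[value.lower()] = comment
    return ips, nets, domains


LOG_RE = re.compile(r"ts=(\S+) src=(\S+) dst=(\S+) dport=\d+ host=(\S+)")


def scan(log_lines, feed=IOC_FEED_CSV):
    """Return one Hit per log line whose destination IP or host is in the feed."""
    ips, nets, domains = load_feed(feed)
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts, src, dst, host = m.groups()
        if dst in ips:  # exact IP match is the cheapest check
            hits.append(Hit(ts, src, dst, ips[dst]))
            continue
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            addr = None  # non-IP destination field; fall through to domain check
        matched_net = next(
            ((net, c) for net, c in nets if addr is not None and addr in net), None
        )
        if matched_net:
            hits.append(Hit(ts, src, str(matched_net[0]), matched_net[1]))
            continue
        host = host.lower()
        if host in domains:
            hits.append(Hit(ts, src, host, domains[host]))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"{h.ts} {h.src} -> {h.indicator} ({h.comment})")
```

A hit is a lead, not a verdict: the source host should be triaged for the beacon behaviour described above (host profiling, follow-on tooling, data staging) before any response action, and the indicator's comment field tells the analyst why it was shared.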
Recently, the FBI obtained more than 7,000 Lockbit decryption keys, disrupting the entire operation. In the first week of June 2024, a joint task force of the FBI, Interpol, French and British authorities shut down an operation to bust the Red Notice system.
In May, Europol and law enforcement from France, Germany, the UK, the Netherlands, the United States, and Denmark initiated a crackdown on malicious droppers.