Europol has just announced that during a week-long operation in late June, nearly 600 IP addresses supporting illegal copies of Cobalt Strike were removed.
Fortra’s legitimate red-teaming tool is known to be widely abused by cybercriminals, who use cracked copies of the tool to launch malware and ransomware attacks such as Ryuk, Trickbot, and Conti.
Europol said the disruptive action, called Operation Morpheus, is the culmination of work that began three years ago and was carried out with private sector partners between 24 and 28 June.
“During the week, law enforcement agencies identified known IP addresses associated with criminal activity, along with a series of domain names used by criminal gangs to allow online service providers to disable unlicensed versions of the tool,” the agency said today.
“A total of 690 IP addresses were flagged at online service providers in 27 countries. By the end of the week, 593 of these addresses had been taken offline.
“This investigation was led by the UK National Crime Agency and involved law enforcement agencies from Australia, Canada, Germany, the Netherlands, Poland and the United States. Europol coordinated the international activity and liaised with the private partners.”
Several private sector partners supported the week-long sprint, including BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch and The Shadowserver Foundation.
The partners used Europol’s Malware Information Sharing Platform to submit evidence and threat intelligence to support the disruptive efforts. The Euro Cop Shop said more than 730 pieces of threat intel were shared, as well as nearly 1.2 million indicators of compromise throughout the operation.
“Cobalt Strike is the Swiss Army knife of cybercriminals and nation-state actors,” said Don Smith, vice president of threat intelligence at Secureworks. “Cobalt Strike has long been a tool of choice for cybercriminals, including as a precursor to ransomware. It has also been deployed by nation-state actors, such as Russian and Chinese [groups] to facilitate intruders in cyber espionage campaigns.
“As a fulcrum, it has proven to be highly effective in providing a persistent backdoor to victims, facilitating intrusions of all forms. This disruption is to be welcomed, and removing Cobalt Strike infrastructure used by criminals is always a good thing.”
Trellix’s Joao Marques, John Fokker and Leandro Velasco also blogged about their involvement in Operation Morpheus. They said that while the disruptive activity will make criminals reconsider their use of Cobalt Strike, the data shows that the work did not touch China.
According to the telemetry, China is home to 43.85 percent of Cobalt Strike resources. To put that into context, the next largest distributor is the US with a 19.08 percent share.
Compare that to the country hit hardest by Cobalt Strike attacks (the US, with a 45.04 percent share), and you can make an educated guess as to where the criminals most likely to abuse Fortra’s tool reside.
“The dismantling of the Cobalt Strike infrastructure sends a powerful message to cybercriminals and national government actors about the consequences of malicious cyber activity,” the researchers said.
The NCA said in a statement: “This disruptive activity is the result of more than two and a half years of collaboration between the NCA, international law enforcement and the private sector to identify, monitor and blacklist its use.”
While law enforcement agencies acknowledge the “significant steps” Fortra has taken to prevent its powerful post-exploitation tool from being abused, the Trellix team was less positive.
Marques, Fokker and Velasco said they welcomed Fortra’s cooperation with Operation Morpheus and the measures taken to prevent Cobalt Strike misuse, but they also hinted at ongoing concerns.
“We are very pleased that Fortra, the current owner of Cobalt Strike, cooperated with the operation and implemented more advanced measures to prevent their software from being cracked,” the researchers said.
“However, it is important to address Cobalt Strike’s longstanding stance under its previous ownership regarding restrictions on licensing cybersecurity vendors. Many cybersecurity vendors believe this decision has inadvertently created a precarious environment in which cybercriminals are abusing cracked versions of Cobalt Strike for malicious activity and vendors are left unable to defend against abuse.
“While these new measures are a very positive step in the right direction, we would like to do more. This situation underscores the need for more comprehensive collaboration to protect organizations from Cobalt Strike abuse. We call on Cobalt Strike to reconsider its policies and work with cybersecurity vendors to improve products and combat abuse of these powerful tools.”
We’ve asked Trellix about the specific issues they’re referring to and will update this article once we have answers.
Second try
The Operation Morpheus efforts come just over a year after Microsoft, Fortra and Health-ISAC filed a lawsuit seeking permission to take down several IP addresses hosting cracked versions of Cobalt Strike.
That followed Google offering another kind of support in the fight against Cobalt Strike abuse. In 2022, it developed and open-sourced a set of 165 YARA rules to help organizations quickly flag any of the 34 versions the Chocolate Factory identified as being in circulation at the time.
But even last year, when the first round of IP addresses was neutralized, researchers knew it wouldn’t be enough.
“While this action will have an immediate impact on the criminals, we fully expect that they will attempt to revive their efforts,” said Amy Hogan-Burney, general manager of Microsoft’s security unit at the time. “Our action is therefore not a one-off.”
Since acquiring Cobalt Strike in 2020, Fortra has taken steps to ensure that criminals can’t access legitimate versions of its tools. For example, it quickly began vetting all applicants before issuing licenses, but cracked versions in hard-to-reach places like China can be tough to eradicate for good.
Paul Foster, Director of Threat Leadership at the National Crime Agency, said: “While Cobalt Strike is legitimate software, cybercriminals have unfortunately abused it for sinister purposes.
“Pirated versions of it have lowered the barrier to entry for cybercrime, making it easier for online criminals to launch damaging ransomware and malware attacks with little or no technical knowledge.
“Such attacks can cost companies millions in losses and recovery.”
He urged companies that have been victims of cybercrime to “come forward and report such incidents to law enforcement.”