The National Crime Agency is coordinating the global fight against illegal software that has been used by cybercriminals to infiltrate victims’ IT systems and carry out attacks for more than a decade.
Last week (Wednesday, June 24), unlicensed versions of Cobalt Strike were targeted. Cobalt Strike is a penetration testing tool used to detect vulnerabilities in a company’s network and improve cybersecurity.
Since the mid-2010s, pirated and unlicensed versions of the software, downloaded from illicit marketplaces and the dark web, have become the go-to tool for cybercriminals, allowing them to deploy ransomware quickly and at scale.
Because the legitimate version of the software comes with a wide range of tools, free training manuals and videos, little knowledge or money is needed to use it for criminal purposes.
This disruptive activity is the result of more than two and a half years of collaboration between international law enforcement and the private sector, led by the NCA, to identify, monitor and blacklist malicious use of the tool.
Action was taken against 690 individual instances of malicious Cobalt Strike software hosted at 129 ISPs in 27 countries. By the end of the week, 593 of these had been taken offline.
This was achieved by the NCA and its law enforcement partners taking servers offline, and by passing abuse reports from law enforcement partners and the private sector to service providers, alerting them that they might be hosting malware.
Pirated versions of Cobalt Strike have been identified as being used in some of the largest cyber incidents of recent times. Its use has also been identified in multiple malware and ransomware investigations, including those into RYUK, Trickbot, and Conti attacks.
The operation was conducted jointly with Europol, which assisted with international coordination, the FBI, the Australian Federal Police, the Royal Canadian Mounted Police, the German Federal Police Office (Bundeskriminalamt), the Dutch National Police (Politie) and the Polish Central Cybercrime Bureau.
A number of private sector partners, including BAE Systems Digital Intelligence, Trellix, Shadowserver, Spamhaus and abuse.ch, also assisted law enforcement in identifying malicious instances and cybercriminal use of Cobalt Strike.
Using a platform known as the Malware Information Sharing Platform, private sector organizations shared real-time threat intelligence with law enforcement. More than 730 pieces of threat intelligence containing nearly 1.2 million indicators of compromise were shared.
Cybercriminals deploy unlicensed versions of Cobalt Strike via spear-phishing or spam emails that attempt to trick the target into clicking a link or opening a malicious attachment. When the victim opens the link or document, a Cobalt Strike ‘Beacon’ is installed, giving the threat actor remote access. From there they can profile the infected host, download malware or ransomware, and steal data in order to extort money from the victim.
Paul Foster, Director of Threat Leadership at the National Crime Agency, said: “While Cobalt Strike is a legitimate piece of software, cybercriminals have unfortunately abused it for sinister purposes.
“Pirated versions of it have lowered the barrier to entry for cybercrime, making it easier for online criminals to launch damaging ransomware and malware attacks with little or no technical expertise.
“Such attacks can cost companies millions in losses and recovery.”
“International disruptions like this are the most effective way to degrade the most damaging cybercriminals by removing the tools and services that underpin their activities.
“I would like to urge all companies that may have been victims of cybercrime to report such incidents to the police.”
Fortra, the owner of Cobalt Strike, continues to cooperate with law enforcement to identify and remove older and malicious versions of the program from the Internet.
July 3, 2024