Europol nukes nearly 600 IP addresses in Cobalt Strike crackdown

Europol just announced that a week-long operation at the end of June dropped nearly 600 IP addresses that supported illegal copies of Cobalt Strike.

Fortra’s legitimate red-teaming tool is notorious for being widely abused by cybercriminals, who source cracked copies of the tool for use in malware and ransomware operations like Ryuk, Trickbot, and Conti.

Europol said the disruptive action, dubbed Operation Morpheus, is the culmination of work that began three years ago. It was carried out with partners in the private sector between June 24 and 28.

“Throughout the week, law enforcement flagged known IP addresses associated with criminal activity, along with a range of domain names used by criminal groups, for online service providers to disable unlicensed versions of the tool,” it said today.

“A total of 690 IP addresses were flagged to online service providers in 27 countries. By the end of the week, 593 of these addresses had been taken down.

“This investigation was led by the UK National Crime Agency and involved law enforcement authorities from Australia, Canada, Germany, the Netherlands, Poland, and the United States. Europol coordinated the international activity and liaised with the private partners.”

Various private sector partners supported the week-long sprint, including BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch, and The Shadowserver Foundation. 

The partners used Europol’s Malware Information Sharing Platform to submit pieces of evidence and threat intelligence that supported the disruption efforts. The Euro cop shop said more than 730 pieces of threat intel were shared as well as nearly 1.2 million indicators of compromise over the course of the entire operation.

“Cobalt Strike is the Swiss Army knife of cybercriminals and nation-state actors,” said Don Smith, vice president of threat intelligence at Secureworks. “Cobalt Strike has long been the tool of choice for cybercriminals, including as a precursor to ransomware. It is also deployed by nation-state actors, such as Russian and Chinese [groups], to facilitate intrusions in cyber espionage campaigns.

“Used as a foothold, it has proven to be highly effective at providing a persistent backdoor to victims, facilitating intrusions of all forms. This disruption is to be welcomed, removing Cobalt Strike infrastructure used by criminals is always a good thing.”

Trellix’s Joao Marques, John Fokker, and Leandro Velasco also blogged about their involvement in Operation Morpheus. They said that while the disruption activity will make criminals rethink their use of Cobalt Strike, its data shows that the work didn’t touch China.

According to its telemetry, China hosts 43.85 percent of Cobalt Strike resources. To put that in context, the next biggest distributor is the US with a 19.08 percent share.

Contrast that with the country that bears the brunt of the most Cobalt Strike attacks (the US with a 45.04 percent share) and you can take an educated guess as to where the criminals that abuse Fortra’s tool the most reside.

“The dismantling of Cobalt Strike infrastructure sends a powerful message to cybercriminals and nation-state actors about the repercussions of malicious cyber activities,” said the researchers.

The NCA said in a statement: “This disruption activity represents more than two-and-a-half years of NCA-led international law enforcement and private industry collaboration to identify, monitor and denigrate its use.”

While law enforcement agencies acknowledged the “significant steps” Fortra has taken to prevent its powerful post-exploitation tool from being misused, Trellix’s team wasn’t as positive.

Marques, Fokker, and Velasco said they welcomed Fortra’s collaboration with Operation Morpheus and the measures taken to prevent Cobalt Strike’s misuse, but alluded to lingering concerns.

“We are very content to see that Fortra, the current owners of Cobalt Strike, have collaborated in the operation and are implementing more sophisticated measures to prevent cracking their software,” they said.

“However, it is important to address the longstanding stance of Cobalt Strike under previous ownership, regarding its restrictions to purchase a license for cybersecurity vendors. Many cybersecurity vendors believe this decision has inadvertently fostered a precarious environment where cybercriminals exploit cracked versions of Cobalt Strike for malicious activities and vendors are not able to defend against its misuse.

“Although these new measures are a very good step in the right direction, we are eager to do more. This situation underscores the need for more integral collaborative efforts to protect organizations against the abuse of Cobalt Strike. We call on Cobalt Strike to reconsider its policies and collaborate with cybersecurity vendors to enhance products and combat the misuse of these powerful tools.”

We asked Trellix about the specific issues they’re referring to and will update the article when answers come in.

Take two

Operation Morpheus’s efforts come just over a year after Microsoft, Fortra, and Health-ISAC took a case to court, getting legal permission to take down various IP addresses it located that hosted cracked versions of Cobalt Strike.

This followed Google offering a different kind of support in the fight against the abuse of Cobalt Strike. In 2022 it worked up and open-sourced a list of 165 YARA rules to help organizations swiftly quash any of the 34 versions the Chocolate Factory identified in circulation at the time.

However, even last year when the first round of IP addresses was neutralized, investigators knew it wasn’t going to be enough.

“While this action will impact the criminals’ immediate operations, we fully anticipate they will attempt to revive their efforts,” said Amy Hogan-Burney, general manager of the Microsoft security unit at the time. “Our action is therefore not one and done.”

Since Fortra bought Cobalt Strike in 2020, it has made strides in ensuring criminals don’t get access to legitimate versions of its tools. For example, it soon started vetting all applicants vigorously before giving licenses out, but cracked versions in hard-to-reach places like China may prove difficult to eradicate for good.

Paul Foster, director of Threat Leadership at the National Crime Agency, said: “Although Cobalt Strike is a legitimate piece of software, sadly cybercriminals have exploited its use for nefarious purposes.

“Illegal versions of it have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise.

“Such attacks can cost companies millions in terms of losses and recovery.”

He urged businesses that have been a victim of cyber crime to “come forward and report such incidents to law enforcement.” ®

READ MORE HERE