
International law enforcement operation combats illegal use of the “Swiss Army Knife” pentesting tool

An international coalition of law enforcement agencies has taken action against hundreds of installations of Cobalt Strike software, a penetration testing tool known to be abused by both state-sponsored and criminal hackers involved in the ransomware ecosystem.

The UK’s National Crime Agency (NCA) announced on Wednesday that it had coordinated global action against the tool, targeting 690 IP addresses in 27 countries that were running illegal instances of the software.

Cobalt Strike, now owned by a company called Fortra, was developed in 2012 to simulate how hackers break into their victims’ networks. But it works so well – simplifying the process involved in trying to break into a victim’s network – that pirated versions of the tool have been widely used by real criminals over the past decade.

This action comes as law enforcement continues to crack down on ransomware gangs by targeting the ecosystem’s weak points – hitting links in the chain where a single takedown can have cascading effects, such as the seizure of the bulletproof hosting provider LolekHosted.

In addition to its legitimate users and those in the ransomware space, Cobalt Strike has also been used by hackers linked to the Russian, Chinese and North Korean governments.

“Since the mid-2010s, pirated and unlicensed versions of software downloaded by criminals from illegal marketplaces and the dark web have been considered the preferred tool for penetrating networks for those planning a cyberattack, as they allow them to deploy ransomware quickly and on a large scale,” the NCA said.

Most commonly, the unlicensed versions of Cobalt Strike are used in spear phishing emails whose goal is to install the tool’s implant, known as a Beacon, on the target’s device. Once running, the Beacon lets the attacker profile the victim’s network and access it remotely.

However, its multifunctionality – including a framework for managing the hackers’ command and control infrastructure – makes the tool a “Swiss Army knife for cybercriminals and state actors,” as Don Smith, vice president of threat research at the Secureworks Counter Threats Unit, describes it.

“Cobalt Strike has long been the preferred tool of cybercriminals, including as a precursor to ransomware. It is also used by state actors, such as Russia and China, to facilitate intrusion attempts in cyber espionage campaigns. As an entry point, it has proven extremely effective in providing victims with a backdoor to facilitate intrusion attempts in cyber espionage campaigns,” Smith said.

According to the NCA, the measures to combat fraudulent use of the software took place last week, with servers being shut down and “abuse notices” being sent to ISPs to warn them that they may be hosting malware.

Paul Foster, the NCA’s director of threat security, stressed that while Cobalt Strike was “legitimate software”, cybercriminals “have unfortunately misused it for nefarious purposes”.

“Illegal versions of it have helped lower the barrier to entry for cybercrime, making it easier for online criminals to launch malicious ransomware and malware attacks with little or no technical expertise,” Foster said.

“International disruptions like this are the most effective way to disrupt the most damaging cybercriminals by depriving them of the tools and services that underpin their operations,” the NCA director added.

Despite law enforcement actions, “the threat of ransomware remains ever-present and while this disruption is welcome, criminals and state actors will almost certainly have a Plan B,” said Secureworks’ Smith.

Fortra has released a new version of Cobalt Strike that it claims offers “enhanced security measures.” The company has pledged to continue working with law enforcement to identify and remove older versions of its software from the internet.

“Fortra has taken significant steps to prevent misuse of its software and has cooperated with law enforcement throughout the investigation to protect the legitimate use of its tools,” Europol said.

“However, in rare cases, criminals have stolen older versions of Cobalt Strike and created cracked copies to gain backdoor access to machines and distribute malware. Such unlicensed versions of the tool have been linked to several malware and ransomware investigations, including those on RYUK, Trickbot and Conti.”