
Global police operation shuts down 600 cybercrime servers linked to Cobalt Strike

A coordinated law enforcement operation codenamed MORPHEUS took down nearly 600 servers used by cybercriminal groups that were part of an attack infrastructure associated with Cobalt Strike.

According to Europol, the crackdown between June 24 and 28 targeted older, unlicensed versions of the Cobalt Strike red teaming framework.

Of the 690 IP addresses reported to online service providers in 27 countries as being linked to criminal activities, 590 are no longer accessible.

The joint operation, which began in 2021, was led by the UK’s National Crime Agency (NCA) and included agencies from Australia, Canada, Germany, the Netherlands, Poland and the US. Officials from Bulgaria, Estonia, Finland, Lithuania, Japan and South Korea provided additional support.

Cobalt Strike is a popular adversary simulation and penetration testing tool developed by Fortra (formerly Help Systems) that provides IT security professionals with a way to identify vulnerabilities in security operations and incident response.

However, Google and Microsoft have previously found that cracked versions of the software have fallen into the hands of cybercriminals, who have repeatedly misused it for malicious purposes.

According to a recent report from Palo Alto Networks Unit 42, Cobalt Strike deploys a payload called “Beacon” and uses text-based profiles called “Malleable C2” to alter the characteristics of Beacon’s web traffic in order to evade detection.
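Because a Malleable C2 profile can reshape the URI, headers and body of Beacon’s requests, detections that key only on those content features are brittle; what a profile cannot remove is the need to check in on a timer. The following Python script is an added example (not code from the article, Unit 42 or Fortra) that scores each client-to-server pair in a constructed web-proxy log by the regularity of its request timing. The log lines, host names, thresholds and the `find_beacons` helper are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<ISO timestamp> <client IP> <server host> <URI>".
# Client 10.0.0.5 checks in roughly once a minute while rotating URIs, the way a
# profile-shaped Beacon might; 10.0.0.7 browses at irregular, human-like gaps;
# 10.0.0.9 has too few requests to judge. None of these hosts or IPs are real.
SAMPLE_LOG = """\
2024-06-24T10:00:00 10.0.0.5 updates.example.test /api/v1/status
2024-06-24T10:00:10 10.0.0.7 news.example.test /index.html
2024-06-24T10:00:12 10.0.0.7 news.example.test /style.css
2024-06-24T10:01:03 10.0.0.5 updates.example.test /api/v1/sync
2024-06-24T10:02:01 10.0.0.5 updates.example.test /api/v1/status
2024-06-24T10:03:05 10.0.0.5 updates.example.test /api/v1/sync
2024-06-24T10:03:40 10.0.0.7 news.example.test /article/42
2024-06-24T10:04:00 10.0.0.5 updates.example.test /api/v1/status
2024-06-24T10:04:02 10.0.0.7 news.example.test /article/42/comments
2024-06-24T10:05:04 10.0.0.5 updates.example.test /api/v1/sync
2024-06-24T10:06:02 10.0.0.5 updates.example.test /api/v1/status
2024-06-24T10:07:01 10.0.0.5 updates.example.test /api/v1/sync
2024-06-24T10:15:30 10.0.0.7 news.example.test /index.html
2024-06-24T10:16:01 10.0.0.7 news.example.test /sports
2024-06-24T10:20:00 10.0.0.9 intranet.example.test /login
2024-06-24T10:21:00 10.0.0.9 intranet.example.test /home
2024-06-24T10:22:00 10.0.0.9 intranet.example.test /home
2024-06-24T10:40:00 10.0.0.7 news.example.test /index.html
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, host, uri) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, host, uri = line.split(maxsplit=3)
        records.append((datetime.fromisoformat(ts), client, host, uri))
    return records


def interval_stats(records, min_intervals=5):
    """Per (client, host) pair: gap count, mean gap in seconds and coefficient of variation.

    The URI is deliberately ignored when grouping, because a profile can change
    it from one request to the next. Pairs with too few gaps are skipped rather
    than scored, so a handful of requests never produces a confident verdict.
    """
    by_pair = defaultdict(list)
    for ts, client, host, _uri in records:
        by_pair[(client, host)].append(ts)
    stats = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < min_intervals:
            continue
        avg = mean(gaps)
        # A burst of identical timestamps has zero mean gap; treat it as "not periodic".
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        stats[pair] = {"intervals": len(gaps), "mean_gap_s": avg, "cv": cv}
    return stats


def find_beacons(text, min_intervals=5, max_cv=0.2):
    """Return (client, host) pairs whose request timing is suspiciously regular."""
    stats = interval_stats(parse_log(text), min_intervals)
    return sorted(pair for pair, s in stats.items() if s["cv"] <= max_cv)


if __name__ == "__main__":
    for pair, s in interval_stats(parse_log(SAMPLE_LOG)).items():
        print(f"{pair[0]} -> {pair[1]}: {s['intervals']} gaps, "
              f"mean {s['mean_gap_s']:.1f}s, cv {s['cv']:.2f}")
    print("flagged:", find_beacons(SAMPLE_LOG))
```

The `max_cv` threshold of 0.2 is an assumed starting point: Beacon can be configured with sleep jitter, which widens the variance of its check-in gaps, so in practice the threshold is tuned against a baseline of benign periodic traffic (software updaters, monitoring agents) and combined with other signals rather than used on its own.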

“Although Cobalt Strike is legitimate software, cybercriminals have unfortunately abused it for nefarious purposes,” said Paul Foster, director of threat intelligence at the NCA, in a statement.

“Illegal versions of it have helped lower the barrier to entry for cybercrime, making it easier for online criminals to launch damaging ransomware and malware attacks with little to no technical expertise. Such attacks can cost businesses millions in losses and recovery costs.”

This development comes after Spanish and Portuguese law enforcement authorities arrested 54 people for committing crimes against senior citizens through vishing attacks, in which perpetrators posed as bank employees and tricked them into revealing personal information under the pretense of fixing a problem with their accounts.

The data was then passed on to other members of the criminal network, who visited victims’ homes unannounced and pressured them to reveal their credit cards, PIN codes and bank details. In some cases, cash and jewelry were also stolen.

The criminal scheme ultimately allowed the perpetrators to take control of victims’ bank accounts or to make unauthorized ATM cash withdrawals and other expensive purchases.

“Through a mixture of fraudulent phone calls and social engineering, the criminals are responsible for damages of 2.5 million euros,” Europol said earlier this week.

“The funds were deposited into several Spanish and Portuguese accounts controlled by the fraudsters and from there channeled into a sophisticated money laundering system. An extensive network of money couriers, supervised by specialized members of the organization, served to conceal the origin of the illegal funds.”

The arrests also follow similar actions by INTERPOL to dismantle human trafficking rings in several countries, including Laos, where several Vietnamese citizens were lured with the promise of well-paying jobs and then coerced into opening fraudulent online accounts for financial fraud.

“The victims were forced to work 12 hours a day, and if they could not recruit others, the working hours were extended to 14 hours. Their papers were confiscated,” the agency said. “The families were extorted up to $10,000 to force their return to Vietnam.”

Last week, INTERPOL said it had also seized $257 million in assets and frozen 6,745 bank accounts as part of a global policing operation in 61 countries aimed at dismantling online fraud networks and organized crime.

The operation, known as Operation First Light, targeted phishing, investment fraud, fake online shopping sites, romance and identity fraud. It resulted in the arrest of 3,950 suspects and identified 14,643 more possible suspects across all continents.
