Europol shuts down around 600 abusive Cobalt Strike servers

Numerous IP addresses associated with abuse of Fortra’s legitimate red teaming tool, Cobalt Strike, were taken down as part of a coordinated law enforcement operation dubbed “Morpheus.”

The Europol-led operation from June 24 to 28 targeted older, unlicensed versions of the tool and flagged abusive IP addresses operating from several countries.

“Law enforcement has joined forces with the private sector to combat the misuse of a legitimate security tool by criminals who are using it to penetrate victims’ IT systems,” Europol said in a press release. “This investigation, known as Operation MORPHEUS, was led by the UK’s National Crime Agency and involved law enforcement agencies from Australia, Canada, Germany, the Netherlands, Poland and the United States.”

The operation also involved support from a number of private partners, including BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch and The Shadowserver Foundation, the statement added.

Massive global disruptions

By the end of the week of Operation Morpheus, 593 IP addresses related to Cobalt Strike criminal abuse had been blocked.

“Over the course of the week, law enforcement agencies have flagged known IP addresses associated with criminal activity, as well as a number of domain names used by criminal groups, to enable online service providers to disable unlicensed versions of the tool,” the statement said. “In total, 690 IP addresses were flagged for online service providers in 27 countries.”

Since September 2021, Europol’s European Cybercrime Centre (EC3) has supported the operation with analytical and forensic assistance and by enabling information sharing among all partners. Europol also operates a “malware intelligence sharing platform” and invites private partners to support the effort with real-time threat intelligence.

“Over the course of the entire investigation, over 730 threat intelligence pieces were shared, containing nearly 1.2 million indications of compromise,” Europol added. “The disruptions do not end here. Law enforcement will continue to monitor and conduct similar actions as long as criminals abuse older versions of the tool.”

Frequently abused pentesting tool

The commercial pentesting tool, originally developed for red teaming and adversary simulation, has repeatedly been abused by cybercriminals to conduct attacks or to package sophisticated malware. The largest such case was the SolarWinds supply chain attack reported in December 2020, in which attackers delivered customized Cobalt Strike Beacons via legitimate updates to the Orion platform.

Cobalt Strike has also been used by many well-known threat actors in their high-profile campaigns. The most common perpetrators include the Ryuk ransomware group, the state-sponsored Hafnium group, and FIN7. Modified versions of the tool have also been integrated into well-known malware families such as Emotet and TrickBot to enable lateral movement and data exfiltration within compromised systems.