NCA conducts operation to degrade illegal versions of Cobalt Strike

The National Crime Agency (NCA) is coordinating international action against illegally obtained copies of a legitimate security tool that cybercriminals have used for over a decade to break into victims' IT systems and carry out attacks.

During a week of action last week, unlicensed versions of Cobalt Strike were targeted. Cobalt Strike is a commercial adversary-simulation and red-team tool: licensed users deploy it against their own networks to emulate an attacker's post-exploitation activity and test their defences.

Since the mid-2010s, pirated and unlicensed versions of this software, downloaded by criminals from illegal marketplaces and the dark web, have become a tool of choice for network intrusions, because they let attackers deploy ransomware quickly and at scale.


Because the legitimate product ships with a broad set of tools, free training manuals and videos, misusing it requires little expertise or outlay.

These disruption measures are the result of more than two and a half years of collaboration between the NCA, international law enforcement agencies and the private sector to identify, monitor and report on the tool's criminal use.

Action was taken against 690 IP addresses hosting malicious Cobalt Strike instances at 129 Internet service providers in 27 countries. By the end of the week, 593 of these addresses had been taken down.

This was achieved by the NCA and its law enforcement partners taking down the servers, reinforced by "abuse reports" from law enforcement and private industry partners alerting the service providers that they might be hosting malware.

Illicit versions of Cobalt Strike have been used in some of the largest recent cyber incidents, and the program has also been found in several malware and ransomware investigations, including those into Ryuk, TrickBot and Conti.

The operation was carried out jointly with Europol, which helped with international coordination, as well as the FBI, the Australian Federal Police, the Royal Canadian Mounted Police, the German Federal Criminal Police Office, the Dutch National Police (Politie) and the Polish Central Bureau for Cybercrime.

A number of private industry partners, including BAE Systems Digital Intelligence, Trellix, Shadowserver, Spamhaus and abuse.ch, also assisted law enforcement in identifying malicious instances and cybercriminals' use of Cobalt Strike.

MISP, the Malware Information Sharing Platform, allowed private organisations to share threat intelligence with law enforcement in real time. More than 730 threat intelligence reports containing nearly 1.2 million attack indicators were shared.


Cybercriminals deliver the Cobalt Strike payload via spear-phishing or spam emails that try to trick a victim into clicking a link or opening a malicious attachment. When the victim follows the link or opens the document, a Cobalt Strike "Beacon" implant is installed on the host. Beacon calls back to an attacker-controlled team server, the kind of infrastructure targeted in this takedown, and gives the attacker remote access to profile the infected host, download further malware or ransomware, and steal data with which to extort the victim.

Paul Foster, Director of Threat Leadership at the National Crime Agency, said: “Although Cobalt Strike is legitimate software, unfortunately cybercriminals have abused it for nefarious purposes.

“Illegal versions of it have helped lower the barrier to entry for cybercrime, making it easier for online criminals to launch malicious ransomware and malware attacks without having any technical expertise.

“Such attacks can result in millions of dollars in losses and recovery costs for companies.

“International disruptions like this are the most effective way to disrupt the most damaging cybercriminals by depriving them of the tools and services that underpin their operations.

“I would urge any companies that may have been victims of cybercrime to come forward and report such incidents to law enforcement.”

Fortra, the owner of Cobalt Strike, will continue to work with law enforcement to identify and remove older and malicious versions of the program from the Internet.
