
Operation Morpheus has taken down 593 Cobalt Strike servers used by threat actors

Pierluigi Paganini
03 July 2024

As part of an international law enforcement operation codenamed “Operation Morpheus,” 593 Cobalt Strike servers used by cybercriminals were shut down.

An international law enforcement operation codenamed Operation Morpheus aimed to combat the criminal misuse of an older, unlicensed version of the red teaming tool Cobalt Strike.

Designed for adversary simulations and red team operations and currently provided by the cybersecurity software company Fortra, the Cobalt Strike platform has in recent years also become popular with threat actors and malware operations such as APT29, FIN7, RYUK, Trickbot, and Conti.

It is quite easy to find pirated copies of the software used by attackers in the wild.

Operation Morpheus, led by the UK’s National Crime Agency, involved law enforcement agencies from Australia, Canada, Germany, the Netherlands, Poland and the United States. This disruptive action concluded a complex investigation that began in 2021.

The operation took place between 24 and 28 June and was coordinated by Europol. Europol also worked with private partners, including BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch and The Shadowserver Foundation. These partners used enhanced scanning, telemetry and analysis capabilities to identify malicious activity and exploitation by cybercriminals.

Law enforcement experts identified 690 IP addresses and various domain names associated with criminal activities. The operation resulted in the shutdown of 593 of these IP addresses in 27 countries.

“Fortra has taken significant steps to prevent misuse of its software and has cooperated with law enforcement throughout this investigation to protect legitimate uses of its tools. However, in rare cases, criminals have stolen older versions of Cobalt Strike and created cracked copies to gain backdoor access to machines and install malware. Such unlicensed versions of the tool have been linked to several malware and ransomware investigations, including those into RYUK, Trickbot, and Conti,” says the press release published by Europol.

“Law enforcement used a platform called the Malware Information Sharing Platform to enable the private sector to share threat intelligence with law enforcement in real time. Over 730 pieces of threat intelligence were shared throughout the investigation, containing nearly 1.2 million indicators of compromise,” the press release concluded. “Europol’s EC3 organized over 40 coordination meetings between law enforcement and private partners. During the action week, Europol set up a virtual command post to coordinate law enforcement efforts worldwide.”

In April 2023, the Microsoft Digital Crimes Unit (DCU) announced that it had worked with Fortra, the company that develops and maintains the tool, and the Health Information Sharing and Analysis Center (Health-ISAC) to curb cybercriminals’ misuse of Cobalt Strike.

The Microsoft DCU obtained a court order in the US to take down cracked versions of Cobalt Strike (defined in the filing as “stolen, unlicensed or otherwise unauthorized versions or copies of the tool”) so that they can no longer be used by cybercriminals.

Threat actors, including ransomware groups and state actors, use Cobalt Strike after gaining initial access to a target network. The tool is used for several malicious activities, including privilege escalation, lateral movement, and delivery of additional malicious payloads.

“More specifically, cracked versions of Cobalt Strike allow the defendants to gain control of their victim’s machine and move laterally through the connected network to find other victims and install malware. This includes installing ransomware such as Conti, LockBit, Quantum Locker, Royal, Cuba, BlackBasta, BlackCat, and PlayCrypt to prevent access to the systems. Essentially, the defendants can use cracked versions of Cobalt Strike to brute force their way into victims’ machines and install malware,” the complaint states.

Court order

“Once the defendants have installed the malware or ransomware on computers running Microsoft’s Windows operating system, they can also perform a number of actions that abuse Microsoft’s proprietary declaration code.”

Example of an attack flow of the threat actor DEV-0243.

Microsoft observed more than 68 ransomware attacks on healthcare organizations in over 19 countries around the world using cracked copies of Cobalt Strike.

The attacks caused enormous financial damage to the affected hospitals due to reconstruction and repair costs as well as interruptions to vital patient care.

Microsoft also observed that state actors, including APT groups from Russia, China, Vietnam and Iran, used cracked copies of Cobalt Strike.

“Microsoft, Fortra, and Health-ISAC remain relentless in their efforts to improve ecosystem security, and we are working with the FBI’s Cyber Division, the National Cyber Investigative Joint Task Force (NCIJTF), and Europol’s European Cybercrime Center (EC3) on this case. While this action will impact criminals’ immediate operations, we expect they will attempt to resume their efforts, so our action is not a one-time event,” the report concludes.

In November 2022, Google Cloud researchers announced the discovery of 34 different cracked release versions of Cobalt Strike, containing a total of 275 unique JAR files.

Researchers at Google Cloud Threat Intelligence (GCTI) developed a set of YARA rules to detect cracked variants in the wild with high accuracy. The researchers noted that each Cobalt Strike version contains roughly 10 to 100 embedded binaries with attack templates, which is what makes per-version fingerprinting possible.
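The fingerprinting idea behind the GCTI work, recognising a release by the set of template binaries embedded in its JAR, as an added illustration that is neither the researchers' YARA rules nor code from the article: it hashes the members of a Java archive and scores them against per-version signatures, so a sample whose entries were renamed still matches. The archives, member names under `resources/`, version labels and hashes are all constructed here for the demo.

```python
"""Fingerprint a Java archive by the hashes of its embedded resources.

Added illustration (not GCTI's YARA rules): a release that ships a distinct
set of embedded template binaries can be recognised from the hashes of those
members. Every archive, member name and hash below is constructed here.
"""
import hashlib
import io
import zipfile
from typing import Dict, FrozenSet, Optional, Tuple

RESOURCE_PREFIX = "resources/"  # assumed location of template binaries


def make_jar(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory JAR (a zip file) from {member name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def member_hashes(jar_bytes: bytes) -> Dict[str, str]:
    """Return {member name: sha256 hex} for every file under RESOURCE_PREFIX."""
    hashes: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith(RESOURCE_PREFIX):
                continue
            hashes[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return hashes


def build_signature(jar_bytes: bytes) -> FrozenSet[str]:
    """A version signature is the set of hashes of its embedded resources.
    Keying on content rather than member names survives renamed entries."""
    return frozenset(member_hashes(jar_bytes).values())


def identify(jar_bytes: bytes, signatures: Dict[str, FrozenSet[str]],
             threshold: float = 0.5) -> Optional[Tuple[str, float]]:
    """Score the archive against each known signature and return the best
    (version, fraction of that version's resources present) at or above
    `threshold`, or None when nothing matches well enough."""
    observed = build_signature(jar_bytes)
    best: Optional[Tuple[str, float]] = None
    for version, sig in signatures.items():
        if not sig:
            continue
        score = len(observed & sig) / len(sig)
        if best is None or score > best[1]:
            best = (version, score)
    if best is None or best[1] < threshold:
        return None
    return best


# Constructed reference archives standing in for two hypothetical releases.
# Releases typically share some templates and change others, which is what
# makes per-version scoring useful.
REFERENCE_JARS: Dict[str, bytes] = {
    "demo-v1": make_jar({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "resources/template.x64.bin": b"\x90" * 64,
        "resources/template.x86.bin": b"\xcc" * 64,
    }),
    "demo-v2": make_jar({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "resources/template.x64.bin": b"\x90" * 64,      # unchanged from v1
        "resources/template.x86.bin": b"\xeb\xfe" * 32,  # changed in v2
        "resources/dnsstager.bin": b"\x00" * 32,         # new in v2
    }),
}
SIGNATURES: Dict[str, FrozenSet[str]] = {
    v: build_signature(j) for v, j in REFERENCE_JARS.items()
}


def classify_sample(sample_jar: bytes) -> Optional[Tuple[str, float]]:
    """Classify one archive against the constructed reference signatures."""
    return identify(sample_jar, SIGNATURES)


if __name__ == "__main__":
    # A sample carrying v2's resources under different member names still matches v2.
    sample = make_jar({
        "resources/a.bin": b"\x90" * 64,
        "resources/b.bin": b"\xeb\xfe" * 32,
        "resources/c.bin": b"\x00" * 32,
    })
    print(classify_sample(sample))  # ('demo-v2', 1.0)
```

The score is the fraction of a reference version's resources found in the sample, so a sample that only carries templates shared across versions lands on the oldest matching release with a low score, and anything below the threshold is reported as unknown rather than forced onto a version.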
