NCA’s Operation Morpheus targets the illegal use of Cobalt Strike

The UK’s National Crime Agency (NCA), together with partner agencies from around the world, including the FBI and authorities from Australia, Canada and the European Union, has taken a series of measures against users of the Cobalt Strike penetration testing tool who misused it for cybercriminal activities.

Operation Morpheus last week targeted 690 known-malicious Cobalt Strike instances (individual IP addresses), hosted at 129 internet service providers (ISPs) in nearly 30 countries. At the time of writing, the NCA coalition had neutralized 593 of them by identifying the servers and notifying the hosting ISPs that they were serving malware, prompting the ISPs to take the instances offline.

Cobalt Strike is a commercial adversary-simulation and red-team tool, created by Raphael Mudge and now owned by Fortra, that is sold and used legally by many. Over the years since its development, however, it has also become a preferred tool of cybercriminals carrying out intrusions.

It is relatively easy for such actors to obtain pirated or unlicensed copies of Cobalt Strike, or to crack older versions, and then use its capabilities (the Beacon implant, command-and-control infrastructure and post-exploitation tooling) to quickly penetrate their victims’ IT systems and networks and carry out ransomware and other attacks.

According to the NCA, unlicensed versions of Cobalt Strike have been used in some of the largest cyber attacks of recent years, including by ransomware operations such as Ryuk and Conti.

“Although Cobalt Strike is legitimate software, cybercriminals have unfortunately exploited it for nefarious purposes,” said Paul Foster, NCA Director of Threat Intelligence. “Illegal versions of it have helped lower the barrier to entry for cybercrime, making it easier for online criminals with little or no technical expertise to launch damaging ransomware and malware attacks. Such attacks can cost organisations millions in losses and recovery.”

“International disruptions like this are the most effective way to weaken the most dangerous cybercriminals by depriving them of the tools and services that support their operations. I would urge any companies that may have been victims of cybercrime to come forward and report such incidents to law enforcement.”

How do I prevent Cobalt Strike from being used against me?

As with many other tools used by cybercriminals, the most important defence IT and security professionals have against Cobalt Strike is to practise, and communicate within their organization, the basics of cybersecurity hygiene.

Beacon, Cobalt Strike’s implant, typically reaches a victim through a spear-phishing or spam email that tricks the recipient into clicking a link or opening a malicious attachment. Once installed, Beacon gives the attacker remote access to the infected host, from which they can move laterally and stage the rest of the attack. Implementing and enforcing email security measures and policies is therefore the first and best line of defence. It is not the only one: Beacon is also commonly dropped as a second-stage payload after initial access gained by other means, so endpoint detection and monitoring of outbound command-and-control traffic are needed as well.

In addition, Fortra is committed to continuing to work with law enforcement and the security industry to identify and remove older versions of the software from the Internet.
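The cracked and unlicensed copies this operation targeted are frequently run with Cobalt Strike’s default settings, which leave recognisable traces in web-proxy logs. Two well-known defaults are the stager URI (four random characters whose 8-bit checksum, the sum of the ASCII codes mod 256, is 92 for x86 and 93 for x64) and the default Malleable C2 profile’s POST check-in URI, `/submit.php?id=<digits>`. The script below is an added example, not code from the original article or from Fortra: it scans constructed proxy log lines (hosts, IPs and timestamps are invented) for these two patterns. The log format and field names are assumptions for the example.

```python
"""Flag web-proxy log lines that match default Cobalt Strike Beacon
staging or check-in patterns.

Added example. The log lines in SAMPLE_LOG are constructed (the hosts,
client IPs and timestamps are invented), and the space-separated format
"timestamp client method url status bytes" is an assumption for this demo.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Default stager URIs are 4 random characters whose 8-bit checksum is
# 92 (x86 payload) or 93 (x64 payload). The checksum is computed over the
# URI with its leading slash removed.
CHECKSUM8_X86 = 92
CHECKSUM8_X64 = 93

# Default Malleable C2 profile: Beacon POSTs check-in data to /submit.php?id=<n>
DEFAULT_POST_URI = re.compile(r"^/submit\.php\?id=\d+$")

# Constructed sample log (not real traffic): timestamp client method url status bytes
SAMPLE_LOG = """\
1719820000.123 10.0.0.5 GET http://203.0.113.10/KUZb 200 210000
1719820001.456 10.0.0.5 POST http://203.0.113.10/submit.php?id=12345 200 64
1719820002.789 10.0.0.7 GET http://example.com/index.html 200 5120
1719820003.012 10.0.0.8 GET http://198.51.100.3/abcd 404 0
1719820004.345 10.0.0.9 GET http://203.0.113.10/KUZc 200 270000
"""


def checksum8(s: str) -> int:
    """8-bit checksum used by the stager: sum of byte values mod 256."""
    return sum(ord(c) for c in s) % 256


def classify_request(method: str, target: str) -> Optional[str]:
    """Return a reason string if (method, path?query) looks like default Beacon
    traffic, otherwise None."""
    # Stager: GET /XXXX where checksum8("XXXX") selects the payload architecture.
    if method == "GET" and len(target) == 5 and target.startswith("/"):
        cs = checksum8(target[1:])
        if cs == CHECKSUM8_X86:
            return "stager-uri-checksum8-x86"
        if cs == CHECKSUM8_X64:
            return "stager-uri-checksum8-x64"
    # Check-in: POST to the default profile's submit URI.
    if method == "POST" and DEFAULT_POST_URI.match(target):
        return "default-profile-post-uri"
    return None


def scan_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse proxy log lines and return one hit record per suspicious request."""
    hits: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, method, url, _status, _nbytes = line.split()
        parts = urlsplit(url)
        target = parts.path + (f"?{parts.query}" if parts.query else "")
        reason = classify_request(method, target)
        if reason:
            hits.append({"client": client, "host": parts.hostname,
                         "target": target, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']}{hit['target']}: {hit['reason']}")
```

Three of the five constructed lines are flagged: the x86 stager fetch (`/KUZb`), the default POST check-in, and the x64 stager fetch (`/KUZc`); `/abcd` has the right length but a checksum of 138 and is left alone. The caveat a practitioner needs: all of these values are trivially changed with a custom Malleable C2 profile, so this logic catches lazy or default deployments, which is precisely the population of cracked, out-of-the-box copies the operation went after, and it should be treated as one signal among several rather than a complete detection.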