
Europol destroys almost 600 IP addresses as part of Cobalt Strike operation • The Register


Europol has announced that a week-long operation in late June took down nearly 600 IP addresses hosting unlicensed copies of Cobalt Strike.

Fortra’s legitimate red teaming tool is notorious for being abused by cybercriminals, who obtain cracked copies and use them in malware and ransomware operations such as Ryuk, Trickbot and Conti.

Europol said the disruption operation, dubbed Operation Morpheus, was the culmination of work that began three years ago and was carried out between 24 and 28 June together with private sector partners.

“Over the course of the week, law enforcement has flagged known IP addresses associated with criminal activity, as well as a number of domain names used by criminal groups, to enable online service providers to disable unlicensed versions of the tool,” it said today.

“A total of 690 IP addresses were reported to online service providers in 27 countries. By the end of the week, 593 of these addresses had been removed.

“This investigation was led by the UK National Crime Agency and involved law enforcement agencies from Australia, Canada, Germany, the Netherlands, Poland and the United States. Europol coordinated the international activities and liaised with the private partners.”

Various private sector partners supported the week-long sprint, including BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch and The Shadowserver Foundation.

Partners used Europol’s Malware Information Sharing Platform (MISP) to submit evidence and threat intelligence that supported the disruption efforts. According to Europol, more than 730 pieces of threat intelligence and nearly 1.2 million indicators of compromise were shared throughout the operation.

“Cobalt Strike is the Swiss Army knife of cybercriminals and state actors,” said Don Smith, vice president of threat intelligence at Secureworks. “Cobalt Strike has long been the preferred tool of cybercriminals, including as a precursor to ransomware. It is also used by state actors such as Russian and Chinese (groups) to facilitate intrusions in cyber espionage campaigns.

“As an entry point, it has proven to be extremely effective in providing victims with a permanent backdoor and enabling intrusion attempts of all kinds. This disruption is welcome; removing the Cobalt Strike infrastructure used by criminals is always a good thing.”

Trellix’s Joao Marques, John Fokker and Leandro Velasco also posted on their blog about their involvement in Operation Morpheus. They said that while the disruption activity will make criminals rethink their use of Cobalt Strike, their telemetry shows that the work has not touched infrastructure hosted in China.

According to that telemetry, 43.85 percent of the Cobalt Strike infrastructure Trellix observes is hosted in China. For comparison, the next largest host country is the United States, with a share of 19.08 percent.

Set that against the country that is most often the target of Cobalt Strike attacks (the United States, with a share of 45.04 percent), and one can make an educated guess as to where the criminals who most abuse Fortra’s tool are located.

“The takedown of the Cobalt Strike infrastructure sends a strong message to cybercriminals and state actors about the impact of malicious cyber activity,” the researchers said.

The NCA said in a statement: “These disruptive measures are the result of more than two and a half years of collaboration between the NCA and international law enforcement agencies and the private sector to identify, monitor and denounce their use.”

While law enforcement acknowledged the “significant steps” Fortra has taken to prevent abuse of its powerful post-exploitation tool, the team at Trellix was not so optimistic.

Marques, Fokker and Velasco said they welcomed Fortra’s cooperation with Operation Morpheus and the measures taken to prevent the misuse of Cobalt Strike, but pointed to ongoing concerns.

“We are very pleased that Fortra, the current owners of Cobalt Strike, cooperated in the operation and are taking more sophisticated measures to prevent the cracking of their software,” they said.

“However, it is important to address Cobalt Strike’s long-standing stance under previous ownership regarding its restrictions on cybersecurity vendors acquiring a license. Many cybersecurity vendors believe this decision has inadvertently fostered a precarious environment in which cybercriminals exploit cracked versions of Cobalt Strike for malicious activities and vendors are unable to defend against their misuse.

“While these new measures are a very good step in the right direction, we want to do more. This situation underscores the need for a broader, collaborative effort to protect organizations from Cobalt Strike abuse. We urge Cobalt Strike to reconsider its policies and work with cybersecurity vendors to improve products and combat abuse of these powerful tools.”

We’ve asked Trellix about the specific issues they’re referring to and will update the article as responses come in.

take two

The Operation Morpheus effort comes just over a year after Microsoft, Fortra and Health-ISAC obtained a court order allowing them to block various IP addresses hosting cracked versions of Cobalt Strike.

That in turn followed a different kind of assistance from Google in the fight against Cobalt Strike abuse. In 2022, the company compiled and open-sourced a set of 165 YARA rules to help organizations quickly detect any of the 34 versions that the Chocolate Factory had identified in circulation at the time.
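Signature rules of that kind work by matching byte patterns that survive across cracked builds. As an added example of the kind of detection logic they encode (this is not code from the page, from Google, Fortra or any of the operation's partners), the Python below locates and decodes a Beacon configuration block. It relies on the publicly documented layout that open-source parsers such as Sentinel-One's CobaltStrikeParser use, not on anything stated on this page: the configuration is a sequence of big-endian TLV entries (2-byte index, 2-byte type, 2-byte length, value), the whole block is XOR-ed with a single-byte key (0x69 in 3.x builds, 0x2e in 4.x builds), and the first entry is always index 1 / type 1 / length 2, so the plaintext block starts with `00 01 00 01 00 02`. The field-name table is a small subset, and the sample blob is constructed for the demonstration.

```python
"""Added example: find and decode a Cobalt Strike Beacon config block.

Assumptions (from public open-source parsers, not from the article):
  * config = big-endian TLV entries: index(2) type(2) length(2) value(length)
  * types: 1 = short (2 bytes), 2 = int (4 bytes), 3 = raw bytes
  * whole block XOR-ed with one byte: 0x69 (CS 3.x) or 0x2e (CS 4.x)
  * first entry is index 1 (BeaconType), so plaintext starts 00 01 00 01 00 02
"""
import struct

XOR_KEYS = (0x69, 0x2E)
HEADER_PLAIN = b"\x00\x01\x00\x01\x00\x02"
TYPE_SHORT, TYPE_INT, TYPE_BYTES = 1, 2, 3
# Subset of the public config indices; enough for the demonstration.
FIELD_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 8: "C2Server"}


def find_config(blob):
    """Return (offset, xor_key) of an encoded config header, or None."""
    for key in XOR_KEYS:
        marker = bytes(b ^ key for b in HEADER_PLAIN)
        off = blob.find(marker)
        if off != -1:
            return off, key
    return None


def parse_config(blob, offset, key, max_entries=64):
    """Decode TLV entries from offset; stop at the zero-index terminator or bad data."""
    data = bytes(b ^ key for b in blob[offset:])
    out, pos = {}, 0
    for _ in range(max_entries):
        if pos + 6 > len(data):
            break
        idx, typ, length = struct.unpack(">HHH", data[pos:pos + 6])
        if idx == 0:
            break  # terminator
        pos += 6
        value = data[pos:pos + length]
        if len(value) < length:
            break  # truncated block
        if typ == TYPE_SHORT and length == 2:
            value = struct.unpack(">H", value)[0]
        elif typ == TYPE_INT and length == 4:
            value = struct.unpack(">I", value)[0]
        elif typ == TYPE_BYTES:
            value = value.rstrip(b"\x00")
        else:
            break  # unknown type/length combination: do not guess
        out[FIELD_NAMES.get(idx, "Field%d" % idx)] = value
        pos += length
    return out


def build_sample(key):
    """Constructed sample: a minimal config, XOR-encoded, surrounded by junk."""
    entries = b"".join([
        struct.pack(">HHH", 1, TYPE_SHORT, 2) + struct.pack(">H", 0),      # BeaconType 0 (HTTP)
        struct.pack(">HHH", 2, TYPE_SHORT, 2) + struct.pack(">H", 443),    # Port
        struct.pack(">HHH", 3, TYPE_INT, 4) + struct.pack(">I", 60000),    # SleepTime (ms)
        struct.pack(">HHH", 8, TYPE_BYTES, 256)
        + b"c2.example.invalid,/ptj".ljust(256, b"\x00"),                  # C2Server (placeholder host)
        b"\x00" * 6,                                                       # terminator
    ])
    encoded = bytes(b ^ key for b in entries)
    return b"MZ" + b"\x90" * 64 + encoded + b"\xcc" * 32


def scan(blob):
    """Return the decoded config plus the key that was used, or None if no header found."""
    hit = find_config(blob)
    if hit is None:
        return None
    off, key = hit
    cfg = parse_config(blob, off, key)
    cfg["XorKey"] = key
    return cfg


if __name__ == "__main__":
    for key in XOR_KEYS:
        print(hex(key), scan(build_sample(key)))
    print(scan(b"a benign blob with no config"))
```

Run on a real sample the approach is the same: search for the XOR-encoded header, decode from that offset, and stop decoding as soon as an entry does not fit the expected TLV shape, which is what keeps a chance six-byte match in unrelated data from producing garbage "fields".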

But when the first round of IP addresses was taken down last year, it was already clear to those involved that this would not be enough.

“While this action will impact the immediate activities of the criminals, we expect they will attempt to resume their efforts,” said Amy Hogan-Burney, general manager of Microsoft’s Digital Crimes Unit at the time. “Our action is therefore not a one-time event.”

Since Fortra (then HelpSystems) bought Cobalt Strike in 2020, the company has gone to some lengths to ensure criminals do not gain access to legitimate versions of its tools. For example, it soon began to thoroughly vet all applicants before granting licenses. However, cracked versions hosted in hard-to-reach countries like China may be difficult to eradicate permanently.

Paul Foster, Director of Threat Intelligence at the National Crime Agency, said: “Although Cobalt Strike is legitimate software, unfortunately cybercriminals have abused it for nefarious purposes.

“Illegal versions of it have helped lower the barrier to entry for cybercrime, making it easier for online criminals to launch malicious ransomware and malware attacks with little or no technical expertise.”

“Such attacks can cost companies millions in losses and recovery costs.”

He urged companies that have fallen victim to cybercrime to “come forward and report such incidents to law enforcement authorities.” ®