Almost 600 servers have already been shut down as part of a joint law enforcement operation led by Europol against hackers’ misuse of legitimate security tools such as Cobalt Strike.
Operation Morpheus was a week of action run from Europol headquarters from 24 to 28 June, coordinated with national law enforcement authorities and private-sector partners.
The operation, led by the UK’s National Crime Agency, involved law enforcement agencies from the UK, Australia, Canada, Germany, the Netherlands, Poland and the United States.
Cobalt Strike is a threat emulation program that provides penetration testers with access to a wide range of attack vectors and replicates the functionality of many common malware strains.
David Ferbrache, managing director of cyber resilience consultancy Beyond Blue, said Cobalt Strike was one of the best examples of hackers abusing legitimate security solutions.
“Cobalt Strike is a prominent example of a legitimate security tool being used for malicious purposes,” he explained.
“When used legitimately, the tool can help identify vulnerabilities in corporate networks. When used maliciously, it can enable remote access to a target, providing both cybercriminals and nation states with the ability to steal sensitive information or carry out further attacks such as ransomware.”
Over the course of the week, the coalition reported known IP addresses and a number of domain names used by criminal groups to online service providers, who were then able to take down unlicensed copies of the tool.
According to a Europol press release, a total of 690 IP addresses in 27 countries were identified, and 593 of them were taken down by the end of the week.
Europol said the coalition used the Malware Information Sharing Platform (MISP) to let private-sector partners share threat information with its investigators in real time.
“Throughout the investigation, over 730 threat intelligence reports were shared, containing nearly 1.2 million indications of compromise,” the report said.
“The disruptions do not end here. Law enforcement will continue to monitor and conduct similar actions as long as criminals abuse older versions of the tool.”
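As an added example (not from the article, Europol or the operation itself), the script below shows the defensive side of the threat-intelligence sharing described above: it loads a MISP-style event export and matches its indicators against outbound connection logs. The event JSON, the log lines and every IP address and domain in them are constructed for illustration; the attribute types `ip-dst`, `ip-dst|port`, `domain` and `hostname` and the `to_ids` flag follow MISP's real attribute schema, and only attributes flagged `to_ids` are used for automated matching.

```python
"""Match a MISP-style indicator feed against outbound connection logs.

Added example, not code from the article or from Europol. All indicators and
log lines are constructed (RFC 5737 documentation ranges, example.* names).
"""
import ipaddress
import json
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed MISP event export; structure mirrors MISP's JSON format.
SAMPLE_MISP_EVENT = json.dumps({
    "Event": {
        "info": "Constructed example: infrastructure reported to providers",
        "Attribute": [
            {"type": "ip-dst", "value": "203.0.113.45", "to_ids": True},
            {"type": "ip-dst", "value": "198.51.100.7", "to_ids": False},
            {"type": "domain", "value": "c2.example.net", "to_ids": True},
            {"type": "hostname", "value": "cdn-update.example.org", "to_ids": True},
            {"type": "ip-dst|port", "value": "192.0.2.10|50050", "to_ids": True},
        ],
    }
})

# Constructed firewall/proxy log lines in key=value form.
SAMPLE_LOG = """\
2024-06-25T10:01:02Z src=10.1.2.3 dst=203.0.113.45 dport=443 host=- action=allow
2024-06-25T10:01:05Z src=10.1.2.3 dst=93.184.216.34 dport=443 host=www.example.com action=allow
2024-06-25T10:02:11Z src=10.1.2.9 dst=192.0.2.10 dport=50050 host=- action=allow
2024-06-25T10:02:40Z src=10.1.2.9 dst=198.51.100.7 dport=80 host=- action=allow
2024-06-25T10:03:00Z src=10.1.2.4 dst=192.0.2.77 dport=443 host=beacon.c2.example.net action=allow
2024-06-25T10:03:30Z src=10.1.2.4 dst=192.0.2.10 dport=443 host=- action=allow
"""

KV = re.compile(r"(\w+)=(\S+)")


def load_indicators(misp_json: str) -> Dict[str, Set]:
    """Build lookup sets from a MISP event, keeping only to_ids attributes."""
    event = json.loads(misp_json)["Event"]
    ind: Dict[str, Set] = {"ip": set(), "ip_port": set(), "domain": set()}
    for attr in event["Attribute"]:
        if not attr.get("to_ids"):
            continue  # analyst did not flag this value as safe for detection
        atype, value = attr["type"], attr["value"].strip().lower()
        if atype == "ip-dst":
            ind["ip"].add(str(ipaddress.ip_address(value)))
        elif atype == "ip-dst|port":
            ip, port = value.split("|", 1)
            ind["ip_port"].add((str(ipaddress.ip_address(ip)), int(port)))
        elif atype in ("domain", "hostname"):
            ind["domain"].add(value.rstrip("."))
    return ind


def parse_line(line: str) -> Dict[str, str]:
    """Split 'timestamp key=value ...' into a dict; timestamp stored as 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def domain_hit(host: Optional[str], domains: Set[str]) -> Optional[str]:
    """Return the matching indicator if host equals or is a subdomain of one."""
    if not host or host == "-":
        return None
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in domains:
            return candidate
    return None


def scan(log_text: str, ind: Dict[str, Set]) -> List[Dict[str, str]]:
    """Return one hit record per log line that touches a flagged indicator."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        dst = f.get("dst", "")
        try:
            port = int(f.get("dport", "-1"))
        except ValueError:
            port = -1
        matched: Optional[Tuple[str, str]] = None
        if dst in ind["ip"]:
            matched = ("ip-dst", dst)
        elif (dst, port) in ind["ip_port"]:
            matched = ("ip-dst|port", f"{dst}|{port}")
        else:
            d = domain_hit(f.get("host"), ind["domain"])
            if d:
                matched = ("domain", d)
        if matched:
            hits.append({"ts": f["ts"], "src": f.get("src", ""),
                         "type": matched[0], "indicator": matched[1], "line": raw})
    return hits


def run_example() -> List[Dict[str, str]]:
    """Scan the constructed log with the constructed indicator set."""
    return scan(SAMPLE_LOG, load_indicators(SAMPLE_MISP_EVENT))


if __name__ == "__main__":
    for h in run_example():
        print(f"{h['ts']} {h['src']} -> {h['type']} {h['indicator']}")
```

Three of the six constructed lines match: a flagged destination IP, a destination IP and port pair, and a subdomain of a flagged domain. The line to `198.51.100.7` is not reported because that attribute is not marked `to_ids`, and the second connection to `192.0.2.10` is not reported because the indicator is scoped to port 50050 only.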
Cobalt Strike not yet completely out of the hands of hackers
Kevin Robertson, COO at Acumen Cyber, explained how Cobalt Strike is often used by threat actors in their attack chains.
“Criminals often use the tool for command and control purposes and to maintain persistence on a target computer. After gaining initial access to an endpoint, they install a Cobalt Strike Beacon to maintain persistence on the network and conduct further attacks.”
Robertson noted that while the shutdown was promising, Operation Morpheus would not put an end to the malicious use of Cobalt Strike.
“This is a major victory for law enforcement, but it will not take Cobalt Strike completely out of the hands of threat actors. With older and malicious versions of the software still available on the Internet, criminals have ample opportunity to continue using the tool for malicious purposes.”
According to Ferbrache, hackers will continue to try to use tools like Cobalt Strike in their attacks, which underscores the importance of monitoring malicious use of legitimate security solutions.
“Attackers will always try to misuse penetration testing and offensive security tools, but Cobalt Strike underscores the need to detect and respond to unauthorized use of such tools at scale.”
Organizations should therefore keep implementing basic cyber hygiene measures across their infrastructure and security teams, and patch their assets carefully.
“This means ensuring that all employees are regularly trained to recognize phishing emails, that all systems are kept up to date with patches, and that we work with security partners who continuously track and collect cyber threat intelligence and who have the knowledge and tools to detect command and control level threats before they do damage.”