Cobalt Strike servers disrupted in major cybercrime operation
'Operation MORPHEUS' targeted unlicensed versions of the legitimate security tool
Law enforcement agencies from around the world, led by the UK's National Crime Agency (NCA), have taken down nearly 600 servers used by cybercriminals to infiltrate victim networks.
The week-long takedown, codenamed "Operation MORPHEUS," targeted unlicensed versions of a legitimate security tool called Cobalt Strike.
Cobalt Strike is a penetration testing tool used by ethical hackers to simulate cyberattacks and identify vulnerabilities in computer systems. However, it has become a weapon of choice for cybercriminals due to its ability to provide persistent remote access to compromised systems.
Cybercriminals deliver unlicensed, cracked versions of Cobalt Strike through spear-phishing or spam emails designed to lure targets into clicking on links or opening malicious attachments.
Once a victim engages with the link or document, a Cobalt Strike 'Beacon' is installed, granting the attacker remote access. This allows them to profile the infected host, download malware or ransomware, and steal data for extortion purposes.
"Since the mid-2010s, pirated and unlicensed versions of the software downloaded by criminals from illegal marketplaces and the dark web have gained a reputation as the 'go-to' network intrusion tool for those seeking to build a cyberattack, allowing them to deploy ransomware at speed and at scale," the NCA said.
Fortra, the developer of Cobalt Strike, has taken steps to prevent the misuse of its software and collaborated with the law enforcement agencies throughout Operation Morpheus to protect the legitimate use of its tools.
Operation Morpheus was initiated in 2021. Over the three-year period, law enforcement shared over 730 pieces of threat intelligence containing nearly 1.2 million indicators of compromise (IOCs).
"Throughout the week, law enforcement flagged known IP addresses associated with criminal activity, along with a range of domain names used by criminal groups, for online service providers to disable unlicensed versions of the tool," Europol said.
"A total of 690 IP addresses were flagged to online service providers in 27 countries. By the end of the week, 593 of these addresses had been taken down."
Europol's European Cybercrime Centre (EC3) played a key role in the operation, facilitating communication and information exchange between law enforcement agencies from Australia, Germany, Canada, Poland, the UK, the Netherlands and the United States.
EC3 organised over 40 coordination meetings and established a virtual command centre during the takedown to ensure global, synchronised action.
The success of Operation Morpheus hinged on collaboration with the private sector. Companies like BAE Systems Digital Intelligence, Spamhaus, Trellix, abuse.ch, and The Shadowserver Foundation provided invaluable assistance. Their expertise in threat detection and analysis helped pinpoint malicious activity associated with Cobalt Strike.
Paul Foster, Director of Threat Leadership at the NCA, said illegal versions of Cobalt Strike "have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise."
"Such attacks can cost companies millions in terms of losses and recovery."
This takedown is not the first attempt to curb the misuse of Cobalt Strike.
In April 2023, Microsoft, Fortra and the US Health Information Sharing and Analysis Center (Health-ISAC) launched a legal offensive against servers hosting cracked copies of the software.
In November 2022, Google open-sourced a collection of IOCs and 165 YARA rules to assist defenders in detecting Cobalt Strike components within their networks.