stokkete - stock.adobe.com

NCA’s Operation Morpheus targets illicit Cobalt Strike use

International law enforcement operation targets cyber criminals using the Cobalt Strike penetration testing framework for dodgy purposes

The UK’s National Crime Agency (NCA), together with partner agencies from around the world, including the FBI and agencies from Australia, Canada and the European Union, has undertaken a series of enforcement actions against users of the Cobalt Strike penetration testing tool who were exploiting it to enable cyber criminal activity.

Operation Morpheus took action last week against 690 individual instances of Cobalt Strike held at 129 internet service providers (ISPs) in almost 30 countries. At the time of writing, the NCA’s coalition has been successful in neutralising 593 of these malicious instances through a combination of taking down servers themselves, and notifying ISPs that they are hosting malware to get them to take action.

Though Cobalt Strike is sold and used legitimately by many – it is, in fact, owned at present by Fortra – over the years since its creation by developer Raphael Mudge it has also become the go-to tool for cyber criminals seeking to build a cyber attack.

For such actors, it is relatively easy to procure pirated or unlicensed versions, or crack older versions, of Cobalt Strike and exploit its capabilities to quickly infiltrate their victims’ IT systems and networks and conduct ransomware and other cyber attacks.

As such, said the NCA, illicit versions of Cobalt Strike have been used in some of the biggest cyber attacks of recent years, as well as by multiple ransomware gangs, including the likes of Ryuk and Conti.

“Although Cobalt Strike is a legitimate piece of software, sadly cyber criminals have exploited its use for nefarious purposes,” said the NCA’s director of threat leadership, Paul Foster. “Illegal versions of it have helped lower the barrier of entry into cyber crime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise. Such attacks can cost companies millions in terms of losses and recovery.

“International disruptions like these are the most effective way to degrade the most harmful cyber criminals, by removing the tools and services which underpin their operations. I would urge any businesses that may have been a victim of cyber crime to come forward and report such incidents to law enforcement.”

How do I stop Cobalt Strike being used against me?

In common with many tools used by cyber criminals, the chief weapon that IT and security pros can use against Cobalt Strike is to pay attention to the basics of cyber security hygiene and communicate these around their organisation.

Cobalt Strike usually arrives via a spear phishing or spam email attempting to get the potential victim to click on a link or open a malicious attachment – which then installs a Cobalt Strike beacon, giving the cyber criminal remote access to the compromised system so that they can get to work. Therefore, implementing and enforcing email security measures and policies is the first and best option.

Additionally, Fortra has further committed to continuing to work with law enforcement and the security industry to identify and remove older versions of the software from the internet.

Read more about Cobalt Strike

  • In 2023, Microsoft, Fortra and the US Health Information Sharing and Analysis Center obtained a court order to curb malicious Cobalt Strike use.
  • Google’s YARA rules detect cracked versions of Cobalt Strike’s older releases so that legitimate instances of the red teaming tool, which use the latest version, aren’t targeted.
  • Cisco Talos researchers spotted a new wave of phishing attacks that target job seekers in the US and New Zealand, infecting them with Cobalt Strike beacons.

Read more on Hackers and cybercrime prevention

CIO
Security
Networking
Data Center
Data Management
Close