Cobalt Strike Crackdown: Global Police Operation Dismantles 600 Malicious Servers
- usareisende
- Jul 7, 2024
- 2 min read
Security tools are an essential part of the internet because they protect the transactions and communication that take place online. They come in many forms, from simple antivirus software installed on a computer to sophisticated tools that test how well a network holds up against different types of attacks.
But what happens when a tool designed to protect is turned against the people it was meant to serve? That is the situation security professionals have faced since Cobalt Strike, a popular adversary-simulation tool, ended up in the wrong hands. Developed by Fortra, Cobalt Strike is a “threat emulation tool for cybersecurity professionals running Adversary Simulations and Red Team operations”. Unfortunately, cracked and unlicensed copies have circulated among criminals, who use them not to test a network's defences but to break into it.
Codename MORPHEUS
To deal with this problem, law enforcement agencies around the world conducted a coordinated operation, codenamed “MORPHEUS”, that took down servers and IP addresses associated with the attacks. According to ThreatDown, the agencies targeted “older, unlicensed Cobalt Strike instances. In total 690 IP addresses were flagged to online service providers in 27 countries. By the end of the week, 593 of these addresses had been taken down.”
Law enforcement did not act alone: private security companies contributed to the operation, with intelligence exchanged through the Malware Information Sharing Platform (MISP). Through the platform, more than a million indicators of compromise pointing to malicious Cobalt Strike activity were shared.
Real World Threat and Cost
Among security tools that can be turned against a network, Cobalt Strike is one of the most capable because it is purpose-built for post-exploitation: once its Beacon payload is running on a compromised host, the operator can control that host remotely, move through the network, harvest credentials and pull out data. Although the copies used in these attacks are older, unlicensed versions, they can still do significant damage, especially to targets that are not hardened against advanced attacks.
The UK’s National Crime Agency describes how it is abused in practice:
“Cyber criminals deploy unlicensed versions of Cobalt Strike via spear phishing or spam emails, which attempt to get a target to click on links or open malicious attachments. When a victim opens the link or document, a Cobalt Strike ‘Beacon’ is installed giving the threat actor remote access, enabling them to profile the infected host, download malware or ransomware and steal data to then extort the victim.”
Because Beacon automates so much of the work that follows the initial compromise, the tool lowers the skill needed to run an intrusion from start to finish. For now, hundreds of the servers behind these attacks have been taken down, but the tool and its cracked copies still exist, so consumers and enterprises have to stay alert to attacks aimed at stealing personal data and more.
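The operation went after older, unlicensed team servers, and those are exactly the copies most likely to still carry Cobalt Strike's default, publicly documented fingerprints. As an added example (not code from the article, from Fortra, or from the agencies involved), the Python below scores constructed observations of a host against three of them: the trailing space that the team server's embedded web server (NanoHTTPD) put after “200 OK” in versions before 3.13, the default self-signed TLS certificate (serial 146473198, CN “Major Cobalt Strike”), and staging URIs whose checksum8 is 92 (x86 stager) or 93 (x64 stager). The `Observation` class, the `score` function and the two sample hosts are assumptions made here for illustration.

```python
"""Heuristics for spotting a default or older Cobalt Strike team server.

Added example, not code from the article or from Fortra. The fingerprints
below are long-public defaults; the observations at the bottom are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Serial and subject of the self-signed TLS certificate Cobalt Strike ships
# with; operators who never replaced it via a Malleable C2 profile keep it.
DEFAULT_CERT_SERIAL = 146473198
DEFAULT_CERT_SUBJECT_MARKERS = ("Major Cobalt Strike", "cobaltstrike")

# Beacon stagers request a path whose bytes (without the leading "/") sum,
# mod 256, to 92 for the x86 stager and 93 for the x64 stager.
CHECKSUM8_X86, CHECKSUM8_X64 = 92, 93

# NanoHTTPD in team servers before 3.13 emitted "200 OK " with a trailing space.
TRAILING_SPACE_STATUS = re.compile(rb"HTTP/1\.[01] 200 OK \r?\n?")


def checksum8(path: str) -> int:
    """Metasploit/Cobalt Strike style checksum8 of a request path."""
    return sum(ord(c) for c in path.lstrip("/")) % 256


@dataclass
class Observation:
    """What a scanner or proxy log would give us about one host (hypothetical schema)."""
    ip: str
    status_line: bytes = b""                 # raw first line of an HTTP response
    cert_serial: Optional[int] = None
    cert_subject: str = ""
    request_paths: List[str] = field(default_factory=list)


def score(obs: Observation) -> List[str]:
    """Return the list of default-fingerprint hits for one host (empty = nothing seen)."""
    hits: List[str] = []
    if TRAILING_SPACE_STATUS.fullmatch(obs.status_line):
        hits.append("trailing-space status line (team server before 3.13)")
    if obs.cert_serial == DEFAULT_CERT_SERIAL:
        hits.append("default TLS certificate serial 146473198")
    if any(marker in obs.cert_subject for marker in DEFAULT_CERT_SUBJECT_MARKERS):
        hits.append("default TLS certificate subject")
    for path in obs.request_paths:
        c = checksum8(path)
        if c in (CHECKSUM8_X86, CHECKSUM8_X64):
            arch = "x86" if c == CHECKSUM8_X86 else "x64"
            hits.append(f"stager URI {path} (checksum8 {c}, {arch})")
    return hits


def scan(observations: List[Observation]) -> Dict[str, List[str]]:
    """Map each observed IP to its fingerprint hits."""
    return {obs.ip: score(obs) for obs in observations}


# Constructed sample data: one host left on all defaults, one ordinary web server.
SUSPECT = Observation(
    ip="198.51.100.7",
    status_line=b"HTTP/1.1 200 OK \r\n",
    cert_serial=146473198,
    cert_subject="C=Earth, ST=Cyberspace, L=Somewhere, O=cobaltstrike, "
                 "OU=AdvancedPenTesting, CN=Major Cobalt Strike",
    request_paths=["/aaa9", "/updates.rss"],
)
BENIGN = Observation(
    ip="203.0.113.5",
    status_line=b"HTTP/1.1 200 OK\r\n",
    cert_serial=12345,
    cert_subject="CN=www.example.com",
    request_paths=["/index.html"],
)

if __name__ == "__main__":
    for ip, hits in scan([SUSPECT, BENIGN]).items():
        print(ip, "->", hits or ["no default Cobalt Strike fingerprints"])
```

All three fingerprints are trivial for an operator to remove (a custom certificate in the Malleable C2 profile, staging disabled, or simply a current release), so a clean result proves nothing; a hit, on the other hand, is a strong lead precisely for the kind of neglected, unlicensed servers the operation targeted.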