Law enforcement agencies from around the world have successfully shut down 593 rogue servers running unauthorized versions of Cobalt Strike, a tool often misused by cybercriminals.
The operation, codenamed “Operation Morpheus,” was spearheaded by the UK’s National Crime Agency (NCA) and coordinated by Europol. Agencies participating included the FBI, Australian Federal Police, and the Royal Canadian Mounted Police.
Cobalt Strike, developed in 2012 by Raphael Mudge and now owned by Fortra, is a legitimate cybersecurity tool designed for penetration testing and red team operations.
It allows security professionals to simulate cyberattacks to identify and mitigate vulnerabilities within networks. However, its powerful capabilities have made it a favorite among cybercriminals who use pirated versions to conduct real attacks, including ransomware and data theft.
The key differences between the legal and illegal use of Cobalt Strike lie in the intent, licensing, deployment methods, and resources used.
While legal use aims to strengthen cybersecurity defenses through authorized and ethical testing, illegal use exploits the tool’s capabilities for malicious purposes, causing significant harm to organizations and individuals.
"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo
International Operation
The week-long operation, which commenced on June 24, 2024, targeted 690 instances of malicious Cobalt Strike software across 129 internet service providers in 27 countries.
By the end of the operation, 593 of these instances had been neutralized through server takedowns and abuse notifications sent to ISPs, alerting them to malware on their networks.
Paul Foster, Director of Threat Leadership at the NCA, emphasized the significance of the operation: “Although Cobalt Strike is a legitimate piece of software, sadly cybercriminals have exploited its use for nefarious purposes. Illegal versions of it have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise”.
Operation Morpheus’s success was largely due to the extensive collaboration between law enforcement and private industry partners.
Companies such as BAE Systems Digital Intelligence, Trellix, Shadowserver, Spamhaus, and Abuse CH played crucial roles in identifying and reporting malicious instances of Cobalt Strike.
The operation also utilized the Malware Information Sharing Platform to share real-time threat intelligence, contributing to the identification of nearly 1.2 million indicators of compromise.
The takedown of these servers is expected to significantly disrupt the operations of cybercriminals who rely on Cobalt Strike for their attacks. However, experts caution that this may only be a temporary setback.
The disruption of illegal Cobalt Strike operations is a multi-faceted effort involving real-time threat intelligence sharing, network scanning, active probing, collaboration with ISPs, direct server takedowns, and international coordination.
Cybercriminals are known for their resilience and ability to adapt quickly, often setting up new infrastructure soon after takedowns.
Fortra, the company behind Cobalt Strike, has committed to continuing its efforts to prevent the abuse of its software. This includes working closely with law enforcement to identify and remove older, unlicensed versions of the tool from the internet.
Operation Morpheus represents a major victory in the ongoing battle against cybercrime.
Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files