
Europol shuts down 593 Cobalt Strike servers used by cybercriminals

Europol coordinated a joint law enforcement action known as Operation Morpheus, which led to the takedown of almost 600 Cobalt Strike servers used by cybercriminals to infiltrate victim networks.

Over the course of a single week in late June, law enforcement identified known IP addresses linked to criminal activity and domain names that were part of the attack infrastructure used by criminal groups.

In the next stage of the operation, the collected information was forwarded to online service providers so that they could disable unlicensed versions of the tool.

“Older, unlicensed versions of the Cobalt Strike Red Teaming tool were targeted in a week-long operation coordinated from Europol headquarters between 24 and 28 June,” Europol said.

“A total of 690 IP addresses were reported to online service providers in 27 countries. By the end of the week, 593 of these addresses had been removed.”

Operation Morpheus involved law enforcement agencies from Australia, Canada, Germany, the Netherlands, Poland and the United States and was led by the UK National Crime Agency.

Private industry partners such as BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch, and The Shadowserver Foundation also offered their support during this international law enforcement operation, providing assistance with enhanced scanning, telemetry, and analysis capabilities that identified Cobalt Strike servers used in cybercrime campaigns.

This destabilising action coordinated by Europol is the culmination of a complex investigation that began three years ago in 2021.

“Threat intelligence containing almost 1.2 million vulnerability indicators was made available throughout the investigation,” Europol added.

“In addition, Europol’s EC3 organised over 40 coordination meetings between law enforcement and private partners. During the week of action, Europol set up a virtual command post to coordinate law enforcement efforts worldwide.”

Used in ransomware attacks and cyber espionage campaigns

In April 2023, Microsoft, Fortra, and the Health Information Sharing and Analysis Center (Health-ISAC) also announced broad legal action against servers hosting hacked copies of Cobalt Strike, one of the primary hacking tools used by cybercriminals.

Cobalt Strike was released by Fortra (formerly HelpSystems) more than a decade ago as a legitimate commercial penetration testing tool for red teams to scan network infrastructure for vulnerabilities. However, threat actors have obtained cracked copies of the software, making it one of the most commonly used tools in data theft and ransomware attacks.

Attackers leverage Cobalt Strike post-exploitation to deploy beacons that provide persistent remote access to compromised networks and help steal sensitive data or drop additional malicious payloads.

Microsoft says various cybercriminal actors and state-backed hacking groups acting on behalf of foreign governments such as Russia, China, Vietnam, and Iran are using hacked versions of Cobalt Strike.

In November 2022, the Google Cloud Threat Intelligence team open-sourced a set of indicators of compromise (IOCs) and 165 YARA rules to help defenders detect Cobalt Strike components in their networks.
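Indicator feeds like the one mentioned above are only useful once they are matched against a network's own telemetry. The script below is an added example of that defender-side matching pass; it is not code from the article, from Google Cloud, or from any of the organisations named. The indicator list and the log lines are constructed placeholders drawn from RFC 5737 documentation IP ranges and RFC 2606 reserved domains, and the log format is an assumed one-line-per-event layout, not a real product's format.

```python
"""Match constructed proxy/DNS log lines against a constructed IoC list.

Added example, not code from the article or from any named organisation.
All indicator values and log lines are constructed placeholders, not real
Cobalt Strike infrastructure.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicators in the (value, kind) shape a published feed might
# carry. Values are RFC 5737 / RFC 2606 placeholders, not real IoCs.
CONSTRUCTED_IOCS = [
    ("192.0.2.10", "ip"),
    ("198.51.100.0/24", "cidr"),
    ("c2.example.net", "domain"),
]

# Constructed log lines (assumed format): timestamp, source host, event
# kind, and the destination IP:port or queried domain name.
CONSTRUCTED_LOGS = """\
2024-06-24T10:01:02Z ws-17 dns query cdn.example.org
2024-06-24T10:01:05Z ws-17 dns query beacon.c2.example.net
2024-06-24T10:01:06Z ws-17 conn 198.51.100.77:443
2024-06-24T10:02:10Z srv-03 conn 203.0.113.5:443
2024-06-24T10:03:44Z ws-22 conn 192.0.2.10:8080
2024-06-24T10:04:00Z ws-22 dns query notc2.example.net
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (dns query|conn) (\S+)$")


@dataclass(frozen=True)
class Hit:
    line_no: int
    host: str
    observable: str
    indicator: str


def _compile(iocs):
    """Split the feed into exact IPs, CIDR networks and domain names."""
    ips, nets, domains = set(), [], set()
    for value, kind in iocs:
        if kind == "ip":
            ips.add(ipaddress.ip_address(value))
        elif kind == "cidr":
            nets.append(ipaddress.ip_network(value))
        elif kind == "domain":
            domains.add(value.lower())
    return ips, nets, domains


def match_ip(addr, ips, nets):
    """Return the matching indicator (IP or CIDR) for an address, else None."""
    a = ipaddress.ip_address(addr)
    if a in ips:
        return str(a)
    for net in nets:
        if a in net:
            return str(net)
    return None


def match_domain(name, domains):
    """Exact match or a subdomain of an indicator, checked on label
    boundaries so that notc2.example.net does not match c2.example.net."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan(log_text, iocs=CONSTRUCTED_IOCS):
    """Return a Hit for every log line whose destination matches an IoC."""
    ips, nets, domains = _compile(iocs)
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip, a real pipeline would count it
        _ts, host, kind, target = m.groups()
        if kind == "conn":
            # Constructed logs use IPv4 "addr:port"; IPv6 would need brackets.
            ind = match_ip(target.rsplit(":", 1)[0], ips, nets)
        else:
            ind = match_domain(target, domains)
        if ind:
            hits.append(Hit(n, host, target, ind))
    return hits


if __name__ == "__main__":
    for h in scan(CONSTRUCTED_LOGS):
        print(f"line {h.line_no}: {h.host} -> {h.observable} matches {h.indicator}")
```

Running it flags the DNS query for a subdomain of the listed domain, the connection into the listed /24, and the connection to the listed address, while the near-miss domain and the unlisted address produce nothing. The label-boundary check in `match_domain` is the part most often done wrong with a plain substring test.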