
Global police operation shuts down 600 cybercrime servers linked to Cobalt Strike attack

A coordinated law enforcement operation codenamed MORPHEUS led to the shutdown of nearly 600 servers that were used by cybercriminals and formed part of the attack infrastructure linked to Cobalt Strike.

According to Europol, the crackdown, carried out from 24 to 28 June, targeted older, unlicensed versions of the Cobalt Strike red teaming tool.

Of the 690 IP addresses that were flagged to online service providers in 27 countries as linked to criminal activity, 590 are no longer accessible.

The joint operation, which began in 2021, was led by the UK’s National Crime Agency (NCA) and involved officers from Australia, Canada, Germany, the Netherlands, Poland and the United States, with additional support from officials from Bulgaria, Estonia, Finland, Lithuania, Japan and South Korea.

Cobalt Strike is a popular adversary simulation and penetration testing tool from Fortra (formerly HelpSystems) that offers IT security experts a way to identify weaknesses in security operations and incident response.

However, as Google and Microsoft have previously noted, cracked versions of the software have ended up in the hands of malicious actors, who have repeatedly used them for post-exploitation purposes.

According to a recent report by Palo Alto Networks Unit 42, this abuse involves a payload called Beacon, which uses text-based profiles called Malleable C2 to change the characteristics of its network traffic and avoid detection.

“While Cobalt Strike is legitimate software, unfortunately cybercriminals are exploiting its use for nefarious purposes,” Paul Foster, NCA’s chief threat officer, said in a statement.

“Illegal versions have helped lower the barrier to entry into cybercrime, making it easier for cybercriminals to launch malicious ransomware and malware attacks with little or no technical knowledge. Such attacks can cost businesses millions in losses and recovery.”

The news comes after Spanish and Portuguese law enforcement arrested 54 people on suspicion of committing crimes against the elderly through vishing scams, in which the suspects posed as bank employees and, under the pretext of fixing a problem with the victims’ accounts, tricked them into providing their personal information.

Details were then passed on to other members of the criminal network, who would visit victims’ homes unannounced and pressure them to hand over their credit cards, PINs and bank details. In some cases, cash and jewellery were also stolen.

Ultimately, the scheme allowed the criminals to take control of the victims’ bank accounts or make unauthorized cash withdrawals from ATMs, as well as other expensive purchases.

“Using a mix of fraudulent phone calls and social engineering, the criminals are responsible for losses of €2.5 million,” Europol reported earlier this week.

“The funds were deposited into multiple Spanish and Portuguese accounts controlled by the fraudsters, from where they were transferred into a complex money laundering scheme. An extensive network of money mules, overseen by specialist members of the organisation, was used to conceal the origin of the illicit funds.”

The arrests follow similar operations by INTERPOL to dismantle human trafficking rings in several countries, including Laos, where scores of Vietnamese nationals were lured with promises of well-paid work and then persuaded to set up fake online accounts to commit financial fraud.

“Victims worked 12-hour days, extended to 14 if they failed to recruit others, and their documents were confiscated,” the agency reported. “Families were blackmailed for up to $10,000 to ensure their return to Vietnam.”

Last week, INTERPOL reported the seizure of assets worth $257 million and the freezing of 6,745 bank accounts as part of a global police operation spanning 61 countries aimed at disrupting online fraud and organised crime networks.

The exercise, known as Operation First Light, targeted phishing, investment fraud, fake online shopping sites, romance and impersonation scams. It led to the arrest of 3,950 suspects and the identification of 14,643 other potential suspects across all continents.
