Global Police Operation Shuts Down 600 Cybercrime Servers Linked to Cobalt Strike

A coordinated law enforcement operation, codenamed MORPHEUS, has dismantled nearly 600 servers used by cybercriminal groups as part of an infrastructure associated with Cobalt Strike. The operation targeted older, unlicensed versions of the Cobalt Strike red teaming framework between June 24 and 28, according to Europol. Out of 690 IP addresses flagged to online service providers in 27 countries for criminal activity, 590 are now inaccessible.

The joint operation, initiated in 2021, was led by the U.K. National Crime Agency (NCA) and included authorities from Australia, Canada, Germany, the Netherlands, Poland, and the U.S., with additional support from Bulgaria, Estonia, Finland, Lithuania, Japan, and South Korea. Cobalt Strike, developed by Fortra (formerly Help Systems), is a popular adversary simulation and penetration testing tool used by IT security experts to identify security weaknesses and improve incident response.

However, as noted by Google and Microsoft, cracked versions of the software have been misused by malicious actors for post-exploitation purposes. “Cobalt Strike is the Swiss army knife of cybercriminals and nation-state actors,” Don Smith, vice president of threat intelligence at SecureWorks, said in a statement shared with The Hacker News. “Cobalt Strike has long been the tool of choice for cyber criminals, including as a precursor to ransomware. It is also used by nation-state actors, such as those from Russia and China, to facilitate intrusions in cyber espionage campaigns. It has proven highly effective at providing a persistent backdoor to victims”.

Data from Trellix shows that the U.S., India, Hong Kong, Spain, and Canada account for over 70% of the countries targeted by threat actors using Cobalt Strike. Most of the Cobalt Strike infrastructure is hosted in China, the U.S., Hong Kong, Russia, and Singapore.

According to a recent report from Palo Alto Networks Unit 42, the misuse centers on Cobalt Strike’s post-exploitation payload, Beacon, which uses text-based profiles called Malleable C2 to alter the characteristics of its web traffic and evade detection. “Although Cobalt Strike is legitimate software, cybercriminals have exploited it for nefarious purposes,” Paul Foster, director of threat leadership at the NCA, said in a statement. “Illegal versions have lowered the barrier to entry into cybercrime, making it easier for criminals to launch damaging ransomware and malware attacks with little or no technical expertise. Such attacks can cost companies millions in losses and recovery”.

In related news, Spanish and Portuguese law enforcement have arrested 54 people for crimes against elderly citizens through vishing schemes, posing as bank employees and tricking victims into giving personal information under the guise of rectifying account issues. The criminals then used this information to visit victims’ homes, pressuring them to hand over credit cards, PIN codes, and bank details. Some instances involved the theft of cash and jewelry.

This scheme allowed the criminals to take control of victims’ bank accounts or make unauthorized cash withdrawals and purchases. “Using fraudulent phone calls and social engineering, the criminals caused €2,500,000 in losses,” Europol said. “The funds were deposited into multiple accounts controlled by the fraudsters, then funneled through an elaborate money laundering scheme using a network of money mules”.
