A joint law enforcement operation led by Europol targeting the abuse of legitimate security tools like Cobalt Strike by hackers has shuttered almost 600 servers already.
Operation Morpheus constituted a week of action conducted across various national crime agencies and the private sector, and coordinated from Europol’s headquarters between 24 and 28 June.
Law enforcement authorities from the UK, Australia, Canada, Germany, the Netherlands, Poland, and the United States, and took part in the operation, which was led by the UK’s National Crime Agency.
Cobalt Strike is a threat emulation program that allows penetration testers access a wide variety of attack capabilities and recreate the functionality of many popular strains of malware.
David Ferbrache, managing director of cyber resilience consultancy Beyond Blue, commented that Cobalt Strike is one of the best examples of legitimate security solutions being abused by hackers.
“Cobalt Strike is a high-profile example of a legitimate security tool being used for malicious purposes,” he explained.
“When used legitimately, the tool can help identify weaknesses in enterprise networks. When used maliciously, it can enable remote access to a target, providing an opportunity for cyber criminals and nation states alike to steal sensitive information or carry out further attacks, such as ransomware.”
Over the course of the week, the coalition flagged known IP addresses as well as a series of domain names operated by criminal groups to online service providers, who could then disable any unlicensed versions of the tool.
According to a press release shared by Europol, in total, 690 IP addresses in 27 countries were identified, with 593 of these addresses being taken down by the end of the week’s activity.
Europol noted the coalition used a platform known as the Malware Information Sharing Platform to allow the private sector to share real-time threat intelligence with their agents.
“Over the span of the whole investigation, over 730 pieces of threat intelligence were shared containing almost 1.2 million indicators of compromise,” it reported.
“The disruption does not end here. Law enforcement will continue to monitor and carry out similar actions as long as criminals keep abusing older versions of the tool.”
Cobalt Strike not completely taken out of hackers’ hands
Kevin Robertson, COO at Acumen Cyber, outlined how Cobalt Strike is frequently deployed by threat actors in their attack chains.
“Criminals often use the tool for command and control and to maintain persistence on a target machine. After gaining initial access to an endpoint, then they will install a Cobalt Strike Beacon to maintain persistence on the network and carry out further attacks.”
Robertson cautioned that while the takedown is promising, Operation Morpheus will not put an end to malicious uses of Cobalt Strike.
“This is a big win for law enforcement, but it won’t completely take Cobalt Strike out of the hands of threat actors. With older and malicious versions of the software still available on the internet, criminals have plenty of opportunity to continue using the tool for malicious purposes.”
Ferbrache said hackers will continue to look to leverage tools like Cobalt Strike in their attacks, which emphasizes the importance of monitoring malicious use of legitimate security solutions.
“Attackers will always seek to repurpose penetration testing and offensive security tools, but Cobalt Strike reinforces the need to detect and respond to unauthorized use of such tools at scale.”
As such, enterprises should continue to ensure they are implementing cyber essentials across their infrastructure and security teams, Robertson added, as well as diligently patching their assets.
“This means ensuring all employees are regularly trained to identify phishing emails, keeping all systems updated with patches and working with security partners that continually track and gather cyber threat intelligence, and have knowledge and tools to identify command and control threats before they cause harm.”