600 Cybercrime Servers Linked To Cobalt Strike Shutdown
Recent news reports have brought to light a law enforcement operation codenamed MORPHEUS. The operation was conducted against threat actors using the Cobalt Strike tool as part of their attack infrastructure and has led to the shutdown of 600 cybercrime servers.
In this article, we’ll explore what Cobalt Strike is, why it’s useful to attackers, and the details of the server shutdown operation.
What Is Cobalt Strike?
Cobalt Strike is a cybersecurity tool developed by Fortra. The tool is designed to help cybersecurity professionals conduct attack simulations, allowing them to uncover vulnerabilities. Insight derived from such simulations can then be used to improve security posture and reduce exposure to risk.
Spear-phishing, gaining unauthorized access, and emulating various kinds of malware are a few examples of the attack simulations conducted with Cobalt Strike. While the primary use of the tool is penetration testing and threat simulation, its capabilities can also be harnessed by threat actors for malicious purposes.
Why Is Cobalt Strike Useful?
This threat emulation program, if exploited by threat actors, is useful to them because it allows them to:
- Launch and execute payloads.
- Bypass two-factor authentication.
- Collaborate and communicate in real time.
- Discover which client-side server the target is using.
- Launch a variety of attacks, including trojans, drive-by downloads, social engineering attacks, and more.
Apart from these capabilities, the Cobalt Strike Beacon module is also paramount to threat actors. This module is a lightweight backdoor that allows the operator to control a compromised system through remote access.
In addition, it generates few network indicators and offers flexible communication options, making it hard to detect. The module allows threat actors to execute commands, upload and download files, and spawn processes, making it a highly attractive option for their attack arsenal.
Furthermore, this Cobalt Strike module also comes with post-exploitation capabilities. These capabilities aid threat actors in increasing the stealth of their attacks, allowing them to maintain persistence on compromised devices.
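The paragraphs above say Beacon is hard to detect because it leaves few network indicators and its communications are configurable. One of the few indicators a defender can check for in ordinary web-server logs is the well-known default of Cobalt Strike's HTTP stager (the small first-stage downloader that fetches Beacon): it requests a short random URI whose "checksum8" (the sum of the path's bytes modulo 256) is 92 for the x86 stager and 93 for the x64 stager, a convention inherited from Metasploit. The script below is an added example written for this article, not code from the page or from Fortra; it assumes the four-character default path length, and the log lines and IP addresses in it are constructed, not real traffic.

```python
import re
from typing import Dict, List, Optional

# Default checksum8 values of Cobalt Strike's HTTP stager URIs
# (inherited from Metasploit's reverse_http stagers).
CHECKSUM8_X86 = 92
CHECKSUM8_X64 = 93

# Assumption: the default stager path is four characters ("/abcd"). Any
# random path hits 92 or 93 about once in 128 tries, so without this
# length restriction the heuristic would be far too noisy.
STAGER_PATH_LEN = 4

# Constructed regex for the Apache/nginx "combined" log format; it is
# written to match the sample lines below, not every log variant.
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def checksum8(path: str) -> int:
    """Sum of the bytes of the URI path, without its leading slash, mod 256."""
    return sum(path.lstrip("/").encode("latin-1")) % 256


def classify_path(path: str) -> Optional[str]:
    """Return 'x86' or 'x64' if the path looks like a default stager URI, else None."""
    stripped = path.lstrip("/").split("?", 1)[0]
    if len(stripped) != STAGER_PATH_LEN or not stripped.isalnum():
        return None
    c = checksum8(stripped)
    if c == CHECKSUM8_X86:
        return "x86"
    if c == CHECKSUM8_X64:
        return "x64"
    return None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse web-server log lines and return the requests matching the heuristic."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        arch = classify_path(m["path"])
        if arch:
            hits.append({"src": m["src"], "ts": m["ts"], "path": m["path"], "arch": arch})
    return hits


# Constructed sample log lines. The two four-character paths were chosen so
# that their checksum8 values are 92 and 93 respectively.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Jun/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Jun/2024:10:01:09 +0000] "GET /api/v1/users HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [27/Jun/2024:10:02:41 +0000] "GET /VcaB HTTP/1.1" 200 220000 "-" "Mozilla/5.0 (compatible; MSIE 9.0)"',
    '198.51.100.77 - - [27/Jun/2024:10:03:15 +0000] "GET /VcaC HTTP/1.1" 200 290000 "-" "Mozilla/5.0 (compatible; MSIE 9.0)"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} requested {hit['path']}: possible {hit['arch']} stager URI")
```

Run against the sample, the scan flags only the two short paths and ignores the ordinary requests. Because this checks a default, it is only a starting point: the flexible communication options the article mentions mean an operator can change the URI scheme, so a miss here proves nothing, and a hit on a busy server still needs to be confirmed against the response size and the requesting host before it is treated as a compromise.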
Cobalt Strike Malware Shutdown
The crackdown against the Cobalt Strike servers was led by the United Kingdom’s (UK) National Crime Agency (NCA). Alongside the NCA, agencies from Australia, Canada, Germany, the Netherlands, Poland, and the United States (US) were also involved in the operation. Commenting on the shutdown, Paul Foster, the NCA’s threat leadership director, said:
“Illegal versions of it have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise. Such attacks can cost companies millions in terms of losses and recovery. I would urge any businesses that may have been a victim of cyber crime to come forward and report such incidents to law enforcement.”
The operation took place between June 24th and June 28th and targeted unlicensed versions of the tool that were being used for malicious purposes. According to recent reports, the operation owed its success to collaboration with private industry partners and support from Europol’s EC3.
This collaborative strategy has strengthened Europe’s resilience against cyber threats in the digital ecosystem. As a result of the effort, 590 of the 690 IP addresses that were flagged for criminal activity are no longer accessible. A key lesson here is that private and public organizations must collaborate to fight cyber threats.
Conclusion
Operation MORPHEUS exemplifies the power of global collaboration in cybersecurity. The unified efforts between the public and private sectors have effectively dismantled sophisticated cybercrime infrastructures. This success underscores the importance of continued cooperation and the use of robust security protocols to protect the digital ecosystem from malicious threats.
The sources for this piece include The Hacker News and Readwrite.