An international coalition of law enforcement agencies and entities from the private sector has taken the fight to criminals abusing Cobalt Strike.

In an operation dubbed “Morpheus”, led by the UK National Crime Agency (NCA), and involving law enforcement agencies from Australia, Canada, Germany, the Netherlands, Poland and the United States, hundreds of individual instances of malicious Cobalt Strike addresses were taken offline.

The operation looked for older, unlicensed Cobalt Strike instances. In total 690 IP addresses were flagged to online service providers in 27 countries. By the end of the week, 593 of these addresses had been taken down.

Over the time span of the operation, which started in September 2021, over 730 pieces of threat intelligence were shared, containing almost 1.2 million indicators of compromise (IoCs).

Cobalt Strike is a popular commercial tool provided by the cybersecurity software company Fortra. It was designed to help legitimate IT security experts perform attack simulations that identify weaknesses in security operations and incident responses. However, the tool was so good at its job, criminals began to use it during real attacks.

In fact, if you were to compose a list of tools and software developed by security and privacy defenders that ended up being abused by the bad guys, then Cobalt Strike would be very near the top of the list. In the wrong hands, unlicensed copies of Cobalt Strike can provide a cybercriminal with a wide range of attack capabilities.

Paul Foster, Director of Threat Leadership at the National Crime Agency, said:

Illegal versions of [Cobalt Strike] have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise. Such attacks can cost companies millions in terms of losses and recovery.

Cybercriminals use unlicensed Cobalt Strike instances by tricking targets into installing a Cobalt Strike ‘Beacon’ which provides them with remote access to an affected system. From there, criminals can build out their presence on the environment, moving laterally, stealing data, and deploying malware, such as ransomware.

Useful as it is, the disruption is unlikely to have a lasting impact. There are plenty of other, similar tools available—both open source and cracked versions of legitimate software.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
• Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.