A coordinated law enforcement operation codenamed MORPHEUS has felled close to 600 servers that were used by cybercriminal groups and were part of an attack infrastructure associated with the Cobalt Strike tool.
The crackdown targeted older, unlicensed versions of the Cobalt Strike red teaming framework between June 24 and 28, according to Europol.
Of the 690 IP addresses that were flagged to online service providers in 27 countries as associated with criminal activity, 590 are no longer accessible.
The joint operation, which commenced in 2021, was led by the U.K. National Crime Agency (NCA) and involved authorities from Australia, Canada, Germany, the Netherlands, Poland, and the U.S. Officials from Bulgaria, Estonia, Finland, Lithuania, Japan, and South Korea provided additional support.
Cobalt Strike is a popular adversary simulation and penetration testing tool developed by Fortra (formerly Help Systems), offering IT security experts a way to identify weaknesses in security operations and incident responses.
However, as previously observed by Google and Microsoft, cracked versions of the software have found their way into the hands of malicious actors, who have time-and-again abused it for post-exploitation purposes.
“Cobalt Strike is the Swiss army knife of cybercriminals and nation-state actors,” Don Smith, vice president of threat intelligence at SecureWorks, said in a statement shared with The Hacker News.
“Cobalt Strike has long been the tool of choice for cyber criminals, including as a precursor to ransomware. It is also deployed by nation state actors, e.g., Russian and Chinese, to facilitate intrusions in cyber espionage campaigns. Used as a foothold, it has proven to be highly effective at providing the persistent back door to victims.”
Data shared by Trellix shows that the U.S., India, Hong Kong, Spain, and Canada account for over 70% of the countries targeted by threat actors using Cobalt Strike. A majority of the Cobalt Strike infrastructure is hosted in China, the U.S., Hong Kong, Russia, and Singapore.
According to a recent report from Palo Alto Networks Unit 42, attacks involving the tool make use of a payload called Beacon, which uses text-based profiles called Malleable C2 to alter the characteristics of Beacon’s web traffic in an attempt to avoid detection.
“Although Cobalt Strike is a legitimate piece of software, sadly cybercriminals have exploited its use for nefarious purposes,” Paul Foster, director of threat leadership at the NCA, said in a statement.
“Illegal versions of it have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise. Such attacks can cost companies millions in terms of losses and recovery.”
The development comes as Spanish and Portuguese law enforcement have arrested 54 people for committing crimes against elderly citizens through vishing schemes by posing as bank employees and tricking them into parting with personal information under the guise of rectifying a problem with their accounts.
The details were then passed on to other members of the criminal network, who would visit the victims’ homes unannounced and pressure them into giving away their credit cards, PIN codes, and bank details. Some instances also involved the theft of cash and jewelry.
The criminal scheme ultimately enabled the miscreants to take control of the targets’ bank accounts or make unauthorized cash withdrawals from ATMs and other expensive purchases.
“Using a blend of fraudulent phone calls and social engineering, the criminals are responsible for €2,500,000 in losses,” Europol said earlier this week.
“The funds were deposited into multiple Spanish and Portuguese accounts controlled by the fraudsters, from where they were funneled into an elaborate money laundering scheme. An extensive network of money mules overseen by specialist members of the organization was used to disguise the origin of the illicit funds.”
The arrests also follow similar action undertaken by INTERPOL to dismantle human trafficking rings in several countries, including Laos, where several Vietnamese nationals were lured with promises of high-paying jobs, only to be coerced into creating fraudulent online accounts for financial scams.
“Victims worked 12-hour workdays, extended to 14 hours if they failed to recruit others, and had their documents confiscated,” the agency said. “Families were extorted up to USD $10,000 to secure their return to Vietnam.”
Last week, INTERPOL said it also seized $257 million worth of assets and froze 6,745 bank accounts following a global police operation spanning 61 countries that was conducted to disrupt online scam and organized crime networks.
The exercise, referred to as Operation First Light, targeted phishing, investment fraud, fake online shopping sites, romance, and impersonation scams. It led to the arrest of 3,950 suspects and identified 14,643 other possible suspects in all continents.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.