The National Crime Agency is leading an international operation to degrade illegal versions of Cobalt Strike

The National Crime Agency has coordinated a global crackdown on illegal software that cybercriminals have used for more than a decade to infiltrate victims’ IT systems and carry out attacks.

Unlicensed versions of Cobalt Strike, a penetration testing tool used to check corporate network vulnerabilities and improve cyber security, were targeted during a week of action last week (t/c June 24).

Since the mid-2010s, pirated and unlicensed versions of the software, downloaded by criminals from illegal marketplaces and the dark web, have gained a reputation as a network intrusion tool for those looking to carry out a cyberattack, allowing them to deploy ransomware at speed and scale.

Because of the range of tools, free training manuals and videos that accompany legitimate versions of the software, those who adopt it for criminal purposes need little sophistication or money.

The disruption represents more than two and a half years of international law enforcement and private industry collaboration, led by the NCA, to identify, track and degrade its use.

Action was taken against 690 individual instances of the Cobalt Strike malware hosted at 129 ISPs in 27 countries. By the end of the week, 593 of these addresses had been taken down.

This was achieved by the NCA and law enforcement partners taking down servers and amplifying "abuse notifications" from law enforcement and private industry partners, which highlighted to service providers that they may be hosting malware.

Illegal versions of Cobalt Strike have been found to have been used in some of the biggest cyber incidents in recent times. Its use has also been identified in numerous malware and ransomware investigations, including investigations into the RYUK, Trickbot and Conti attacks.

The operation was carried out together with Europol, which assisted with international coordination, the FBI, the Australian Federal Police, the Royal Canadian Mounted Police, the German Federal Criminal Police Office (Bundeskriminalamt), the Dutch National Police (Politie) and the Polish Central Cybercrime Office.

A number of private industry partners, including BAE Systems Digital Intelligence, Trellix, Shadowserver, Spamhaus and abuse.ch, also supported law enforcement in identifying malicious instances and the use of Cobalt Strike by cybercriminals.

Using the Malware Information Sharing Platform (MISP), private sector organisations shared real-time threat information with law enforcement agencies. More than 730 pieces of threat intelligence containing nearly 1.2 million indicators of compromise were shared.

Cybercriminals deploy unlicensed versions of Cobalt Strike through spear phishing or spam emails that attempt to trick the target into clicking on links or opening malicious attachments. When the victim opens the link or document, the Cobalt Strike “Beacon” is installed, giving the threat actor remote access and allowing them to profile the infected host, download malware or ransomware, and steal data to blackmail the victim.

Paul Foster, Director of Threat Leadership at the National Crime Agency, said: "While Cobalt Strike is legitimate software, unfortunately cybercriminals have misused it for nefarious purposes.

“Illegitimate versions have helped lower the barrier to entry for cybercrime, making it easier for online criminals to launch malicious ransomware and malware attacks with little or no technical expertise.

“Such attacks can cost companies millions in losses and recovery.

"International disruptions like this are the most effective way to disable the most malicious cybercriminals by removing the tools and services that support their operations.

“I would encourage all businesses that may have been victims of cybercrime to come forward and report such incidents to law enforcement.”

Fortra, the owners of Cobalt Strike, will continue to work with law enforcement to identify and remove older and malicious versions of the program from the Internet.

July 3, 2024
