
Shweta Sharma
Senior Writer

Europol disrupts about 600 abusive Cobalt Strike servers

News | Jul 04, 2024 | 3 mins
Hacking, Penetration Testing

The coordinated operation took down 593 IP addresses, which were flagged for abuse of the legitimate pen-testing software.

A slew of IP addresses associated with the abuse of Fortra’s legitimate red teaming tool, Cobalt Strike, have been taken down by a coordinated law enforcement operation dubbed “Morpheus.”

The Europol-led operation between June 24 and 28 targeted older, unlicensed versions of the tool and flagged abusive IP addresses operating from multiple countries.

“Law enforcement has teamed up with the private sector to fight against the abuse of a legitimate security tool by criminals who were using it to infiltrate victims’ IT systems,” Europol said in a press statement. “Known as Operation MORPHEUS, this investigation was led by the UK National Crime Agency and involved law enforcement authorities from Australia, Canada, Germany, the Netherlands, Poland and the United States.”

The operation also involved support from a number of private partners, including BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch, and The Shadowserver Foundation, the statement added.

Massive global disruption

By the end of the week of Operation Morpheus, 593 IP addresses were taken down in connection with Cobalt Strike’s criminal abuse.

“Throughout the week, law enforcement flagged known IP addresses associated with criminal activity, along with a range of domain names used by criminal groups, for online service providers to disable unlicensed versions of the tool,” according to the statement. “A total of 690 IP addresses were flagged to online service providers in 27 countries.”

Since September 2021, Europol’s European Cybercrime Centre (EC3) has assisted the operation with analytical and forensic support and has enabled information exchange among all partners. Additionally, law enforcement operated a “malware information sharing platform,” inviting private partners to add real-time threat intelligence to the effort.

“Over the span of the whole investigation, over 730 pieces of threat intelligence were shared containing almost 1.2 million indicators of compromise,” Europol added. “The disruption does not end here. Law enforcement will continue to monitor and carry out similar actions as long as criminals keep abusing older versions of the tool.”

Frequently abused pen-tester

The commercial pen-testing tool, originally designed for red teaming and adversary simulations, has repeatedly been abused by cybercriminals to carry out attacks or to package malware that is hard to detect. The most significant of these abuses was the SolarWinds supply chain attack reported in December 2020, in which attackers dropped a customized Cobalt Strike Beacon through legitimate Orion platform updates.

Cobalt Strike has also been used by many known threat actors in their high-profile campaigns. A few of its frequent abusers include the Ryuk ransomware group, Hafnium nation-state actors, and FIN7. Additionally, modified versions of the tool have been incorporated into well-known malware families such as Emotet and TrickBot for lateral movement and data exfiltration within compromised systems.