International Operation Takes Down 593 Malicious Cobalt Strike Servers

Law enforcement agencies from around the world have successfully shut down 593 rogue servers running unauthorized versions of Cobalt Strike, a tool often misused by cybercriminals.
Cobalt Strike, developed in 2012 by Raphael Mudge and now owned by Fortra, is a legitimate cybersecurity tool designed for penetration testing and red team operations.
It allows security professionals to simulate cyberattacks to identify and mitigate vulnerabilities within networks.
Its powerful capabilities have made it a favorite among cybercriminals who use pirated versions to conduct real attacks, including ransomware and data theft.
The key differences between the legal and illegal use of Cobalt Strike lie in the intent, licensing, deployment methods, and resources used.
While legal use aims to strengthen cybersecurity defenses through authorized and ethical testing, illegal use exploits the tool's capabilities for malicious purposes, causing significant harm to organizations and individuals.
The week-long operation, which commenced on June 24, 2024, targeted 690 instances of malicious Cobalt Strike software across 129 internet service providers in 27 countries.
By the end of the operation, 593 of these instances had been neutralized through server takedowns and abuse notifications sent to ISPs, alerting them to malware on their networks.
Operation Morpheus's success was largely due to the extensive collaboration between law enforcement and private industry partners.
Companies such as BAE Systems Digital Intelligence, Trellix, Shadowserver, Spamhaus, and abuse.ch played crucial roles in identifying and reporting malicious instances of Cobalt Strike.
The operation also utilized the Malware Information Sharing Platform to share real-time threat intelligence, contributing to the identification of nearly 1.2 million indicators of compromise.
The takedown of these servers is expected to significantly disrupt the operations of cybercriminals who rely on Cobalt Strike for their attacks.
Experts caution, however, that this may be only a temporary setback: cybercriminals are known for their resilience and ability to adapt quickly, and they often set up new infrastructure soon after a takedown.
Disrupting illegal Cobalt Strike operations is therefore a multi-faceted effort involving real-time threat intelligence sharing, network scanning, active probing, collaboration with ISPs, direct server takedowns, and international coordination.
Fortra, the company behind Cobalt Strike, has committed to continuing its efforts to prevent the abuse of its software.
This includes working closely with law enforcement to identify and remove older, unlicensed versions of the tool from the internet.
Operation Morpheus represents a major victory in the ongoing battle against cybercrime.


This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 04 Jul 2024 01:25:29 +0000