CyberSecurityBoard
Sponsor Register Login

Malicious use of Cobalt Strike down 80% after crackdown, Fortra says | The Record from Recorded Future News

Microsoft, the Health Information Sharing and Analysis Center (Health-ISAC) and Fortra, which bought Cobalt Strike in 2020, have worked since 2023 to address the longstanding issue of pirated and unlicensed versions of the software being downloaded by criminals from illegal marketplaces and used in cyberattacks. Fortra explained in a blog post Friday that a three-year operation named “Morpheus” culminated in July 2024 with the coordinated global takedown of known IP addresses and domain names associated with criminal activity related to unauthorized versions of Cobalt Strike. Developed in 2012, Cobalt Strike is an adversary simulator and penetration testing software used by red teams to detect vulnerabilities and plan response, but older versions of the program have been widely exploited by cybercriminals, ransomware gangs and nation-state attackers. The number of unauthorized copies of the testing tool Cobalt Strike used in the wild is down 80% over the last two years following the launch of a global crackdown, the security firm Fortra said Friday. “Every unauthorized Cobalt Strike system taken down or domain name that is seized interrupts potential attacks across the globe,” he said. Microsoft previously said they found evidence of nation-state groups from Russia, China, Vietnam and Iran using cracked copies of Cobalt Strike. Experts have seen Cobalt Strike used in dozens of ransomware attacks on healthcare institutions and was deployed in the ransomware attack that impacted the government of Costa Rica in 2022. Fortra associate vice president Bob Erdman told Recorded Future News that collaborating with Microsoft and other partners allowed them to expand the speed and scale of their actions. In March 2023, the U.S. District Court for the Eastern District of New York issued an order allowing Microsoft, Fortra and Health-ISAC to go after the “malicious infrastructure” used in attacks, such as command-and-control servers. The order allowed the three entities to notify relevant internet service providers and computer emergency readiness teams (CERTs) who assist in taking the infrastructure offline — severing the connection between criminal operators and infected victim computers. Unlicensed versions of Cobalt Strike are typically used in spearphishing emails that aim to install a beacon on the target’s device.

This Cyber News was published on therecord.media. Publication date: Fri, 07 Mar 2025 19:10:05 +0000


Cyber News related to Malicious use of Cobalt Strike down 80% after crackdown, Fortra says | The Record from Recorded Future News

Malicious use of Cobalt Strike down 80% after crackdown, Fortra says | The Record from Recorded Future News - Microsoft, the Health Information Sharing and Analysis Center (Health-ISAC) and Fortra, which bought Cobalt Strike in 2020, have worked since 2023 to address the longstanding issue of pirated and unlicensed versions of the software being downloaded ...
3 months ago Therecord.media
International Operation Takes Down 593 Malicious Cobalt Strike Servers - Law enforcement agencies from around the world have successfully shut down 593 rogue servers running unauthorized versions of Cobalt Strike, a tool often misused by cybercriminals. Cobalt Strike, developed in 2012 by Raphael Mudge and now owned by ...
11 months ago Cybersecuritynews.com
Malware Takedowns Show Progress, But Fight Against Cybercrime Not Over - Takedown of malware infrastructure by law enforcement has proven to have an impact, albeit limited, on cybercriminal activity, according to threat intelligence provider Recorded Future. The Emotet takedown, led by Europol and Eurojust in 2021. The ...
1 year ago Infosecurity-magazine.com
Europol Announces Crackdown on Cobalt Strike Servers Used by Cybercriminals - European law enforcement agency Europol on Wednesday announced a global crackdown against the use of legitimate security tools by cybercriminals, including the takedown of nearly 600 Cobalt Strike servers linked to criminal activity. The agency said ...
11 months ago Securityweek.com
Hackers Abuse Cobalt Strike, SQLMap & Other Tools to Target Organizations' Web Applications - These attacks specifically utilize Cobalt Strike, a legitimate adversary simulation tool designed for security professionals, and SQLMap, an open-source utility that automates the detection and exploitation of SQL injection vulnerabilities. The ...
3 months ago Cybersecuritynews.com
Nitrogen Ransomware Actors Attacking Organization With Cobalt Strike & Erases Log Data - The discovered Cobalt Strike watermark 678358251 has been previously associated with multiple threat actors, including the Black Basta ransomware group, highlighting how attack tools are frequently reused across different criminal operations. Their ...
1 month ago Cybersecuritynews.com Black Basta
Identifying Misuse of Cobalt Strike Systems - Google Cloud recently identified 34 cracked versions of Cobalt Strike and released YARA Rules to detect them. The goal is to make it harder for malicious actors to abuse the tool. IronNet believes that a proactive approach to Cobalt Strike server ...
2 years ago Ironnet.com
'Sex life data' stolen from UK government among record number of ransomware attacks - Data on the sex lives of up to 10,000 people was stolen from a British government department in one of the record number of ransomware attacks to have hit Westminster in the first half of this year. It is not known which department the information ...
1 year ago Therecord.media
North Korea's Kimsuky Attacks Rivals' Trusted Platforms - North Korea-linked threat groups are increasingly using living-off-the-land (LotL) techniques and trusted services to evade detection, with a recent Kimsuky campaign showcasing the use of PowerShell scripts and storing data in Dropbox folders, along ...
4 months ago Darkreading.com Andariel Kimsuky
SQL Brute Force leads to Bluesky Ransomware - In December 2022, we observed an intrusion on a public-facing MSSQL Server, which resulted in BlueSky ransomware. First discovered in June 2022, BlueSky ransomware has code links to Conti and Babuk ransomware. While other reports point to malware ...
1 year ago Thedfirreport.com CVE-2023-27350 BianLian
PoC exploit for critical Fortra FileCatalyst MFT vulnerability released - Proof-of-concept exploit code for a critical RCE vulnerability in Fortra FileCatalyst MFT solution has been published. Fortra FileCatalyst is an enterprise managed file transfer software solution that includes several components: FileCatalyst Direct, ...
1 year ago Helpnetsecurity.com CVE-2024-25153
Exploit for critical Fortra FileCatalyst Workflow SQLi flaw released - The Fortra FileCatalyst Workflow is vulnerable to an SQL injection vulnerability that could allow remote unauthenticated attackers to create rogue admin users and manipulate data on the application database. FileCatalyst Workflow is a web-based file ...
11 months ago Bleepingcomputer.com CVE-2024-5276 CVE-2023-0669
12 Software Dev Predictions for Future - Predicting the future of software development trends is always a tough call. Such trends will also rule the future of the software development industry. Analyzing these future software development trends will put enthusiasts ahead of the competition. ...
1 year ago Feeds.dzone.com
Cobalt Strike 4.11.1 Released With Fix For ‘Enable SSL’ Checkbox - This rapid out-of-band release demonstrates Fortra’s commitment to quickly addressing critical issues in their red team simulation platform, which has become an essential tool for security professionals conducting advanced adversary emulation ...
1 month ago Cybersecuritynews.com
Rootkit Turns Kubernetes from Orchestration to Subversion - As software development focuses on continuous integration and deployment, orchestration platforms like Kubernetes have taken off, but that popularity has put them in attackers' crosshairs. Most successful attacks - at least those publicly reported - ...
1 year ago Darkreading.com
Alert for GoAnywhere MFT Users Potential ZeroDay Vulnerability Detected - Users of the GoAnywhere secure managed file transfer software have been warned about a potential security risk. This software, created by Fortra (formerly known as HelpSystems), is designed to help organizations securely exchange data with their ...
2 years ago Securityweek.com
Exploit released for Fortra GoAnywhere MFT auth bypass bug - Exploit code is now available for a critical authentication bypass vulnerability in Fortra's GoAnywhere MFT software that allows attackers to create new admin users on unpatched instances via the administration portal. GoAnywhere MFT is a web-based ...
1 year ago Bleepingcomputer.com CVE-2024-0204
US to sign Pall Mall pact aimed at countering spyware abuses | The Record from Recorded Future News - The announcement comes nearly a week after 21 countries signed a voluntary and non-binding Code of Practice outlining how they intend to jointly regulate commercial cyber intrusion capabilities (CCICs) and combat spyware companies whose products have ...
2 months ago Therecord.media
GitHub restores code following malicious changes to tj-actions tool | The Record from Recorded Future News - On Friday, cybersecurity firm StepSecurity warned of a security incident impacting the tj-actions/changed-files GitHub Action, a popular tool used to track file changes and trigger other actions depending on those alterations. Mureinik told Recorded ...
3 months ago Therecord.media CVE-2025-30066
Former Uber CISO Speaks Out, After 6 Years, on Data Breach, SolarWinds - Joe Sullivan arrived at his sentencing hearing on May 4 this year, prepared to go to jail had the judge not gone with a parole board's recommendation of probation. A federal jury convicted the former Uber CISO months earlier on two charges of fraud ...
1 year ago Darkreading.com
Threat Actors Exploited PHP-CGI RCE Vulnerability To Attack Windows Machines - The researchers also discovered that the attackers had access to a pre-configured installer script on their C2 server that could deploy a full suite of adversarial tools and frameworks hosted on an Alibaba cloud container Registry, indicating ...
3 months ago Cybersecuritynews.com CVE-2024-4577
Water Curupira Hackers Launch Pikabot Malware Attack Windows - Pikabot is a loader malware that is active in spam campaigns and has been used by the threat group Water Curupira, which has been paused from June to September 2023 after Qakbot's takedown. The surge in Pikabot phishing campaigns was noted recently ...
1 year ago Gbhackers.com Black Basta
AI-Powered Russian Network Pushes Fake Political News - Media organizations including Al-Jazeera, Fox News, the BBC, La Croix and TV5Monde are among those impacted. Sometimes legitimate sites are spoofed and hosted on alternative domains such as bbc-uk[. News, while on other occasions, stories are ...
1 year ago Infosecurity-magazine.com
Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws - Microsoft says that this remote code execution vulnerability is caused by an integer overflow or wraparound in Windows Fast FAT Driver that, when exploited, allows an attacker to execute code. Microsoft says that this remote code execution ...
3 months ago Bleepingcomputer.com
Stolen credentials could unmask thousands of darknet child abuse website users - Thousands of people with accounts on darknet websites for sharing child sexual abuse material could be unmasked using information stolen by cybercriminals, according to research published Tuesday. In a proof-of-concept report, researchers at Recorded ...
11 months ago Therecord.media

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)