Malicious use of Cobalt Strike down 80% after crackdown, Fortra says | The Record from Recorded Future News

The number of unauthorized copies of the adversary-simulation tool Cobalt Strike seen in the wild is down 80% over the last two years following the launch of a global crackdown, the security firm Fortra said Friday.

Microsoft, the Health Information Sharing and Analysis Center (Health-ISAC) and Fortra, which bought Cobalt Strike in 2020, have worked since 2023 to address the longstanding problem of pirated and unlicensed versions of the software being downloaded by criminals from illegal marketplaces and used in cyberattacks. Fortra explained in a blog post Friday that a three-year operation named “Morpheus” culminated in July 2024 with the coordinated global takedown of known IP addresses and domain names associated with criminal activity involving unauthorized versions of Cobalt Strike.

Developed in 2012, Cobalt Strike is an adversary simulation and penetration testing tool used by red teams to find vulnerabilities and plan response, but older, cracked versions of the program have been widely abused by cybercriminals, ransomware gangs and nation-state attackers. Microsoft previously said it had found evidence of nation-state groups from Russia, China, Vietnam and Iran using cracked copies of Cobalt Strike. Experts have seen Cobalt Strike used in dozens of ransomware attacks on healthcare institutions, and it was deployed in the 2022 ransomware attack on the government of Costa Rica.

Fortra associate vice president Bob Erdman told Recorded Future News that collaborating with Microsoft and other partners allowed them to expand the speed and scale of their actions. “Every unauthorized Cobalt Strike system taken down or domain name that is seized interrupts potential attacks across the globe,” he said.

In March 2023, the U.S. District Court for the Eastern District of New York issued an order allowing Microsoft, Fortra and Health-ISAC to go after the “malicious infrastructure” used in attacks, such as command-and-control servers. The order allowed the three entities to notify relevant internet service providers and computer emergency readiness teams (CERTs), who assist in taking the infrastructure offline, severing the connection between criminal operators and infected victim computers. Unlicensed versions of Cobalt Strike are typically delivered through spearphishing emails that aim to install a Beacon, the tool's implant, on the target’s device.
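The takedown described above works from the operators' side, by seizing the IP addresses and domains that Beacons call home to. The same indicators, when a CERT or ISP forwards them, let a victim organization find the infected machines on its own network. The script below is an added example, not code from Fortra, Microsoft, Health-ISAC or The Record: it matches constructed proxy log lines against a hypothetical indicator list (the IPs, CIDR range and domains are placeholders, not real takedown data) and additionally flags host pairs whose contacts recur at a near-constant interval, the check-in cadence a sleeping Beacon produces. The cadence thresholds are assumptions to tune, not values from the article.

```python
"""Match egress proxy logs against C2 indicators and flag periodic check-ins.

Added example (not the page's or any vendor's code). All indicators and log
lines are constructed for illustration; the domains and IPs are hypothetical.
"""
import ipaddress
import statistics
from datetime import datetime
from typing import Dict, List, Tuple

# Hypothetical indicator list in the shape a CERT/ISP notification might carry:
# exact IPs, CIDR ranges and domains (a domain entry also covers its subdomains).
IOC_IPS = {"198.51.100.23"}
IOC_NETS = [ipaddress.ip_network("203.0.113.0/29")]
IOC_DOMAINS = {"updates-cdn.example", "c2.example"}

# Constructed proxy log lines: "<ISO time> <src ip> <dst host or ip> <status>"
SAMPLE_LOG = """\
2025-03-07T10:00:00 10.0.0.5 updates-cdn.example 200
2025-03-07T10:01:00 10.0.0.5 updates-cdn.example 200
2025-03-07T10:02:01 10.0.0.5 updates-cdn.example 200
2025-03-07T10:03:00 10.0.0.5 updates-cdn.example 200
2025-03-07T10:00:10 10.0.0.9 www.example.org 200
2025-03-07T10:00:42 10.0.0.9 203.0.113.4 200
2025-03-07T10:05:00 10.0.0.7 api.updates-cdn.example 404
2025-03-07T10:00:00 10.0.0.8 mail.example.org 200
2025-03-07T10:03:00 10.0.0.8 mail.example.org 200
2025-03-07T10:09:00 10.0.0.8 mail.example.org 200
"""

Record = Tuple[datetime, str, str]


def matches_ioc(dst: str) -> bool:
    """True if dst is a listed IP, inside a listed range, or a listed domain/subdomain."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        host = dst.lower().rstrip(".")
        # Require a dot boundary so "notc2.example" does not match "c2.example".
        return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)
    return str(addr) in IOC_IPS or any(addr in net for net in IOC_NETS)


def parse_log(text: str) -> List[Record]:
    """Parse the constructed log format into (timestamp, src, dst) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _status = line.split()
        records.append((datetime.fromisoformat(ts), src, dst))
    return records


def find_ioc_hits(records: List[Record]) -> List[Tuple[str, str]]:
    """Unique (src, dst) pairs that contacted a listed indicator, sorted."""
    return sorted({(src, dst) for _ts, src, dst in records if matches_ioc(dst)})


def find_beaconing(records: List[Record], min_hits: int = 4,
                   max_cv: float = 0.15) -> List[Tuple[str, str, float]]:
    """Flag (src, dst) pairs whose contact intervals are nearly constant.

    Heuristic (an assumption, not from the article): at least min_hits contacts
    whose inter-arrival times have a coefficient of variation <= max_cv.
    Returns (src, dst, mean interval in seconds).
    """
    by_pair: Dict[Tuple[str, str], List[datetime]] = {}
    for ts, src, dst in records:
        by_pair.setdefault((src, dst), []).append(ts)
    flagged = []
    for (src, dst), times in sorted(by_pair.items()):
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            flagged.append((src, dst, round(mean, 1)))
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("IOC hits:", find_ioc_hits(recs))
    print("Periodic check-ins:", find_beaconing(recs))
```

The indicator match is the part a takedown notification directly enables; the cadence check is a complement for hosts whose C2 was not on the list, and on a real network it needs a longer window and an allowlist for legitimate pollers (update services, monitoring agents) before it is actionable.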

This Cyber News was published on therecord.media. Publication date: Fri, 07 Mar 2025 19:10:05 +0000

