A coordinated law enforcement operation, codenamed MORPHEUS, destroyed approximately 600 servers used by cybercriminal groups and part of the attack infrastructure associated with Cobalt Strike.
According to Europol, the crackdown, which ran between June 24 and 28, targeted old, unlicensed versions of the Cobalt Strike red-teaming tool.
Of the 690 IP addresses that were flagged by Internet service providers in 27 countries as being associated with criminal activity, 590 are no longer available.
The joint operation, which began in 2021, was led by the UK’s National Crime Agency (NCA) and involved authorities from Australia, Canada, Germany, the Netherlands, Poland, and the US. Officials from Bulgaria, Estonia, Finland, Lithuania, Japan, and South Korea provided additional support.
Cobalt Strike is a popular adversary simulation and penetration testing tool developed by Fortra (formerly Help Systems) that offers IT security experts a way to identify weaknesses in security operations and incident response.
However, as Google and Microsoft have previously noted, cracked versions of the software have fallen into the hands of attackers, who have repeatedly abused it for post-exploitation purposes.
“Cobalt Strike is the Swiss army knife of cybercriminals and nation-state actors,” said Don Smith, vice president of threat intelligence at SecureWorks, in a statement shared with The Hacker News.
“Cobalt Strike has long been the tool of choice for cybercriminals, including as a precursor to ransomware. It is also deployed by nation-state actors such as Russia and China to facilitate intrusions in cyber-espionage campaigns. Used as a springboard, it has proven to be very effective in providing a persistent reverse for victims.”
Data shared by Trellix shows that the US, India, Hong Kong, Spain and Canada account for more than 70% of the countries targeted by threats using Cobalt Strike. Most of Cobalt Strike’s infrastructure is located in China, the United States, Hong Kong, Russia and Singapore.
According to a recent report by Palo Alto Networks Unit 42, the tool involves the use of a payload called Beacon, which uses text-based profiles called Malleable C2 to alter the characteristics of Beacon’s web traffic in an attempt to avoid detection.
“While Cobalt Strike is legitimate software, it has unfortunately been used by cybercriminals for nefarious purposes,” Paul Foster, director of threat management at the NCA, said in the statement.
“Illegal versions of it have helped lower the barrier to entry for cybercrime, making it easier for cybercriminals to unleash malicious ransomware and malware attacks with little or no technical knowledge. Such attacks can cost companies millions in terms of damage and recovery.”
The development comes after Spanish and Portuguese law enforcement arrested 54 people for committing crimes against senior citizens through vishing schemes, posing as bank employees and tricking them into parting with personal information under the guise of fixing a problem with their accounts.
The information was then passed on to other members of the criminal network, who visited the victims’ homes unannounced and forced them to hand over their credit cards, PINs and bank details. In some cases, there were also thefts of cash and jewelry.
The criminal scheme ultimately allowed the attackers to take control of the targets’ bank accounts or make unauthorized ATM cash withdrawals and other expensive purchases.
“Using a mix of fake phone calls and social engineering, the criminals are responsible for €2,500,000 in damages,” Europol said earlier this week.
“The funds were deposited into several Spanish and Portuguese accounts controlled by the fraudsters, from where they were channeled into a sophisticated money laundering scheme. An extensive network of money mules, overseen by specialist members of the organization, was used to disguise the origin of the illicit funds.”
The arrests also followed similar Interpol crackdowns on human trafficking rings in several countries, including Laos, where several Vietnamese nationals were lured with promises of high-paying jobs only to be forced to create fake online accounts for financial fraud.
“The victims worked 12-hour days, which increased to 14 hours when it was not possible to recruit others, and their documents were taken away,” the agency said. “Families were extorted up to US$10,000 to secure their return to Vietnam.”
Last week, Interpol said it had also seized $257 million in assets and frozen 6,745 bank accounts following a global police operation spanning 61 countries aimed at cracking down on online fraud and organized crime networks.
The exercise, called Operation First Light, targeted phishing, investment scams, fake online shopping sites, and romance and impersonation scams. It led to the arrest of 3,950 suspects and the identification of 14,643 other possible suspects across all continents.