Collaborative Effort Decreases Cobalt Strike Abuse by 80%
Efforts have been ongoing for several years to crack down on illegal use of Cobalt Strike. Those efforts appear to have paid off, with misuse of the tool down 80% over the past two years. The Cobalt Strike adversary simulation tool has been designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors. The tool’s post-exploit capabilities cover the full range of ATT&CK tactics, which can be executed within a single, integrated system. The tool is used by red teams to identify vulnerabilities within a company’s network, allowing proactive steps to be taken to improve cybersecurity; however, pirated and unlicensed versions of the tool are sold and shared on cybercriminal marketplaces for use by threat actors in their offensive campaigns.
Cobalt Strike has become one of the most widely used tools in cyber attacks, allowing threat actors to deploy ransomware at speed and scale. Unlicensed versions of Cobalt Strike are commonly deployed in spear phishing campaigns that trick users into opening a malicious attachment or otherwise installing a Cobalt Strike Beacon, which gives the threat actor remote access to the system, allowing malware and ransomware to be deployed.
In a recent blog post, Bob Erdman, Fortra’s Associate Vice President, Research and Development, provided an update on the two-year anniversary of its collaboration with the Microsoft Digital Crimes Unit and Health-ISAC to combat misuse of the Cobalt Strike tool. Those efforts have resulted in the seizure and sinkholing of more than 200 malicious domains, preventing them from accepting legitimate traffic and further exploitation by threat actors, and the dwell time from initial detection to takedown has been reduced to one week in the US and less than 2 weeks worldwide.
In July 2024, a three-year investigation coordinated by the UK’s National Crime Agency (Operation Morpheus) targeted 690 instances of malicious Cobalt Strike software at 129 Internet service providers in 29 countries, and resulted in the takedown of 593 IP addresses. The investigation involved law enforcement partners from several countries and private industry partners, including Fortra.
These collaborative efforts have been a tremendous success and will continue in 2025. Fortra continues to regularly send requests to hosting providers to take down IP addresses hosting illegal copies of the software, and tracks the activity associated with those IPs to identify the root cause to prevent recurrences. “The nature of the modern cybersecurity landscape makes the critical need for red team solutions undeniable. However, these tools inherently carry some risk of misuse,” explained Fortra. “By proactively sharing our disruption techniques through conference talks and webinars, we have provided the broader security community with a proven roadmap that other solution providers can follow to engage in public/private disruption partnerships when faced with similar challenges.”