A concerted law enforcement operation dubbed MORPHEUS has taken down nearly 600 servers used by cybercriminals as part of an attack infrastructure linked to Cobalt Strike.
Europol reported that the crackdown, carried out between June 24 and 28, targeted older, unlicensed versions of the Cobalt Strike red teaming framework.
Of the 690 IP addresses flagged to online service providers in 27 countries as linked to criminal activity, 590 were no longer reachable by the end of the week.
The multinational effort, which began in 2021, was led by the UK National Crime Agency (NCA) and included officials from Australia, Canada, Germany, the Netherlands, Poland, and the United States. Bulgaria, Estonia, Finland, Lithuania, Japan, and South Korea also provided assistance.
Cobalt Strike is a popular adversary simulation and penetration testing tool developed by Fortra (formerly HelpSystems) that lets IT security professionals test how well their security operations and incident response hold up against a simulated intrusion.
However, as previously noted by Google and Microsoft, cracked versions of the program have found their way into the hands of criminal actors, who have repeatedly used it for post-exploitation purposes.
According to a recent report from Palo Alto Networks Unit 42, this typically involves deploying Cobalt Strike’s Beacon payload, whose command-and-control traffic is shaped by text-based configuration files known as Malleable C2 profiles. A profile lets the operator change Beacon’s network indicators (HTTP URIs, headers, user agent, and how data is encoded in requests and responses) so that its web traffic blends in with legitimate traffic and slips past signature-based detection.
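As an added example (not code from the article, Unit 42 or Fortra), the script below runs two checks over a constructed proxy log that a blue team can apply to Beacon traffic. The first looks for content indicators that only the stock profile exposes: paths from Cobalt Strike's default Malleable C2 profile and 4-character stager URIs whose checksum8 value is 92 (x86) or 93 (x64). The second ignores content entirely and scores each client on how regular its request intervals are, because a custom profile changes what Beacon sends but not the fact that it checks in on a sleep timer. The log format, hosts and thresholds are assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Paths served by Cobalt Strike's stock Malleable C2 profile.  A custom
# profile replaces all of them, which is why the content check alone is weak.
DEFAULT_PROFILE_PATHS = {"/__utm.gif", "/dpixel", "/pixel.gif", "/activity", "/submit.php"}

# The default stager requests a 4-character URI whose checksum8 is 92 or 93.
STAGER_CHECKSUMS = {92: "x86 stager", 93: "x64 stager"}

# Constructed sample log, format assumed: "<iso-timestamp> <src-ip> <method> <url>".
# 10.1.2.3 uses a custom URI but checks in roughly every 60 seconds (Beacon-like).
# 10.1.2.4 is ordinary browsing.  10.1.2.5 fetches a stager, 10.1.2.6 a default path.
SAMPLE_LOG = """\
2024-06-24T10:00:00 10.1.2.3 GET http://203.0.113.10/news/latest
2024-06-24T10:00:58 10.1.2.3 GET http://203.0.113.10/news/latest
2024-06-24T10:01:59 10.1.2.3 GET http://203.0.113.10/news/latest
2024-06-24T10:02:55 10.1.2.3 GET http://203.0.113.10/news/latest
2024-06-24T10:03:57 10.1.2.3 GET http://203.0.113.10/news/latest
2024-06-24T10:04:56 10.1.2.3 GET http://203.0.113.10/news/latest
2024-06-24T10:05:58 10.1.2.3 GET http://203.0.113.10/news/latest
2024-06-24T10:06:57 10.1.2.3 GET http://203.0.113.10/news/latest
2024-06-24T10:00:03 10.1.2.4 GET http://example.com/index.html
2024-06-24T10:00:05 10.1.2.4 GET http://example.com/style.css
2024-06-24T10:00:06 10.1.2.4 GET http://example.com/logo.png
2024-06-24T10:03:40 10.1.2.4 GET http://example.com/about
2024-06-24T10:10:12 10.1.2.4 GET http://example.com/blog
2024-06-24T10:25:30 10.1.2.4 GET http://example.com/contact
2024-06-24T10:30:00 10.1.2.5 GET http://198.51.100.7/R9hi
2024-06-24T10:31:00 10.1.2.6 POST http://198.51.100.7/submit.php?id=1234
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")


def checksum8(segment: str) -> int:
    """Sum of the byte values of the URI (leading slash removed), modulo 256."""
    return sum(segment.encode()) % 256


def parse_log(text: str):
    """Return (timestamp, src, method, path) tuples for well-formed lines."""
    events = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if m:
            ts, src, method, url = m.groups()
            events.append((datetime.fromisoformat(ts), src, method, urlsplit(url).path))
    return events


def content_indicators(events):
    """Flag default-profile paths and checksum8 stager URIs (stock profile only)."""
    hits = []
    for _, src, _, path in events:
        if path in DEFAULT_PROFILE_PATHS:
            hits.append((src, path, "default Malleable C2 profile URI"))
        seg = path.lstrip("/")
        # Restrict to 4 alphanumerics, the default stager shape, to limit false positives.
        if len(seg) == 4 and seg.isalnum() and checksum8(seg) in STAGER_CHECKSUMS:
            hits.append((src, path, f"checksum8 match: {STAGER_CHECKSUMS[checksum8(seg)]}"))
    return hits


def beaconing_hosts(events, min_requests=6, max_cv=0.2):
    """Return {src: mean_interval_seconds} for clients whose request gaps are
    nearly constant (coefficient of variation <= max_cv), regardless of content."""
    by_src = defaultdict(list)
    for ts, src, _, _ in events:
        by_src[src].append(ts)
    flagged = {}
    for src, stamps in by_src.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            flagged[src] = round(mean, 1)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in content_indicators(evs):
        print("content indicator:", hit)
    for src, interval in beaconing_hosts(evs).items():
        print(f"beacon-like timing: {src} every ~{interval}s")
```

In the sample, the host that changed its URI is invisible to the content check and is caught only by timing; Beacon's jitter setting widens the interval spread, so the CV threshold should be tuned against your own traffic rather than copied.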
“Although Cobalt Strike is a legitimate piece of software, sadly cybercriminals have exploited its use for nefarious purposes,” said Paul Foster, director of threat leadership at the NCA, in a statement.
“Illegal versions of it have lowered the barrier to entry into cybercrime, allowing internet criminals to launch damaging ransomware and malware attacks with little or no technical knowledge. Such attacks can cost businesses millions in terms of losses and recovery.”
The development comes as Spanish and Portuguese law enforcement arrested 54 people for targeting elderly victims with vishing schemes: posing as bank employees, the callers duped victims into disclosing personal information under the guise of resolving a problem with their accounts.
That information was then passed to other members of the network, who paid unannounced visits to the victims’ homes and pressured them into handing over their credit cards, PINs, and bank account details. In some cases cash and jewelry were stolen as well.
The scheme ultimately gave the criminals control of the victims’ bank accounts, which they used for unauthorized ATM withdrawals and other high-value transactions.
“Using a blend of fraudulent phone calls and social engineering, the criminals are responsible for €2,500,000 in losses,” Europol warned earlier this week.
“The funds were deposited into multiple Spanish and Portuguese accounts controlled by the fraudsters, which were then funneled into a complex money laundering scheme.” To conceal the source of the illicit payments, the organization deployed a large network of money mules controlled by professional members.
The arrests follow INTERPOL’s previous efforts to dismantle human trafficking rings in numerous countries, including Laos, where several Vietnamese nationals were lured with promises of high-paying jobs only to be forced into creating bogus online accounts for financial fraud.
“Victims worked 12-hour days, extended to 14 hours if they failed to recruit others, and had their documents confiscated,” said the law enforcement organization. “Families were extorted up to USD $10,000 to secure their return to Vietnam.”
INTERPOL announced last week that it had confiscated $257 million in assets and frozen 6,745 bank accounts as part of a worldwide police operation spanning 61 nations to disrupt internet scams and organized criminal networks.
Operation First Light targeted phishing, investment fraud, fake online shopping sites, romance scams, and impersonation scams. It resulted in the arrest of 3,950 people and the identification of 14,643 further possible suspects across all continents.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.