
Cobalt Strike abuse by cybercriminals slashed 80%

Cobalt Strike use by cybercriminals has taken a major hit over the past two years, with 80% fewer unauthorized copies of the tool now available on the internet.

Fortra announced in a blog post Friday that its efforts to crack down on misuse of its commercial penetration testing tool are yielding tangible results, with pirated installations and unauthorized deployments being taken offline by its partners.

Designed for use by "red team" security professionals to test the defenses of client organizations, Cobalt Strike provides command-and-control (C2) infrastructure, a remote access implant ("Beacon"), post-exploitation tooling for lateral movement and privilege escalation, and more. The aim is to simulate the capabilities and tactics of a real threat actor within a trusted, controlled engagement.

Unauthorized copies of Cobalt Strike are frequently abused by threat actors, who use its red-teaming capabilities to facilitate their own intrusions. The tool is abused by a range of adversaries, including ransomware gangs and state-sponsored advanced persistent threat (APT) groups.

Fortra launched a concerted effort with partners Microsoft and the Health Information Sharing and Analysis Center (Health-ISAC) in April 2023 to reduce the misuse of Cobalt Strike and other legitimate tools, such as compromised Microsoft software, by malicious actors.

These efforts included working with ISPs and computer emergency response teams (CERTs) to identify and take down infrastructure used by cybercriminals to distribute unauthorized "cracked" versions of Cobalt Strike.

In the past two years, the campaign has not only reduced the number of unauthorized Cobalt Strike copies in the wild by 80% but also resulted in the seizure and sinkholing of more than 200 malicious domains associated with Cobalt Strike abuse.

“This reduction has had a tangible impact, with these tools now being abused far less often,” Fortra Associate Vice President of Research & Development Bob Erdman and Product Owner Pieter Ceelen wrote.

The average time between initial detection and takedown of these malicious domains has been reduced to less than one week in the United States and less than two weeks globally, Fortra reported.

A major milestone in these efforts was a global law enforcement investigation dubbed Operation MORPHEUS that Fortra participated in, which culminated in the takedown of 593 IP addresses associated with Cobalt Strike misuse. In total, 690 IP addresses were identified and flagged to online service providers in 27 different countries.

Fortra said it continues its efforts to reduce the impact of Cobalt Strike abuse by continuing to monitor for illegal versions across the web and sending takedown notices to hosting providers. The company has also signed onto the Pall Mall Process, an international initiative to combat the exploitation of commercial tools with cyber intrusion capabilities.

“These efforts are gaining momentum and have entered a new phase of heightened efficacy. Automation processes have been put into place to further increase efficiency and simplify the takedown process,” Fortra explained.

The company also seeks to raise awareness about misuse of red-teaming tools through its public-private partnerships and by sharing its disruption methods with the wider cybersecurity community via conference talks and webinars.
