Advancing UK Aerospace, Defence, Security & Space Solutions Worldwide
  • Home
  • /
  • Security
  • /
  • NCA leads op to degrade illegal versions of Cobalt Strike

Security

NCA leads op to degrade illegal versions of Cobalt Strike

The National Crime Agency (NCA) has coordinated international action against illicit software which has been used by cybercriminals for over a decade to infiltrate victims’ IT systems and conduct attacks.

Image courtesy NCA

Unlicensed versions of Cobalt Strike, a penetration testing tool used to check for vulnerabilities in a company’s network and help improve cyber security, were targeted during a week of action last week.

Since the mid 2010s, pirated and unlicensed versions of the software downloaded by criminals from illegal marketplaces and the dark web have gained a reputation as the ‘go-to’ network intrusion tool for those seeking to build a cyber attack, allowing them to deploy ransomware at speed and at scale.

Advertisement
ODU RT

Due to the range of tools, free training guides and videos that come with legal versions of the software, those adopting it for criminal use require low levels of sophistication and money.

This disruption activity represents more than two-and-a-half years of NCA-led international law enforcement and private industry collaboration to identify, monitor and denigrate its use.

Action was taken against 690 individual instances of malicious Cobalt Strike software located at 129 internet service providers in 27 countries. By the end of the week, 593 of these addresses had been taken down.

This was achieved through the NCA and law enforcement partners taking down servers and amplified by ‘abuse notifications’ from law enforcement and private industry partners, highlighting to service providers that they may be hosting malware.

Illicit versions of Cobalt Strike have been identified as being used in some of the biggest cyber incidents in recent times. Its use has also been identified in multiple malware and ransomware investigations including those into RYUK, Trickbot and Conti attacks.

The operation was jointly conducted with Europol, who assisted with international coordination, the FBI, Australian Federal Police, Royal Canadian Mounted Police, German Federal Criminal Police Office (Bundeskriminalamt), Netherlands National Police (Politie) and the Polish Central Cybercrime Bureau.

A number of private industry partners, including BAE Systems Digital Intelligence, Trellix, Shadowserver, Spamhaus and Abuse CH also supported law enforcement in identifying malicious instances and use of Cobalt Strike by cybercriminals.

Using a platform known as the Malware Information Sharing Platform, private sector organisations shared real time threat intelligence with law enforcement. More than 730 pieces of threat intelligence containing almost 1.2 million indicators of compromise were shared.

Advertisement
ADS S &P RT

Cyber criminals deploy unlicensed versions of Cobalt Strike via spear phishing or spam emails, which attempt to get a target to click on links or open malicious attachments. When a victim opens the link or document, a Cobalt Strike ‘Beacon’ is installed giving the threat actor remote access, enabling them to profile the infected host, download malware or ransomware and steal data to then extort the victim.

Paul Foster, Director of Threat Leadership at the National Crime Agency, said: “Although Cobalt Strike is a legitimate piece of software, sadly cybercriminals have exploited its use for nefarious purposes.

“Illegal versions of it have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise.

“Such attacks can cost companies millions in terms of losses and recovery.

“International disruptions like these are the most effective way to degrade the most harmful cyber criminals, by removing the tools and services which underpin their operations.

“I would urge any businesses that may have been a victim of cyber crime to come forward and report such incidents to law enforcement.”

Cobalt Strike owners Fortra will continue to work with law enforcement to identify and remove older and malicious versions of the programme from the internet.

Advertisement
Babcock LB
Robosys Automation, ACUA Ocean and OREC secure Innovate UK funding

Security

Robosys Automation, ACUA Ocean and OREC secure Innovate UK funding

20 December 2024

Advanced maritime autonomy developer, Robosys Automation, supported by USV manufacturer, ACUA Ocean and Offshore Renewable Energy Catapult (OREC), have jointly secured grant funding through Innovate UK, for a specialist project exploring Collaborative Autonomy in USVs and ROVs across Maritime Autonomous Surface Ships (MASS) operations.

ACUA Ocean launches USV Pioneer

Security

ACUA Ocean launches USV Pioneer

18 December 2024

The UK-based autonomous unmanned surface vessel (USV) developer ACUA Ocean has successfully completed the test launch of the USV Pioneer from its base at Turnchapel Wharf in Plymouth.

ADS welcomes new VPs for Security and Defence

Defence Security

ADS welcomes new VPs for Security and Defence

17 December 2024

ADS Group - the UK trade association for aerospace, defence, security and space organisations (with over 1,400 members) - has welcomed Leonardo’s Clive Higgins as VP for Defence and PA Consulting's Dr Budgie Dhanda MBE as VP of Security and Resilience.

Darktrace named a Leader in 2024 IDC MarketScape for Worldwide NDR

Security

Darktrace named a Leader in 2024 IDC MarketScape for Worldwide NDR

16 December 2024

Darktrace has been recognised as a Leader in the IDC MarketScape: Worldwide Network Detection and Response (NDR) 2024 Vendor Assessment.

Advertisement
ODU RT
CLD appoints Trevor Donlin as Technical Director

Security

CLD appoints Trevor Donlin as Technical Director

16 December 2024

Cheshire headquartered CLD Physical Security Systems (CLD), a design led supplier of perimeter security solutions, has announced the appointment of Trevor Donlin as Technical Director, to head up its US operations.

Lloyd

Security

Lloyd's of London launches cyber insurance consortium with HITRUST certification

13 December 2024

An innovative cyber insurance consortium in collaboration with Lloyd's of London and backed by a network of globally recognised AA-rated insurers, has been unveiled by HITRUST, a provider of cybersecurity assurance.

Advertisement
ODU RT 2