Global Police Operation Shuts Down 600 Cybercrime Servers Linked to Cobalt Strike


A coordinated law enforcement operation dubbed MORPHEUS has taken down up to 600 servers that were used by cybercriminal gangs as part of an attack infrastructure associated with Cobalt Strike.

The crackdown, which ran between June 24 and 28 according to Europol, targeted older, unlicensed versions of the Cobalt Strike red teaming framework.

Of the 690 IP addresses flagged to internet service providers in 27 countries as linked to criminal activity, 590 are no longer accessible.

The multinational effort, which began in 2021, was led by the U.K. National Crime Agency (NCA) and involved authorities from Australia, Canada, Germany, the Netherlands, Poland, and the U.S. Officials from Bulgaria, Estonia, Finland, Lithuania, Japan, and South Korea provided additional support.

Cobalt Strike is a popular adversary simulation and penetration testing tool developed by Fortra (formerly Help Systems) that gives IT security specialists a way to uncover gaps in their security operations and incident response.

However, as previously noted by Google and Microsoft, cracked copies of the software have made their way into the hands of criminal actors, who have repeatedly abused it for post-exploitation purposes.

"Cobalt Strike is the Swiss army knife of cybercriminals and nation-state actors," Don Smith, vice president of threat intelligence at SecureWorks, said in a statement shared with The Hacker News.

"Cobalt Strike has long been the instrument of choice for cyber thieves, notably as a forerunner to ransomware. It is also utilized by nation-state actors, e.g., Russian and Chinese, to assist incursions in cyber espionage activities. Used as a foothold, it has proven to be particularly successful in providing a persistent back door into victims."

Data shared by Trellix shows that the U.S., India, Hong Kong, Spain, and Canada account for over 70% of the countries targeted by threat actors using Cobalt Strike. The bulk of the Cobalt Strike infrastructure is hosted in China, the U.S., Hong Kong, Russia, and Singapore.

According to a recent study from Palo Alto Networks Unit 42, attacks involving Cobalt Strike typically entail the deployment of a payload called Beacon, which uses text-based profiles called Malleable C2 to alter the characteristics of Beacon's web traffic in an effort to evade detection.

"Although Cobalt Strike is a legitimate piece of software, sadly cybercriminals have exploited its use for nefarious purposes," Paul Foster, head of threat leadership at the NCA, said in a statement.

"Illegal versions of it have helped reduce the barrier of entry into cybercrime, making it simpler for internet criminals to launch destructive ransomware and malware assaults with little or no technical experience. Such assaults may cost firms millions in terms of costs and recovery."

The development comes as Spanish and Portuguese law enforcement have arrested 54 people for targeting elderly citizens through vishing schemes, posing as bank employees and tricking them into giving up personal information under the guise of fixing a problem with their accounts.

The data was then passed on to other members of the criminal network, who would show up unannounced at the victims' homes and coerce them into handing over their credit cards, PINs, and bank details. Some incidents also involved the theft of cash and jewelry.

The scheme ultimately allowed the criminals to take control of the victims' bank accounts, make unauthorized cash withdrawals from ATMs, and run up other expensive purchases.

"Using a blend of fraudulent phone calls and social engineering, the criminals are responsible for €2,500,000 in losses," Europol warned earlier this week.

"The proceeds were placed into several Spanish and Portuguese accounts controlled by the fraudsters, from whence they were channeled into a sophisticated money laundering system. An elaborate network of money mules monitored by expert members of the organization was developed to obscure the origin of the unlawful monies."

The arrests also follow similar action taken by INTERPOL to dismantle human trafficking networks in several countries, including Laos, where a number of Vietnamese nationals were lured with promises of high-paying jobs, only to be forced into opening fraudulent online accounts for financial scams.

"Victims worked 12-hour workdays, extended to 14 hours if they failed to recruit others, and had their documents confiscated," the agency stated. "Families were extorted up to USD $10,000 to secure their return to Vietnam."

Last week, INTERPOL said it had also seized $257 million worth of assets and frozen 6,745 bank accounts during a worldwide police operation spanning 61 countries that was designed to disrupt online fraud and organized criminal networks.

The exercise, known as Operation First Light, targeted phishing, investment fraud, fake online shopping sites, romance scams, and impersonation schemes. It resulted in the arrest of 3,950 people and identified 14,643 additional potential suspects across all continents.
