Law enforcement task force disrupts infrastructure used for Cobalt Strike cyberattacks – SiliconANGLE

An international task force has taken down hundreds of IP addresses and domain names that were used by hackers to launch cyberattacks.

The task force, which was coordinated by Europol, disclosed the development on Wednesday. The UK’s National Crime Agency led the group. It was joined by law enforcement agencies from Australia, Canada, Germany, the Netherlands, Poland and the US.

The IP addresses and domain names the task force disrupted were associated with malicious servers that hosted Cobalt Strike, a cybersecurity testing tool. Many hacking groups use illegal copies of the software to distribute malware.

According to Europol, this week’s Cobalt Strike infrastructure takedown was the fruit of an investigation that began in 2021. The effort included the participation of not only law enforcement officials but also several cybersecurity companies. Those companies collected data that was used to identify the hackers’ infrastructure. 

Over the course of the investigation, the task force participants shared more than 730 pieces of threat intelligence with one another. Those records contained about 1.2 million individual indicators of compromise. An indicator of compromise is a piece of data, such as an unusual network request, that is produced by hacker activity.

After the task force collected all the required technical information, it launched a week-long effort to find the hackers’ malicious infrastructure. Officials uncovered 690 IP addresses associated with the malicious Cobalt Strike servers along with multiple domain names. From there, the task force shared its findings with the server providers that hosted the hackers’ infrastructure. 

“A total of 690 IP addresses were flagged to online service providers in 27 countries,” Europol stated. “By the end of the week, 593 of these addresses had been taken down.”

Cobalt Strike, the application that the malicious servers hosted, is a legitimate software product designed to help companies test the security of their networks. The tool can be used to launch cyberattacks if it falls into the wrong hands. Multiple hacking groups leverage cracked, or illicitly obtained, copies of Cobalt Strike to spread malware. 

Many cybersecurity testing tools include modules that can scan a company’s network for vulnerabilities. Cobalt Strike also allows users to launch simulated cyberattacks that target those vulnerabilities. In the hands of hackers, the software can be used to carry out real cyberattacks.

Cobalt Strike ships with a tool called Beacon that makes it possible to install malware in a company’s network. That malware can be configured to breach user accounts, download data and perform related tasks. Moreover, Cobalt Strike can modify the network traffic generated by hacker activity to make detection more difficult.

Fortra LLC, the developer of Cobalt Strike, teamed up with Microsoft Corp. in 2023 to take down illegal installations of the software. The companies received approval from a New York distinct court to seize the domain names and IP addresses used by such installations. Fortra and Microsoft began disrupting unauthorized Cobalt Strike servers last April.

Image: Unsplash