Cobalt Strike Exploitation by Hackers Drops, Report Reveals

A collaborative initiative involving Microsoft’s Digital Crimes Unit (DCU), Fortra, and the Health Information Sharing and Analysis Center (Health-ISAC) has reported a major drop in the use of unauthorized versions of the red team tool Cobalt Strike by hackers.

Since the partnership began in 2023, these organizations have worked tirelessly to combat the misuse of Cobalt Strike and compromised Microsoft software, which have been weaponized to deploy ransomware and other malware, particularly targeting critical sectors like healthcare.

Progress and Impact

Over the past two years, the number of unauthorized Cobalt Strike copies observed in the wild has plummeted by 80%, significantly limiting their availability to cyber criminals.

This reduction has had a tangible impact on criminal operations, with these tools now being abused far less often.

The campaign has also successfully seized and sinkholed over 200 malicious domains, effectively cutting off their ability to accept legitimate traffic and preventing further exploitation by threat actors.

Moreover, the average dwell time—the period between initial detection and takedown—has been reduced to less than one week in the United States and less than two weeks worldwide.

Global Success with Operation MORPHEUS

In July 2024, Fortra participated in Operation MORPHEUS, a three-year investigation led by the UK’s National Crime Agency with support from law enforcement in several countries, including Australia, Canada, Germany, the Netherlands, Poland, and the United States.

Europol coordinated the international operations, collaborating with private partners like Fortra. This operation resulted in the removal of 593 flagged IP addresses associated with unauthorized Cobalt Strike use.

The campaign to combat unauthorized Cobalt Strike usage is ongoing and continuously evolving. The partners remain committed to providing critical information to law enforcement agencies worldwide to support their investigations.

Additionally, Fortra has joined the Pall Mall Process, an international initiative aimed at developing regulations to combat the unauthorized distribution and usage of commercial cyber intrusion tools.

Efforts to issue takedown notices to hosting providers continue, raising awareness about the illicit use of unauthorized Cobalt Strike copies.

These activities are closely monitored to identify root causes and prevent recurrences.

Compliance is passively monitored, and notices are issued persistently until illegal versions are removed from web properties.

Automation processes have been implemented to increase efficiency and simplify the takedown process.

Fortra is also continually updating Cobalt Strike’s security controls to thwart cracking attempts and protect legitimate users.

Strengthening Red Team Tool Security

The modern cybersecurity landscape underscores the need for red team solutions, but these tools carry inherent risks of misuse.

To address this, Fortra proactively shares disruption techniques through conference talks and webinars, providing a roadmap for other solution providers to engage in similar public-private partnerships.

Collaboration is crucial in advancing cybersecurity and strengthening collective defense against cybercriminals.

This partnership ensures that legitimate security tools can be used responsibly and effectively to protect organizations worldwide.

In closing, the success of this initiative is a testament to the power of persistence and partnership in securing the digital ecosystem.

Microsoft DCU, Health-ISAC, and other participating organizations are commended for their contributions, and the collaboration is set to continue in the coming years to defend the integrity of critical commercial cybersecurity tools.

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
