Introduction
Efforts to curb the unauthorized use of legacy copies of the penetration testing tool Cobalt Strike have produced a significant reduction in its misuse. The initiative [2] [4] [5] [8] [9], led by Fortra in collaboration with public- and private-sector partners, aims to keep cybercriminals from using the tool [2], which is sold for legitimate, authorized security testing.
Description
Efforts to reduce the number of unauthorized legacy copies of the pen testing tool Cobalt Strike [2], which was launched in 2012 and acquired by HelpSystems (now Fortra) in 2020, have, by Fortra’s count, cut its unauthorized presence in the wild by 80% since 2023. The initiative [2] [4] [5] [8] [9], led by Fortra in collaboration with Microsoft’s Digital Crimes Unit (DCU) and the Health Information Sharing and Analysis Center (Health-ISAC) [2] [4] [5] [9], aims to keep cybercriminals from using the tool [2], which is designed for red teams to emulate advanced persistent threats (APTs) [7]. The campaign has seized and sinkholed over 200 malicious domains linked to Cobalt Strike activity [3], cutting off command-and-control infrastructure and disrupting the operations that depended on it [9].
Despite earlier measures to control its distribution [2] [4], older versions have been stolen and cracked for unauthorized use [4], with pirated copies reportedly sold on darknet markets for between $100 and $500. Recent actions [4], including Operation MORPHEUS, a global law enforcement effort carried out in July 2024 and led by the UK’s National Crime Agency (NCA), flagged 690 IP addresses associated with unauthorized Cobalt Strike servers across 27 countries, of which 593 were taken down. Fortra reports that the average dwell time of an unauthorized server, that is, the time between its discovery and its takedown, has fallen to less than one week in the United States and under two weeks globally. The company attributes this to increased automation of the process for identifying unauthorized servers and notifying the hosting providers responsible for them.
The results underscore the effectiveness of public-private partnerships against cybercrime, although legacy software and cracked tools remain available on darknet markets and continue to pose a threat [6]; because takedowns target infrastructure rather than the cracked binaries themselves, copies already in circulation remain usable until the servers they connect to are identified. The 2024 Verizon Data Breach Investigations Report found ransomware or extortion, attacks in which Cobalt Strike is frequently used for post-exploitation [7], in 32% of breaches [7]. Fortra says it will continue to combat the misuse of unauthorized Cobalt Strike copies through continuous monitoring and automation [5]. The company is strengthening Cobalt Strike’s security controls to resist cracking attempts and protect legitimate users [9], and is sharing its disruption techniques with the broader security community [5]. The ongoing campaign also issues takedown notices to hosting providers and raises awareness of the illicit distribution of these tools [9], with compliance actively monitored. Fortra is also engaged in the Pall Mall Process, an international initiative to develop norms and regulation against the illicit use of legitimate cyber intrusion tools [1]; it anticipates a significant reduction in attacks that use Cobalt Strike [1], while acknowledging that threat actors may adapt their tactics [1].
Conclusion
The concerted effort to curb unauthorized use of Cobalt Strike has proven effective, significantly reducing the tool’s availability to cybercriminals. The initiatives show the value of collaboration between the public and private sectors in addressing cyber threats. However, the persistent threat from legacy software and cracked tools requires ongoing vigilance and adaptation. Fortra’s continued hardening of the product and its sharing of disruption techniques with the security community are important to sustaining this momentum. As regulation continues to evolve, the anticipated reduction in attacks involving Cobalt Strike is promising, though defenders should expect threat actors to shift to other tooling and adapt their tactics.
References
[1] https://www.itpro.com/security/cyber-crime/cobalt-strike-takedown-fortra-microsoft
[2] https://ciso2ciso.com/number-of-unauthorized-cobalt-strike-copies-plummets-80-source-www-infosecurity-magazine-com/
[3] https://www.cybersecuritydive.com/news/cobalt-strike-takedown-effort-cuts-cracked-versions-by-80/741906/
[4] https://www.infosecurity-magazine.com/news/number-unauthorized-cobalt-strike/
[5] https://securityonline.info/cybercriminals-lose-80-fewer-unauthorized-cobalt-strikes/
[6] https://cybersecuritynews.com/penetration-testing-tool-cobalt-strike/
[7] https://techinsightzone.com/cobalt-strike-in-cyberattacks/
[8] https://informationsecuritybuzz.com/global-slas-cobalt-strike-availability/
[9] https://gbhackers.com/cobalt-strike-exploitation-by-hackers-drops/