
Cracking Cobalt Strike

Taking Down Malicious Cybercriminal Infrastructure with Threat Intelligence

Introduction

In a significant global effort to combat cybercrime, law enforcement agencies from around the world have joined forces to dismantle parts of the infrastructure running Cobalt Strike, a powerful post-exploitation framework frequently abused by cybercriminals and nation-states. This tool has been central to numerous cyberattacks, facilitating malicious activities through its advanced capabilities.

Cyber defense is a shared responsibility across both public and private sectors. The combined efforts of Trellix, law enforcement agencies, and other private companies underscore the power of unified action against cyber threats. Trellix’s Advanced Research Center played a pivotal role in this operation by providing extensive analysis and threat intelligence, crucial in identifying and dismantling the malicious Cobalt Strike infrastructure. Specifically, Trellix provided deep knowledge about the threat, as well as daily threat intelligence data gathered and enriched through our systems. To facilitate this, custom sharing mechanisms were developed and maintained to ensure timely and accurate data delivery.

Many cybercriminals rely heavily on Cobalt Strike for its advanced features, including payload delivery, evasion techniques, and ease of use. The takedown of this infrastructure disrupts their operations, forcing them to reconsider their reliance on Cobalt Strike. This increased risk and operational difficulty can slow down their activities, reduce the efficiency of their attacks, and increase their overall operational risks.

Data points

Trellix maintains an extensive Cobalt Strike tracker that gathers infrastructure information from both open and closed sources. This tracker not only checks the status of the infrastructure to ensure it is online but also extracts and analyzes configuration details. By enriching this data, Trellix provides a more comprehensive picture of Cobalt Strike usage across various sectors and regions. The threat reports generated from this data highlight the widespread exploitation of Cobalt Strike by cybercriminals, underlining the significance of disrupting this malicious infrastructure to enhance global cybersecurity.

Throughout the 2 years this collaboration with law enforcement has been running, Trellix has found 12,314 unique Cobalt Strike server instances serving the beacons from which our tracker extracts the configurations and enriches the threat intelligence gathered.

Figure 1: Global Distribution of Cobalt Strike Infrastructure

The donut chart shows the global distribution of Cobalt Strike infrastructure tracked by Trellix, with China (43.85%) and the United States (19.08%) hosting the majority of these servers. Other significant locations include Hong Kong (8.39%), Russia (4.77%), and several other countries, reflecting the widespread nature of this cyber threat.

Furthermore, over the past six months, Trellix's products have yielded extensive insights into the prevalence of Cobalt Strike usage. The data collected includes 2,375,294,028 detections of activity, 45,198,820 unique MD5 hashes, 515,145 unique domains, and 1,632,620 unique IP addresses. While these figures encompass both legitimate uses, such as penetration testing and security research, and malicious activities, they illustrate the significant presence and impact of Cobalt Strike on the global cybersecurity landscape. This emphasizes the importance of our collaborative efforts to identify and mitigate the malicious use of this tool.

Figure 2: Top 15 countries targeted by threat actors using Cobalt Strike

This pie chart shows the top 15 countries that have been targeted by threat actors employing Cobalt Strike. The United States leads with 45.04% of the targeted attacks, followed by India (13.11%), and Hong Kong (8.36%). This data underscores the global reach of Cobalt Strike and highlights the diverse geographic impact of these cyber threats. Understanding the distribution of targeted countries helps in crafting region-specific defensive strategies and emphasizes the need for international cooperation in cybersecurity efforts.

Figure 3: Prevalence of targeted sectors by threat actors using Cobalt Strike

This pie chart shows the distribution of various sectors targeted by threat actors using Cobalt Strike. The Wholesale sector is the most targeted at 29.8%, followed by Banking/Financial/Wealth Management (11.7%), and Manufacturing (10.18%). This data provides insight into the specific industries that are most at risk from Cobalt Strike-related attacks, emphasizing the need for heightened security measures and awareness in these critical sectors. Understanding sector-specific targeting helps organizations tailor their defense strategies to better protect their assets.

The data presented in these graphs underscores the widespread and varied use of Cobalt Strike by threat actors around the globe. By analyzing both the infrastructure distribution and the prevalence of different targeted countries and sectors, we gain a comprehensive understanding of the threat landscape. This multi-faceted approach to tracking and analyzing Cobalt Strike usage highlights the importance of collaborative efforts between private companies like Trellix and law enforcement agencies. Together, we can disrupt malicious activities, enhance global cybersecurity, and better protect critical infrastructure and sensitive data from cyber threats.

Call to action

The dismantling of Cobalt Strike infrastructure sends a powerful message to cybercriminals and nation-state actors about the repercussions of malicious cyber activities. For the public, this operation underscores the importance of staying informed about cybersecurity threats and adopting best practices to safeguard personal and professional data.

Organizations are urged to implement robust cybersecurity measures and actively collaborate with cybersecurity vendors to strengthen their defenses. Governments should support and participate in joint efforts between law enforcement and private sector companies to combat cyber threats. Policymakers need to develop and enforce regulations that facilitate public-private partnerships and promote proactive cybersecurity strategies.

We are very pleased to see that Fortra, the current owners of Cobalt Strike, have collaborated in the operation and are implementing more sophisticated measures to prevent cracking of their software. However, it is important to address the longstanding stance of Cobalt Strike under previous ownership regarding its restrictions on cybersecurity vendors purchasing a license. Many cybersecurity vendors believe this decision has inadvertently fostered a precarious environment in which cybercriminals exploit cracked versions of Cobalt Strike for malicious activities while vendors are unable to defend against its misuse.

Although these new measures are a very good step in the right direction, we are eager to do more. This situation underscores the need for deeper collaborative efforts to protect organizations against the abuse of Cobalt Strike. We call on Cobalt Strike to reconsider its policies and collaborate with cybersecurity vendors to enhance products and combat the misuse of these powerful tools.

Conclusion

Trellix’s pivotal role in disrupting the malicious use of Cobalt Strike underscores our unwavering commitment to global cybersecurity. This successful collaboration with law enforcement agencies and private sector partners highlights the power of unified action against sophisticated cyber threats. By providing extensive analysis and threat intelligence, Trellix has significantly contributed to the dismantling of malicious infrastructure, protecting both consumers and enterprises worldwide.

This collective effort showcases the importance of industry collaboration and proactive measures in combating cybercrime. As we move forward, it is imperative that organizations, governments, and policymakers continue to work together, leveraging shared expertise and resources to enhance our global cyber defenses. Trellix remains dedicated to leading these efforts, ensuring a safer digital landscape for all.
