Number of Unauthorized Cobalt Strike Copies Plummets 80%

Efforts to tackle unauthorized, legacy copies of pen testing tool Cobalt Strike have gathered pace over the past two years, leading to an 80% reduction in the number of unauthorized copies observed in the wild, according to Fortra.
The Cobalt Strike developer provided an update on Friday to a two-year campaign it has been running with Microsoft and the Health Information Sharing and Analysis Center (Health-ISAC) to prevent cybercriminals abusing the popular tool.
Cobalt Strike is a legitimate pen testing and threat emulation tool often used by threat actors to find weaknesses in target networks, gain unauthorized access and perform various post-exploitation activities.
Although Fortra has taken steps in the past to ensure that the tool’s use is regulated and that it is only sold to legitimate customers, threat actors have been able to steal older versions and create cracked copies for distribution.
However, the firm said that Cobalt Strike is now “abused far less often” thanks to its actions. Fortra also claimed that:
- It has seized and sinkholed over 200 malicious domains, in a bid to prevent further exploitation by cybercriminals
- Average dwell time between initial detection and takedown has been reduced to under a week in the US and less than a fortnight worldwide
The fight against Cobalt Strike abuse gained momentum in the three years to 2024, when the UK’s National Crime Agency (NCA) led Operation Morpheus.
Thanks to these efforts, 690 IP addresses were flagged to online service providers in 27 countries, with a total of 593 of these taken down to disable unauthorized versions of Cobalt Strike.
Fortra claimed that it continues to send takedown notices like these to hosting providers, in an attempt to raise awareness of Cobalt Strike abuse.
“We actively track these activities to the point of origin, identifying root causes to prevent reoccurrence. We concurrently issue notices on a persistent basis until these illegal versions are removed from web properties. Compliant web properties are also passively monitored in case of reappearance,” it explained.
“These efforts are gaining momentum and have entered a new phase of heightened efficacy. Automation processes have been put into place to further increase efficiency and simplify the takedown process. Additionally, just as cybercriminals adapt their techniques, Fortra continuously updates Cobalt Strike’s security controls to thwart cracking attempts and protect legitimate users.”