c0mmando


A suspected developer of a new malware strain called Styx Stealer made a “significant operational security error” and leaked data from his computer, including details about clients and earnings, researchers have found.

Styx Stealer is “a powerful malware” capable of stealing browser data, instant messenger sessions from Telegram and Discord, and cryptocurrency. The Israel-based cybersecurity firm Check Point, which analyzed the malware, said that it was used against its customers, though further details were not provided.

“The developer made a fatal error and leaked data from his computer, which allowed Check Point to obtain a large amount of intelligence,” researchers said in a report published last week.

The developer of Styx Stealer was found to be linked to one of the Agent Tesla threat actors known as FucosReal, who was involved in a spam campaign also targeting the company’s customers. Agent Tesla is a remote access malware that has been targeting Windows systems since 2014.

According to Check Point, the creator of Styx Stealer revealed his personal details, including Telegram accounts, emails and contacts, by debugging the stealer on his own computer using a Telegram bot token provided by a customer involved in the Agent Tesla campaign in March 2024.

“This critical OpSec failure not only compromised Styx Stealer's anonymity but also provided valuable intelligence about other cybercriminals, including the originator of the Agent Tesla campaign,” researchers said.

Following the analysis, researchers were able to link Styx Stealer to a Turkish hacker known as Sty1x. This, in turn, allowed Check Point to track down FucosReal to an individual in Nigeria.

“The case of Styx Stealer is a compelling example of how even sophisticated cybercriminal operations can slip up due to basic security oversights,” researchers said.

 

One of the largest companies that conducts background checks confirmed that it is the source of a data breach causing national outrage due to the millions of Social Security numbers leaked.

In a statement on Friday, National Public Data said it detected suspicious activity in its network in late December, and subsequently a hacker leaked certain tranches of data in April and throughout the summer.

“The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024. We conducted an investigation and subsequent information has come to light,” the Florida-based company said.

“The information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).”

National Public Data said it “cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records.”

The company plans to notify those affected if there are other updates. It is unclear how someone would know they are affected by the breach, but the company urged people to monitor their financial accounts for unauthorized activity.

Cybersecurity experts have known about the leaks since April, but since then the company has refused to respond to repeated requests for comment from Recorded Future News. The company stayed tight-lipped about the incident until this week, when concern about the troves of Social Security numbers (SSNs) exposed went viral on social media.

Companies and private investigators pay National Public Data to obtain criminal records, background checks and more — with the company allowing them to search billions of records instantly.

On April 7, a well-known hacker going by the name USDoD posted a database on the criminal marketplace Breached claiming it contained 2.9 billion records on U.S. citizens. The cybercriminal, best known for leaking data stolen from European aerospace giant Airbus, said it came from another hacker named “SXUL” and offered the information for $3.5 million.

While it is unclear whether anyone paid for the information, the hacker began leaking parts of the database in June and others continued to offer it for sale throughout the summer.

Several cybersecurity experts, including data breach expert Troy Hunt, have confirmed that while the database contains duplicates, much of the information is accurate.

The data contains a person’s first and last name, three decades of address history and Social Security number. Some experts said they were also able to find a person’s parents, siblings and immediate relatives. The database includes people living and dead.

Some have noted that people who use data opt-out services were not included in the database.

While some news outlets and social media platforms have erroneously reported that 2.9 billion people had information in the breach, Hunt estimated that the database included about 899 million unique SSNs.

The FBI and other U.S. cybersecurity agencies did not respond to requests for comment.

National Public Data is already facing lawsuits over the breach. A complaint was filed in the U.S. District Court for the Southern District of Florida two weeks ago after a California resident said he got a notice from his identity-theft protection service provider in July about the breach.

DataGrail vice president Chris Deibler said the breach shows we “are reaching the limits of what individuals can reasonably do to protect themselves in this environment.”

“The balance of power right now is not in the individual's favor. [The European Union’s] GDPR and the various state and national regulations coming online are good steps, but the prevention and consequence models in place today clearly do not disincentivize mass aggregation of data,” he said.

Akhil Mittal of Synopsys Software Integrity Group added that the number of records will draw headlines but the long tail of effects on people could last years. Millions of real people will be dealing with identity theft, fraud and more for years to come due to the breach, he said.

Mittal echoed Deibler’s comments, arguing that a larger conversation needs to be started about data privacy and protection.

“It’s time for stricter regulations and better enforcement to make sure companies are really protecting our information,” Mittal said.

 

Popular flight-tracking app FlightAware has admitted that it was exposing a bunch of users' data for more than three years.

It made the admission via a notification filed last week with Rob Bonta, California's attorney general, saying the leak began on January 1, 2021, but was only detected on July 25 of this year.

The incident was blamed on an unspecified configuration error. It led to the exposure of personal information, passwords, and various other personal data points you'd expect to see in a breach, depending on what information the user provided in their account.

The full list of potentially impacted data points is below:

  • User ID
  • Password
  • Email address
  • Full name
  • Billing address
  • Shipping address
  • IP address
  • Social media accounts
  • Telephone numbers
  • Year of birth
  • Last four digits of your credit card number
  • Information about aircraft owned
  • Industry
  • Title
  • Pilot status (yes/no)
  • Account activity (such as flights viewed and comments posted)
  • Social Security Number

How was this data exposed? We asked FlightAware and will update the story if it responds.

The downside of filing data leak notifications in California is that the state doesn't require companies to publicly disclose how many people were affected, unlike Maine, for example, which does.

Although we cannot determine the exact number of affected users, FlightAware reports having 12 million registered users. If all were affected, that would be quite the security snafu indeed.

"FlightAware values your privacy and deeply regrets that this incident occurred," it wrote in a letter being sent to affected individuals.

"Once we discovered the exposure, we immediately remedied the configuration error. Out of an abundance of caution, we are also requiring all potentially impacted users to reset their password. You will be prompted to do so at your next log-in to FlightAware."

It's typical with these types of breach notifications to comment on whether the data in question had been accessed and/or misused by unauthorized third parties. The letter to affected users did not address this matter.

It's also typical for companies to offer free credit monitoring for users and the same is the case here. Anyone who receives a letter from FlightAware saying they may be affected was offered two years of service via Equifax.

 

A Kentucky man who hacked into a state registry and faked his own death to avoid paying child support was sentenced on Monday to 81 months in prison.

In January 2023, Jesse Kipf used stolen login credentials belonging to a physician to access the Hawaii Death Registry System, where he submitted and “certified” his own death — thereby avoiding paying more than $116,000 in owed child support.

He also hacked into other state death registry systems, as well as “governmental and corporate networks” using stolen credentials, and tried to sell access to those entities on the darkweb.

“Working in collaboration with our law enforcement partners, this defendant who hacked a variety of computer systems and maliciously stole the identity of others for his own personal gain, will now pay the price,” said Michael E. Stansbury, special agent in charge at the FBI’s Louisville Field Office. Kipf was convicted of computer fraud and aggravated identity theft.

In March 2023, Hawaii’s Department of Health began sending out breach notification letters after it was notified by the cybersecurity firm Mandiant that credentials belonging to an external medical death certifier account had been sold on the dark web. The account belonged to a medical certifier who worked for a local hospital but had left the job in 2021.

According to the Health Department release, the hacker accessed the account on January 20, 2023 — the same month Kipf breached the system.

That same year, Kipf also used stolen credentials to access networks belonging to Guest-Tek Interactive Entertainment Ltd. and Milestone, Inc. — specifically to networks related to the companies’ work with hotel chains, including internet connectivity services.

According to a sentencing memo from Assistant U.S. Attorney Kathryn M. Dieruf, Kipf offered for sale on darknet forums tips for how to access death registry systems, and he sold access to at least one company’s hacked databases to Russian customers. Other international buyers of stolen personal information were from Algeria and Ukraine, according to court documents.

While calling for a seven-year sentence — three more months than the one Kipf received — Dieruf asked the judge to send a message to cybercriminals.

“Similarly situated individuals must see the real danger they present to victims and be deterred from engaging in online criminal conduct by the fear of punishment,” she wrote.

“The cloak of anonymity afforded by the dark web is too alluring without the persistent threat of being brought to justice and serving a significant sentence.”

 

CrowdStrike – a company that advertises itself as stopping breaches using “AI-native cybersecurity” – recently failed to deliver in a spectacular fashion.

One of its faulty updates (for Windows) caused a massive global outage across different industries and services, including hospitals and airports.

CrowdStrike, the latest poster child for “single point of failure” and for why IT systems should not be centralized to the degree they are, now apparently sees making false copyright claims, and thus abusing the DMCA, as one form of damage control.

The recipient of the takedown attempt is a parody site, ClownStrike. Created by IT consultant David Senk, clownstrike.lol went online on July 24, in the wake of the embarrassing and costly (damages are said to run into billions) episode caused by CrowdStrike.

But despite CrowdStrike ostensibly having more pressing issues to deal with, a week later Cloudflare (which hosted the parody site) sent Senk a DMCA notice issued on behalf of CrowdStrike by CSC Digital Brand Services.

CrowdStrike wanted its logo, which is seen “fading into a cartoon clown” on Senk’s site removed, and threatened that otherwise the site would be shut down, writes Ars Technica.

But the site is clearly a parody, which would protect Senk’s display of the logo as fair use under the DMCA. However, this story has two “bad guys” – in addition to CrowdStrike, there’s Cloudflare.

When Senk contested the takedown notice on fair use grounds, Cloudflare ignored it, and then sent him another email reiterating the copyright infringement accusations – and then, again ignored the site creator’s counterclaim.

Senk has switched to a server in Finland, where he feels companies are “less susceptible to DMCA takedown requests.”

Now the site also features the CSC logo (with a clown wig). And it’s been updated with Senk’s thoughts on corporate cyberbullies, Cloudflare’s “hilariously ineffective” system of countering copyright notices, and other rant-worthy topics.

Ars Technica suggests that ClownStrike may have simply got caught up in as many as 500 notices CrowdStrike has been sending left and right these days to ensure “proactive fraud management activities (…) to help prevent bad actors from exploiting current events.”

Senk’s description of this statement? “Typical corporate bullshit (taking) zero accountability.”

[–] c0mmando@links.hackliberty.org 3 points 3 months ago

> Unless you’re a criminal you shouldn’t be worried in any way.

I'm not worried.

> darknet communities should exist but not when they break the law.

You all just sound like a bunch of wanna-be cops to me.

> No sane person can argue selling h**oin or someone's bank account details is something noble and we should all be very upset about it when it's disrupted.

Actually any sane person could argue that PROHIBITION does not work, and by attacking darknet marketplaces what you're doing is making it so drug addicts need to take even more risk buying random shit from street vendors instead of vetted dark web marketplace vendors.

I don't think any of us support your virtue signaling, go attack some child predators or something.

[–] c0mmando@links.hackliberty.org 4 points 3 months ago (4 children)

as if dealing with the feds wasn't enough, now we gotta deal with hacktivist bootlickers

 

Local authorities in Crimea are warning of internet disruptions from distributed denial-of-service (DDoS) attacks targeting telecommunication providers.

The “massive” DDoS attacks, which overwhelm targeted networks with a flood of junk internet traffic, were launched against Crimean telecom companies on Wednesday and are still ongoing, according to Crimean officials.

“Work is underway to repel attacks. There may be interruptions in providing internet services,” said Oleg Kryuchkov, the advisor to the Crimea region, which has been occupied by Russian forces since 2014.

In Crimea’s largest city, Sevastopol, the attackers mostly targeted local internet provider Miranda Media, which is connected to Russian national telecom provider Rostelecom. Miranda Media was sanctioned by the European Union in 2023 for providing services to illegal authorities and institutions in Crimea in the interests of Russia.

Several local subscribers complained on the company’s Telegram channel that their internet connection has been “terrible” for the past two days, but Miranda Media hasn’t released an official statement about the disruptions. The company did not respond to a request for comment.

“The enemy attacks this particular operator for a reason,” a spokesperson for Sevastopol’s government said on Telegram. Miranda Media provides “core communication channels” for the city’s emergency call center, they added.

The attack temporarily disrupted the call center's operations, but local authorities announced on Thursday that they have restored its functionality.

Ukraine’s military intelligence (HUR) claimed responsibility on Wednesday for the cyberattacks on “several of Russia's largest internet providers” operating in Crimea but did not provide additional details.

An anonymous source at HUR told the Ukrainian public broadcaster that the agency "systematically" attacks Russian digital infrastructure, including internet providers.

In May, Ukraine’s military hackers claimed responsibility for an attack on a major internet provider in the Russian city of Belgorod, located about 20 miles north of the Ukrainian border. The targeted company allegedly provides services to state and military institutions.

The attacks on Russian internet providers are also carried out by other Ukraine-linked hacker groups. Last October, a group of cyber activists known as the IT Army claimed responsibility for bringing down Miranda Media and two other Russian internet providers operating in Crimea.

At that time, Miranda Media stated that the attack was "carefully planned by cybercriminals."

 

Australia's Federal Police (AFP) has charged a man with running a fake Wi-Fi network on at least one commercial flight and using it to harvest flier credentials for email and social media services.

The man was investigated after an airline "reported concerns about a suspicious Wi-Fi network identified by its employees during a domestic flight."

The AFP subsequently arrested a man who was found with "a portable wireless access device, a laptop and a mobile phone" in his hand luggage.

That haul led the force to also search the 42-year-old's home – after securing a warrant – and then to his arrest and charging.

It's alleged the accused's collection of kit was used to create Wi-Fi hotspots with SSIDs confusingly similar to those airlines operate for in-flight access to the internet or streamed entertainment. Airport Wi-Fi was also targeted, and the AFP also found evidence of similar activities "at locations linked to the man's previous employment."

Wherever the accused's rig ran, when users logged in to the network, they were asked to provide credentials.

The AFP alleges that details such as email addresses and passwords were saved to the suspect's devices.

The charges laid against the man concern unauthorized access to devices and dishonest dealings. None of the charges suggest the accused used the data he allegedly accessed.

However, three charges of "possession or control of data with the intent to commit a serious offence" suggest the alleged perp was alive to the possibilities of using the data for nefarious purposes.

AFP Western Command Cybercrime detective inspector Andrea Coleman pointed out that free Wi-Fi services should not require logging in through an email or social media account.

Perhaps curiously, she advocated users of public Wi-Fi should "install a reputable virtual private network (VPN) on your devices to encrypt and secure your data when using the internet." She also recommended disabling file sharing, avoiding sensitive apps like banking while using public networks, and manually forgetting connections after use so that devices don't automatically reconnect to naughty networks.

The accused appeared before a magistrate last week and was released on bail on condition he restrict his use of the internet in certain ways.

 

Polish prosecutors are investigating a suspected Russian cyberattack on the country’s state news agency.

The likely goal of the May attack on the Polish Press Agency, or PAP, was disinformation “aimed at causing serious disturbances in the system or economy of the Republic of Poland by an undetermined person or persons involved in or acting on behalf of foreign intelligence,” a spokesperson for the Warsaw District Prosecutor's Office told the state outlet.

This offense is punishable by no fewer than eight years in prison under local law. The probe has been assigned to the Internal Security Agency.

During the attack, hackers published fake news on the PAP website claiming the country’s authorities had announced a partial mobilization of 200,000 men who were to be sent to fight in a war in Ukraine.

After the article was deleted by PAP, the hackers reposted it. Polish authorities blamed the attack on Russia.

"Everything indicates that we are dealing with a cyberattack that was directed from the Russian side," Poland’s Digital Affairs Minister Krzysztof Gawkowski said following the incident.

According to him, the hackers got into the news agency’s system by infecting the device of one of PAP's employees with malware. Gawkowski said that the attack was “targeted” and intended to cause panic and "shake up the system."

Poland is “on the frontline of the cyber fight against Russia,” he added.

PAP chief executive officer Marek Błoński condemned the attack, saying it was likely designed to interfere with the European Parliament election in June, echoing the statement of Prime Minister Donald Tusk, who called the incident “another very dangerous hacker attack” that “illustrates Russia's destabilization strategy on the eve of the European elections."

The Russian embassy in Warsaw told Reuters that it was not aware of the incident and declined to comment.

Poland has experienced an increase in Russian cyberattacks over the past few months, leading it to announce a $760 million investment in cyber defenses.

In June, it also signed a deal with the U.S. to strengthen their cooperation against “foreign information manipulation,” including from Russia.

Suspected Russian hackers have previously used legitimate news websites to spread propaganda. In February, they attacked several popular Ukrainian media outlets, posting fake news related to the war.

Russian hacker groups targeting Ukrainian media include notorious state-controlled threat actors like Sandworm, according to Ukraine's Computer Emergency Response Team (CERT-UA).

 

Software company TeamViewer says that a compromised employee account is what enabled hackers to breach its internal corporate IT environment and steal encrypted passwords in an incident attributed to the Russian government.

In an update on Sunday evening, TeamViewer said a Kremlin-backed group tracked as APT29 was able to copy employee directory data like names, corporate contact information and the encrypted passwords, which were for the company’s internal IT environment.

The company reaffirmed that the hackers were not able to gain access to the company's product environment or customer data, and that the breach, first reported last week, appears to be contained.

“The risk associated with the encrypted passwords contained in the directory has been mitigated in collaboration with leading experts from our incident response partner Microsoft,” the company said.

TeamViewer said it has contacted authorities about the incident. APT29 — associated with Russia’s foreign intelligence service, the SVR — is one of the Kremlin’s highest-profile hacking operations.

“We hardened authentication procedures for our employees to a maximum level and implemented further strong protection layers. Additionally, we have started to rebuild the internal corporate IT environment towards a fully trusted state,” the statement said.

TeamViewer’s remote access and remote control software is used to remotely manage fleets of devices. The company has previously faced attacks by alleged Chinese hackers and its products have often been deployed maliciously by hackers themselves during security incidents.

Multiple organizations published warnings last week about the APT29 breach, urging TeamViewer customers to take a range of actions — including reviewing logs for any unusual remote desktop traffic and enabling two-factor authentication. A healthcare security organization urged members to “use the allowlist and blocklist to control who can connect to their devices.”

TeamViewer has not responded to questions about what APT29 appeared to be looking for during the incident.

The theft of encrypted passwords by APT29 matches another incident earlier this year where the same group infiltrated Microsoft’s systems and stole authentication details, credentials and emails from the tech giant’s senior leaders.

 

Caught in the Net: Using Infostealer Logs to Unmask CSAM Consumers

Summary

In this proof-of-concept report, Recorded Future's Identity Intelligence analyzed infostealer malware data to identify consumers of child sexual abuse material (CSAM). Approximately 3,300 unique users were found with accounts on known CSAM sources. A notable 4.2% had credentials for multiple sources, suggesting a higher likelihood of criminal behavior. The study reveals how infostealer logs can aid investigators in tracking CSAM activities on the dark web. Data was escalated to law enforcement for further action.

Background

Infostealer malware steals sensitive user information such as login credentials, cryptocurrency wallets, payment card data, OS information, browser cookies, screenshots, and autofill data. Common distribution methods include phishing, spam campaigns, fake update websites, SEO poisoning, and malvertising. A popular infection vector is “cracked” software marketed to users seeking to obtain licensed software illegally. Stolen data, known as “infostealer logs,” often ends up on dark web sources where cybercriminals can purchase it, potentially gaining access to networks or systems.

The anonymity provided by Tor-based websites with .onion domains fosters the production and consumption of CSAM. Studies show that although only a small percentage of .onion websites host CSAM, the majority of dark web browsing activity targets these sites.

Methodology

In this proof-of-concept report, Recorded Future's Identity Intelligence leveraged infostealer malware data to identify consumers of child sexual abuse material (CSAM), surface additional sources, and uncover geographic and behavioral trends. Our high-confidence assessments stem from the nature of the infostealer log data and subsequent research.

Sample investigations of three individuals with accounts on multiple CSAM sources suggest that having multiple CSAM accounts may indicate a higher likelihood of committing crimes against children. This study demonstrates that infostealer logs can help law enforcement track child exploitation on the dark web, a challenging area to trace. All relevant findings have been reported to authorities.

Our research involved creating a list of known high-fidelity CSAM domains and querying Recorded Future Identity Intelligence data to identify users with credentials to these domains. Collaborating with non-profit organizations like World Childhood Foundation and the Anti-Human Trafficking Intelligence Initiative (ATII), Insikt Group expanded this list by querying the Recorded Future Intelligence Cloud. This iterative process helped identify additional CSAM sources.

Insikt Group then queried Recorded Future’s Identity Intelligence, which offers real-time access to infostealer log information, for authentication records linked to known CSAM sources from February 2021 to February 2024. De-duplication was performed by comparing OS usernames and PC names.
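The matching and de-duplication step described above, as an added example that is not Recorded Future's own tooling: credential records in the shape of a stealer log are matched against a curated list of source domains (exact host or subdomain), users are collapsed by the (OS username, PC name) pair, and the headline statistics (unique users, users with accounts on more than one source, users per source) are computed. The domain list, the record layout and the log entries are constructed placeholders.

```python
"""Added example (not Recorded Future's code): match infostealer-log credential
records against a list of known source domains, de-duplicate by OS username
and PC name, and count users holding accounts on more than one source.
The domain list and the log records below are constructed placeholders."""
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed placeholder domains standing in for a curated list of known sources.
KNOWN_SOURCES = frozenset({"source-a.example", "source-b.example"})

# Constructed records in the shape of typical stealer-log "passwords" entries.
SAMPLE_RECORDS = [
    {"url": "http://source-a.example/login", "login": "u1",
     "os_username": "alice", "pc_name": "DESKTOP-A1", "ip": "203.0.113.5"},
    {"url": "http://source-b.example/auth", "login": "u1",
     "os_username": "alice", "pc_name": "DESKTOP-A1", "ip": "203.0.113.5"},
    # Same machine logged twice (re-infection): must collapse into one user.
    {"url": "https://source-a.example/", "login": "u1",
     "os_username": "alice", "pc_name": "DESKTOP-A1", "ip": "198.51.100.7"},
    # Unrelated credential from the same log: not a hit.
    {"url": "https://shop.example.net/login", "login": "alice@example.net",
     "os_username": "alice", "pc_name": "DESKTOP-A1", "ip": "203.0.113.5"},
    # A subdomain of a known source still counts as that source.
    {"url": "http://m.source-b.example/", "login": "b0b",
     "os_username": "bob", "pc_name": "LAPTOP-B9", "ip": "192.0.2.44"},
]


def match_source(url, known=KNOWN_SOURCES):
    """Return the known source domain a URL belongs to (exact host or subdomain), else None."""
    host = (urlparse(url).hostname or "").lower()
    for domain in known:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def group_by_machine(records, known=KNOWN_SOURCES):
    """Map each (os_username, pc_name) key to the set of known sources it holds credentials for."""
    machines = defaultdict(set)
    for rec in records:
        domain = match_source(rec["url"], known)
        if domain is not None:
            machines[(rec["os_username"], rec["pc_name"])].add(domain)
    return dict(machines)


def summarize(records, known=KNOWN_SOURCES):
    """Headline statistics: unique users, multi-source users (count and share), users per source."""
    machines = group_by_machine(records, known)
    multi = [key for key, sources in machines.items() if len(sources) > 1]
    per_source = Counter(d for sources in machines.values() for d in sources)
    share = round(100.0 * len(multi) / len(machines), 1) if machines else 0.0
    return {
        "unique_users": len(machines),
        "multi_source_users": len(multi),
        "multi_source_share": share,
        "users_per_source": dict(per_source),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
```

De-duplicating on the (OS username, PC name) pair rather than on the IP address is deliberate: the same infected machine often shows up in several logs from different networks, while a shared NAT address can hide several distinct machines.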

Findings

Insikt Group identified 3,324 unique credentials used to access known CSAM websites. This data allowed us to gather statistics on individual sources and users, including their usernames, IP addresses, and system information. This granular data helps law enforcement understand the infrastructure of CSAM websites, uncover techniques used by CSAM consumers to mask their identities, and identify potential CSAM consumers and producers.

In three case studies, Insikt Group used the data contained in infostealer logs and open-source intelligence (OSINT) to identify two individuals and found further digital artifacts, including cryptocurrency addresses, belonging to a third individual.

The PoC study showcases that infostealer logs can be used to identify CSAM consumers and new sources and trends in CSAM communities.

As the cybercriminal demand for infostealer logs and malware-as-a-service (MaaS) ecosystems continues to grow, Insikt Group anticipates that infostealer log datasets will continue to provide current and evolving insights into CSAM consumers.


 

A new vulnerability affecting Linux systems has caused alarm over the last 48 hours among security researchers, although some experts have cast doubts about whether widespread exploitation of the bug is likely.

On Monday, researchers from cybersecurity firm Qualys unveiled a report on CVE-2024-6387 — colloquially known as “RegreSSHion.” A patch is available to resolve the issue.

The vulnerability is found in OpenSSH’s server in glibc-based Linux systems.

Saeed Abbasi, product manager of vulnerability research at Qualys, told Recorded Future News the best way to understand the issue is to imagine a very secure lock on your front door that only lets people in if they have the right key.

“This lock is used in many houses worldwide because it is very safe. However, we’ve discovered a flaw in this lock — a hidden way to open it without a key, and someone could sneak in without you noticing,” he said.

Matt Moore, the chief technology officer at the security company Chainguard, explained that OpenSSH is a free open source collection of networking tools used predominantly by system administrators to manage remote systems across platforms.

It is also used for securely transferring files and for accessing services in the cloud without exposing a local machine's ports to the Internet, he said. OpenSSH encrypts all traffic between client and server to prevent eavesdropping, connection hijacking, and other attacks.

“In simpler terms, this is the equivalent of a bank vault being already unlocked during a robbery, attackers can use this to gain access and then laterally move to where the most important information is,” Moore said.

If exploited, the vulnerability would allow for a full system takeover where an attacker could install malware, manipulate data and create backdoors for persistent access. The researchers found that it is actually a version of a bug that was previously resolved — CVE-2006-5051 — and then reintroduced after recent code changes.

Qualys’s Abbasi explained that searches on tools like Censys and Shodan show potentially 14 million internet-facing server instances that may be vulnerable to the bug, although Moore said it appears the blast radius for the bug is smaller than the entirety of the ecosystem using OpenSSH.

Abbasi said the bug was particularly concerning because it affects the default configuration of OpenSSH and doesn't require user interaction.

The ubiquity of OpenSSH as a secure communication method “significantly broadens the potential repercussions of this vulnerability,” he added.

“Within an enterprise setting, OpenSSH is utilized across various platforms, such as on-premise servers, cloud infrastructures, development environments, workstations, laptops, containerized environments, and network devices. This extensive deployment highlights the widespread impact a vulnerability could have,” he said.

Questions about exploitation

While most experts said concerns about the bug were justified, others cast doubt on its severity.

Moore noted the exploits for the vulnerability appear to only be viable for a certain kind of Linux server, most of which are relegated to 15-year-old systems.

While it is not difficult to install the patch, the larger issue according to Moore is identifying what instances are using vulnerable versions. Organizations should focus on upgrading to the latest version of OpenSSH, with a priority placed on publicly exposed instances.

Several tools for identifying vulnerable systems have been released to help with that inventory work.
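An added example of the inventory problem Moore describes, written for this page rather than taken from any of the tools mentioned: it parses the OpenSSH version out of SSH identification banners already collected from hosts, flags banners whose version falls in the ranges the Qualys advisory gives for CVE-2024-6387 (an assumption to confirm against the advisory you rely on), and sorts internet-exposed hits to the top. The host names and banners are constructed.

```python
"""Added example: triage an SSH banner inventory for CVE-2024-6387 (RegreSSHion).
Not code from Qualys, Chainguard or any scanner named in the article."""
import re

BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")

# Constructed inventory: (host, banner as sent by the server, internet_exposed).
SAMPLE_INVENTORY = [
    ("bastion-1", "SSH-2.0-OpenSSH_9.7p1 Ubuntu-3ubuntu13", True),
    ("build-7", "SSH-2.0-OpenSSH_9.6p1", False),
    ("legacy-db", "SSH-2.0-OpenSSH_4.3", False),
    ("web-2", "SSH-2.0-OpenSSH_8.4p1", True),
    ("router-3", "SSH-2.0-dropbear_2022.83", True),
    ("bsd-1", "SSH-2.0-OpenSSH_9.8", True),
]


def parse_openssh_version(banner):
    """Return (major, minor) from an OpenSSH banner, or None for non-OpenSSH servers."""
    m = BANNER_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def in_affected_range(version):
    """Version ranges as stated in the Qualys advisory (assumed here, verify yourself):
    releases before 4.4p1 are affected unless the CVE-2006-5051 fix was backported,
    4.4p1 through 8.4p1 are not affected, 8.5p1 through 9.7p1 are affected again,
    and 9.8p1 carries the fix. Patch levels (the "pN") do not change the verdict."""
    return version < (4, 4) or (8, 5) <= version <= (9, 7)


def triage(inventory):
    """Classify every host and order the list so that the most urgent entries come first."""
    rows = []
    for host, banner, exposed in inventory:
        version = parse_openssh_version(banner)
        if version is None:
            status = "not-openssh"
        elif in_affected_range(version):
            status = "banner-in-affected-range"
        else:
            status = "banner-outside-affected-range"
        rows.append({"host": host, "version": version, "exposed": exposed, "status": status})
    # Priority: affected-range banners first, internet-exposed before internal, then by name.
    rows.sort(key=lambda r: (r["status"] != "banner-in-affected-range", not r["exposed"], r["host"]))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row)
```

Two caveats a practitioner should keep in mind: distributions commonly backport the fix without changing the version in the banner, so a "banner-in-affected-range" result is a prioritization hint to confirm against the installed package version, not proof of exposure; and the banner says nothing about whether the host is a glibc-based Linux system, which the article notes is where the bug applies.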

Experts at the cybersecurity firms Wiz and Palo Alto Networks said widespread exploitation is unlikely. Wiz said an attacker would need to know the version of Linux they are targeting in order to tailor the exploit, making the bug “inappropriate for widespread opportunistic exploitation.”

Palo Alto Networks said proof of concept code released on Monday has not worked in their exploit attempts, and as of Tuesday they have seen no exploit attempts in the wild.

Contrast Security co-founder Jeff Williams added that attacks involving the vulnerability are “a bit noisy” and may take thousands of attempts to succeed — allowing defenders to detect and prevent the attacks before they are successful. Wiz echoed that assessment, explaining that successful exploitation “usually takes several hours of login attempts in total.”

“No need to hit the panic button at this time,” said Ben Lister, threat research engineer at NetSPI.

“Due to its complexity, it would take an attacker between six hours and a week of persistent effort to successfully exploit the condition and gain a root shell — making it highly unlikely that we’ll experience mass exploitation, as we've seen with similar vulnerabilities. However, organizations should remain proactive and vigilant against the exploit.”
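The experts quoted above stress that exploitation is noisy: thousands of connection attempts over hours, which gives defenders a window to notice and block the source. As an added example, not from the article or any of the firms quoted, the script below shows the kind of rate check a defender can run over sshd logs. It assumes the common syslog shape of the "Timeout before authentication for <ip> port <n>" message that sshd emits when a connection hits LoginGraceTime, and the window, threshold and sample log lines are constructed values for illustration, not tuned guidance.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed message shape: "<syslog ts> <host> sshd[<pid>]: [fatal: ]Timeout before
# authentication for <ip> port <n>". Adjust the pattern to your own log format.
TIMEOUT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:fatal: )?Timeout before authentication for (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_timestamp(ts, year=2024):
    """Syslog timestamps carry no year; the caller supplies it (assumption)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_noisy_sources(lines, window_seconds=600, threshold=20, year=2024):
    """Count pre-auth timeouts per source IP in a sliding window.

    Lines are expected in chronological order (as in a log file). Returns a dict
    {ip: peak number of timeouts seen in any window_seconds span} for every IP
    whose peak reached the threshold. Both parameters are illustrative defaults.
    """
    windows = defaultdict(deque)  # ip -> timestamps inside the current window
    peaks = defaultdict(int)      # ip -> largest window count observed
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if not m:
            continue  # accepted logins, disconnects etc. are not counted
        t = parse_timestamp(m.group("ts"), year)
        ip = m.group("ip")
        q = windows[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop events that fell out of the window
        peaks[ip] = max(peaks[ip], len(q))
    return {ip: n for ip, n in peaks.items() if n >= threshold}


def _sample_lines():
    """Constructed sample log, not captured from any real host."""
    base = datetime(2024, 7, 2, 10, 0, 0)
    lines = [
        "Jul  2 09:59:50 bastion sshd[4000]: Accepted publickey for ops from "
        "198.51.100.9 port 50122 ssh2: ED25519 SHA256:constructed"
    ]
    # One source producing a pre-auth timeout every five seconds for two minutes.
    for i in range(25):
        t = base + timedelta(seconds=5 * i)
        lines.append(
            f"{t.strftime('%b')} {t.day:2d} {t.strftime('%H:%M:%S')} bastion "
            f"sshd[{4100 + i}]: fatal: Timeout before authentication for "
            f"203.0.113.7 port {40000 + i}"
        )
    # A single stalled login from a legitimate client should not be flagged.
    lines.append(
        "Jul  2 10:03:00 bastion sshd[4200]: Timeout before authentication for "
        "198.51.100.9 port 50130"
    )
    return lines


SAMPLE_LINES = _sample_lines()

if __name__ == "__main__":
    for ip, n in find_noisy_sources(SAMPLE_LINES).items():
        print(f"{ip}: {n} pre-auth timeouts inside one window")
```

A hit on this check is a prompt to investigate and, where policy allows, to block the source at the firewall or with a rate limiter in front of sshd; on real hosts the window and threshold should be set from the normal baseline of pre-auth timeouts, which on most servers is close to zero.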

 

An international coalition of law enforcement agencies has taken action against hundreds of installations of the Cobalt Strike software, a penetration testing tool notoriously abused by both state-sponsored and criminal hackers involved in the ransomware ecosystem.

Britain’s National Crime Agency (NCA) announced on Wednesday that it coordinated global action against the tool, tackling 690 IP addresses hosting illegal instances of the software in 27 countries.

Cobalt Strike, now owned by a company called Fortra, was developed in 2012 to simulate how hackers break into victims’ networks. However, it works so well — easing the processes involved in trying to break into a victim’s network — that pirated versions of the tool have been widely deployed by real malicious actors over the last decade.

The action comes as law enforcement agencies continue to tackle ransomware gangs by targeting the ecosystem’s weak points — hitting the links in the chain that could have cascading effects, such as the seizure of bulletproof hosting provider LolekHosted.

Alongside its legitimate users and those in the ransomware space, Cobalt Strike has also been used by hackers linked to the Russian, Chinese and North Korean governments.

“Since the mid 2010s, pirated and unlicensed versions of the software downloaded by criminals from illegal marketplaces and the dark web have gained a reputation as the ‘go-to’ network intrusion tool for those seeking to build a cyber attack, allowing them to deploy ransomware at speed and at scale,” stated the NCA.

Most commonly, the unlicensed versions of Cobalt Strike are used in spear phishing emails that aim to install a beacon on the target’s device. This beacon then allows the attacker to profile and remotely access the victim’s network.

However, its multifunctional nature, including a framework for managing the hackers' command and control infrastructure, makes the tool “the Swiss army knife of cybercriminals and nation state actors,” as described by Don Smith, the vice president of threat research at Secureworks Counter Threats Unit.

“Cobalt Strike has long been the tool of choice for cybercriminals, including as a precursor to ransomware. It is also deployed by nation state actors, e.g. Russian and Chinese – to facilitate intrusions in cyber espionage campaigns. Used as a foothold, it has proven to be highly effective at providing the back door to victims to facilitate intrusions in cyber espionage campaigns,” Smith said.

According to the NCA, the action tackling the rogue uses of the software took place last week and involved server takedowns as well as sending “abuse notifications” to ISPs to warn them that they could be hosting malware.

Paul Foster, the director of threat leadership at the NCA, stressed that Cobalt Strike was “a legitimate piece of software,” but that “sadly cybercriminals have exploited its use for nefarious purposes.”

“Illegal versions of it have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise,” Foster said.

“International disruptions like these are the most effective way to degrade the most harmful cyber criminals, by removing the tools and services which underpin their operations,” added the NCA director.

Despite the law enforcement action, “the threat from ransomware remains omnipresent and whilst this disruption is to be welcomed, criminals and nation state actors will almost certainly have a Plan B,” said Secureworks’ Smith.

Fortra has pledged to continue to work with law enforcement to identify and remove older versions of its software from the internet. The NCA retracted an earlier statement that the company had released a new version of the software with “enhanced security measures.”

“Fortra has taken significant steps to prevent the abuse of its software and has partnered with law enforcement throughout this investigation to protect the legitimate use of its tools,” Europol stated.

“However, in rare circumstances, criminals have stolen older versions of Cobalt Strike, creating cracked copies to gain backdoor access to machines and deploy malware. Such unlicensed versions of the tool have been connected to multiple malware and ransomware investigations, including those into RYUK, Trickbot and Conti.”

[–] c0mmando@links.hackliberty.org 6 points 4 months ago* (last edited 4 months ago)

The modem or mobile router in the car is what can be tracked by telcos via IMEI pings, with or without an eSIM. Telematics units can be disabled by pulling fuses, and you should also call to opt out with most car manufacturers.

[–] c0mmando@links.hackliberty.org 1 points 10 months ago

I haven't seen that one, but I might have to now.

[–] c0mmando@links.hackliberty.org 2 points 11 months ago (2 children)

Hi wravoc, good to see you again, and I must say your git page is looking sweeet

[–] c0mmando@links.hackliberty.org 7 points 11 months ago (1 children)
[–] c0mmando@links.hackliberty.org 10 points 11 months ago (1 children)

Of course it will... but downloading 150 TB is overkill if you want one book.
