Europol nukes nearly 600 IP addresses in Cobalt Strike crackdown

Europol just announced that a week-long operation at the end of June dropped nearly 600 IP addresses that supported illegal copies of Cobalt Strike. Fortra's legitimate red-teaming tool is notorious for being widely abused by cybercriminals, who source cracked copies of the tool for use in malware and ransomware operations …

  1. Jellied Eel Silver badge

    Black hole Sun, Won't you come, and take away the pain..

    "A total of 690 IP addresses were flagged to online service providers in 27 countries. By the end of the week, 593 of these addresses had been taken down."

    Interesting approach, and curious how scalable this would be. Or how effective in the long term. Technically it's simple enough to do, ie blackhole those host routes on all border routers. So 690 entries in filter lists to install and maintain. One of those things where some kind of centralised blacklist maintainer, eg RIPE, might help because they're mostly trusted. But also risks being compromised or abused. Plus the impact on those routers because the more rules, the slower the processing. And at some point, those addresses may become 'clean' again. That's been one of the challenges in the past with blocklists when addresses have been reassigned to legit customers, and used to happen with black holing for spammers.

    It'll also be interesting to see how quickly the criminals can adapt and find new hosts, so whether this will start a game of whack-a-route chasing them around the 'net.
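    The maintenance problem raised above (hundreds of host routes that eventually go 'clean' again) is what a blocklist tool has to handle. The following is an added example, not code from the article or from Europol: it expires flagged addresses after a TTL, collapses adjacent hosts into fewer prefixes, and renders Linux null-route commands. The feed, the dates and the 90-day TTL are constructed assumptions; addresses are RFC 5737 documentation ranges.

```python
"""Blocklist with expiry: emit null-route commands for flagged addresses."""
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed sample feed of (address, date flagged). In practice this would be
# the takedown notice or an abuse feed, not a hard-coded list.
FLAGGED = [
    ("192.0.2.10", "2024-06-24"),
    ("192.0.2.11", "2024-06-24"),       # adjacent to the one above: merges into a /31
    ("198.51.100.7", "2024-03-01"),     # old entry, should have expired by July
    ("203.0.113.250", "2024-06-26"),
    ("not-an-ip", "2024-06-26"),        # malformed line, skipped rather than fatal
]

TTL = timedelta(days=90)  # assumed retention before an address is treated as clean again


def active_entries(flagged, now, ttl=TTL):
    """Return the set of still-valid host addresses, dropping expired or malformed lines."""
    keep = set()
    for addr, flagged_on in flagged:
        try:
            ip = ipaddress.ip_address(addr)
            when = datetime.fromisoformat(flagged_on).replace(tzinfo=timezone.utc)
        except ValueError:
            continue  # bad address or bad date: never install a rule from garbage input
        if now - when <= ttl:
            keep.add(ip)
    return keep


def collapse(addresses):
    """Merge adjacent host routes into the smallest set of prefixes (fewer filter entries)."""
    nets = [ipaddress.ip_network(ip) for ip in addresses]
    return sorted(ipaddress.collapse_addresses(nets))


def null_route_commands(prefixes):
    """Render one Linux 'ip route' blackhole command per prefix."""
    return [f"ip route add blackhole {p}" for p in prefixes]


def build(flagged, now_iso, ttl=TTL):
    """Full pipeline: expire, collapse, render. now_iso is an ISO date string."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return null_route_commands(collapse(active_entries(flagged, now, ttl)))


if __name__ == "__main__":
    print("\n".join(build(FLAGGED, "2024-07-04")))
```

Rerunning the script on a schedule and diffing its output against the installed routes gives both the additions and the withdrawals, so stale entries are removed instead of accumulating.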

    1. Anonymous Coward

      Re: Black hole Sun, Won't you come, and take away the pain..

      A game of Whack-a-route that takes down 600 addresses in 3 years isn't likely to have much impact. Blocking all Chinese IP addresses at gateways would be easier, quicker, and have more impact.

      1. Jellied Eel Silver badge

        Re: Black hole Sun, Won't you come, and take away the pain..

        A game of Whack-a-route that takes down 600 addresses in 3 years isn't likely to have much impact. Blocking all Chinese IP addresses at gateways would be easier, quicker, and have more impact.

        Back in the day, this was a suggestion to deal with spam. Except for minor details like a lot of spam originating from the US, or controlled by US spammers. I haven't seen the list or done any analysis on it to see where the addresses were allocated or assigned from though. But with stuff like this, there's often an issue with hacked PCs being involved anyway. So anywhere where there's a large number of 'net users and weak security tends to end up with those users getting involved.

        It may be 600 addresses now, but if this approach is going to be used for other hackers, that list could grow rapidly. Plus there's an IPR angle, ie part of this story is miscreants using unlicensed software for mayhem. Hopefully other widely cracked and distributed software companies won't jump on this and demand unlicensed copies of their software are also blocked. This one is a bit of a special case because of what the software is, and how it's been abused.

        1. Dimmer Silver badge

          Re: Black hole Sun, Won't you come, and take away the pain..

          When you are getting hit, have fun, if you dare.

          On your border, build a NAT rule that when coming from that address, send it back.

          Fire up Wireshark and see how they react.

          If nothing else, it would be at least a learning experience.

  2. disgruntled yank

    Nukes, nuclear

    Is it the expectation of tonight's fireworks in the US that creates the sudden Register enthusiasm for the verb nuke and the adjective nuclear? Remind me to look on Bastille Day and Guy Fawkes Day.

    1. Anonymous Coward

      Re: Nukes, nuclear

      Dunno about the US, but French and British nukes are a wee bit bigger than fireworks.

      1. Claptrap314 Silver badge

        Re: Nukes, nuclear

        You are obviously not an astronomer...
