Iran-linked Cobalt Mirage extracts money, info from US orgs – report

Khamenei, can you just not? Not right now, fam

The Iran-linked Cobalt Mirage crew is running attacks against America for both financial gain and for cyber-espionage purposes, according to Secureworks' threat intelligence team.

The cybercriminal gang has been around since June 2020, and its most recent activities have been put into two categories. One, using ransomware to extort money, as illustrated by a strike in January against a US philanthropic organization, according to Secureworks' Counter Threat Unit (CTU); and two, gathering intelligence, with a local government network in the United States targeted in March, CTU researchers detailed Thursday.

"The January and March incidents typify the different styles of attacks conducted by Cobalt Mirage," they wrote. "While the threat actors appear to have had a reasonable level of success gaining initial access to a wide range of targets, their ability to capitalize on that access for financial gain or intelligence collection appears limited. At a minimum, Cobalt Mirage's ability to use publicly available encryption tools for ransomware operations and mass scan-and-exploit activity to compromise organizations creates an ongoing threat."

Andy Gill, senior security consultant at Lares Consulting, told The Register: "threat actors often have multiple focuses; however, the main one will almost always be financial gain. Conducting espionage can lead to significant financial gain depending on the group's motives and geopolitical leaning or backing. The focus on both indicates that the group may be state-backed with a focus on gaining long-term cash out with short-term gain via espionage."

In the financially motivated "cluster" of attacks, the group is using BitLocker and DiskCryptor to hold victims' documents to ransom. For the espionage strikes, Cobalt Mirage pulls off targeted intrusions to gain access and collect intelligence, though the snoops appear to be experimenting with ransomware here as well, the threat hunters wrote.

Cobalt Mirage in the past has targeted organizations in America as well as Europe, Israel, and Australia using scan-and-exploit tools to gain initial access into the networks. In November 2021, Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert with its counterparts in the UK and Australia as well as the FBI about an unnamed Iranian government-sponsored advanced persistent threat (APT) group exploiting flaws in Fortinet software, and the Microsoft Exchange ProxyShell vulnerability, to gain initial access into networks and deploy malware, including ransomware.

Secureworks is attributing those operations to Cobalt Mirage. The researchers wrote that the group is linked to another Iranian gang, Cobalt Illusion, which tends to use persistent phishing campaigns to gain initial access and it's likely the two groups share tradecraft and access. In addition, "elements of Cobalt Mirage activity have been reported as Phosphorus and TunnelVision," they wrote.

The cybergang is continuing to use a range of high-profile vulnerabilities, including ProxyShell and Log4Shell bugs, for initial access into systems, according to CTU's latest report. In January, Cobalt Mirage exploited a ProxyShell flaw to get access into a philanthropic organization's network. CTU researchers noticed scripts used during the attack referenced Python's Requests library.

"The Python reference is likely due to the threat actors using a Python-based proof-of-concept ProxyShell exploit in their initial attack and potentially additional scripted commands during the intrusion," they wrote. Within days of the initial access, the group used BitLocker to encrypt three workstations.

"The threat actors completed the attack with an unusual tactic of sending a ransom note to a local printer," CTU researchers wrote. "The note includes a contact email address and Telegram account to discuss decryption and recovery. This approach suggests a small operation that relies on manual processes to map victims to the encryption keys used to lock their data."

They also said it appears Cobalt Mirage doesn't have a website from which it leaks data pilfered from victims; extortionware gangs these days tend to have a dark-web site in which they disclose some stolen documents to encourage organizations to pay up to avoid the whole lot being dumped in public.

The long tail of Log4J

In March, Cobalt Mirage used the widespread Log4j vulnerabilities to gain access into the VMware Horizon infrastructure of a local government network. Horizon – VMware's virtual desktop infrastructure (VDI) product – has been targeted by other threat groups exploiting Log4Shell to deploy cryptominer malware, according to the analysts.

"Log4J, like many serious vulnerabilities before it, can have a long tail," Mike Parkin, senior technical engineer at Vulcan Cyber, told The Register. "Active developers will quickly develop patches and organizations that are on top of their security will quickly apply them, but there are often stragglers who either lack the resources or awareness to deal with the issue."

Given the ubiquitous use of Log4j in production, "we're apt to see 'forgotten applications' being targeted for some time to come even after the majority of installations have been mitigated," Parkin said.

Once in, the attackers used the DefaultAccount user to move laterally within the environment via RDP, used a compromised system to run Google searches for "upload file for free" and then accessed websites, at least one of which was used to exfiltrate data. In addition, the threat actors downloaded files onto compromised systems using file-sharing services, the analysts wrote.
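The DefaultAccount-over-RDP lateral movement described above is the kind of behaviour a defender can pick out of Windows Security logs. The following is an added Python example, not code from the Secureworks report or this article: it flags successful remote logons (event 4624, network or RemoteInteractive logon types) by the built-in DefaultAccount in constructed sample records and groups them by source address so one box reaching many hosts stands out. The field names mirror 4624 but the sample lines are made up.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape of Windows Security event 4624/4625
# fields (flattened to key=value for this example); not data from the report.
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=jdoe LogonType=2 IpAddress=- WorkstationName=WS01",
    "EventID=4624 TargetUserName=DefaultAccount LogonType=10 IpAddress=10.0.0.23 WorkstationName=HZN-CS01",
    "EventID=4624 TargetUserName=DefaultAccount LogonType=3 IpAddress=10.0.0.23 WorkstationName=FS02",
    "EventID=4625 TargetUserName=DefaultAccount LogonType=10 IpAddress=10.0.0.23 WorkstationName=DC01",
    "EventID=4624 TargetUserName=svc_backup LogonType=5 IpAddress=- WorkstationName=FS02",
]

# Logon types that imply access from another machine (4624 LogonType semantics).
REMOTE_LOGON_TYPES = {3: "network", 10: "remote-interactive (RDP)"}

# DefaultAccount is a built-in, normally disabled, system-managed account;
# any successful remote logon with it deserves an alert.
WATCHED_ACCOUNTS = {"defaultaccount"}

def parse_event(line):
    """Turn one flattened key=value record into a dict with typed fields."""
    f = dict(re.findall(r"(\w+)=(\S+)", line))
    return {"event_id": int(f["EventID"]), "user": f["TargetUserName"],
            "logon_type": int(f["LogonType"]), "src": f["IpAddress"],
            "host": f["WorkstationName"]}

def find_watched_remote_logons(lines):
    """Return alerts for successful (4624) remote logons by watched accounts."""
    alerts = []
    for ev in map(parse_event, lines):
        if ev["event_id"] != 4624 or ev["user"].lower() not in WATCHED_ACCOUNTS:
            continue  # failed attempts and other accounts are out of scope here
        if ev["logon_type"] in REMOTE_LOGON_TYPES:
            alerts.append({**ev, "why": REMOTE_LOGON_TYPES[ev["logon_type"]]})
    return alerts

def hosts_by_source(alerts):
    """Sources that reached more than one host with a watched account."""
    grouped = defaultdict(set)
    for a in alerts:
        grouped[a["src"]].add(a["host"])
    return {src: sorted(hosts) for src, hosts in grouped.items() if len(hosts) > 1}

if __name__ == "__main__":
    found = find_watched_remote_logons(SAMPLE_EVENTS)
    for a in found:
        print(f"ALERT {a['user']} -> {a['host']} from {a['src']} ({a['why']})")
    print("sources touching multiple hosts:", hosts_by_source(found))
```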

The threat hunters also said that while they haven't seen ransomware attacks linked to the cyberespionage intrusions, evidence indicates that the bad actors may be experimenting with extortionware. A file uploaded to VirusTotal seems to be an "unfinished attempt at ransomware," they wrote. Code in the file was also identified in the PowerlessCLR remote access trojan (RAT), and the file was hosted on an address used by Cobalt Mirage.

"CTU researchers have also observed Cobalt Mirage infrastructure hosting files related to the HiddenTear open-source ransomware family but have not observed the ransomware being deployed to targets," they wrote. ®
