The Iran-linked Cobalt Mirage crew is running attacks against America for both financial gain and for cyber-espionage purposes, according to Secureworks’ threat intelligence team.
The cybercriminal gang has been around since June 2020, and its most recent activities have been put into two categories. One, using ransomware to extort money, as illustrated by a strike in January against a US philanthropic organization, according to Secureworks’ Counter Threat Unit (CTU); and two, gathering intelligence, with a local government network in the United States targeted in March, CTU researchers detailed today.
“The January and March incidents typify the different styles of attacks conducted by Cobalt Mirage,” they wrote. “While the threat actors appear to have had a reasonable level of success gaining initial access to a wide range of targets, their ability to capitalize on that access for financial gain or intelligence collection appears limited. At a minimum, Cobalt Mirage’s ability to use publicly available encryption tools for ransomware operations and mass scan-and-exploit activity to compromise organizations creates an ongoing threat.”
Andy Gill, senior security consultant at Lares Consulting, told The Register: “threat actors often have multiple focuses; however, the main one will almost always be financial gain. Conducting espionage can lead to significant financial gain depending on the group’s motives and geopolitical leaning or backing. The focus on both indicates that the group may be state-backed with a focus on gaining long-term cash out with short-term gain via espionage.”
In the financially-motivated “cluster” of attacks, the group is using BitLocker and DiskCryptor to hold victims’ documents to ransom. For the espionage strikes, Cobalt Mirage pulls off targeted intrusions to gain access and collect intelligence, though the snoops appear to be experimenting with ransomware here as well, the threat hunters wrote.
Cobalt Mirage in the past has targeted organizations in America as well as Europe, Israel, and Australia using scan-and-exploit tools to gain initial access into the networks. In November 2021, Uncle Sam’s Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert with its counterparts in the UK and Australia as well as the FBI about an unnamed Iranian government-sponsored advanced persistent threat (APT) group exploiting flaws in Fortinet software, and the Microsoft Exchange ProxyShell vulnerability, to gain initial access into networks and deploy malware, including ransomware.
Secureworks is attributing those operations to Cobalt Mirage. The researchers wrote that the group is linked to another Iranian gang, Cobalt Illusion, which tends to use persistent phishing campaigns to gain initial access and it’s likely the two groups share tradecraft and access. In addition, “elements of Cobalt Mirage activity have been reported as Phosphorus and TunnelVision,” they wrote.
The cybergang is continuing to use a range of high-profile vulnerabilities, including ProxyShell and Log4Shell bugs, for initial access into systems, according to CTU’s latest report. In January, Cobalt Mirage exploited a ProxyShell flaw to get access into a philanthropic organization’s network. CTU researchers noticed scripts used during the attack referenced Python’s Requests library.
“The Python reference is likely due to the threat actors using a Python-based proof-of-concept ProxyShell exploit in their initial attack and potentially additional scripted commands during the intrusion,” they wrote. Within days of the initial access, the group used BitLocker to encrypt three workstations.
“The threat actors completed the attack with an unusual tactic of sending a ransom note to a local printer,” CTU researchers wrote. “The note includes a contact email address and Telegram account to discuss decryption and recovery. This approach suggests a small operation that relies on manual processes to map victims to the encryption keys used to lock their data.”
They also said it appears Cobalt Mirage doesn’t have a website from which it leaks data pilfered from victims; extortionware gangs these days tend to have a dark-web site in which they disclose some stolen documents to encourage organizations to pay up to avoid the whole lot being dumped in public.
The long tail of Log4J
In March, Cobalt Mirage used the widespread Log4j vulnerabilities to gain access into the VMware Horizon infrastructure of a local government network. Horizon – VMware’s virtual desktop infrastructure (VDI) product – has been targeted by other threat groups exploiting Log4Shell to deploy cryptominer malware, according to the analysts.
“Log4J, like many serious vulnerabilities before it, can have a long tail,” Mike Parkin, senior technical engineer at Vulcan Cyber, told The Register. “Active developers will quickly develop patches and organizations that are on top of their security will quickly apply them, but there are often stragglers who either lack the resources or awareness to deal with the issue.”
Given the ubiquitous use of Log4j in production, “we’re apt to see ‘forgotten applications’ being targeted for some time to come even after the majority of installations have been mitigated,” Parkin said.
Once in, the attackers used the DefaultAccount user to move laterally within the environment via RDP, used a compromised system to run Google searches for “upload file for free” and then accessed websites, at least one of which was used to exfiltrate data. In addition, the threat actors downloaded files onto compromised systems using file-sharing services, the analysts wrote.
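As an added illustration for defenders (this is not Secureworks’ or CTU’s code), the following Python flags the lateral-movement pattern described above: successful RDP or network logons (Windows Security event 4624) by the built-in DefaultAccount, which is disabled by default and should never log on, then groups those logons by source address so that one source reaching several hosts stands out. The event records, hostnames and addresses are constructed to resemble Windows Security events and are not real telemetry.

```python
import json
from collections import defaultdict

# Constructed sample records (one JSON object per line) mimicking a few fields of
# Windows Security event 4624 (successful logon). Illustrative only, not real logs.
SAMPLE_EVENTS = """
{"EventID": 4624, "TargetUserName": "alice", "LogonType": 10, "IpAddress": "10.0.0.5", "Computer": "WS01"}
{"EventID": 4624, "TargetUserName": "DefaultAccount", "LogonType": 10, "IpAddress": "10.0.0.23", "Computer": "WS02"}
{"EventID": 4624, "TargetUserName": "DefaultAccount", "LogonType": 3, "IpAddress": "10.0.0.23", "Computer": "FS01"}
{"EventID": 4672, "TargetUserName": "DefaultAccount", "LogonType": 0, "IpAddress": "-", "Computer": "WS02"}
{"EventID": 4624, "TargetUserName": "DefaultAccount", "LogonType": 5, "IpAddress": "-", "Computer": "WS04"}
{"EventID": 4624, "TargetUserName": "bob", "LogonType": 2, "IpAddress": "-", "Computer": "WS03"}
"""

# Built-in accounts that should not produce successful interactive/network logons.
SUSPICIOUS_ACCOUNTS = {"defaultaccount"}
# Logon types of interest: 10 = RemoteInteractive (RDP), 3 = Network (e.g. admin shares).
LATERAL_LOGON_TYPES = {3, 10}


def parse_events(text):
    """Parse newline-delimited JSON event records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_default_account_logons(events):
    """Return 4624 events where DefaultAccount logged on via RDP or the network."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue
        if ev.get("TargetUserName", "").lower() not in SUSPICIOUS_ACCOUNTS:
            continue
        if ev.get("LogonType") not in LATERAL_LOGON_TYPES:
            continue  # e.g. type 5 (service) is not a lateral-movement logon
        hits.append({"host": ev["Computer"], "source_ip": ev["IpAddress"],
                     "logon_type": ev["LogonType"]})
    return hits


def lateral_movement_sources(hits, min_hosts=2):
    """Group hits by source IP; return sources that reached at least min_hosts hosts."""
    hosts_by_source = defaultdict(set)
    for h in hits:
        hosts_by_source[h["source_ip"]].add(h["host"])
    return {ip: sorted(hosts) for ip, hosts in hosts_by_source.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    found = find_default_account_logons(parse_events(SAMPLE_EVENTS))
    for hit in found:
        print("DefaultAccount logon:", hit)
    print("Pivoting sources:", lateral_movement_sources(found))
```

In a real deployment the same checks would run over events from a SIEM or Windows Event Forwarding, and any successful DefaultAccount logon is worth investigating on its own, before the per-source grouping.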
The threat hunters also said that while they haven’t seen ransomware attacks linked to the cyberespionage intrusions, evidence indicates that the bad actors may be experimenting with extortionware. A file uploaded to VirusTotal seems to be an “unfinished attempt at ransomware,” they wrote. Code in the file also was identified in the PowerlessCLR remote access trojan (RAT) and hosted on an address used by Cobalt Mirage.
“CTU researchers have also observed Cobalt Mirage infrastructure hosting files related to the HiddenTear open-source ransomware family but have not observed the ransomware being deployed to targets,” they wrote.