The Iran-linked threat group Cobalt Mirage has been conducting ransomware and espionage attacks on U.S.-based organizations over the past few months, including against a local government network and a philanthropic organization.
Cobalt Mirage (which includes elements of threat activity that have previously been reported as Phosphorus and TunnelVision) has been around for years and has focused on organizations in the U.S., Israel, Europe and Australia. The group has historically launched broad scan-and-exploit campaigns, leveraging vulnerabilities like the Microsoft Exchange ProxyShell and Fortinet FortiOS flaws (including CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591), said researchers with Secureworks in a Thursday analysis.
Rafe Pilling, senior security researcher with the Secureworks Counter Threat Unit, said Cobalt Mirage’s ransomware-related activities “appear fairly experimental” because they aren't as refined or industrialized as more sophisticated ransomware groups and likely don't have the same organized crime origins.
“Cobalt Mirage campaigns have heavily relied on several widely exploitable vulnerabilities that have appeared in the last 12 months to enable their access,” said Pilling. “They may continue to leverage existing access that they obtained during broad exploitation campaigns; however, the pool of potential victims will reduce as organizations detect their intrusions or patch the vulnerabilities they favor. The group’s future success will rely on developing additional intrusion options or waiting for the next big vulnerability to drop.”
In one incident in January, the group used access obtained through the exploitation of ProxyShell vulnerabilities to enter the network of an unnamed philanthropic organization. From there, they created a webshell in order to drop three files on the web server, aiming to collect system information and set up communication with the command-and-control (C2) server.
“The threat actors then moved laterally and encrypted three user workstations with BitLocker, rendering them inaccessible to the compromised organization's staff,” said researchers. “Due to an absence of logging and forensic artifacts, the methods used to trigger BitLocker in this environment are unclear. However, other Cobalt Mirage ransomware attacks used a script to automate the attack.”
The attackers also targeted the Local Security Authority Subsystem Service (LSASS), a Windows process that stores local usernames and passwords for authenticated users, as part of their attack. They used it to derive valid credentials by brute-force cracking New Technology LAN Manager (NTLM) hashes and by stealing passwords stored in plain text. They also used Remote Desktop Protocol (RDP) and a built-in user account (DefaultAccount) to access the compromised Exchange server and extract locally cached passwords. Finally, the attackers sent a ransom note to a local printer, which researchers noted was unusual, as ransom notes are typically left on device screens.
“The note includes a contact email address and Telegram account to discuss decryption and recovery,” said researchers. “This approach suggests a small operation that relies on manual processes to map victims to the encryption keys used to lock their data.”
Another attack in March targeted a U.S. local government organization to gain access and collect intelligence. Researchers said it was potentially launched through exploitation of the Log4j vulnerabilities on the victim’s VMware Horizon infrastructure, as many threat actors were targeting that flaw during the same timeframe. The malicious activity, which mostly spanned a four-day period in mid-March, began with the attackers using the DefaultAccount user to move laterally within the environment via RDP. They then obtained access to multiple accounts and downloaded pxy.zip to several hosts to maintain continuous access, and also downloaded a network scanner.
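A defender-side example that is not part of the article or the Secureworks report: a small Python routine that flags the two behaviours described in the two incidents above, RDP logons by the built-in DefaultAccount (Security Event 4624, LogonType 10) and unexpected processes opening a handle to lsass.exe (Sysmon Event 10), over newline-delimited JSON event records. The event IDs and field names are the real Windows ones; the lsass.exe allowlist and the sample records are assumptions constructed for the example.

```python
import json

# Event IDs and field names are the real Windows Security / Sysmon ones; the
# lsass.exe allowlist is an assumption for this example and is tuned per environment.
RDP_LOGON_TYPE = "10"  # Security 4624 LogonType 10 = RemoteInteractive (RDP)
LSASS_ALLOWLIST = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\csrss.exe"}

def check_event(ev):
    """Return a finding string for one parsed event record, or None if benign."""
    eid, channel = str(ev.get("EventID")), ev.get("Channel", "")
    # DefaultAccount is disabled by default and never logs on interactively, so an
    # RDP (RemoteInteractive) logon by it matches the lateral movement described above.
    if channel == "Security" and eid == "4624":
        if (ev.get("TargetUserName", "").lower() == "defaultaccount"
                and str(ev.get("LogonType")) == RDP_LOGON_TYPE):
            return (f"{ev.get('Computer')}: RDP logon by built-in DefaultAccount "
                    f"from {ev.get('IpAddress')}")
    # Sysmon Event 10 (ProcessAccess): an unexpected process opening a handle to
    # lsass.exe is the usual precursor to credential dumping.
    if channel.startswith("Microsoft-Windows-Sysmon") and eid == "10":
        src = ev.get("SourceImage", "")
        if (ev.get("TargetImage", "").lower().endswith(r"\lsass.exe")
                and src.lower() not in LSASS_ALLOWLIST):
            return (f"{ev.get('Computer')}: {src} opened lsass.exe "
                    f"(GrantedAccess {ev.get('GrantedAccess')})")
    return None

def scan(lines):
    """Scan newline-delimited JSON event records, skipping malformed lines."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip it rather than abort the whole scan
        finding = check_event(ev)
        if finding:
            findings.append(finding)
    return findings

# Constructed sample records (not real telemetry): a benign RDP logon, a
# DefaultAccount RDP logon, benign lsass access by svchost, and a suspicious one.
SAMPLE_EVENTS = [
    '{"Channel":"Security","EventID":4624,"Computer":"WS01","TargetUserName":"jsmith","LogonType":10,"IpAddress":"10.0.0.5"}',
    '{"Channel":"Security","EventID":4624,"Computer":"EXCH01","TargetUserName":"DefaultAccount","LogonType":"10","IpAddress":"10.0.0.23"}',
    '{"Channel":"Microsoft-Windows-Sysmon/Operational","EventID":10,"Computer":"WS02","SourceImage":"C:\\\\Windows\\\\System32\\\\svchost.exe","TargetImage":"C:\\\\Windows\\\\System32\\\\lsass.exe","GrantedAccess":"0x1000"}',
    '{"Channel":"Microsoft-Windows-Sysmon/Operational","EventID":10,"Computer":"WS02","SourceImage":"C:\\\\Users\\\\Public\\\\p.exe","TargetImage":"C:\\\\Windows\\\\System32\\\\lsass.exe","GrantedAccess":"0x1010"}',
]
if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_EVENTS)))
```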
While researchers said no ransomware was downloaded in this incident, they thought attackers may be experimenting with ransomware after finding a file uploaded to the VirusTotal analysis service from Iran in December that “appears to be an unfinished attempt at ransomware.”
“CTU researchers have also observed Cobalt Mirage infrastructure hosting files related to the HiddenTear open-source ransomware family but have not observed the ransomware being deployed to targets,” said researchers.
They recommended that organizations “prioritize patching high-severity and highly publicized vulnerabilities on internet-facing systems, implementing multi-factor authentication, and monitoring for the tools and file-sharing services used by Cobalt Mirage.”