Iranian threat group Cobalt Mirage has been carrying out ransomware operations in the US

Secureworks researchers are investigating attacks by the Iranian threat group Cobalt Mirage, which has been conducting ransomware operations in the U.S. since at least June 2020. The group has been linked to the Iranian COBALT ILLUSION threat group, which predominantly uses persistent phishing campaigns to obtain initial access, and the two groups may share tradecraft and access. Elements of Cobalt Mirage activity have been publicly reported under the names PHOSPHORUS and TunnelVision.

Based on intelligence gained from Secureworks incident response engagements and public reporting, Secureworks researchers identified two distinct clusters of Cobalt Mirage intrusions labeled Cluster A and Cluster B. “In Cluster A, the threat actors use BitLocker and DiskCryptor to conduct opportunistic ransomware attacks for financial gain. Cluster B focuses on targeted intrusions to gain access and collect intelligence, but some of the activity has experimented with ransomware,” they said in a blog post.

Cobalt Mirage has demonstrated a preference for targets in Israel, the U.S., Europe, and Australia, according to Secureworks researchers. Rather than phishing, the threat actors obtain initial access through scan-and-exploit activity against internet-facing systems.

In 2021, Cobalt Mirage scanned ports 4443, 8443, and 10443 for devices vulnerable to Fortinet FortiOS vulnerabilities, the researchers said. “From late September 2021, the group used a broad scan-and-exploit campaign targeting Microsoft Exchange servers. The threat actors exploited the ProxyShell vulnerabilities to deploy Fast Reverse Proxy client (FRPC) and enable remote access to vulnerable systems,” they added.

In November 2021, U.S., U.K., and Australian security agencies released a joint cybersecurity advisory warning of ongoing malicious cyber activity by an advanced persistent threat (APT) group associated with the Iranian government. The advisory described the group exploiting Fortinet and Microsoft Exchange ProxyShell vulnerabilities against a broad range of victims across multiple U.S. critical infrastructure sectors, and provided observed tactics and techniques and indicators of compromise (IOCs) likely associated with the Iranian government-sponsored APT activity.

In March 2022, “CTU researchers attributed an intrusion in a U.S. local government network to Cobalt Mirage based on the use of a DefaultUser user account, deployment of FRPC to the victim’s network, and use of infrastructure that matches a pattern associated with Cobalt Mirage,” the post said. However, ransomware was not used in the attack. This activity is part of Cluster B.

The researchers said that analysis of Cobalt Mirage attacks is challenging because unrelated threat actors have often also compromised the environment using the same vulnerabilities, such as ProxyShell and Log4Shell. “Many of these threat actors use the same publicly available proof-of-concept code and may access the same environment multiple times, dropping redundant web shells. Cryptominer infections are often observed alongside Cobalt Mirage activity, but they may have been deployed by another group,” they added.

The initial access vector in the March 2022 engagement is unclear, but the threat actors likely exploited Log4j vulnerabilities on the victim’s VMware Horizon infrastructure, Secureworks researchers said. “In early 2022, CTU researchers observed multiple threat actors exploiting Log4j vulnerabilities on VMware Horizon to deploy cryptominers. The initial exploitation by Cobalt Mirage may have occurred as early as late January 2022. After obtaining access, Cobalt Mirage used the DefaultAccount user to move laterally within the environment via RDP,” they added.

The researchers said that most of the intrusion activity spanned a four-day period in mid-March. 

Secureworks researchers said that in January, Cobalt Mirage used access obtained through ProxyShell exploitation, possibly conducted in late 2021, to enter the network of a U.S. philanthropic organization. “On January 6, the threat actors created and accessed a web shell. The format of this filename matches an established pattern associated with Cobalt Mirage ransomware operations. Attacker-initiated HTTP requests to the web shell used a User-Agent, indicating the use of scripts that leverage the Python Requests library,” they added. 

The Python reference is likely due to the hackers using a Python-based proof-of-concept ProxyShell exploit in their initial attack and potentially additional scripted commands during the intrusion, according to the researchers.
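The tradecraft described above leaves a recognizable trail in IIS logs: a ProxyShell-style request to the Autodiscover endpoint, followed by requests to a newly dropped script file, all sent from a client identifying itself as python-requests. The script below is an added illustration, not code from the article or from Secureworks, of how a responder could hunt for that pattern in W3C-format IIS logs. The log lines are constructed for this example, the web-shell directory list and the allowlist of known-good Exchange pages are assumptions for illustration, and the article does not disclose the actual web-shell filename pattern Secureworks matched on.

```python
"""Hunt IIS W3C logs for the web-shell access pattern described above:
scripted (python-requests) clients hitting Exchange paths, ProxyShell-style
Autodiscover path confusion, and script files in common drop directories.
All sample data below is constructed for this example."""
import re
from collections import defaultdict

# Constructed IIS W3C log. IIS writes '+' in place of spaces inside the User-Agent,
# so every record is a fixed number of space-separated tokens named by #Fields.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-01-06 09:14:02 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0)+Firefox/96.0 200
2022-01-06 09:15:47 10.0.0.5 POST /autodiscover/autodiscover.json a=x@y.z/mapi/nspi/?&Email=autodiscover/autodiscover.json%3fa=x@y.z 443 - 203.0.113.77 python-requests/2.26.0 200
2022-01-06 09:16:10 10.0.0.5 POST /aspnet_client/shell.aspx - 443 - 203.0.113.77 python-requests/2.26.0 200
2022-01-06 09:20:33 10.0.0.5 GET /owa/auth/errorFE.aspx httpCode=500 443 - 192.0.2.10 Mozilla/5.0+(Macintosh)+Safari/605.1.15 500
2022-01-06 09:22:01 10.0.0.5 POST /ecp/y.js - 443 - 203.0.113.77 python-requests/2.26.0 200
"""

# Heuristics (assumptions for this example, not indicators published by Secureworks).
SCRIPTED_UA_PREFIXES = ("python-requests/",)
# Directories where ProxyShell web shells are commonly written on Exchange hosts.
WEBSHELL_DROP_DIRS = ("/aspnet_client/", "/owa/auth/")
# ProxyShell abuses the Autodiscover frontend with a nested autodiscover.json in the Email= parameter.
PROXYSHELL_AUTODISCOVER = re.compile(r"autodiscover\.json.*email=autodiscover", re.I)
SCRIPT_EXT = re.compile(r"\.(aspx|asp|ashx|asmx)$", re.I)
# Example allowlist of pages that legitimately live in those directories on an Exchange server.
KNOWN_GOOD = {"/owa/auth/logon.aspx", "/owa/auth/errorfe.aspx", "/owa/auth/signout.aspx"}


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line encountered before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip malformed lines instead of aborting the hunt
        records.append(dict(zip(fields, values)))
    return records


def flag_request(rec):
    """Return the reasons a single request looks like web-shell or ProxyShell activity."""
    reasons = []
    ua = rec.get("cs(User-Agent)", "-").lower()
    uri = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "-")
    if ua.startswith(SCRIPTED_UA_PREFIXES):
        reasons.append("scripted client (python-requests UA)")
    if PROXYSHELL_AUTODISCOVER.search(f"{uri}?{query}"):
        reasons.append("ProxyShell-style autodiscover path confusion")
    low = uri.lower()
    if SCRIPT_EXT.search(low) and low.startswith(WEBSHELL_DROP_DIRS) and low not in KNOWN_GOOD:
        reasons.append("script file outside allowlist in web-shell drop directory")
    return reasons


def hunt(text):
    """Run flag_request over a log and group hits by client IP, most active source first."""
    hits = defaultdict(list)
    for rec in parse_iis_log(text):
        reasons = flag_request(rec)
        if reasons:
            when = f"{rec['date']} {rec['time']}"
            hits[rec["c-ip"]].append((when, rec["cs-method"], rec["cs-uri-stem"], reasons))
    return dict(sorted(hits.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for ip, events in hunt(SAMPLE_IIS_LOG).items():
        print(f"{ip}: {len(events)} suspicious request(s)")
        for when, method, uri, reasons in events:
            print(f"  {when} {method} {uri} -> {'; '.join(reasons)}")
```

The User-Agent check is the weakest of the three signals on its own, since legitimate monitoring scripts also use python-requests; it becomes meaningful when the same source also trips the Autodiscover or drop-directory rule, which is why results are grouped per client IP rather than per line. Remember the article's caveat that several unrelated actors often exploit the same Exchange server, so a hit ties activity to a web shell, not to a particular group.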

The Secureworks researchers said that after the March intrusion was detected and disrupted, no additional malicious activity was observed. “CTU researchers have not directly observed ransomware attacks linked to Cluster B, but there is evidence that those threat actors may be experimenting with ransomware,” they added.

The January and March incidents typify the different styles of attacks conducted by Cobalt Mirage, the researchers said. “While the threat actors appear to have had a reasonable level of success gaining initial access to a wide range of targets, their ability to capitalize on that access for financial gain or intelligence collection appears limited.” 

At a minimum, Cobalt Mirage’s ability to use publicly available encryption tools for ransomware operations and mass scan-and-exploit activity to compromise organizations creates an ongoing threat, the researchers said. “CTU researchers recommend that organizations prioritize patching high-severity and highly publicized vulnerabilities on internet-facing systems, implementing multi-factor authentication, and monitoring the tools and file-sharing services used by Cobalt Mirage,” they added.

To reduce exposure to this activity, “CTU researchers recommend that organizations use available controls to review and restrict access using the indicators listed in Table 1 [of the Secureworks report]. Note that IP addresses can be reallocated. The domains and IP addresses may contain malicious content, so consider the risks before opening them in a browser,” the Secureworks researchers said.

Earlier this year, the U.S. Cyber Command’s Cyber National Mission Force (CNMF) publicly identified multiple open-source tools used by MuddyWater, an Iranian advanced persistent threat (APT) group that CNMF assessed to be a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS). The Office of the Director of National Intelligence (ODNI) has also warned that Iran’s growing expertise and willingness to conduct aggressive cyber operations make it a major threat to the security of U.S. and allied networks and data.
