Iran’s COBALT MIRAGE Threat Group Behind Ransomware Attacks in US

By Deeba Ahmed (HackRead)

Cobalt Mirage is an Iranian threat group believed to be linked to the Iranian Cobalt Illusion threat group; Cobalt Mirage's activities have also been reported under the names TunnelVision and Phosphorus.

SecureWorks® Counter Threat Unit™ (CTU) researchers are investigating an Iranian threat group known as Cobalt Mirage. The group first surfaced in June 2020 and is linked to another Iranian threat group, Cobalt Illusion, also known as Charming Kitten, Phosphorus, APT35, and Newscaster.

The group primarily uses phishing campaigns to gain access to networks. Researchers suspect that the two groups are interconnected and might share access and tradecraft.

It is worth noting that Charming Kitten was previously accused of involvement in some highly sophisticated social engineering attacks, including bypassing Gmail's and Yahoo's two-factor authentication (2FA) in December 2018.

Furthermore, Charming Kitten was the talk of the town in March 2019 when Microsoft seized 99 websites used by Iranian hackers for large-scale phishing attacks. In July 2020, 40GB of the same group's videos were exposed, revealing its entire modus operandi.

Cobalt Mirage Attack Tactics

Based on information obtained via incident response activities and public reporting, the researchers identified two clusters of Cobalt Mirage attacks, labeled Cluster A and Cluster B.

According to the researchers, in Cluster A the threat actors used DiskCryptor and BitLocker to conduct ransomware attacks that are mainly profit-driven. Cluster B, by contrast, consists of targeted intrusions to gain access to a network and collect intelligence, although some Cluster B attacks have also involved ransomware in selected cases.

COBALT MIRAGE’s attack vector (Image: SecureWorks)

Primary Targets of Cobalt Mirage

According to SecureWorks' blog post published on May 12th, Cobalt Mirage's victims are primarily organizations in the USA, Australia, Europe, and Israel. The group mainly uses file-encrypting ransomware against its victims.

Some of its previous campaigns include scan-and-exploit attacks against Microsoft Exchange servers and the exploitation of the ProxyShell vulnerabilities in March 2022 to access a US local government network.

The group also targeted a philanthropic organization in the USA in January 2022. The research reveals that the group has a limited ability to capitalize on the access it gains to a network, whether for financial gain or for intelligence collection.

How does Cobalt Mirage Attack its Victims?

The research revealed that Cobalt Mirage scans internet-exposed servers for vulnerabilities in order to identify initial access routes. The group often looks for flaws in Microsoft Exchange servers and Fortinet appliances.

In 2021, SecureWorks' blog post revealed that the threat group scanned ports 4443, 8443, and 10443 to find devices exposed to the FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.

In September 2021, the group targeted Microsoft Exchange servers, exploiting the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to gain access to vulnerable devices and deploy the Fast Reverse Proxy client on them.

Once they find an entry point, they drop web shells and use them as a conduit for lateral movement across the network before launching the ransomware. They complete the attack in a rather unusual way: the ransom note is sent to a local printer.

The note contains an email address and Telegram account details for victims to contact the attackers. The researchers could not determine how the encryption is triggered; the group uses publicly available encryption tools in its ransomware attacks.

COBALT MIRAGE’s ransom note (Image: SecureWorks)

“CTU researchers recommend that organizations use available controls to review and restrict access using the indicators listed in Table 1. Note that IP addresses can be reallocated. The domains and IP addresses may contain malicious content, so consider the risks before opening them in a browser.”
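As an added example (not code from the HackRead or SecureWorks write-ups), the following Python sketch shows how a defender could hunt in perimeter logs for the reconnaissance pattern described above: one external source probing the FortiOS ports 4443, 8443 and 10443 within a short window. The firewall log format, the field names and all addresses are constructed for the example and are not indicators from the report.

```python
"""Hunt for hosts probing the FortiOS ports (4443, 8443, 10443) named in the
article. Added example with a constructed, hypothetical firewall log format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FORTI_PORTS = {4443, 8443, 10443}
WINDOW = timedelta(minutes=10)

# Constructed sample lines; the addresses are documentation ranges, not IoCs.
SAMPLE_LOGS = """\
2022-05-01T10:00:01Z fw1 deny src=203.0.113.7 dst=198.51.100.10 dport=4443 proto=tcp
2022-05-01T10:00:03Z fw1 deny src=203.0.113.7 dst=198.51.100.10 dport=8443 proto=tcp
2022-05-01T10:00:04Z fw1 deny src=203.0.113.7 dst=198.51.100.11 dport=10443 proto=tcp
2022-05-01T10:00:05Z fw1 allow src=192.0.2.44 dst=198.51.100.20 dport=443 proto=tcp
2022-05-01T10:02:00Z fw1 allow src=192.0.2.45 dst=198.51.100.10 dport=8443 proto=tcp
2022-05-01T11:30:00Z fw1 deny src=192.0.2.45 dst=198.51.100.10 dport=10443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>allow|deny) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)

def parse(lines):
    """Yield (timestamp, src, dst, dport) for lines matching the format."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["dst"], int(m["dport"])

def find_forti_scanners(logs, min_ports=2, window=WINDOW):
    """Return {src: sorted ports} for sources that hit at least min_ports
    distinct FortiOS ports within `window`. Allowed and denied hits both
    count: the signal is the probing pattern, not the firewall verdict."""
    hits = defaultdict(list)
    for ts, src, _dst, dport in parse(logs):
        if dport in FORTI_PORTS:
            hits[src].append((ts, dport))
    findings = {}
    for src, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                findings[src] = sorted(ports)
                break
    return findings
```

In the sample data only 203.0.113.7 is flagged: 192.0.2.45 touches two of the ports, but 88 minutes apart, so it falls outside the ten-minute window unless the window is widened.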


Related news

Chinese-Speaking Hacker Group Targets Human Rights Studies in Middle East

Unnamed government entities in the Middle East and Malaysia are the target of a persistent cyber campaign orchestrated by a threat actor known as Tropic Trooper since June 2023. "Sighting this group's [Tactics, Techniques, and Procedures] in critical governmental entities in the Middle East, particularly those related to human rights studies, marks a new strategic move for them," Kaspersky

Inside the ransomware playbook: Analyzing attack chains and mapping common TTPs

Based on a comprehensive review of more than a dozen prominent ransomware groups, we identified several commonalities in TTPs, along with several notable differences and outliers.

Double-Extortion Play Ransomware Strikes 300 Organizations Worldwide

The threat actors behind the Play ransomware are estimated to have impacted approximately 300 entities as of October 2023, according to a new joint cybersecurity advisory from Australia and the U.S. "Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data and have impacted a wide range of businesses and critical infrastructure organizations in North

CISA Urges Manufacturers Eliminate Default Passwords to Thwart Cyber Threats

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging manufacturers to get rid of default passwords on internet-exposed systems altogether, citing severe risks that could be exploited by malicious actors to gain initial access to, and move laterally within, organizations. In an alert published last week, the agency called out Iranian threat actors affiliated with

Microsoft patches 12 critical vulnerabilities, nine of which are in Layer 2 Tunneling Protocol

Two other vulnerabilities that Microsoft is fixing Tuesday — CVE-2023-36563 in Microsoft WordPad and CVE-2023-41763 in the Skype communication platform — have already been publicly exploited in the wild and have proof-of-concept code available.

2022's most routinely exploited vulnerabilities—history repeats

What can the routinely exploited vulnerabilities of 2022 tell us, and what do we think will make it on to next year's list? (Malwarebytes Labs)

Major Cybersecurity Agencies Collaborate to Unveil 2022's Most Exploited Vulnerabilities

A four-year-old critical security flaw impacting Fortinet FortiOS SSL has emerged as one of the most routinely and frequently exploited vulnerabilities in 2022. "In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems," cybersecurity and intelligence agencies from the Five

Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages

Sites spoofing Grammarly and a Cisco webpage are spreading the DarkTortilla threat, which is filled with follow-on malware attacks.

Cyberattackers Selling Access to Networks Compromised via Recent Fortinet Flaw

The vulnerability, disclosed in October, gives an unauthenticated attacker a way to take control of an affected product.

Everything You Need to Know About LockBit

While the ransomware-for-hire group works to create ever more efficient exploits, companies can protect themselves with structured vulnerability management processes. Prioritize threats based on severity and risk.

Concerns Over Fortinet Flaw Mount; PoC Released, Exploit Activity Grows

The authentication bypass flaw in FortiOS, FortiProxy and FortiSwitchManager is easy to find and exploit, security experts say.

ProxyNotShell – the New Proxy Hell?

Nicknamed ProxyNotShell, a new exploit used in the wild takes advantage of the recently published Microsoft Server-Side Request Forgery (SSRF) vulnerability CVE-2022-41040 and a second vulnerability, CVE-2022-41082, which allows Remote Code Execution (RCE) when PowerShell is available to unidentified attackers. Based on ProxyShell, this new zero-day abuse risk leverages a chained attack similar to

Chinese Hackers Hiding Malware in Windows Logo

By Waqas: Going by the name of Witchetty, the hacker group is targeting countries in Africa and the Middle East.

Espionage Group Wields Steganographic Backdoor Against Govs, Stock Exchange

APT group Witchetty (aka LookingFrog) has exploited the ProxyShell and ProxyLogon vulnerabilities to gain initial access and deploy new custom cyber tools against government agencies and a stock exchange.

U.S. Charges 3 Iranian Hackers and Sanctions Several Others Over Ransomware Attacks

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Wednesday announced sweeping sanctions against ten individuals and two entities backed by Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks at least since October 2020. The agency said the cyber activity mounted by the individuals is partially attributable to intrusion sets tracked

Worok Hackers Targeting Orgs, Govts in Asia, Middle East and Africa

By Deeba Ahmed: Worok is primarily targeting organizations in banking, telecommunication, marine, military, energy, public sectors, and government in its current campaign.

Vulnerability Exploits, Not Phishing, Are the Top Cyberattack Vector for Initial Compromise

A slew of Microsoft Exchange vulnerabilities (including ProxyLogon) fueled a surge in attacks targeting software flaws in 2021, but the trend has continued this year.

Everything You Need To Know About BlackCat (AlphaV)

A relative newcomer to the ransomware scene, the BlackCat group quickly gained notoriety and may be associated with other APT groups like Conti and DarkSide.

Researchers Spot Snowballing BianLian Ransomware Gang Activity

The operators of the emerging cross-platform ransomware BianLian increased their command and control infrastructure this month, indicating an acceleration in their operational pace.

'DarkTortilla' Malware Wraps in Sophistication for High-Volume RAT Infections

The stealthy crypter, active since 2015, has been used to deliver a wide range of information stealers and RATs at a rapid, widespread clip.

Vulnerability Management news and publications #2

Hello everyone! This is the second episode of Vulnerability Management news and publications. In fact, this is a collection of my posts from the avleonovcom and avleonovrus Telegram channels. Therefore, if you want to read them earlier, subscribe to these channels. Alternative video link (for Russia): https://vk.com/video-149273431_456239097 What's in this episode: Microsoft released a propaganda […]

Attackers Have 'Favorite' Vulnerabilities to Exploit

While attackers continue to rely on older, unpatched vulnerabilities, many are jumping on new vulnerabilities as soon as they are disclosed.

IIS extensions are on the rise as backdoors to servers

The Microsoft 365 Defender Research Team has warned that attackers are increasingly leveraging Internet Information Services (IIS) extensions as covert backdoors into servers.

Microsoft Disables Iran-Linked Lebanese Hacking Group Polonium

The attack on Israeli organizations is the latest in a long line of attempts to compromise supply chains, as the APT looks to leverage that access to target a multitude of potential victims.

Microsoft Blocks Iran-linked Lebanese Hackers Targeting Israeli Companies

Microsoft on Thursday said it took steps to disable malicious activity stemming from abuse of OneDrive by a previously undocumented threat actor it tracks under the chemical element-themed moniker Polonium. In addition to removing the offending accounts created by the Lebanon-based activity group, the tech giant's Threat Intelligence Center (MSTIC) said it suspended over 20 malicious OneDrive

April 2021 Update Tuesday packages now available

Update August 25, 2021: Microsoft strongly recommends that you update your servers with the most recent security updates available: CVE-2021-34473 (ProxyShell), CVE-2021-34523 (ProxyShell), CVE-2021-33766.

Today is Update Tuesday – our commitment to provide a predictable monthly schedule to release updates and provide the latest protection to our customers. Update Tuesday is a monthly cycle when Microsoft releases patches for vulnerabilities that we have found proactively or that have been disclosed to us through our security partnerships under a coordinated vulnerability disclosure.