Iranian cybercrime group Cobalt Mirage is slowly blurring the line between financially motivated attacks and espionage. The group is running attacks against America for both cyber-espionage and financial gains.
SecureWorks’ Counter Threat Unit published a report on Friday covering the group’s attacks and essentially dividing them into two categories. The first is using ransomware attacks to extort money. The most recent example is their attack in January on a US philanthropic organisation. The second is intelligence gathering, as evidenced by the targeting of a local government body in March.
Cobalt Mirage uses common vulnerabilities like ProxyShell and Log4Shell to gain initial access to systems. The January attack mentioned above was carried out by exploiting a ProxyShell bug, as evidenced by the scripts used during the attack. These scripts reference the Python Requests library, which the researchers said likely indicates the use of a Python proof-of-concept exploit.
Once infiltrated, the group used BitLocker to encrypt three workstations. The ransom note was delivered to a local printer and included an email address and Telegram account to contact about decryption and recovery. Based on this approach, it can be said that operations are currently running on a small scale, relying on manual processes to connect victims with their respective encryption keys.
Attacks in March on the VMware Horizon infrastructure of a local government network were carried out by exploiting the Log4j vulnerability. Horizon has been commonly exploited to deploy crypto miners and malware by several different threat actors.
This time around, the group used the DefaultAccount user to move within the network using RDP and accessed free data sharing websites to extract data. Researchers added that the group downloaded files on the impacted systems using file-sharing services.
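A detection sketch for the DefaultAccount RDP movement described above, added here as an example and not taken from the Secureworks report. It assumes Windows Security events exported as JSON lines with the standard field names, and relies on DefaultAccount being a built-in account that Windows leaves disabled by default, so any enable, password reset or logon for it deserves triage. Host names, addresses and timestamps are constructed.

```python
import json

WATCHED_ACCOUNT = "defaultaccount"   # built-in account, disabled by default
ACCOUNT_CHANGE_IDS = {4722: "account enabled", 4724: "password reset attempt"}
LOGON_SUCCESS_ID = 4624
RDP_LOGON_TYPE = 10                  # RemoteInteractive (Remote Desktop)

# Constructed sample export; the fourth line is deliberately truncated.
SAMPLE_EVENTS = """\
{"TimeCreated": "2022-03-10T02:11:05Z", "Computer": "HOST-A", "EventID": 4722, "TargetUserName": "DefaultAccount"}
{"TimeCreated": "2022-03-10T02:14:40Z", "Computer": "HOST-B", "EventID": 4624, "TargetUserName": "DefaultAccount", "LogonType": "10", "IpAddress": "10.20.0.15"}
{"TimeCreated": "2022-03-10T08:30:00Z", "Computer": "HOST-B", "EventID": 4624, "TargetUserName": "alice", "LogonType": 10, "IpAddress": "10.20.0.9"}
{"TimeCreated": "2022-03-10T09:00:00Z", "Computer": "HOST-C", "EventID": 46
{"TimeCreated": "2022-03-10T09:02:13Z", "Computer": "HOST-C", "EventID": 4624, "TargetUserName": "defaultaccount", "LogonType": 3, "IpAddress": "10.20.0.15"}
"""

def _as_int(value):
    """Exports differ on whether numeric fields are strings; normalise both."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

def find_defaultaccount_activity(lines):
    """Return (time, computer, kind, source_ip) for each DefaultAccount event."""
    findings = []
    for raw in lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip blank or truncated records instead of aborting
        if str(event.get("TargetUserName", "")).lower() != WATCHED_ACCOUNT:
            continue
        event_id = _as_int(event.get("EventID"))
        if event_id in ACCOUNT_CHANGE_IDS:
            kind = ACCOUNT_CHANGE_IDS[event_id]
        elif event_id == LOGON_SUCCESS_ID:
            is_rdp = _as_int(event.get("LogonType")) == RDP_LOGON_TYPE
            kind = "rdp logon" if is_rdp else "logon"
        else:
            continue
        findings.append((event.get("TimeCreated"), event.get("Computer"),
                         kind, event.get("IpAddress")))
    return findings

if __name__ == "__main__":
    for finding in find_defaultaccount_activity(SAMPLE_EVENTS.splitlines()):
        print(*finding, sep="  ")
```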
The report also adds that the group is closely linked to fellow Iranian threat group Cobalt Illusion, which uses phishing attacks to gain access to target networks. Researchers suspect that the two groups share tradecraft as well as access.
While the group has had success compromising systems, its ability to capitalise on that initial access for financial gain or information extraction has been limited. However, the group’s ability to use publicly available encryption tools for ransomware operations and mass scan-and-exploit activity raises concerns.