An Iranian hacking operation combines state-sponsored cyberattacks with financially motivated ransomware heists.
Secureworks researchers dubbed the Advanced Persistent Threat (APT) group “Cobalt Mirage”, linking it to another Tehran-backed team known as Cobalt Illusion or APT35, which also operates with Iranian government support.
The security firm said in a blog post on Thursday that the hacking team had split its operations into two clusters. In one cluster, the hackers ran a conventional ransomware operation in the early months of 2022, encrypting and extorting data from targets in exchange for ransom payments, much like a traditional ransomware group.
The second cluster, however, operated on a more formal basis: the hackers used some of the same vulnerabilities and intrusion tools to harvest data that would be useful to the Iranian government.
This, Secureworks said, is reflected in Cobalt Mirage’s choice of targets: the Iranian APT mainly sought out organizations in Israel, the United States and Western Europe, regions traditionally opposed to the current government of Iran.
Secureworks told SearchSecurity that while it is difficult to pin down the origins of Cobalt Mirage, it is more likely that the hackers are a government-backed operation that has expanded into the private sector than a conventional ransomware operation that was co-opted for cyber espionage purposes.
Either way, the Iranian APT is looking to grab low-hanging fruit. The hackers have sought to break into networks using the high-profile ProxyShell and Log4j vulnerabilities, as well as Fortinet security flaws that date back to 2020. In some attacks, the hackers have even been spotted using Google to download hacking tools onto compromised machines.
While the attacks are hardly innovative, they remain an effective way to infiltrate poorly maintained networks that are overdue for patch deployment. This, unfortunately, remains a problem for US government agencies, where overburdened IT staff often have to manage dozens of redundant and uncatalogued systems.
Fortunately, Secureworks said, the Iranian APT may still be at an experimental stage with ransomware attacks.
“While threat actors appear to have had a reasonable level of success in gaining initial access to a wide range of targets, their ability to capitalize on this access for financial or intelligence-gathering purposes appears limited,” the blog post said.
The Secureworks team recommends that organizations lagging behind in their remediation practices catch up by testing and deploying fixes for the Log4j, ProxyShell and Microsoft Exchange bugs as soon as possible.
“At a minimum, COBALT MIRAGE’s ability to use publicly available encryption tools for ransomware operations and mass analysis and exploitation activities to compromise organizations creates an ongoing threat,” the post said.
Secureworks researchers “recommend that organizations prioritize patching high-severity, high-profile vulnerabilities on Internet-connected systems, implementing multi-factor authentication, and monitoring file-sharing tools and services used by COBALT MIRAGE”.