Cobalt Mirage gang found striking the US with ransomware attacks

May 20, 2022

An investigation into the Iran-based Cobalt Mirage threat group uncovered several critical details about its infrastructure, including links to known groups in the cybercrime landscape such as APT35.

First surfacing in June 2020, Cobalt Mirage primarily gains access to victims’ networks through phishing campaigns. Researchers linked the group to APT35 because the two use similar attack procedures and are suspected of sharing tradecraft in espionage campaigns.


Incident response engagements identified two Cobalt Mirage attack clusters, categorised as Cluster A and Cluster B.


In Cluster A, the threat operators were seen using DiskCryptor and BitLocker to carry out financially motivated ransomware attacks. In Cluster B, targeted intrusion is the primary attack procedure, aiming to penetrate victims’ networks and collect intelligence. In some cases, the operators also deploy ransomware in Cluster B.

The main victims of the Cobalt Mirage group are firms in the US, Europe, Australia, and Israel, and the group primarily uses file-encrypting ransomware in its campaigns.

Based on previous reports, the group has a history of compromising Microsoft Exchange servers through scan-and-exploit attacks. It also exploited the critical ProxyShell flaws last March to intrude on a US government server.

Several American humanitarian organisations were also the targets of the threat group, with a record of attacking them earlier this year.

Internet-exposed servers are the most likely targets of Cobalt Mirage because their vulnerabilities are easy to detect and give the group an initial access route. Based on the group’s past campaigns, Microsoft Exchange servers and Fortinet appliances were two of the platforms it hit most often.

Once the attackers have found a flaw to exploit, they immediately drop web shells, which serve as a channel for lateral movement across the network before the ransomware is finally launched. Ransom notes containing the attackers’ contact details are also sent to victims through a local printer.

As of now, cybersecurity experts have yet to identify how the gang triggers its encryption routine.
