An Iranian hacking operation is melding state-sponsored cyber attacks with financially motivated ransomware heists.
Researchers with Secureworks have dubbed the advanced persistent threat (APT) group “Cobalt Mirage,” linking the outfit to another Tehran-backed outfit known as Cobalt Illusion or APT35, which also worked with the support of the Iranian government.
The security firm said in a blog post Thursday that the hacking crew divided its operations into two clusters. In one cluster, the hackers ran a conventional ransomware operation over the early months of 2022. The attacks encrypted and extorted data from targets in exchange for ransom payments, much like a traditional ransomware group.
The second cluster, however, operated on a more official basis. The hackers used some of the same vulnerabilities and intrusion tools to harvest data that would be of use to the Iranian government.
This, Secureworks said, is reflected in Cobalt Mirage’s choice of targets. The Iranian APT was primarily seeking out organizations in Israel, the U.S. and Western Europe, which are regions that have traditionally been opposed to Iran’s current government.
Secureworks told SearchSecurity that while it’s difficult to pinpoint the origins of Cobalt Mirage, it is more likely that the hackers are a government-backed operation that expanded into the private sector than a conventional ransomware operation that was co-opted for cyberespionage purposes.
In both cases, the Iranian APT is looking to grab low-hanging fruit. The hackers looked to break into networks using the well-publicized ProxyShell and Log4j vulnerabilities, as well as Fortinet security flaws that date back to 2020. In some attacks, the hackers were even spotted using Google to download hacking tools onto compromised machines.
While the attacks are hardly innovative, they remain an effective way to infiltrate networks that are poorly maintained and lagging on patch deployment. This, unfortunately, remains a problem for U.S. government agencies where overextended IT staff are often left to manage dozens of redundant and uncataloged systems.
Luckily, Secureworks said the Iranian APT might still be in the experimental phase with ransomware attacks.
“While the threat actors appear to have had a reasonable level of success gaining initial access to a wide range of targets, their ability to capitalize on that access for financial gain or intelligence collection appears limited,” the blog post said.
The Secureworks team recommends that enterprises that are lagging on their patching practices catch up, testing and deploying fixes for Log4j, ProxyShell and Microsoft Exchange bugs as soon as possible.
“At a minimum, COBALT MIRAGE’s ability to use publicly available encryption tools for ransomware operations and mass scan-and-exploit activity to compromise organizations creates an ongoing threat,” it said.
Secureworks researchers “recommend that organizations prioritize patching high-severity and highly publicized vulnerabilities on internet-facing systems, implementing multi-factor authentication, and monitoring for the tools and file-sharing services used by COBALT MIRAGE.”