A series of file-encrypting malware attacks affecting institutions in Israel, the United States, Europe, and Australia has been traced to a ransomware group with an Iranian operational connection. Secureworks, a cybersecurity firm, ascribed the incursions to a threat actor known as Cobalt Mirage, which is tied to an Iranian hacker group known as Cobalt Illusion (aka APT35, Charming Kitten, Newscaster, or Phosphorus).
According to a statement by the Secureworks Counter Threat Unit (CTU), Phosphorus and TunnelVision have been reported as elements of Cobalt Mirage activity. The threat actor is said to have carried out two types of intrusions, one of which involves opportunistic ransomware attacks for financial gain that use legitimate, off-the-shelf encryption tools such as BitLocker and DiskCryptor rather than custom ransomware.
The second series of attacks is more targeted, with the primary purpose of obtaining access and collecting intelligence, with some ransomware thrown in for good measure. Initial access is gained by scanning internet-facing servers that are vulnerable to widely reported flaws in Fortinet appliances and Microsoft Exchange Servers, dropping web shells on them, and using those web shells as a conduit to move laterally and activate the ransomware.
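The article describes web shells dropped on internet-facing Exchange servers as the foothold for lateral movement. The following added example (not from the article or from Secureworks) shows one defender-side heuristic for spotting that foothold in IIS W3C logs: repeated POST requests from one client to a server-side script that is not in a baseline of known-good pages. The baseline set, the log lines, the path `/owa/auth/zz_example.aspx`, and the client addresses are all constructed for illustration.

```python
"""
Added example: flag likely web-shell traffic in IIS W3C logs from an
internet-facing server such as Exchange OWA. The baseline of known-good
script paths and the sample log lines below are constructed, not real.
"""
import re
from collections import Counter

# Constructed baseline: script paths that legitimately receive requests on this host.
KNOWN_SCRIPT_PATHS = {
    "/owa/auth/logon.aspx",
    "/owa/auth/logoff.aspx",
    "/ecp/default.aspx",
}

# Extensions that IIS executes server side; a new file with one of these is of interest.
SCRIPT_EXT = re.compile(r"\.(aspx|asp|ashx|asmx)$", re.IGNORECASE)

# Constructed 8-field W3C lines:
# date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-01-15 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx - 198.51.100.7 200
2022-01-15 10:01:05 10.0.0.5 POST /owa/auth/logon.aspx - 198.51.100.7 302
2022-01-15 10:03:11 10.0.0.5 POST /owa/auth/zz_example.aspx - 203.0.113.9 200
2022-01-15 10:03:12 10.0.0.5 POST /owa/auth/zz_example.aspx - 203.0.113.9 200
2022-01-15 10:03:20 10.0.0.5 POST /owa/auth/zz_example.aspx - 203.0.113.9 200
2022-01-15 10:04:00 10.0.0.5 GET /ecp/default.aspx - 198.51.100.8 200
"""


def parse_w3c(text):
    """Parse the constructed 8-field W3C format into dicts; skip '#' directive lines."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) != 8:
            continue  # malformed or truncated line; ignore rather than crash
        rows.append({
            "date": f[0], "time": f[1], "method": f[3], "path": f[4],
            "query": f[5], "client": f[6], "status": int(f[7]),
        })
    return rows


def find_webshell_candidates(rows, known_paths=KNOWN_SCRIPT_PATHS, min_hits=2):
    """
    Return {(client, path): count} for clients that POST at least `min_hits`
    times to a server-side script outside the baseline and get HTTP 200 back.
    Results are ordered by count, highest first.
    """
    baseline = {p.lower() for p in known_paths}
    hits = Counter()
    for r in rows:
        if r["method"] != "POST":
            continue
        if not SCRIPT_EXT.search(r["path"]):
            continue
        if r["path"].lower() in baseline:
            continue
        if r["status"] != 200:
            continue
        hits[(r["client"], r["path"])] += 1
    return {k: v for k, v in hits.most_common() if v >= min_hits}


if __name__ == "__main__":
    for (client, path), n in find_webshell_candidates(parse_w3c(SAMPLE_LOG)).items():
        print(f"review: {client} sent {n} POSTs to non-baseline script {path}")
```

The heuristic deliberately keys on method, extension, and baseline membership rather than on any particular shell name, so it survives renaming; in practice the baseline would be generated from a known-clean install of the same Exchange build, and hits should be cross-checked against file creation times in the web root.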
Secureworks detailed a January 2022 cyberattack on an undisclosed US charity organization but said the specific mechanism by which the full-volume encryption capability is activated remains unclear. In mid-March 2022, another attack aimed at a US local government network is thought to have used the Log4Shell vulnerability in the target's VMware Horizon infrastructure to conduct reconnaissance and network scanning.
“The January and March incidents typify the different styles of attacks conducted by Cobalt Mirage,” the researchers concluded. “While the threat actors appear to have had a reasonable level of success gaining initial access to a wide range of targets, their ability to capitalize on that access for financial gain or intelligence collection appears limited.”