A string of malware file-encrypting attacks against organizations in Israel and the U.S. has been tied to an Iranian ransomware organization.
Cybersecurity firm Secureworks attributed the intrusions to a threat actor it tracks under the moniker Cobalt Mirage, which it said is linked to an Iranian hacking crew dubbed Cobalt Illusion (aka APT35, Charming Kitten, Newscaster, or Phosphorus).
“Elements of Cobalt Mirage activity have been reported as Phosphorus and TunnelVision,” Secureworks Counter Threat Unit (CTU) said in a report shared with The Hacker News.
The threat actor is said to have conducted two different sets of intrusions, one of which relates to opportunistic ransomware attacks involving the use of legitimate tools like BitLocker and DiskCryptor for financial gain.
The second set of attacks are more targeted, carried out with the primary goal of securing access and gathering intelligence, while also deploying ransomware in select cases.
Initial access routes can be facilitated by scanning the internet for vulnerable flaws in Microsoft Exchange Servers or Fortinet appliances. These web shells are dropped to allow users to use them to activate ransomware laterally.
However, the exact means by which the full volume encryption feature is triggered remains unknown, Secureworks said, detailing a January 2022 attack against an unnamed U.S. philanthropic organization.
Another intrusion aimed at a U.S. local government network in mid-March 2022 is believed to have leveraged Log4Shell flaws in the target’s VMware Horizon infrastructure to conduct reconnaissance and network scanning operations.
” The January and March attacks are examples of the various styles used by Cobalt mirage to attack,” researchers concluded.
” While the threat actors seem to have been able to gain access to large numbers of targets with reasonable success, it seems that they were unable to make a profit or collect intelligence to exploit this access. “
