Practical: they send the ransom note to the victim’s printer


SecureWorks cybersecurity researchers have detailed a series of cyberattacks involving ransomware and data theft that took place in early 2022. They were carried out by a group of Iranian hackers the researchers track as Cobalt Mirage (also known as APT35, Charming Kitten, Phosphorus and TA453).

Among these attacks is an attack targeting a US government network in March 2022, which SecureWorks researchers attributed to Cobalt Mirage due to its characteristics.

These include exploiting ProxyShell vulnerabilities to deploy the Fast Reverse Proxy client (FRPC) and so allow remote access to the vulnerable systems.

While the initial means of compromise in this attack is not known, the researchers note that the attackers likely exploited unpatched Log4j vulnerabilities despite the availability of a patch. There is evidence that this initial compromise may have taken place as early as January 2022.

An attack in four days

Most of the intrusion activity took place over a four-day period in March, with the primary goal being to scan the network and steal data. The researchers note that this is odd because, as with the other attacks detected during this time, the targets had no strategic or political value to Iran.

After the March 20 intrusion was detected and terminated, no further malicious activity was observed.

The researchers suggest that the primary motivation for this attack, and others, is financial gain. But it’s unclear exactly how the attackers seek to take advantage of this.

“Although the hackers appear to have been successful in gaining initial access to a wide range of targets, their ability to leverage this access for financial gain or intelligence gathering appears to be limited,” researchers from SecureWorks’ Counter Threat Unit (CTU) wrote in a blog post.

Attackers used ProxyShell and Microsoft Exchange vulnerabilities to move around the network

According to SecureWorks researchers investigating the incident, attackers used ProxyShell and Microsoft Exchange vulnerabilities to roam the network and access accounts remotely, before unleashing a BitLocker ransomware attack.

Unusually, the ransom note was sent to a network printer and printed on paper, listing an email address and contact details. Ransomware notes are more usually left on screens or on servers.

“The hackers completed the attack with an unusual tactic of sending a ransom note to a local printer. The note includes a contact email address and Telegram account to discuss decryption and recovery. This approach suggests a small operation that relies on manual processes to match victims with the encryption keys used to lock down their data,” the security researchers said.

The attackers gained access to networks by exploiting critical, unpatched vulnerabilities. To protect networks from such attacks, the researchers recommend applying security patches as quickly as possible so that intruders cannot exploit known vulnerabilities.

The researchers also recommend implementing multi-factor authentication and monitoring unauthorized or suspicious use of file-sharing tools and services that could indicate the presence of attackers on the network.
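The two host-level signals this article describes, an FRP client being run for remote access and BitLocker being switched on from the command line as the ransomware step, can be picked out of process-creation logs. The script below is an added example, not SecureWorks’ code; the log lines are constructed, and the `host|user|image|command line` layout is an assumption about how a SIEM might export such records.

```python
"""Flag FRPC execution and command-line BitLocker enablement in process logs.

Added example: the records below are constructed, and the pipe-separated
field layout (host|user|image|command line) is an assumed export format.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: one benign service, one frpc launch, one archiving
# job, one BitLocker enablement, one harmless BitLocker status query.
SAMPLE_LOG = """\
srv-ex01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
srv-ex01|CORP\\svc_backup|C:\\ProgramData\\frpc.exe|frpc.exe -c frpc.ini
ws-042|CORP\\jdoe|C:\\Program Files\\7-Zip\\7z.exe|7z.exe a docs.7z C:\\Users\\jdoe\\Documents
srv-fs01|CORP\\svc_backup|C:\\Windows\\System32\\manage-bde.exe|manage-bde.exe -on D: -RecoveryPassword -UsedSpaceOnly
srv-fs01|CORP\\admin|C:\\Windows\\System32\\manage-bde.exe|manage-bde.exe -status
"""

# The FRP client binary is named frpc (frpc.exe on Windows).
FRPC_IMAGE = re.compile(r"(?:^|[\\/])frpc(?:\.exe)?$", re.IGNORECASE)
# manage-bde is the built-in BitLocker CLI; "-on" turns encryption on.
BDE_ENABLE = re.compile(r"\bmanage-bde(?:\.exe)?\s+.*-on\b", re.IGNORECASE)


def parse(line: str) -> Dict[str, str]:
    """Split one pipe-separated record into its four fields."""
    host, user, image, cmdline = line.split("|", 3)
    return {"host": host, "user": user, "image": image, "cmdline": cmdline}


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return the rule name a record matches, or None if it is benign."""
    if FRPC_IMAGE.search(rec["image"]):
        return "frp_client_execution"
    if BDE_ENABLE.search(rec["cmdline"]):
        return "bitlocker_enabled_from_cli"
    return None


def scan(text: str) -> List[Dict[str, str]]:
    """Run every non-empty record through the rules; keep the hits."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        rule = classify(rec)
        if rule:
            findings.append({**rec, "rule": rule})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['rule']}: {f['host']} {f['user']} {f['cmdline']}")
```

Both hits in the sample come from the same service account on two different hosts, which is the kind of correlation worth alerting on rather than either event alone.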

Source: ZDNet.com