
Cobalt Mirage Targets Entities Globally Using BitLocker and DiskCryptor

A threat group with operational links to Iran has been associated with a series of ransomware attacks aimed at organizations in the U.S., Israel, Australia, and Europe.

Use of BitLocker and DiskCryptor

Secureworks attributed the recent attacks to a threat group it tracks as Cobalt Mirage, which it links to Cobalt Illusion, another Iranian threat group.
The attackers have carried out two distinct sets of intrusions:
  • The first consists of opportunistic ransomware attacks in which the attackers encrypt victims' systems with legitimate full-disk encryption tools, Microsoft's built-in BitLocker and the open-source DiskCryptor, rather than a custom ransomware payload. Because these are legitimate utilities, signature-based detection of a ransomware binary does not apply; detection has to rely on how, by whom and from where the tools are invoked.
  • The second set appears to be targeted, launched primarily to secure access and collect intelligence, with ransomware deployed in some cases.

More information on tactics

  • The attackers gain initial access by scanning for internet-facing Fortinet appliances and Microsoft Exchange servers that are exposed to publicly known vulnerabilities, then drop web shells on the compromised servers, which they use to move laterally and, ultimately, to activate the ransomware.
  • In a separate attack in mid-March against a U.S. local government network, the attackers are believed to have exploited the Log4Shell vulnerability (CVE-2021-44228) in the organization's VMware Horizon infrastructure and then carried out network scanning and reconnaissance.
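As an added example (not from the Secureworks report or from this summary), the following Python script applies the host-level checks a SOC would want for the Windows side of the tradecraft described above: an IIS worker process (w3wp.exe, which hosts Exchange OWA/ECP) writing a web-executable file, an interactive shell spawned by that worker, BitLocker being turned on from the command line or PowerShell, and the DiskCryptor binaries executing. It runs over constructed Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records embedded in the script; every path and command line in the sample data is made up for illustration, and the rule names and severities are this example's own. The Fortinet appliances are not Windows hosts and are not covered here.

```python
import json
import ntpath
from typing import Dict, Iterable, List

# Extensions an IIS worker should be serving, never writing.
WEB_SHELL_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp"}
# Interactive shells a web worker has no business spawning.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# DiskCryptor components: GUI, console tool, driver installer.
DISKCRYPTOR_BINARIES = {"dcrypt.exe", "dccon.exe", "dcinst.exe"}

# Constructed Sysmon-style records for this example; paths and command lines are made up.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
                "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\help.aspx"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
                "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
                "CommandLine": "cmd.exe /c whoami"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\manage-bde.exe",
                "ParentImage": r"C:\Windows\System32\cmd.exe",
                "CommandLine": "manage-bde -on C: -RecoveryPassword -UsedSpaceOnly"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\manage-bde.exe",
                "ParentImage": r"C:\Windows\System32\cmd.exe",
                "CommandLine": "manage-bde -status C:"}),  # benign status query
    json.dumps({"EventID": 1, "Image": r"C:\Users\Public\dcrypt\dccon.exe",
                "ParentImage": r"C:\Windows\System32\cmd.exe",
                "CommandLine": "dccon.exe"}),  # arguments omitted; the binary alone is the signal
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": "notepad.exe notes.txt"}),  # benign
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Windows\System32\cmd.exe",
                "CommandLine": "powershell.exe -Command Enable-BitLocker -MountPoint C: -RecoveryPasswordProtector"}),
]


def _basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS running this script.
    return ntpath.basename(path).lower()


def _alert(rule: str, severity: str, event: Dict, detail: str) -> Dict:
    return {"rule": rule, "severity": severity, "image": event.get("Image", ""), "detail": detail}


def check_event(event: Dict) -> List[Dict]:
    """Apply the four rules to one parsed event and return zero or more alerts."""
    alerts: List[Dict] = []
    eid = event.get("EventID")
    image = _basename(event.get("Image", ""))

    if eid == 11:  # FileCreate
        target = event.get("TargetFilename", "")
        if image == "w3wp.exe" and ntpath.splitext(target)[1].lower() in WEB_SHELL_EXTENSIONS:
            alerts.append(_alert("webshell_drop", "high", event,
                                 f"IIS worker wrote web-executable file {target}"))
    elif eid == 1:  # ProcessCreate
        parent = _basename(event.get("ParentImage", ""))
        cmdline = event.get("CommandLine", "")
        tokens = cmdline.lower().split()
        if parent == "w3wp.exe" and image in SHELL_CHILDREN:
            alerts.append(_alert("webshell_exec", "high", event,
                                 f"shell spawned by IIS worker: {cmdline}"))
        # manage-bde -on turns BitLocker on; -status and similar switches are routine queries.
        bitlocker_cli = image == "manage-bde.exe" and "-on" in tokens
        # Enable-BitLocker is the PowerShell equivalent.
        bitlocker_ps = image in {"powershell.exe", "pwsh.exe"} and "enable-bitlocker" in cmdline.lower()
        if bitlocker_cli or bitlocker_ps:
            alerts.append(_alert("bitlocker_enable", "medium", event,
                                 f"BitLocker enabled via '{cmdline}' (parent {parent})"))
        if image in DISKCRYPTOR_BINARIES:
            alerts.append(_alert("diskcryptor_binary", "high", event,
                                 f"DiskCryptor component executed from {event.get('Image', '')}"))
    return alerts


def detect(raw_events: Iterable[str]) -> List[Dict]:
    """Parse JSON-encoded events and collect alerts in input order."""
    alerts: List[Dict] = []
    for line in raw_events:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped, not fatal
        alerts.extend(check_event(event))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['rule']}: {a['detail']}")
```

The BitLocker rule is deliberately medium severity: enabling BitLocker is routine in a managed fleet, so in practice it is tuned by suppressing invocations whose parent process and user match the organization's deployment tooling, and by confirming that the resulting recovery key was escrowed to the directory rather than held by whoever ran the command. DiskCryptor has no expected footprint in most enterprise environments, so its mere presence rates high.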

Conclusion

Researchers assess that the attackers have had a reasonable level of success in gaining initial access across a wide range of targets, but their ability to convert that access into financial gain or useful intelligence appears limited.

Cyware Publisher