The Iran-linked Cobalt Mirage crew is running attacks against America for both financial gain and cyber-espionage purposes, according to Secureworks' threat intelligence team.
The cybercriminal gang has been around since June 2020, and its most recent activities have been put into two categories. One, using ransomware to extort money, as illustrated by a strike in January against a US philanthropic organization, according to Secureworks' Counter Threat Unit (CTU); and two, gathering intelligence, with a local government network in the United States targeted in March, CTU researchers detailed Thursday.
"The January and March incidents typify the different styles of attacks conducted by Cobalt Mirage," they wrote. "While the threat actors appear to have had a reasonable level of success gaining initial access to a wide range of targets, their ability to capitalize on that access for financial gain or intelligence collection appears limited. At a minimum, Cobalt Mirage's ability to use publicly available encryption tools for ransomware operations and mass scan-and-exploit activity to compromise organizations creates an ongoing threat."
Andy Gill, senior security consultant at Lares Consulting, told The Register "threat actors often have multiple focuses however the main one will almost always be financial gain. Conducting espionage can lead to significant financial gain depending on the group's motives and geopolitical leaning or backing. The focus on both indicates that the group may be state-backed with a focus on gaining long-term cash out with short-term gain via espionage."
In the financially motivated "cluster" of attacks, the group is using BitLocker and DiskCryptor to hold victims' documents to ransom. For the espionage strikes, Cobalt Mirage pulls off targeted intrusions to gain access and collect intelligence, though the snoops appear to be experimenting with ransomware here as well, the threat hunters wrote.
Cobalt Mirage in the past has targeted organizations in America as well as Europe, Israel, and Australia using scan-and-exploit tools to gain initial access into the networks. In November 2021, Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert with its counterparts in the UK and Australia as well as the FBI about an unnamed Iranian government-sponsored advanced persistent threat (APT) group exploiting flaws in Fortinet software, and the Microsoft Exchange ProxyShell vulnerability, to gain initial access into networks and deploy malware, including ransomware.
Secureworks is attributing those operations to Cobalt Mirage. The researchers wrote that the group is linked to another Iranian gang, Cobalt Illusion, which tends to use persistent phishing campaigns to gain initial access and it's likely the two groups share tradecraft and access. In addition, "elements of Cobalt Mirage activity have been reported as Phosphorus and TunnelVision," they wrote.
The cybergang is continuing to use a range of high-profile vulnerabilities, including ProxyShell and Log4Shell bugs, for initial access into systems, according to CTU's latest report. In January, Cobalt Mirage exploited a ProxyShell flaw to get access into a philanthropic organization's network. CTU researchers noticed scripts used during the attack referenced Python's Requests library.
"The Python reference is likely due to the threat actors using a Python-based proof-of-concept ProxyShell exploit in their initial attack and potentially additional scripted commands during the intrusion," they wrote. Within days of the initial access, the group used BitLocker to encrypt three workstations.
"The threat actors completed the attack with an unusual tactic of sending a ransom note to a local printer," CTU researchers wrote. "The note includes a contact email address and Telegram account to discuss decryption and recovery. This approach suggests a small operation that relies on manual processes to map victims to the encryption keys used to lock their data."
They also said it appears Cobalt Mirage doesn't have a website from which it leaks data pilfered from victims; extortionware gangs these days tend to have a dark-web site in which they disclose some stolen documents to encourage organizations to pay up to avoid the whole lot being dumped in public.
In March, Cobalt Mirage used the widespread Log4j vulnerabilities to gain access into the VMware Horizon infrastructure of a local government network. Horizon – VMware's virtual desktop infrastructure (VDI) product – has been targeted by other threat groups exploiting Log4Shell to deploy cryptominer malware, according to the analysts.
"Log4J, like many serious vulnerabilities before it, can have a long tail," Mike Parkin, senior technical engineer at Vulcan Cyber, told The Register. "Active developers will quickly develop patches and organizations that are on top of their security will quickly apply them, but there are often stragglers who either lack the resources or awareness to deal with the issue."
Given the ubiquitous use of Log4j in production, "we're apt to see 'forgotten applications' being targeted for some time to come even after the majority of installations have been mitigated," Parkin said.
Once in, the attackers used the DefaultAccount user to move laterally within the environment via RDP, used a compromised system to run Google searches for "upload file for free" and then accessed websites, at least one of which was used to exfiltrate data. In addition, the threat actors downloaded files onto compromised systems using file-sharing services, the analysts wrote.
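The RDP lateral movement via the built-in DefaultAccount described above is a pattern defenders can hunt for in Windows Security logs. The following is an added example, not code from the Secureworks report: it flags successful RemoteInteractive logons (Event ID 4624, logon type 10) by built-in accounts that should never log on interactively and summarises the fan-out from one source address across hosts. The sample log lines are constructed, and the flattened key=value layout, host names and IP addresses are assumptions.

```python
"""Flag RDP/interactive logons by built-in accounts that should never log on.

Added example, not code from the Secureworks report. The sample lines are
constructed to resemble a flattened Windows Security log export (Event ID
4624 = successful logon; LogonType 10 = RemoteInteractive, i.e. RDP); the
key=value layout and the host/IP values are assumptions.
"""
import re
from collections import defaultdict

# Built-in Windows accounts that should not be performing interactive or RDP
# logons. DefaultAccount is the one the report says Cobalt Mirage used.
WATCHED_ACCOUNTS = {"defaultaccount", "guest", "defaultapppool"}

# Logon types worth alerting on for such accounts:
# 2 = Interactive (console), 10 = RemoteInteractive (RDP).
INTERACTIVE_LOGON_TYPES = {"2", "10"}

# Constructed sample log. "Computer" is the host that recorded the event,
# i.e. the logon destination; "IpAddress" is the logon source.
SAMPLE_LOG = """\
EventID=4624 TargetUserName=alice LogonType=10 IpAddress=10.0.5.12 Computer=WS01
EventID=4624 TargetUserName=DefaultAccount LogonType=10 IpAddress=10.0.5.44 Computer=WS07
EventID=4624 TargetUserName=svc_backup LogonType=5 IpAddress=- Computer=SRV02
EventID=4624 TargetUserName=DefaultAccount LogonType=10 IpAddress=10.0.5.44 Computer=FS01
EventID=4625 TargetUserName=DefaultAccount LogonType=10 IpAddress=10.0.5.44 Computer=DC01
EventID=4624 TargetUserName=bob LogonType=3 IpAddress=10.0.5.13 Computer=FS01
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'key=value key=value' line into a dict."""
    return dict(FIELD_RE.findall(line))


def find_suspicious_logons(log_text):
    """Return successful interactive/RDP logon events by watched accounts."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue  # only successful logons; 4625 failures are a separate signal
        if ev.get("TargetUserName", "").lower() not in WATCHED_ACCOUNTS:
            continue
        if ev.get("LogonType") not in INTERACTIVE_LOGON_TYPES:
            continue
        hits.append(ev)
    return hits


def lateral_movement_summary(hits):
    """Group hits by (account, source IP) -> sorted destination hosts.

    One source IP reaching several hosts with the same built-in account is
    the fan-out pattern that distinguishes lateral movement from a single
    misconfiguration."""
    summary = defaultdict(set)
    for ev in hits:
        summary[(ev["TargetUserName"], ev["IpAddress"])].add(ev["Computer"])
    return {key: sorted(hosts) for key, hosts in summary.items()}


if __name__ == "__main__":
    hits = find_suspicious_logons(SAMPLE_LOG)
    for (account, src), hosts in lateral_movement_summary(hits).items():
        print(f"{account} from {src} -> RDP logons on {', '.join(hosts)}")
```

On the constructed sample this reports DefaultAccount logging on from 10.0.5.44 to WS07 and FS01; the failed attempt against DC01 (4625) is deliberately left out of the hit list so that success and failure can be tracked as separate signals.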
The threat hunters also said that while they haven't seen ransomware attacks linked to the cyberespionage intrusions, evidence indicates that the bad actors may be experimenting with extortionware. A file uploaded to VirusTotal seems to be an "unfinished attempt at ransomware," they wrote. Code in the file was also identified in the PowerlessCLR remote access trojan (RAT) and hosted on an address used by Cobalt Mirage.
"CTU researchers have also observed Cobalt Mirage infrastructure hosting files related to the HiddenTear open-source ransomware family but have not observed the ransomware being deployed to targets," they wrote. ®
Late last month, France's BEA-RI, or Bureau of Investigation and Analysis on industrial risks, issued its technical report on the March 10th, 2021 fire at the OVH datacenter in Strasbourg.
The French report [PDF] and summary [PDF] echo the findings of the Bas-Rhin fire service in March 2022 that the lack of an automatic fire extinguisher system, the delay of the electrical cutoff and the building design contributed to the spread of the blaze.
The BEA-RI findings also hint at a possible cause – a water leak on an inverter – while stating that the cause has not been conclusively determined.
Analysis For all the pomp and circumstance surrounding Apple's move to homegrown silicon for Macs, the tech giant has admitted that the new M2 chip isn't quite the slam dunk that its predecessor was when compared to the latest from Apple's former CPU supplier, Intel.
During its WWDC 2022 keynote Monday, Apple focused its high-level sales pitch for the M2 on claims that the chip is much more power efficient than Intel's latest laptop CPUs. But while doing so, the iPhone maker admitted that Intel has it beat, at least for now, when it comes to CPU performance.
Apple laid this out clearly during the presentation when Johny Srouji, Apple's senior vice president of hardware technologies, said the M2's eight-core CPU will provide 87 percent of the peak performance of Intel's 12-core Core i7-1260P while using just a quarter of the rival chip's power.
Microsoft has forgotten to renew the certificate for the web page of its Windows Insider software testing program.
Attempting to visit the Windows Insider portal was returning the familiar "Your connection is not private" warning – as if webpages larded with scripts and trackers can truly be called "private." The problem has now been fixed, and someone's no doubt getting an earful.
Browsers like Chrome, Firefox, and Safari will attempt to deter visitors from accessing the webpage, but will provide a link for those who ignore the warnings and persist on clicking through to advanced options.
RSA Conference For the first time in over two years the streets of San Francisco have been filled by attendees at the RSA Conference and it seems that the days of physical cons are back on.
The security conference trade has been more cautious than most when it comes to getting conferences back up to speed in the COVID years. Almost all cons were virtual with a very limited hybrid-conference season last year, including DEF CON, where masks were taken seriously. People still wanted to mingle and ShmooCon too went ahead, albeit later than usual in March.
The RSA conference has been going for over 30 years and many security folks love going. There are usually some good talks, it's a chance to meet old friends, and certain pubs host meetups where more constructive work gets done on hard security ideas than a month or so of Zoom calls.
As compelling as the leading large-scale language models may be, the fact remains that only the largest companies have the resources to actually deploy and train them at meaningful scale.
For enterprises eager to leverage AI to a competitive advantage, a cheaper, pared-down alternative may be a better fit, especially if it can be tuned to particular industries or domains.
That's where an emerging set of AI startups hopes to carve out a niche: by building sparse, tailored models that, while maybe not as powerful as GPT-3, are good enough for enterprise use cases and run on hardware that ditches expensive high-bandwidth memory (HBM) for commodity DDR.
Review The Reg FOSS desk took the latest update to openSUSE's stable distro for a spin around the block and returned pleasantly impressed.
As we reported earlier this week, SUSE said it was preparing version 15 SP4 of its SUSE Linux Enterprise distribution at the company's annual conference, and a day later, openSUSE Leap version 15.4 followed.
The relationship between SUSE and the openSUSE project is comparable to that of Red Hat and Fedora. SUSE, with its range of enterprise Linux tools, is the commercial backer, among other sponsors.
Oracle is planning to build a national database of individuals' health records for the whole United States following its $28.3 billion acquisition of electronic health records specialist Cerner.
In a presentation, CTO and founder Larry Ellison said electronic health records for individual patients were stored by hospitals and physicians, and not replicated or shared between providers.
"We're going to solve this problem by putting a unified national health records database on top of all of these thousands of separate hospital databases," Ellison said.
Analysis The European Parliament this week voted to support what is effectively a ban on the sale of cars with combustion engines by 2035, and automakers are not happy.
MEPs backed a plenary vote on Wednesday for "zero-emission road mobility by 2035" – essentially meaning no more diesel and gasoline-fueled vehicles on the road.
The ambitious target means the automotive battery industry will have to service a much larger demand over the coming years, and electric carmakers stand to benefit hugely – that is, if they can source the requisite semiconductors and batteries.
Intezer security researcher Joakim Kennedy and the BlackBerry Threat Research and Intelligence Team have analyzed an unusual piece of Linux malware they say is unlike most seen before - it isn't a standalone executable file.
Dubbed Symbiote, the badware instead hijacks the LD_PRELOAD environment variable, which the dynamic linker uses to load a shared object library, and soon infects every single running process.
The Intezer/BlackBerry team discovered Symbiote in November 2021, and said it appeared to have been written to target financial institutions in Latin America. Analysis of the Symbiote malware and its behavior suggests it may have been developed in Brazil.
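Because LD_PRELOAD-style hooks are injected through the loader rather than through a standalone binary, the place to look for them is the loader's own configuration and each process's environment. The following is an added example, not code from Intezer or BlackBerry: it parses /etc/ld.so.preload (glibc separates entries on whitespace or ':' and treats '#' as a comment) and the NUL-separated /proc/<pid>/environ blob, and reports any preloaded library not on an operator-maintained allowlist. The allowlist entry, the sample preload file and the sample process environments are constructed placeholders.

```python
"""Audit loader-level hooks: /etc/ld.so.preload entries and per-process
LD_PRELOAD variables, reporting anything outside a known allowlist.

Added example, not from the Intezer/BlackBerry report. The allowlist entry
and the sample inputs below are constructed placeholders.
"""
import os

# Placeholder allowlist: preload libraries the organisation knowingly deploys
# (for instance a sanctioned monitoring hook). Anything else is reported.
ALLOWED_PRELOADS = {"/usr/lib/libauthorised-hook.so"}


def parse_ld_so_preload(text):
    """Return the library paths listed in an /etc/ld.so.preload file.

    glibc's loader splits the file on whitespace and ':' and ignores text
    after '#' on a line, so the parser mirrors that."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(line.replace(":", " ").split())
    return libs


def parse_environ(environ_bytes):
    """Parse the NUL-separated /proc/<pid>/environ blob into a dict."""
    env = {}
    for item in environ_bytes.split(b"\0"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def unexpected_preloads(libs):
    """Filter a list of library paths down to those not on the allowlist."""
    return [lib for lib in libs if lib not in ALLOWED_PRELOADS]


def audit(preload_text, processes):
    """Return (where, library) findings for the preload file and for every
    process whose environment carries LD_PRELOAD.

    processes: iterable of (pid, comm, environ_bytes) tuples."""
    findings = []
    for lib in unexpected_preloads(parse_ld_so_preload(preload_text)):
        findings.append(("ld.so.preload", lib))
    for pid, comm, environ in processes:
        env = parse_environ(environ)
        if "LD_PRELOAD" in env:
            # LD_PRELOAD itself accepts space- or colon-separated entries.
            libs = env["LD_PRELOAD"].replace(":", " ").split()
            for lib in unexpected_preloads(libs):
                findings.append((f"pid {pid} ({comm})", lib))
    return findings


def live_processes():
    """Yield (pid, comm, environ_bytes) for processes on a Linux host.
    Reading another user's environ needs root; unreadable entries are skipped."""
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/environ", "rb") as f:
                environ = f.read()
        except OSError:
            continue
        yield pid, comm, environ


# Constructed sample: one sanctioned entry and one unknown library in the
# preload file, plus one process carrying an LD_PRELOAD variable.
SAMPLE_PRELOAD = (
    "/usr/lib/libauthorised-hook.so  # sanctioned\n"
    "/usr/local/lib/libunknown.so\n"
)
SAMPLE_PROCESSES = [
    ("1234", "sshd", b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libinject.so\0HOME=/root\0"),
    ("1235", "bash", b"PATH=/usr/bin\0HOME=/home/u\0"),
]


if __name__ == "__main__":
    for where, lib in audit(SAMPLE_PRELOAD, SAMPLE_PROCESSES):
        print(f"{where}: unexpected preload {lib}")
```

To run it against a real host, pass the contents of /etc/ld.so.preload and `live_processes()` to `audit()`. One caveat that applies to any preload rootkit: a library that hooks libc can hide its own file and environment entries from tools running on the same box, so a clean result from the infected host is weaker evidence than one from an offline disk image or a statically linked tool.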
Microsoft has treated some of the courageous Dev Channel crew of Windows Insiders to the long-awaited tabbed File Explorer.
"We are beginning to roll this feature out, so it isn't available to all Insiders in the Dev Channel just yet," the software giant said.
The Register was one of the lucky ones and we have to commend Microsoft on the implementation (overdue as it is). The purpose of the functionality is to allow users to work on more than one location at a time in File Explorer via tabs in the title bar.
Over recent years, Uncle Sam has loosened its tight-lipped if not dismissive stance on UFOs, or "unidentified aerial phenomena", lest anyone think we're talking about aliens. Now, NASA is the latest body to get in on the act.
In a statement released June 9, the space agency announced it would be commissioning a study team, starting work in the fall, to examine unidentified aerial phenomena or UAPs, which it defined as "observations of events in the sky that cannot be identified as aircraft or known natural phenomena."
NASA emphasized that the study would be from a "scientific perspective" – because "that's what we do" – and focus on "identifying available data, how best to collect future data, and how NASA can use that data to move the scientific understanding of UAPs forward."
The Register - Independent news and views for the tech community. Part of Situation Publishing