Cybersecurity NewsNews

Iranian Cybercrime Group Uses Ransomware to Capitalize in the Financial Market

Photo of Steel Luiz Steel Luiz Send an email May 13, 2022
1 minute read
WazirX
Anonymous hacker in front of his computer with red light wall backgroundAnonymous hacker in a black hoody with laptop in front of a code background with binary streams cyber security concept

Loading

An Iranian cybercrime group has been discovered launching cyberattacks on entities in the U.S, Europe and Australia.

According to Secureworks, COBALT MIRAGE has been linked to an Iranian group dubbed Cobalt Illusion. The Iranian threat group persistently use phishing campaigns to obtain initial access.

The Iranian APT is Divided

The security firm stated in a report that the ransomware group has divided themselves into two different clusters. Threat actors belonging to the first cluster conduct financially motivated ransomware operations using encryption tools like Bitlocker and Discryptor.

The second cluster tries to gather intelligence and gain access to the targets for intrusions. The threat actors obtain initial access by scanning and exploitation. Fortinet and Microsoft exchange servers were found vulnerable to their methods

In January, a U.S. philanthrophic organization suffered a cyberattack from Cobalt Mirage through a Proxyshell exploitation. The Secureworks Counter Threat Unit (CTU) research team investigated the Iranian APT group and discovered that the proxyshells were being used to deploy web shells.

Also in March, CTU attributed the operation to Cobalt Mirage’s Cluster B. They were involved in the intrusion of the U.S. local government’s network. While it was confirm that this faction did not use ransomware in its latest attack, they conducted activities like the use of a DefaultUser account.

Secureworks stated that crypto mining malware is likely to be part of Cobalt Mirage’s activity. In their report, they said that analysis of Cobalt Mirage attacks is challenging because unrelated threat actors have often also compromised the environment using the same vulnerabilities.

Many of these threat actors use the same publicly available proof-of-concept code and may access the same environment multiple times, dropping redundant web shells. Cryptominer infections are often observed alongside Cobalt Mirage activity, but they may have been deployed by another group.

CTU researchers have not observed any Cluster B operations since the intrusion in March was disrupted, but there is evidence that the threat actors may be experimenting with ransomware.

Tags
Photo of Steel Luiz Steel Luiz Send an email May 13, 2022
1 minute read
Photo of Steel Luiz

Steel Luiz

Related Articles

North Korea

North Korea Found Guilty of Over $41 Billion Ethereum Theft from Upbit

7 hours ago
Bitwise

Bitwise Joins Solana ETF Race Amid Crypto Market Optimism

7 hours ago
Scammer

Kind Scammer Refunds User’s $129M Within an Hour of Transfer.

1 day ago
Yao Qian

China Might Not Unban Crypto Soon as Proponents Faces Backlash on Corruption Allegations

1 day ago
Back to top button