CybersecurityManagementSecurity NewswireSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecuritySecurity & Business ResilienceCybersecurity News

COBALT MIRAGE conducts ransomware operations in US

By Maria Henriquez
ransomwarev7-freepik1170x658.jpg

Image via Freepik

May 13, 2022

The Secureworks Counter Threat Unit (CTU) researchers are investigating attacks by the Iranian COBALT MIRAGE threat group, which has been operating since at least June 2020. Linked to the Iranian COBALT ILLUSION threat group, COBALT MIRAGE uses persistent phishing campaigns to gain access. 


Based on Secureworks incident response engagements, CTU researchers identified two distinct clusters of COBALT MIRAGE intrusions one cluster uses BitLocker and DiskCryptor to conduct ransomware attacks for financial gain; the other cluster instead focuses on targeted intrusions to gain access and collect intelligence, as well as to experiment with ransomware. 


COBALT MIRAGE has demonstrated a preference for attacking organizations in Israel, the U.S., Europe, and Australia. 


The threat group has leveraged a broad scan-and-exploit campaign targeting Microsoft Exchange servers, as well as exploited the ProxyShell vulnerabilities, for example, to gain access to a U.S. local government network in March 2022 and a U.S. philanthropic organization in January 2022. 


While the threat actors appear to have had a reasonable level of success gaining initial access to a wide range of targets, their ability to capitalize on that access for financial gain or intelligence collection appears limited. 


The threat group’s ability to use publicly available encryption tools for ransomware operations and mass scan-and-exploit activity to compromise organizations creates an ongoing threat. “Conducting espionage can lead to significant financial gain depending on the group’s motives and geopolitical leaning/backing. The focus on both indicates that the group may be state-backed with a focus on gaining long-term cash out with short-term gain via espionage,” says Andy Gill, Senior Security Consultant at LARES Consulting.


Organizations must prioritize patching high-severity and highly publicized vulnerabilities on internet-facing systems, implement multi-factor authentication, and monitor the tools and file-sharing services used by COBALT MIRAGE, CTU researchers suggest. 

KEYWORDS: cybersecurity nation-state security ransomware risk management

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Maria Henriquez is a former Associate Editor of Security. She covered topics including cybersecurity and physical security, risk management and more.

Related Articles

Related Products

See More ProductsSee More Products

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!