
PowerShell used by Iran’s Cobalt Mirage in June ransomware attack

The Iranian flag is seen in front of the building of the International Atomic Energy Agency (IAEA) Headquarters in Vienna, Austria. (Photo by Michael Gruber/Getty Images)

Researchers reporting Wednesday on a June ransomware incident found that the Iranian Cobalt Mirage group, linked to the Islamic Revolutionary Guard Corps (IRGC), exploited the ProxyShell vulnerabilities in Microsoft Exchange, CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207, pointing to the need for security teams to better detect malicious PowerShell activity.

In a blog post, Secureworks researchers said it’s likely that the compromise was opportunistic rather than targeted at any one organization or group. The researchers said in keeping with their established intrusion pattern, Cobalt Mirage deployed multiple web shells and TunnelFish, a customized variant of Fast Reverse Proxy (FRPC).

Once they deployed the web shells and FRPC, the threat actors then enabled the DefaultAccount with a password the researchers said was commonly used by Cobalt Mirage (P@ssw0rd1234) and encrypted several servers using BitLocker.

The TTPs used in the attack are mostly unremarkable across the board, and the attack was, as the blog said, almost certainly opportunistic, said Geoff Fisher, senior director, integration strategy at Tanium. Fisher said the investigation done by Secureworks is quite good and very thorough in tracing the activity back to the Iranian threat group on a number of fronts.

“Much like the FSB, the IRGC uses subcontractors to troll for IP and allow them to make side money from ransomware,” Fisher said. “The playbook here is tried, true and profitable for the groups. But like many of the eCrime groups they can get sloppy in tradecraft, which is how it was so starkly easy to trace back to the IRGC. From a day-to-day security operations perspective, this poses no more excessive risk than normal. Operators should note the intel presented for C2 here and patch their systems, as both of the enumerated vulnerabilities are very well-known, old and exploited, per the CISA guidance.”

Threat groups continue to abuse legitimate tools, such as PowerShell, said Nicole Hoffman, a senior cyber threat intelligence analyst at Digital Shadows. Hoffman said the industry has gone past the proof-of-concept stage for malicious PowerShell abuse.

“Regardless of the sophistication of the attackers, PowerShell remains a widespread issue,” Hoffman said. “Organizations should ensure they have visibility to detect malicious PowerShell activity. Additionally, there appears to be a larger trend of threat actors abusing BitLocker for encryption capabilities.”
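The intrusion chain described above (the DefaultAccount being enabled with a known password, servers encrypted with BitLocker) and Hoffman's point about visibility into PowerShell both come down to artifacts a defender can check for on a host. The script below is an added example written for this page, not code from the Secureworks report or from SC Media. The event IDs (Security 4722/4724/4738, PowerShell 4104), the registry path for script block logging and the cmdlets are standard Windows ones; the list of suspicious script-block strings, the 72-hour look-back window and the rule that a BitLocker volume with a Password protector or no escrowed recovery password is worth flagging are assumptions made here for illustration.

```powershell
#Requires -RunAsAdministrator
<#
  Added host-hunting script for the TTPs described in the article; not code from the
  Secureworks report or SC Media. Event IDs, registry paths and cmdlets are standard
  Windows ones; the pattern list, look-back window and BitLocker heuristic are
  assumptions made for illustration. Run as an administrator on the host being checked.
#>
param([int]$LookBackHours = 72)

$since    = (Get-Date).AddHours(-$LookBackHours)
$findings = [System.Collections.Generic.List[string]]::new()

# Pull a named <Data Name="..."> field out of an event's XML payload.
function Get-EventDataValue {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Visibility check: without script block logging, 4104 events are never written.
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$sbl = Get-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
if (-not $sbl -or $sbl.EnableScriptBlockLogging -ne 1) {
    $findings.Add('Script block logging is not enabled; PowerShell 4104 events will not be recorded.')
}

# 2. DefaultAccount is disabled out of the box. Flag it if it is enabled now, and list
#    who enabled it (4722) or reset/changed its password (4724/4738) in the window.
$da = Get-LocalUser -Name 'DefaultAccount' -ErrorAction SilentlyContinue
if ($da -and $da.Enabled) {
    $findings.Add("DefaultAccount is enabled (last logon: $($da.LastLogon)).")
}
$acctEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4722, 4724, 4738; StartTime = $since
} -ErrorAction SilentlyContinue
foreach ($e in $acctEvents) {
    if ((Get-EventDataValue $e 'TargetUserName') -eq 'DefaultAccount') {
        $who = Get-EventDataValue $e 'SubjectUserName'
        $findings.Add("Security $($e.Id) at $($e.TimeCreated): DefaultAccount changed by '$who'.")
    }
}

# 3. PowerShell script block logging (4104): look for strings that intruder scripts
#    tend to carry, including the account-enable and BitLocker steps above.
#    (Assumed pattern list; tune it for the environment.)
$patterns = @(
    'FromBase64String', '-EncodedCommand', '-enc ', 'Invoke-Expression', 'IEX ',
    'DownloadString', 'DownloadFile', 'manage-bde', 'Enable-BitLocker',
    'Add-BitLockerKeyProtector', 'net user DefaultAccount', 'Enable-LocalUser'
)
$psEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since
} -ErrorAction SilentlyContinue
foreach ($e in $psEvents) {
    $text = Get-EventDataValue $e 'ScriptBlockText'
    $hit  = $patterns | Where-Object { $text -and $text.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
    if ($hit) {
        $snippet = ($text -replace '\s+', ' ')
        if ($snippet.Length -gt 120) { $snippet = $snippet.Substring(0, 120) + '...' }
        $findings.Add("PowerShell 4104 at $($e.TimeCreated) matched [$($hit -join ', ')]: $snippet")
    }
}

# 4. BitLocker: an administrator-managed server normally has TPM-based protectors and
#    an escrowed recovery password. A volume that is encrypting or encrypted with a
#    Password protector, or without a RecoveryPassword, deserves a look (assumed
#    heuristic). Requires the BitLocker PowerShell module to be present.
$vols = Get-BitLockerVolume -ErrorAction SilentlyContinue
foreach ($v in $vols) {
    if ($v.VolumeStatus -eq 'FullyDecrypted') { continue }
    $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    if ($types -contains 'Password' -or -not ($types -contains 'RecoveryPassword')) {
        $findings.Add("BitLocker on $($v.MountPoint): $($v.VolumeStatus), protectors: $($types -join ', ')")
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No findings in the last $LookBackHours hours."
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

The first check matters more than it looks: if script block logging was never turned on, the 4104 query returns nothing and an empty result says nothing about what ran. Run the script across a fleet (for example via a remote session) and forward the findings rather than reading them host by host.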
