Artifacts exposed personas and companies associated with the Iranian threat group.
Secureworks® Counter Threat Unit™ (CTU) analysis of a June 2022 ransomware incident revealed details about Iranian COBALT MIRAGE threat group operations. Despite CTU™ researchers publicly disclosing COBALT MIRAGE tactics, techniques, and procedures (TTPs) in May 2022, the threat actors continue to demonstrate many of the same behaviors.
In this incident, COBALT MIRAGE exploited the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207). It is likely that the compromise was opportunistic rather than targeted. In keeping with their established intrusion pattern, the threat actors deployed multiple web shells and TunnelFish, a customized variant of Fast Reverse Proxy (FRPC). They then enabled the DefaultAccount with a password commonly used by COBALT MIRAGE (P@ssw0rd1234) and encrypted several servers using BitLocker.
#CTI #Analysis #APT