These ransomware attackers sent their ransom note to the victim's printer

Cybersecurity researchers detail attacks by 'Cobalt Mirage' that took place this year - and say some of the targeting is very odd, compared with previous campaigns.
Written by Danny Palmer, Senior Writer

A hacking group that conducts cyber-espionage campaigns and ransomware attacks is targeting organisations in Europe and the United States. 

Cybersecurity researchers at Secureworks have detailed a string of cyberattacks involving ransomware and data theft that took place in early 2022 to an Iranian hacking group they refer to as Cobalt Mirage – also known as APT35, Charming Kitten, Phosphorus and TA453 by other research groups. 

Among the attacks is an incident targeting a US local government network in March 2022, which Secureworks researchers have attributed to Cobalt Mirage due to hallmarks of previously uncovered attacks by the group.  

SEE: A winning strategy for cybersecurity (ZDNet special report)

These include exploiting the ProxyShell vulnerabilities to deploy Fast Reverse Proxy client (FRPC) and enable remote access to vulnerable systems, along with the use of infrastructure that matches patterns associated with the threat group. 

While the initial means of compromise in this attack is still unclear, researchers note how the attackers likely exploited unpatched Log4j vulnerabilities despite a patch being available. There's evidence that this initial exploitation may have occurred as early as January 2022. 

Most of the intrusion activity spanned a four-day period in March, with the key aim of the activity based around scanning the network and stealing data. Researchers note that this tactic is strange, as like other attacks detected during the period, the targets had no strategic or political value to Iran. 

After the March 2022 intrusion was detected and disrupted, no further malicious activity was observed. 

Researchers suggest that the main motivation behind this attack, and others is financial gain, but it's unclear how exactly the attackers would look to profit from it. 

"While the threat actors appear to have had a reasonable level of success gaining initial access to a wide range of targets, their ability to capitalize on that access for financial gain or intelligence collection appears limited," Secureworks Counter Threat Unit (CTU) researchers wrote in a blog post. 

No ransomware was deployed in the attack against the undisclosed US local government victim, but researchers note that Cobalt Mirage does engage in ransomware attacks – as another victim discovered in January described as a 'U.S. philanthropic organization'. 

According to Secureworks researchers who investigated the incident, attackers used ProxyShell and Microsoft Exhange vulnerabilities to move around the network and remotely gain access to accounts, before eventually triggering a BitLocker ransomware attack. 

SEE: Cloud computing security: New guidance aims to keep your data safe from cyberattacks and breaches

Unusually, the ransom note was sent to a printer on the network and printed out on paper, detailing an email address and contact details. While Cobalt Mirage has links to state-backed hacking operations, in this case, the ransomware is being deployed as a purely financially motivated attack. Ransomware ransom notes are more typically left either on screens or on servers.

"The threat actors completed the attack with an unusual tactic of sending a ransom note to a local printer. The note includes a contact email address and Telegram account to discuss decryption and recovery. This approach suggests a small operation that relies on manual processes to map victims to the encryption keys used to lock their data," the security researchers said. 

In both incidents detailed by researchers, attackers were able to gain access to networks by exploiting unpatched critical cybersecurity vulnerabilities. In order to protect networks against cyberattacks, it's recommended that security patches are applied as quickly as possible in order to prevent potential intruders exploiting known vulnerabilities. 

Researchers also recommend implementing multi-factor authentication, and monitoring for unauthorised or suspicious use of tools and file-sharing services, which could indicate attackers are in the network. 


Editorial standards