COBALT MIRAGE conducts ransomware operations in U.S.

MITRE Techniques

• [T1190] Exploit Public-Facing Application – Used Fortinet FortiOS vulnerabilities (CVE-2018-13379, CVE-2020-12812, CVE-2019-5591) and ProxyShell to compromise targets. “scanned ports 4443, 8443, and 10443 for devices vulnerable to Fortinet FortiOS vulnerabilities …” and later targeted Exchange servers via ProxyShell.
• [T1090] Proxy – FRPC-based remote access and tunneling to C2 servers. “FRPC is routinely deployed by COBALT MIRAGE” and the binary establishes a tunnel to the defined C2 servers. …”establish a tunnel to the defined command and control (C2) servers.”
• [T1021.001] Remote Desktop Protocol – Lateral movement and hands-on access via RDP using a DefaultAccount. “The threat actors then used Remote Desktop Protocol (RDP) and a built-in user account (DefaultAccount) to log onto the compromised Exchange server.”
• [T1059.001] PowerShell – Use of PowerShell commands and a pwsh.exe variant. “There are two versions of the same PowerShell command. One version uses an older PowerShell binary filename. The other uses the pwsh.exe filename implemented in PowerShell Core 6.0.”
• [T1003.001] LSASS – Credential access via LSASS dump to derive credentials after initial access. “LSASS dump soon after dllhost.exe executed its commands.”
• [T1136] Create Account – Privilege escalation and persistence by adding a new user and adding it to groups. “creates a ‘MSSQL’ user account on the compromised system with password … and adds it to the administrators and Remote Desktop Users groups.”
• [T1567.002] Exfiltration to Cloud Storage – Data exfiltration via cloud/file-sharing services. “Logs indicate that one or more of these sites may have been used to exfiltrate data from the environment.”