CyberWire Daily - Getting an education on Cobalt Dickens. [Research Saturday]
Episode Date: December 1, 2018

Researchers from Secureworks' Counter Threat Unit have been tracking a threat group spoofing login pages for universities. Evidence suggests the Iranian group Cobalt Dickens is likely responsible. Allison Wikoff is a senior researcher at Secureworks, and she joins us to share what they've found. The original research is here: https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities
Transcript
You're listening to the Cyber Wire Network, powered by N2K.

of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life. Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security.
So we discovered a URL that spoofed a university login and essentially worked our way back from there.

That's Allison Wikoff. She's a senior security researcher with SecureWorks Counter Threat Unit. The research we're discussing today is titled Back to School, Cobalt Dickens Targets Universities.

And just by looking at passive DNS records for that domain hosting the URL and other aspects of the site, we were able to identify that this activity was much larger than just one university being spoofed.

Yeah, so give us an idea of the scope here. How many folks were they going after?
So in the initial reporting that you've read, we had a much smaller scope than what actually came to be. So overall, since public reporting, we have discovered that about 154 universities in 20 different countries had been targeted by this particular campaign.

Now, take us through, how did they go about it? What were they up to?
So initially, we just had the URLs. And in looking at the URLs, they nearly exactly mimicked login pages for various university resources. Mainly, it appeared that they were targeting library resources. However, the end part of that URL was, in fact, the adversary domain. So for an untrained eye, it would look like you're clicking on a link that belongs to a university where you should be logging in. But that wasn't, in fact, the case.

And looking at this, we believed that they were using these URLs to phish the university targets. And after publishing our research publicly, one of the really great things that happens when you publish research publicly is that we heard from a lot of folks who had observed the activity and were able to learn even more about what exactly was going on here. So we actually were able to get some of the contents of some of the phishing messages that were used, which was really intriguing.

So we were able to confirm that Cobalt Dickens leveraged these domains and phishing messages sent to folks associated with the universities whose webpages are being spoofed. And in the messages themselves, they were generally library-themed, which we sort of guessed from the way the URLs were structured. But we saw that instead of using the URL that we had discovered, they were using shortened links to mask this fake domain or this fake login page that they created. And there were actually two levels of redirection, which was fairly interesting. Some of the messages that we reviewed had a Google shortened link, which then resolved to another shortened link and then resolved to the actual domain that was created by the adversaries.

So taking several hops to get to the final destination.

Absolutely. Yeah, we think they were doing that as a layer of obscurity.
Now, when you say targeting libraries at these universities, what does that mean in a university context? What's the implication of that?

You know, it's hard to say, because a lot of these library resources are shared among universities. They're not always specific to the particular university that these folks were targeting, but we're assuming that they were going after these resources for some sort of intellectual property gain.

And what kind of things would they be after? We're talking about university research primarily?

Could be university research. It could just be the online academic journals. It's really hard to say what the specifics were that they were going after. The interesting piece of this is that we think they were going after not just university faculty, but potentially students as well, which is a real challenge for universities in defending their networks. They don't own student devices. It's a challenge. How do you educate these folks and students on phishing tactics? We talk about it a lot. It's really hard to protect students and people who aren't a part of the corporate domain but who are accessing your resources.
Now, you mentioned that you were able to get your hands on some of the phishing messages. How targeted were they? Was this a shotgun approach, or did it seem like they're going after specific individuals?

It was really hard to say, because we only got a very small sample size of some messages that were sent out. So it was difficult for us to determine whether it was one specific type of user within the university or if it was limited to a particular subset of the university. Very hard to say.

Was there anything to be gleaned from the targets that they chose? Was there any pattern to that? Were they going after specific European countries or North American countries? Was there anything from there, or was it fairly random?

The targeting was fairly random, I'd say. There was a pretty large smattering of universities targeted in the U.S., but I'm not sure if that was because there's just a lot more land space in the U.S. and there's a lot more universities to go after. We couldn't determine if there was a specific type of university that they were going after either.
So tell me about Cobalt Dickens. What is this group? Who do you think is behind this?

So Cobalt Dickens is a nomenclature that SecureWorks used to identify the cluster of threat activity, but we believe it's associated with the Iranian government. The activity that we saw was very similar to activity that was reported on earlier in the year by the U.S. Department of Justice. They actually issued an indictment on an Iranian company and several Iranian individuals associated with that company that performed similar activity over the course of 2013 to 2017.
Now, have you seen any shift in their activities since your research has been published? Have they backed off any, or do they still seem to be at it?

Well, in the days following the publishing of our research, we did see a couple more domains being created, which was interesting. But the more intriguing aspect of this particular campaign is that it's nearly identical to a lot of campaigns that were associated with this adversary prior to the public disclosure by the Department of Justice.

And are those campaigns that you all were tracking as well?

This is the first time we've directly observed this activity, but we were aware of the activity happening prior.
I see. And so in terms of advice for the folks who are targeted here, how can they protect themselves?

So I think it's a real challenge for universities to protect themselves from this kind of threat. Again, they don't own their student resources. And in this case, we think that some students may have been targeted, again, because it doesn't matter if it's student or faculty in terms of getting access to the resources; they just wanted them. So I think it's a twofold approach. One, training. And I think that's sort of old news in the industry. Security professionals talk so much about end user training, particularly when it comes to phishing. And unfortunately, training is really not enough. All you need is, we always say, one person to click. But I think really considering multi-factor authentication on sensitive resources, anything that can be accessed remotely outside of the university network with a username and password, if it's really important to the university, we really need to consider some additional factor outside of the password to secure that resource.
Now, in the process that they used here to steal these credentials, they would send you to a duplicate site, but then often they would just loop you back into the actual original university site?

Correct.

And so for the user, you may not know that anything had happened?

Absolutely.

Yeah, that's interesting.

Yeah. And the sites were very tricky too. So we learned that in addition to moving folks to the legitimate site, on the spoofed site, the adversaries created certificates. So the average end user doesn't look to see what certificate is issued to the site that they're logging into. They just look for that little lock box or HTTPS in the URL to think, okay, well, I'm at a secure site. This must be the site I'm logging into. So we think that those certificates were created to make the sites appear more legitimate.

Yeah, no, it's interesting. It's almost camouflage. Like you said, it's the shorthand. And as you said earlier, I would imagine, especially for students who may not be as sophisticated, they see that lock and they think, I'm logged into my university portal here and everything's fine.

Agreed.
So before we went public with this particular piece of research, we worked really hard to notify the registrars who were hosting the malicious domains. We also got in touch with law enforcement in many of the affected countries, as well as a lot of the national CERTs, just to make sure that we could actually disrupt this campaign. So we found it very early on in the stages, so much so that infrastructure was still being created around it. We are hoping that we were able to disrupt this campaign in some way, shape, or form.

Now, how about, have you gotten any feedback from the universities themselves? Any contact and responses from them?

We haven't, and I wouldn't expect to for ones that aren't SecureWorks clients. But I'm sure that in light of the dollar amount of content that was stolen initially by this group, I'm sure that they're grateful that these domains have been turned off.

Right, right. They benefit from the attention from law enforcement and, I guess, the interruption of the campaign in general.

Absolutely.
Our thanks to Allison Wikoff for joining us. She's from the SecureWorks Counter Threat Unit Research Team. The research is titled Back to School, Cobalt Dickens Targets Universities. You can find it on the SecureWorks website. We'll have a link in the show notes.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.

The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening.