Suspected Iranian nation-state threat group Cobalt Dickens has launched a new global attack campaign to steal intellectual property, according to Secureworks Counter Threat Unit (CTU) researchers. The group, also known as Silent Librarian, has been using spoofed library services login pages as part of a campaign targeting academics in order to steal intellectual property.
The Secureworks CTU report found that, despite a March 2018 US Department of Justice indictment of nine Iranian nationals for conducting an earlier "massive cyber theft campaign" on behalf of the Islamic Revolutionary Guard Corps, the Cobalt Dickens group carries on regardless.
"In July and August 2019, CTU researchers discovered a new large global phishing operation. This operation is similar to the threat group's August 2018 campaign, using compromised university resources to send library-themed phishing emails," said the CTU report.
While previous campaigns obfuscated the attack infrastructure with URL shorteners, the current one uses spoofed library resource logins with no attempt to hide the URLs. As users become increasingly aware of phishing tactics, and more wary of links that are obfuscated, this technique of lateral phishing is not too surprising.
Even if the spoofed resource link isn't quite what it should be, the fact that it's out in the open and close enough will fool many targets. Click on the link and the victim is sent to the spoofed login resource where credentials are scraped.
At least 20 new domains were registered by Cobalt Dickens for this campaign, targeting more than 60 universities in Australia, Canada, Hong Kong, Switzerland, the United Kingdom and the United States. Many used valid SSL certificates issued by free certificate authority Let's Encrypt.
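As an added example (not from the Secureworks report or this article), the following Python checker illustrates how a university mail or security team could triage the unobfuscated, close-enough links described above: it extracts URLs from a message, works out each one's registrable domain, and flags links that borrow the institution's name or a library/login theme on a domain the institution does not own. A valid Let's Encrypt certificate on such a domain changes nothing here. The institution names, allowlist and sample message are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: registrable domains the institution actually owns (hypothetical names).
INSTITUTION_DOMAINS = {"example-uni.ac.uk", "example-uni.edu"}
# Words a spoofed library or SSO login page typically borrows from the real one.
LURE_TERMS = ("library", "login", "ezproxy", "shibboleth")
# Public suffixes with a second level (ac.uk, edu.au, ...); production code should use the Public Suffix List.
SECOND_LEVEL = {"ac", "co", "com", "edu", "gov", "net", "org"}

def registered_domain(host: str) -> str:
    """Return the registrable domain, e.g. library.example-uni.ac.uk -> example-uni.ac.uk."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def classify_link(url: str) -> str:
    """'trusted' if the registrable domain is ours; 'lookalike' if a foreign domain borrows our
    name in its host or path; 'suspicious' if a foreign host is login-themed; else 'unknown'."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if registered_domain(host) in INSTITUTION_DOMAINS:
        return "trusted"
    # The institution's own name on a domain it does not own is the classic lure;
    # the TLS certificate only proves control of that foreign domain.
    institution_names = {d.split(".")[0] for d in INSTITUTION_DOMAINS}
    if any(name in host + parsed.path.lower() for name in institution_names):
        return "lookalike"
    if any(term in label for label in host.split(".") for term in LURE_TERMS):
        return "suspicious"
    return "unknown"

URL_RE = re.compile(r"https?://\S+")

def scan_message(text: str) -> dict:
    """Map every URL found in a message body to its classification."""
    return {url: classify_link(url) for url in URL_RE.findall(text)}

# Constructed sample message in the style of a library-themed phishing email.
SAMPLE = """Dear user, your library account expires today.
Renew at https://example-uni.ac.uk.library-access.net/login
or via https://ezproxy-login.org/example-uni/
The real portal is https://library.example-uni.ac.uk/login"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE).items():
        print(f"{verdict:10} {url}")
```

The 'suspicious' tier is deliberately noisy (any login-themed host not on the allowlist) and is meant for human review, while 'lookalike' hits are the ones worth blocking or alerting on.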
"This isn’t a problem of one certificate authority over another," said Brian Chappell, director of product management at BeyondTrust. "The certificates being issued prove the website is the one you are addressing; whether that’s the site you expect it to be or not, it is the one it claims to be."
Indeed, the greater good of free non-EV SSL certificates far outweighs the credibility enhancement of these malicious pages.
"This almost becomes a moot point," James Houghton, CEO at Phishing Tackle told SC Media UK. "Now the likes of Google have removed the UI indicator for extended validation (EV) certificates from the browser's address bar in release 77, and the same will be true for Firefox 70."
The real problem is not that the Cobalt Dickens group are using freely accessible tools, argued Richard Piccone, senior cybersecurity consultant at ITC Secure. "It's that they were able to use easily foiled attack techniques."
The CTU researchers have so far observed the group attacking at least 380 universities across 30 countries, many of them targeted on multiple occasions. "The threat actors have not changed their operations despite law enforcement activity, multiple public disclosures, and takedown activity," the report said.
The campaign seems to be gaining strength despite several public disclosures, takedowns and well-publicised law enforcement actions, none of which appear to have got the multi-factor authentication (MFA) message across to universities.
"I wonder if part of the problem is a perception that MFA primarily protects the user," Piccone said. "There's no direct benefit to an organisation compared to, say, a shiny new 'next-gen' firewall."
Moreover, it is perceived that the inconvenience of setting up MFA outweighs the security benefit.
"What's disappointing is that after a few minutes of research I found more than one UK university that doesn't appear to have basic email security in place, leaving their staff and students more vulnerable to these types of phishing attacks. Yet, they're offering NCSC-certified Masters degrees in cyber security," said Piccone.
There needs to be a broader adoption of MFA to help users avoid finding themselves compromised this way, said Chappell.
"Currently, the additional factor is optional for most sites. Moving it toward an opt-out scenario, or even a requirement for access would help ensure its use and consequent reduction in value of credentials stolen in this manner," he suggested.
"MFA is becoming so much easier to implement and safer for everyone involved, that it seems crazy that universities haven’t yet implemented this protection – especially when they have been caught in near carbon copy circumstances in the past," said Jake Moore, cybersecurity specialist at ESET.
"Let’s hope that after this latest attack campaign, some universities will see the potential of adding extra layers of security," he told SC Media UK.