[BreachExchange] Iranian Hackers Target Universities in Global Cyberattack Campaign

Destry Winant destry at riskbasedsecurity.com
Tue Aug 28 00:19:37 EDT 2018


https://latesthackingnews.com/2018/08/26/uk-based-firm-ee-affected-by-two-security-vulnerabilities-in-a-week/

Cobalt Dickens threat group is suspected to be behind a large-scale
cyberattack wave targeting credentials to access academic resources.

The school year has barely begun and things are off to a rocky start
for some colleges: Cobalt Dickens, a threat group linked to the
Iranian government, has been spotted targeting universities worldwide
in a large-scale credential theft campaign.

Researchers in Secureworks' Counter Threat Unit (CTU) uncovered the
cyberattacks after initially spotting a URL spoofing a university
login page. Further analysis of the IP address hosting the page
revealed a massive attack involving 16 domains with more than 300
spoofed websites and login pages for 76 universities across 14
countries.

Attackers targeted schools in the United States, United Kingdom,
Australia, Canada, China, Israel, Japan, and Turkey, among others. The
largest concentration of affected universities was in the US.
Researchers did not disclose which were targeted but are working to
alert them, they report.

Victims who entered their credentials on a fake login page were
redirected to the school's legitimate website, where they were either
logged into a valid browsing session or prompted to enter their
username and password a second time. Several domains referred to the
target institution's online library systems, a sign of attackers
trying to access academic resources.

Most domains in this campaign were tied to the same IP address and DNS
name server. One domain, registered in May 2018, contained subdomains
designed to spoof university targets and redirect visitors to fake
login pages on other domains controlled by the attackers.

Many of the spoofed domains were registered between May and August
2018; the most recent was created on August 19. It seems threat actors
were still building infrastructure to support the campaign at the time
Secureworks' CTU found it, researchers report in a blog post.

This campaign shared infrastructure with earlier Cobalt Dickens
attacks on academic resources, a popular target for the threat group.
In a previous campaign, its actors created lookalike domains to phish
targets and used stolen credentials to steal intellectual property
(IP).

"Cobalt Dickens' motivation is to obtain access to subscriber-only
academic resources as well as mailboxes of university staff and
students," says Rafe Pilling, information security researcher with the
Secureworks CTU, of the August campaign. "Revenue generation is likely
a key motivator, but the resulting access could be used for other
campaigns like onward phishing and intrusion against targets that
might implicitly trust contacts linked to educational institutions."
However, he notes, there has so far been no observation of this type
of activity.

There are several reasons why universities are hot targets for
attackers seeking IP. For starters, they're harder to secure than
financial companies, healthcare organizations, and other institutions
in more regulated industries. They also attract some of the world's
most intelligent researchers and students, making them treasure troves
of new ideas and information.

Post-Indictments

Earlier this year, the US Department of Justice indicted the Mabna
Institute and nine Iranians for their involvement with Cobalt Dickens
activity conducted between 2013 and 2017.

Many threat groups stick with their tactics despite disclosures like
these, and CTU says the August activity could be a sign the group is
continuing its campaigns despite its members' indictments.

"This activity aligns with Cobalt Dickens' previous MO," says Pilling
of the May-August campaign. "Based on our investigation, they haven't
seemed to have modified their tactics significantly when compared to
the campaign they've been running over the past few years."

"'If it ain't broke …' as the saying goes," he adds.

Pilling anticipates the activity will continue as the indictments by
the DoJ don't appear to have been a strong deterrent. The basic rules
of security hygiene apply: phishing awareness is key to defending
against this type of activity, he says, and users should be educated
on what to look for and to avoid entering their credentials in a site
linked within an email.

"Any email that wants you to click a link and enter credentials should
be considered suspect," he says.

