COBALT FOXGLOVE
SUMMARY
Since at least 2017, COBALT FOXGLOVE has been exploiting VPN and network appliance vulnerabilities to gain remote access to targets, usually dropping a webshell shortly after successful exploitation. COBALT FOXGLOVE appears to function as an "access team" or "initial access broker", with compromised targets being handed off to other intrusion teams or potentially sold on underground forums. Details of COBALT FOXGLOVE tradecraft have been reported in open-source reporting under the identifiers Parisite, Fox Kitten and Pioneer Kitten, although not until 2020, with prior operations failing to draw significant attention or potentially being misattributed.
CTU researchers have observed targeting of media, aviation, manufacturing and governmental organisations. Third-party reporting suggests additional targeting of the IT, telecommunications, oil and gas, technology and security sectors, particularly in Israel and the United States.
COBALT FOXGLOVE uses a combination of open-source tools, including Mimikatz, Chisel, Fast Reverse Proxy (FRP), Servo and Ngrok, and the custom tools STSRCheck and POWSSHNET. The group is adept at efficiently adopting new remote code execution vulnerabilities as exploit code is made public, integrating it into their scan-and-exploit operations within hours. Based on the short time window between exploitation and deployment of an initial webshell, it is likely that at least part of their operation is automated and that compromised targets are then triaged for follow-on activity.
COBALT FOXGLOVE has used the string "kharpedar", with minor variations, in passwords for webshells and compromised accounts since 2017, although this may change as references to this password have been emerging in public as of July 2020.
Actions-on-objective activity focuses on establishing additional access channels, harvesting credentials and opportunistically reviewing files whose filenames suggest they contain sensitive information. COBALT FOXGLOVE has been linked to the Pay2Key ransomware group, although the nature of the relationship is unclear.