New Threat Research: Uncovering Adversarial LDAP Tradecraft

Read Threat Research


Cobalt Dickens Group Still Using Fake Library Logins

Cobalt Dickens: The Iranian threat actor Cobalt Dickens, who has a track record of targeting universities around the globe, has begun focusing on American universities. According to new research from Proofpoint, the group is still using the same methods, including spoofing emails from university libraries and using fake login pages to harvest the credentials of their victims. Members of the group were previously indicted by the United States Department of Justice in March of 2018 due to damages they caused by their attacks between 2013 and 2017. The indictment charges did not affect the group and did not skew their attacks or timeline in any way that was noticeable. What makes this group so successful is the use of stolen university branding to make their emails and login pages look authentic. The group does research into the university before they target them, using their wording and logos for their attack. Typically, the emails that are sent to people from this group state that they have an overdue library book that they need to turn in. Along with the email will be a link to the fake login page to check the status of the pending overdue book. Once redirected to the fake login page, the attacker can steal all of the credentials that are submitted and then use them to log in to students’ accounts. By logging into accounts, the threat actors will have access to all of the students’ private information and access to their financial aid information.

Analyst Notes

The best way to combat this attack is to enable two-factor authentication. This will stop the attacker from logging in because they will need more than just a password from the victim. Another effective technique for defending against this attack is to recognize phishing campaigns directed at the protected organization, investigate the fake login page, and seed some decoy credentials into the fake login page. If your website can detect when an attacker attempts to use the decoy credentials and either deny that login attempt or redirect them to a “honeypot” environment to study the attacker’s next steps, this can provide valuable threat intelligence information about the attacker’s tools and techniques, which can then be applied to hunt for any other compromised computers in your environment. Binary Defense can assist with attacker deception, active defense and continuous monitoring. This attack style is not new for this group, but the shift to targeting universities in the United States comes at a time when other Iranian threat actors are also targeting entities within the U.S. According to the indictment, the Cobalt Dickens group is controlled by the government of Iran and all likely have the same end goal which is to steal research, academic and proprietary data, and intellectual property from American entities.