FBI, CISA Release IoCs for Phobos Ransomware

Published: 23/11/2024   Category: security

Threat actors using the malware have infected systems within government, healthcare, and other critical infrastructure organizations since at least 2019.

The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) have released details on the tactics and techniques threat actors are using to deploy the Phobos ransomware strain on target networks.
The advisory is part of an ongoing stop-ransomware effort by the two entities working in collaboration with the Multi-State Information Sharing and Analysis Center (MS-ISAC). It is similar to several alerts they have issued in recent months on particularly pernicious ransomware threats.
As with previous advisories, the latest one includes indicators of compromise that security and IT administrators can use to quickly spot and respond to potential Phobos infections.
Phobos ransomware first surfaced in 2019. Since then, its authors have been using a ransomware-as-a-service model to distribute the malware, which has helped establish Phobos as one of the more widely distributed ransomware strains in recent years. A Phobos variant dubbed 8Base ranked in Black Fog's list of the 10 most active ransomware threats in 2023. Phobos victims over the years include state, county, and municipal governments, as well as organizations in healthcare, education, and critical infrastructure sectors.
In one recent incident, a Phobos-affiliated threat actor infected systems at some 100 hospitals in Romania with a Phobos variant called Backmydata, by first targeting a central health information system to which they were connected.
The FBI-CISA advisory identified Phobos threat actors as using different tactics to gain initial access on victim networks. One common tactic has been to use phishing emails to drop the payload on victim networks in an opportunistic manner. Another has been to embed a dropper known as SmokeLoader in email attachments and use it to download Phobos on systems belonging to victims that open the attachment.
In addition, researchers have observed Phobos actors scanning the Internet for exposed RDP ports and then using open source brute-force password-guessing tools against them to gain access. If Phobos actors gain successful RDP authentication in the targeted environment, they perform open source research to create a victim profile and connect the targeted IP addresses to their associated companies, the advisory noted. Threat actors leveraging Phobos have notably deployed remote access tools to establish a remote connection within the compromised network.
Once on a network, Phobos threat actors have often run executables such as 1saas.exe or cmd.exe to escalate privileges and to perform various Windows shell functions, including those for taking control of systems. Additionally, they have taken advantage of built-in Windows API functions to bypass access control, steal authentication tokens, and create new processes to elevate privileges, according to the advisory. Phobos actors attempt to authenticate using cached password hashes on victim machines until they reach domain administrator access, the advisory noted.
The ransomware's persistence mechanisms include using Windows Startup folders and using Windows registry keys to remove or disable functions that enable access to backups or aid in system recovery.
Before encrypting systems on a network, Phobos actors have typically exfiltrated data from it and then used the threat of leaking that data as additional leverage for extracting payment from victims. In many cases, the threat actors have targeted financial records, legal documents, technical and network-related information, and databases for password management software, the advisory said. After the data-theft phase, the actors hunt for and delete any data backups the victims might have in place to ensure they can't recover without paying for the decryption key.
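The RDP brute-force-then-authenticate pattern described above is one of the easier Phobos precursors to detect from the Windows Security log. The following is an added defensive example, not code from the advisory or from Dark Reading: it takes a handful of constructed 4625 (failed logon) and 4624 (successful logon) records with logon type 10 (RemoteInteractive, i.e. RDP), flags any source address that fails at least `threshold` times inside a sliding time window, and records whether a successful RDP logon from that source followed. The field names, thresholds and sample addresses are assumptions for illustration; a real deployment would read the same fields from a SIEM export or `Get-WinEvent` output.

```python
"""Flag RDP password-guessing followed by a successful logon.

Added example (not from the FBI/CISA advisory). Input records are
constructed to mirror the fields a SIEM export of the Windows Security
log would carry; the rule itself only needs time, EventID, LogonType,
user and source address.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625     # Windows Security: an account failed to log on
SUCCESS_LOGON = 4624    # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = 10     # LogonType 10 = RemoteInteractive (RDP)

# Constructed sample telemetry, not real data. 203.0.113.45 sprays several
# usernames within seconds and then gets in as "itadmin"; 10.0.0.24 is a
# user who mistyped a password twice; the last record is a console logon.
SAMPLE_EVENTS = [
    {"time": "2024-11-20T02:00:01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2024-11-20T02:00:03", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.45"},
    {"time": "2024-11-20T02:00:05", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.45"},
    {"time": "2024-11-20T02:00:07", "event_id": 4625, "logon_type": 10, "user": "sqlsvc", "src_ip": "203.0.113.45"},
    {"time": "2024-11-20T02:00:09", "event_id": 4625, "logon_type": 10, "user": "itadmin", "src_ip": "203.0.113.45"},
    {"time": "2024-11-20T02:00:11", "event_id": 4625, "logon_type": 10, "user": "itadmin", "src_ip": "203.0.113.45"},
    {"time": "2024-11-20T02:00:40", "event_id": 4624, "logon_type": 10, "user": "itadmin", "src_ip": "203.0.113.45"},
    {"time": "2024-11-20T08:15:00", "event_id": 4625, "logon_type": 10, "user": "jdoe", "src_ip": "10.0.0.24"},
    {"time": "2024-11-20T08:15:20", "event_id": 4625, "logon_type": 10, "user": "jdoe", "src_ip": "10.0.0.24"},
    {"time": "2024-11-20T08:15:40", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "10.0.0.24"},
    {"time": "2024-11-20T09:00:00", "event_id": 4625, "logon_type": 2, "user": "jdoe", "src_ip": "-"},
]


def _ts(value):
    """Parse the ISO-8601 timestamp used in the sample records."""
    return datetime.fromisoformat(value)


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {src_ip: finding} for every source with at least `threshold`
    failed RDP logons inside any span of length `window`.

    Each finding carries the total failure count for that source, the set of
    usernames tried, and whether a successful RDP logon from the same source
    occurred at or after the start of the offending window.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == RDP_LOGON_TYPE:      # ignore console/service logons
            by_src[ev["src_ip"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: _ts(e["time"]))
        failures = [e for e in evs if e["event_id"] == FAILED_LOGON]
        start = 0
        for end in range(len(failures)):
            # Shrink the window from the left until it spans at most `window`.
            while _ts(failures[end]["time"]) - _ts(failures[start]["time"]) > window:
                start += 1
            if end - start + 1 >= threshold:
                window_start = _ts(failures[start]["time"])
                success_after = any(
                    e["event_id"] == SUCCESS_LOGON and _ts(e["time"]) >= window_start
                    for e in evs
                )
                findings[src] = {
                    "failures": len(failures),
                    "usernames": sorted({e["user"] for e in failures}),
                    "success_after": success_after,
                }
                break   # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for src, info in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        verdict = "and then AUTHENTICATED" if info["success_after"] else "(no success seen)"
        print(f"{src}: {info['failures']} failed RDP logons, users={info['usernames']} {verdict}")
```

With the default threshold only the spraying source is reported; a source whose guessing is followed by a 4624 is the case worth escalating, since the advisory describes exactly that step before the actors profile the victim and move on to cached-hash authentication and backup deletion.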
