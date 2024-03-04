



US cybersecurity and intelligence agencies have warned of Phobos ransomware attacks targeting government and critical infrastructure entities, outlining the tactics and techniques the operators use to deploy the file-encrypting malware.

“Structured as a ransomware as a service (RaaS) model, Phobos ransomware actors targeted entities such as municipal and county governments, emergency services, education, public health, and critical infrastructure to obtain a ransom of several million US dollars,” the government said.

The advisory comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

Phobos has been active since May 2019, and several variants have been identified to date, namely Eking, Eight, Elbie, Devos, Faust and Backmydata. Late last year, Cisco Talos revealed that the threat actors behind 8Base ransomware were using a Phobos variant to carry out their financially motivated attacks.

There is also evidence suggesting that Phobos is likely tightly managed by a central authority, which controls the ransomware's private decryption key.

Attack chains involving the ransomware have typically used phishing as the initial access vector to drop stealthy loader payloads such as SmokeLoader. Alternatively, the actors scan for exposed RDP services and brute-force their credentials to gain a foothold on the network.

A successful intrusion is followed by the deployment of additional remote access tools, process injection to execute malicious code and evade detection, and Windows registry modifications to maintain persistence in the compromised environment.

“Additionally, Phobos actors have been observed using built-in Windows API functions to steal tokens, bypass access controls, and create new processes to escalate privileges by leveraging the SeDebugPrivilege process,” the agencies said. “Phobos actors attempt to authenticate using password hashes cached on victim machines until they reach domain administrator access.”

The group is also known to use open source tools such as BloodHound and SharpHound to enumerate Active Directory. Files are exfiltrated via WinSCP and Mega.io, after which volume shadow copies are deleted to make recovery more difficult.
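Two of the behaviours above, the RDP credential brute force used for initial access and the volume shadow copy deletion that precedes encryption, are the kind of thing a defender can catch from ordinary Windows telemetry. The following is an added example, not code from the advisory or from any of the vendors named here: it runs simple detection logic over a handful of constructed Windows Security (4625/4624, LogonType 10) and Sysmon process-creation (EventID 1) records. The newline-delimited JSON layout, field names and threshold values are assumptions modelled on a typical SIEM export; the shadow copy patterns go slightly beyond the article by also covering the WMI/PowerShell and wbadmin variants of the same technique.

```python
"""Detect RDP brute-force bursts and shadow copy deletion in Windows event records.

Input format (assumed): one JSON object per line with fields modelled on
Windows Security logon events (EventID 4625 failure / 4624 success, LogonType 10
= RemoteInteractive, i.e. RDP) and Sysmon process creation (EventID 1 with
CommandLine). Security 4688 with command-line auditing would work the same way.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events for demonstration; not real telemetry.
SAMPLE_EVENTS = r"""
{"ts": "2024-03-01T02:00:01Z", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "administrator"}
{"ts": "2024-03-01T02:00:04Z", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "admin"}
{"ts": "2024-03-01T02:00:06Z", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "backup"}
{"ts": "2024-03-01T02:00:09Z", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "svc_sql"}
{"ts": "2024-03-01T02:00:11Z", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "jsmith"}
{"ts": "2024-03-01T02:00:15Z", "EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "jsmith"}
{"ts": "2024-03-01T08:15:00Z", "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.20", "TargetUserName": "mlee"}
{"ts": "2024-03-01T08:15:30Z", "EventID": 4624, "LogonType": 10, "IpAddress": "198.51.100.20", "TargetUserName": "mlee"}
{"ts": "2024-03-01T02:40:00Z", "EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet", "User": "CORP\\jsmith"}
{"ts": "2024-03-01T02:40:02Z", "EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic shadowcopy delete", "User": "CORP\\jsmith"}
{"ts": "2024-03-01T02:40:05Z", "EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }\"", "User": "CORP\\jsmith"}
{"ts": "2024-03-01T09:00:00Z", "EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows", "User": "CORP\\backupsvc"}
"""

# Command lines that destroy shadow copies / backup catalogs (case-insensitive).
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Map source IP -> details for every source with >= threshold failed RDP
    logons inside `window`, noting the first successful RDP logon after the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e.get("LogonType") != 10:  # only RemoteInteractive (RDP) logons
            continue
        (failures if e["EventID"] == 4625 else successes if e["EventID"] == 4624 else defaultdict(list))[e["IpAddress"]].append(e)
    hits = {}
    for ip, fails in failures.items():
        for i in range(len(fails)):  # sliding window over time-sorted failures
            j = i
            while j + 1 < len(fails) and fails[j + 1]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i + 1 >= threshold:
                later = [s for s in successes.get(ip, []) if s["ts"] >= fails[j]["ts"]]
                hits[ip] = {
                    "failures": j - i + 1,
                    "users": sorted({f["TargetUserName"] for f in fails[i:j + 1]}),
                    "success_user": later[0]["TargetUserName"] if later else None,
                }
                break
    return hits


def detect_shadow_copy_deletion(events):
    """Return process-creation events whose command line matches a deletion pattern."""
    hits = []
    for e in events:
        if e["EventID"] != 1:
            continue
        cmd = e.get("CommandLine", "")
        for pat in SHADOW_COPY_PATTERNS:
            if pat.search(cmd):
                hits.append({"ts": e["ts"].isoformat(), "user": e.get("User"), "command": cmd, "rule": pat.pattern})
                break
    return hits


def triage(text):
    """Run both detections and raise severity when shadow copies are deleted by an
    account that was just reached through a brute-force burst."""
    events = parse_events(text)
    bf = detect_rdp_bruteforce(events)
    sc = detect_shadow_copy_deletion(events)
    compromised = {h["success_user"].lower() for h in bf.values() if h["success_user"]}
    for h in sc:
        acct = (h["user"] or "").split("\\")[-1].lower()  # "CORP\\jsmith" -> "jsmith"
        h["severity"] = "critical" if acct in compromised else "high"
    return {"bruteforce": bf, "shadow_copy_deletion": sc}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2, default=str))
```

Run on the constructed sample, the brute-force detector flags only 203.0.113.7 (five failures in ten seconds followed by a successful logon as jsmith); 198.51.100.20 is a single typo and is ignored. All three deletion commands executed by jsmith are then escalated to critical because that account was the one reached by the burst, while the benign `vssadmin list shadows` is not matched. Thresholds and the window should be tuned to the environment; the point is the correlation, not the specific numbers.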

This disclosure comes as Bitdefender details a meticulously coordinated ransomware attack affecting two separate companies simultaneously. The attack, described as synchronized and multifaceted, was attributed to a ransomware actor called CACTUS.

“CACTUS continued to infiltrate an organization's network, implanting various types of remote access tools and tunnels on different servers,” said Martin Zugec, director of technical solutions at Bitdefender, in a report published last week.

“When they identified an opportunity to move to another company, they temporarily paused their operations to infiltrate the other network. The two companies are part of the same group, but operate independently, maintaining separate networks and domains without any established trust relationship.”

The attack is also notable for targeting the company's virtualization infrastructure, indicating that CACTUS actors have expanded their scope beyond Windows hosts to attack Hyper-V and VMware ESXi hosts.

The attack also exploited a critical security flaw (CVE-2023-38035, CVSS score: 9.8) in an Internet-exposed Ivanti Sentry server less than 24 hours after its initial disclosure in August 2023, once again highlighting the opportunistic and rapid weaponization of recently published vulnerabilities.

Ransomware continues to be a major source of revenue for financially motivated threat actors, with initial ransom demands reaching a median value of $600,000 in 2023, a 20% increase from the previous year, according to Arctic Wolf. In the fourth quarter of 2023, the average ransom payment was $568,705 per victim.

Additionally, paying a ransom demand does not provide future protection. There is no guarantee that a victim's data and systems will be safely recovered, or that attackers will not sell the stolen data on underground forums or attack them again.

Data shared by cybersecurity firm Cybereason shows that “a staggering 78% [of organizations] were attacked again after paying the ransom – 82% of them within a year,” in some cases by the same threat actor. Of these victims, 63% were “asked to pay more the second time.”

