Phosphorus Hacker Group Running Ransomware Campaign, Microsoft Warns
A subgroup of the Iranian state-linked threat actor Phosphorus is running a ransomware campaign for personal gain, researchers at the Microsoft Threat Intelligence Center (MSTIC) disclosed yesterday.
MSTIC assesses that the subgroup, dubbed Nemesis Kitten and tracked as DEV-0270, conducts several malicious operations, including extensive vulnerability scanning, on behalf of the Iranian government.
Because most of the attacks in the newly observed campaign “lacked a strategic value for the regime,” the researchers suspect it is not directed by the government and is instead run for the personal gain of the gang members.
The threat actors gained initial access by exploiting known vulnerabilities in internet-facing Microsoft Exchange servers, Fortinet appliances, and applications that embed Log4j 2. After breaching a device or network, the attackers perform environment discovery and credential theft, establish persistence, escalate privileges, and use evasion techniques to avoid detection.
“The threat group commonly uses native WMI, net, CMD, and PowerShell commands and registry configurations to maintain stealth and operational security,” according to MSTIC’s security advisory. “They also install and masquerade their custom binaries as legitimate processes to hide their presence. Some of the legitimate processes they masquerade their tools as include: dllhost.exe, task_update.exe, user.exe, and CacheTask.”
The researchers also observed DEV-0270 turning on BitLocker, Windows' own built-in disk encryption, through commands in a setup.bat script, which locks the victim out of the host; because BitLocker is a legitimate feature, the "ransomware" here is the operating system itself, and the activity looks like routine administration unless the enablement is checked against expected change activity. On workstations the group instead deploys DiskCryptor, an open-source disk-encryption tool, over RDP. Once launched, DiskCryptor encrypts the entire disk and locks the victim out of the workstation.
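To show what a defender can actually look for in the behaviour described above, here is an added hunting example; it is not part of the Bitdefender article and is not Microsoft's or Bitdefender's detection logic. It scans process-creation events for three of the described behaviours: custom binaries masquerading as dllhost.exe, task_update.exe, user.exe or CacheTask but running from outside their legitimate directory; BitLocker being switched on with manage-bde, noting when the parent was a setup.bat script; and DiskCryptor being launched. The event lines, their Key=Value layout, the legitimate directories for dllhost.exe, and the DiskCryptor binary names (dcrypt.exe, dccon.exe) are assumptions made for this example.

```python
"""Added hunt example (not Microsoft's or Bitdefender's detection logic).

Scans process-creation events for three DEV-0270 behaviours described
in the advisory: custom binaries masquerading as dllhost.exe,
task_update.exe, user.exe or CacheTask; BitLocker being switched on
from a setup.bat script via manage-bde; and DiskCryptor being launched.
The event lines, their Key=Value format and the DiskCryptor binary
names are assumptions made for this example.
"""
import ntpath
import re
from dataclasses import dataclass

# Process names the advisory says the group's tools masquerade as (extension dropped).
MASQUERADE_STEMS = {"dllhost", "task_update", "user", "cachetask"}

# Only dllhost.exe has a legitimate home on Windows; the other names have none,
# so any occurrence of them is reported (assumption used by this example).
LEGIT_DIRS = {"dllhost": {r"c:\windows\system32", r"c:\windows\syswow64"}}

# Assumed DiskCryptor binary names (GUI and console front-ends).
DISKCRYPTOR_STEMS = {"dcrypt", "dccon"}

# "manage-bde ... -on <volume>" turns BitLocker on for a volume.
BITLOCKER_ON = re.compile(r"manage-bde(\.exe)?\b.*\s-on\b", re.IGNORECASE)

# Constructed Sysmon-style event lines: Key=Value pairs, quoted when they contain spaces.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    image: str
    detail: str


def parse_event(line: str) -> dict:
    """Turn one 'Key=Value Key="Value with spaces"' line into a dict."""
    event = {}
    for m in _KV.finditer(line):
        event[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return event


def analyze(event: dict) -> list:
    """Apply the three rules to a single parsed event and return its findings."""
    image = event.get("Image", "")
    stem = ntpath.splitext(ntpath.basename(image))[0].lower()
    directory = ntpath.dirname(image).lower()
    pid = int(event.get("ProcessId", "0"))
    cmd = event.get("CommandLine", "")
    parent_cmd = event.get("ParentCommandLine", "")
    findings = []

    # Rule 1: a known masquerade name running from anywhere but its legitimate directory.
    if stem in MASQUERADE_STEMS and directory not in LEGIT_DIRS.get(stem, set()):
        findings.append(Finding("masquerade", pid, image,
                                f"{stem}.exe running from {directory or '<no path>'}"))

    # Rule 2: BitLocker being enabled, with a note when the parent was a setup.bat script.
    if BITLOCKER_ON.search(cmd):
        via = " (parent: setup.bat)" if "setup.bat" in parent_cmd.lower() else ""
        findings.append(Finding("bitlocker_enable", pid, image, cmd + via))

    # Rule 3: DiskCryptor started, recognised by binary name or by name on the command line.
    if stem in DISKCRYPTOR_STEMS or "diskcryptor" in cmd.lower():
        findings.append(Finding("diskcryptor", pid, image, cmd))
    return findings


def hunt(lines) -> list:
    """Run every rule over every non-empty event line and collect findings in order."""
    return [f for line in lines if line.strip() for f in analyze(parse_event(line))]


# Constructed sample events: a benign dllhost, two masquerades, a BitLocker
# enablement launched from setup.bat, a DiskCryptor launch, and a benign notepad.
SAMPLE_EVENTS = [
    r'ProcessId=1120 Image="C:\Windows\System32\dllhost.exe" ParentImage="C:\Windows\System32\svchost.exe" CommandLine="C:\Windows\System32\dllhost.exe"',
    r'ProcessId=4412 Image="C:\Users\Public\dllhost.exe" ParentImage="C:\Windows\System32\cmd.exe" CommandLine="C:\Users\Public\dllhost.exe"',
    r'ProcessId=4420 Image="C:\ProgramData\task_update.exe" ParentImage="C:\Windows\System32\cmd.exe" CommandLine="C:\ProgramData\task_update.exe -install"',
    r'ProcessId=5010 Image="C:\Windows\System32\manage-bde.exe" ParentImage="C:\Windows\System32\cmd.exe" ParentCommandLine="cmd.exe /c C:\Users\Public\setup.bat" CommandLine="manage-bde -on C: -RecoveryPassword -SkipHardwareTest"',
    r'ProcessId=5100 Image="C:\Users\Public\dcrypt.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="C:\Users\Public\dcrypt.exe"',
    r'ProcessId=6000 Image="C:\Windows\System32\notepad.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="notepad.exe"',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} image={f.image} :: {f.detail}")
```

Run against the constructed events, the benign dllhost.exe and notepad.exe produce nothing, while the two relocated binaries, the manage-bde call from setup.bat and the DiskCryptor launch each produce one finding. The masquerade rule keys on the image path rather than the process name alone, which is the point: the names the group chooses are exactly the ones an analyst is trained to ignore, so the directory is the signal.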
In the security advisory, MSTIC included a series of mitigation tips to deter DEV-0270-specific techniques:
- Prioritize patching internet-facing Exchange servers
- Apply security updates and fixes as soon as they become available
- Use a host firewall to block RPC and SMB traffic between endpoints wherever possible, limiting lateral movement
- Enforce strong administrator password policies
- Ensure your antivirus software is up to date
- Keep backups that an attacker on the network cannot reach (offline or otherwise isolated), so that a destructive attack can be recovered from
Specialized software such as Bitdefender Ultimate Security can keep you safe against online threats, with features like:
- All-round real-time data protection that works against worms, Trojans, zero-days, ransomware, viruses, spyware, rootkits and other e-threats
- Multi-layer ransomware protection that keeps your files safe from various ransomware attacks
- Advanced threat defense that closely monitors active apps and acts instantly upon detecting suspicious activity
- Rescue environment module that removes sophisticated malicious components before Windows starts