The CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released an advisory warning of TTPs Phobos ransomware attacks are using to target government and critical infrastructure entities.
“Structured as a ransomware as a service (RaaS) model, […] Phobos ransomware actors have targeted entities including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure to successfully ransom several million in U.S. dollars,” the advisory said.
Attack chains typically leveraged phishing as an initial access vector, or vulnerable networks are breached by hunting for exposed RDP services and exploiting them by means of a brute-force attack.
Once successful, the threat actors deploy additional remote access tools, taking advantage of process injection techniques to execute malicious code and evade detection, and making Windows Registry modifications to maintain persistence within compromised environments.
“Additionally, Phobos actors have been observed using built-in Windows API functions to steal tokens, bypass access controls, and create new processes to escalate privileges by leveraging the SeDebugPrivilege process. Phobos actors attempt to authenticate using cached password hashes on victim machines until they reach domain administrator access,” the agencies said.
Phobos has been active since May 2019, with multiple variants identified. Cisco Talos disclosed in November that those behind 8Base ransomware are utilizing a variant of Phobos for their attacks.
BullWall Executive, Carol Volk had this to say:
“The recent Phobos advisory from CISA, the FBI, and the MS-ISAC sheds light on the continued rise of ransomware attacks targeting government and critical infrastructure sectors. As with many ransomware attacks, the Phobos attacks employed phishing and exploitation of vulnerable RDP services and highlights the importance of robust cybersecurity measures at every level.
“Organizations must prioritize implementing multi-layered defense mechanisms, including strong email security protocols and regular security awareness training to thwart phishing attempts. Additionally, securing remote access points and promptly patching vulnerabilities in RDP services can significantly reduce the risk of exploitation.
“However, we continue to see that even well prepared defenses will be breached by determined actors, so regular air-gapped backups, a ransomware containment system and MFA to protect RDP sessions should be part of the defense stack for the day your defenses are breached.”
John Benkert, CEO, Cigent follows with this:
“Broken record here. Protecting critical infrastructure from Ransomware-as-a-Service (RaaS) attacks requires a multifaceted approach that spans technological, regulatory, and educational domains. Given the increasing sophistication and accessibility of RaaS platforms, which allow even low-skilled attackers to launch ransomware campaigns, the security of essential services such as healthcare, energy, transportation, and water systems has never been more important.
“The foundational step in defending against these threats involves the implementation of robust cybersecurity measures that already exist. This includes regular software updates and patch management to close vulnerabilities, advanced threat detection systems to identify and neutralize threats early, and comprehensive data backup strategies to ensure data integrity in the event of a breach.
“Let me be clear, solutions already exist in the commercial sector to protect against these threats. Instead of cultivating these commercial solutions, the government is more concerned with putting out regulations and standards that take years to approve and become obsolete before they are published.”
This should be a clear warning that defences for critical infrastructure specifically, but all organizations and sectors in general need to be a priority. The question is, how many warnings will it take for organizations to get the message?
Like this:
Like Loading...
Related
This entry was posted on March 5, 2024 at 8:20 am and is filed under Commentary with tags Security. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
US Agencies warn of ransomware gang targeting critical infrastructure
The CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released an advisory warning of TTPs Phobos ransomware attacks are using to target government and critical infrastructure entities.
“Structured as a ransomware as a service (RaaS) model, […] Phobos ransomware actors have targeted entities including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure to successfully ransom several million in U.S. dollars,” the advisory said.
Attack chains typically leveraged phishing as an initial access vector, or vulnerable networks are breached by hunting for exposed RDP services and exploiting them by means of a brute-force attack.
Once successful, the threat actors deploy additional remote access tools, taking advantage of process injection techniques to execute malicious code and evade detection, and making Windows Registry modifications to maintain persistence within compromised environments.
“Additionally, Phobos actors have been observed using built-in Windows API functions to steal tokens, bypass access controls, and create new processes to escalate privileges by leveraging the SeDebugPrivilege process. Phobos actors attempt to authenticate using cached password hashes on victim machines until they reach domain administrator access,” the agencies said.
Phobos has been active since May 2019, with multiple variants identified. Cisco Talos disclosed in November that those behind 8Base ransomware are utilizing a variant of Phobos for their attacks.
BullWall Executive, Carol Volk had this to say:
“The recent Phobos advisory from CISA, the FBI, and the MS-ISAC sheds light on the continued rise of ransomware attacks targeting government and critical infrastructure sectors. As with many ransomware attacks, the Phobos attacks employed phishing and exploitation of vulnerable RDP services and highlights the importance of robust cybersecurity measures at every level.
“Organizations must prioritize implementing multi-layered defense mechanisms, including strong email security protocols and regular security awareness training to thwart phishing attempts. Additionally, securing remote access points and promptly patching vulnerabilities in RDP services can significantly reduce the risk of exploitation.
“However, we continue to see that even well prepared defenses will be breached by determined actors, so regular air-gapped backups, a ransomware containment system and MFA to protect RDP sessions should be part of the defense stack for the day your defenses are breached.”
John Benkert, CEO, Cigent follows with this:
“Broken record here. Protecting critical infrastructure from Ransomware-as-a-Service (RaaS) attacks requires a multifaceted approach that spans technological, regulatory, and educational domains. Given the increasing sophistication and accessibility of RaaS platforms, which allow even low-skilled attackers to launch ransomware campaigns, the security of essential services such as healthcare, energy, transportation, and water systems has never been more important.
“The foundational step in defending against these threats involves the implementation of robust cybersecurity measures that already exist. This includes regular software updates and patch management to close vulnerabilities, advanced threat detection systems to identify and neutralize threats early, and comprehensive data backup strategies to ensure data integrity in the event of a breach.
“Let me be clear, solutions already exist in the commercial sector to protect against these threats. Instead of cultivating these commercial solutions, the government is more concerned with putting out regulations and standards that take years to approve and become obsolete before they are published.”
This should be a clear warning that defences for critical infrastructure specifically, but all organizations and sectors in general need to be a priority. The question is, how many warnings will it take for organizations to get the message?
Share this:
Like this:
Related
This entry was posted on March 5, 2024 at 8:20 am and is filed under Commentary with tags Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.