US cyber and law enforcement agencies warn of Phobos ransomware attacks
US cyber and law enforcement agencies warn of Phobos ransomware attacks
March 02, 2024
US CISA, the FBI, and MS-ISAC issued a joint CSA to warn of attacks involving Phobos ransomware variants observed as recently as February 2024
US CISA, the FBI, and MS-ISAC issued a joint cyber security advisory (CSA) to warn of attacks involving Phobos ransomware variants such as Backmydata, Devos, Eight, Elking, and Faust.
The attacks were observed as recently as February 2024, they targeted government, education, emergency services, healthcare, and other critical infrastructure sectors.
Phobos operation uses a ransomware-as-a-service (RaaS) model, it has been active since May 2019.
Based on information from open sources, government experts linked multiple Phobos ransomware variants to Phobos intrusions due to observed similarities in Tactics, Techniques, and Procedures (TTPs). Phobos intrusions also involved the use of various open-source tools, including Smokeloader, Cobalt Strike, and Bloodhound. These tools are widely available and user-friendly across different operating environments, contributing to the popularity of Phobos and its associated variants among various threat actors.
Threat actors behind Phobos attacks were observed gaining initial access to vulnerable networks by leveraging phishing campaigns. They dropped hidden payloads or used internet protocol (IP) scanning tools, such as Angry IP Scanner, to search for vulnerable Remote Desktop Protocol (RDP) ports or by leveraging RDP on Microsoft Windows environments.
“Once they discover an exposed RDP service, the actors use open source brute force tools to gain access. If Phobos actors gain successful RDP authentication in the targeted environment, they perform open source research to create a victim profile and connect the targeted IP addresses to their associated companies. Threat actors leveraging Phobos have notably deployed remote access tools to establish a remote connection within the compromised network.” reads the joint CSA. “Alternatively, threat actors send spoofed email attachments that are embedded with hidden payloads such as SmokeLoader, a backdoor trojan that is often used in…
