U.S. Critical Infrastructure Hit by Phobos Ransomware

admin, March 6, 2024, 07:55:28

U.S. cybersecurity and intelligence agencies have warned of Phobos ransomware attacks targeting government and critical infrastructure entities, outlining the various tactics and techniques the threat actors have adopted to deploy the file-encrypting malware.

"Structured as a ransomware as a service (RaaS) model, Phobos ransomware actors have targeted entities including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure to successfully ransom several million in U.S. dollars," the government said.

The advisory comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

Active since May 2019, multiple variants of Phobos ransomware have been identified to date, namely Eking, Eight, Elbie, Devos, Faust, and Backmydata. Late last year, Cisco Talos revealed that the threat actors behind the 8Base ransomware are leveraging a Phobos ransomware variant to conduct their financially motivated attacks.

There is evidence to suggest that Phobos is likely closely managed by a central authority, which controls the ransomware's private decryption key.

Attack chains involving the ransomware strain have typically leveraged phishing as an initial access vector to drop stealthy payloads like SmokeLoader. Alternatively, vulnerable networks are breached by hunting for exposed RDP services and exploiting them by means of a brute-force attack.

A successful digital break-in is followed by the threat actors dropping additional remote access tools, taking advantage of process injection techniques to execute malicious code and evade detection, and making Windows Registry modifications to maintain persistence within compromised environments.

"Additionally, Phobos actors have been observed using built-in Windows API functions to steal tokens, bypass access controls, and create new processes to escalate privileges by leveraging the SeDebugPrivilege process," the agencies said. "Phobos actors attempt to authenticate using cached password hashes on victim machines until they reach domain administrator access."

The e-crime group is also known to use open-source tools such as BloodHound and SharpHound to enumerate Active Directory. File exfiltration is accomplished via WinSCP and Mega.io, after which volume shadow copies are deleted in an attempt to make recovery harder.

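The RDP brute-force entry and the shadow-copy deletion described above lend themselves to log-based detection. The following Python script is an added example, not code from the advisory, the agencies or the article: it scans a handful of constructed Windows Security event records (failed and successful logons, event IDs 4625/4624, and process creation, event ID 4688) for a burst of failed RDP logons from one source address followed by a success, and for process command lines that delete volume shadow copies. The event records, field names, IP addresses, host names and the alert thresholds are assumptions made for the example.

```python
"""Added example (not from the CISA/FBI/MS-ISAC advisory or the article):
detect two Phobos-style behaviours in Windows Security event records.

  * RDP password brute force: >= THRESHOLD failed logons (4625) from one
    source IP inside WINDOW, followed by a successful logon (4624).
  * Volume shadow copy deletion: a process-creation event (4688) whose
    command line invokes vssadmin or wmic to delete shadow copies.

All records below are constructed sample data, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Logon types: 10 = RemoteInteractive (RDP). With Network Level Authentication
# enabled, failed RDP attempts are commonly recorded as type 3 (Network).
RDP_LOGON_TYPES = {3, 10}

# Command-line patterns for shadow copy deletion (case-insensitive).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|Win32_ShadowCopy.*\bDelete\b)",
    re.IGNORECASE,
)


def _e(ts, event_id, **fields):
    """Build one constructed event record (assumed field names)."""
    return {"time": datetime.fromisoformat(ts), "event_id": event_id, **fields}


# Constructed sample events. 203.0.113.77 is a documentation-range address
# playing the role of an external attacker; 10.0.0.23 is a benign workstation.
SAMPLE_EVENTS = [
    _e("2024-03-01T02:00:01", 4625, ip="203.0.113.77", user="admin", logon_type=3),
    _e("2024-03-01T02:00:03", 4625, ip="203.0.113.77", user="administrator", logon_type=3),
    _e("2024-03-01T02:00:05", 4625, ip="203.0.113.77", user="administrator", logon_type=3),
    _e("2024-03-01T02:00:07", 4625, ip="203.0.113.77", user="administrator", logon_type=3),
    _e("2024-03-01T02:00:09", 4625, ip="203.0.113.77", user="administrator", logon_type=3),
    _e("2024-03-01T02:00:11", 4625, ip="203.0.113.77", user="administrator", logon_type=3),
    _e("2024-03-01T02:00:14", 4624, ip="203.0.113.77", user="administrator", logon_type=10),
    # Benign: one mistyped password, then a successful RDP logon.
    _e("2024-03-01T08:15:00", 4625, ip="10.0.0.23", user="jsmith", logon_type=3),
    _e("2024-03-01T08:15:09", 4624, ip="10.0.0.23", user="jsmith", logon_type=10),
    # Process creation: two deletions on a file server, one harmless listing.
    _e("2024-03-01T02:40:00", 4688, host="FS01", user="administrator",
       cmdline=r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    _e("2024-03-01T02:40:02", 4688, host="FS01", user="administrator",
       cmdline="wmic shadowcopy delete"),
    _e("2024-03-01T09:00:00", 4688, host="WS12", user="jsmith",
       cmdline="vssadmin list shadows"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return [(source_ip, failures_in_window, user_that_succeeded), ...].

    Only logon events with an RDP-related logon type are considered. Failures
    older than `window` are discarded before each decision, so a slow trickle
    of typos never accumulates into an alert.
    """
    alerts = []
    failures = defaultdict(list)  # source ip -> timestamps of recent 4625s
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] not in (4624, 4625) or ev.get("logon_type") not in RDP_LOGON_TYPES:
            continue
        ip = ev["ip"]
        failures[ip] = [t for t in failures[ip] if ev["time"] - t <= window]
        if ev["event_id"] == 4625:
            failures[ip].append(ev["time"])
        elif len(failures[ip]) >= threshold:
            alerts.append((ip, len(failures[ip]), ev["user"]))
            failures[ip].clear()  # one alert per burst
    return alerts


def detect_shadow_copy_deletion(events):
    """Return [(host, user, command_line), ...] for 4688 events whose
    command line matches a shadow copy deletion pattern."""
    return [
        (ev["host"], ev["user"], ev["cmdline"])
        for ev in events
        if ev["event_id"] == 4688 and SHADOW_DELETE.search(ev.get("cmdline", ""))
    ]


if __name__ == "__main__":
    for ip, n, user in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"RDP brute force: {n} failures from {ip}, then success as {user}")
    for host, user, cmd in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"Shadow copy deletion on {host} by {user}: {cmd}")
```

Against the sample data the brute-force detector fires once, for the external address with six failures followed by a successful logon as administrator, and the benign workstation's single typo stays below threshold; the shadow-copy detector flags the two deletion commands on FS01 and ignores the listing command. In production the same logic would be fed from a SIEM or Windows Event Forwarding, and the shadow-copy rule is most useful when paired with alerting on the exfiltration tools named in the advisory (WinSCP, Mega.io) that typically precede it.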
The disclosure comes as Bitdefender detailed a meticulously coordinated ransomware attack impacting two separate companies at the same time. The attack, described as synchronized and multifaceted, has been attributed to a ransomware actor called CACTUS.

"CACTUS continued infiltrating the network of one organization, implanting various types of remote access tools and tunnels across different servers," Martin Zugec, technical solutions director at Bitdefender, said in a report published last week.

"When they identified an opportunity to move to another company, they momentarily paused their operation to infiltrate the other network. Both companies are part of the same group, but operate independently, maintaining separate networks and domains without any established trust relationship."

The attack is also notable for the targeting of the unnamed company's virtualization infrastructure, indicating that CACTUS actors have broadened their focus beyond Windows hosts to strike Hyper-V and VMware ESXi hosts.

It also leveraged a critical security flaw (CVE-2023-38035, CVSS score: 9.8) in an internet-exposed Ivanti Sentry server less than 24 hours after its initial disclosure in August 2023, once again highlighting opportunistic and rapid weaponization of newly published vulnerabilities.

Ransomware continues to be a major money spinner for financially motivated threat actors, with initial ransomware demands reaching a median of $600,000 in 2023, a 20% jump from the previous year, according to Arctic Wolf. As of Q4 2023, the average ransom payment stands at $568,705 per victim.

What's more, paying a ransom demand does not amount to future protection. There is no guarantee that a victim's data and systems will be safely recovered and that the attackers won't sell the stolen data on underground forums or attack them again.

Data shared by cybersecurity company Cybereason shows that "a staggering 78% [of organizations] were attacked again after paying the ransom – 82% of them within a year," in some cases by the same threat actor. Of these victims, 63% were "asked to pay more the second time."

References

[1]https://thehackernews.com/2024/03/phobos-ransomware-aggressively.html


Originally published on the WeChat public account 知机安全: U.S. Critical Infrastructure Hit by Phobos Ransomware

Reposted by CN-SEC中文网 (keep this link when republishing): https://cn-sec.com/archives/2547894.html