Microsoft's threat intelligence division on Wednesday assessed that a subgroup of the Iranian threat actor tracked as Phosphorus is conducting ransomware attacks as a "form of moonlighting" for personal gain.
"DEV-0270 leverages exploits for high-severity vulnerabilities to gain access to devices and is known for the early adoption of newly disclosed vulnerabilities," Microsoft said.
The use of BitLocker and DiskCryptor by Iranian actors for opportunistic ransomware attacks came to light earlier this May, when Secureworks disclosed a set of intrusions mounted by a threat group it tracks under the name Cobalt Mirage with ties to Phosphorus and TunnelVision.
DEV-0270 is known to scan the internet to find servers and devices susceptible to flaws in Microsoft Exchange Server, Fortinet FortiGate SSL-VPN, and Apache Log4j for obtaining initial access, followed by network reconnaissance and credential theft activities.
DEV-0270 then escalates privileges to the SYSTEM level, which allows it to carry out post-exploitation actions such as disabling Microsoft Defender Antivirus to evade detection, moving laterally, and encrypting files.
"The threat group commonly uses native WMI, net, CMD, and PowerShell commands and registry configurations to maintain stealth and operational security," Microsoft said.
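The activity described above (privilege escalation to SYSTEM, then turning off Microsoft Defender Antivirus through registry policy values and native commands) leaves a recognisable trace in Windows event logs. The following is an added detection example, not code from the article or from Microsoft: it flags Defender-tampering indicators in a stream of normalised event records and raises the severity when several indicators land on one host within a short window. The event IDs (Defender operational events 5001/5010/5012, Security event 4657 for a modified registry value) and the policy value names under `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender` are real Windows identifiers; the record schema (`time`, `host`, `channel`, `event_id`, `object`, `value_name`, `new_value`, `user`) is an assumed SIEM normalisation, and the sample events are constructed for the demonstration.

```python
"""Flag Microsoft Defender Antivirus tampering in normalised Windows event records.

Added example, not from the article or from Microsoft. Event IDs and registry
value names are real Windows identifiers; the record schema is an assumed SIEM
normalisation and the sample events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Microsoft-Windows-Windows Defender/Operational events that signal protection
# being switched off (real event IDs; descriptions paraphrased).
DEFENDER_DISABLE_EVENTS = {
    5001: "real-time protection disabled",
    5010: "antimalware scanning disabled",
    5012: "antivirus protection disabled",
}

# Policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender that a
# SYSTEM-level intruder can set to 1 to disable Defender (real value names).
TAMPER_REGISTRY_VALUES = {
    "DisableAntiSpyware",
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
}

DEFENDER_POLICY_KEY = "Policies\\Microsoft\\Windows Defender"

# Constructed sample records (not real telemetry): one host shows a registry
# policy change immediately followed by a Defender "disabled" event; the other
# host only has a benign scan-finished event and an unrelated registry write.
SAMPLE_EVENTS = [
    {"time": "2022-09-07T10:01:00", "host": "srv-exch01", "channel": "Security",
     "event_id": 4657, "user": "NT AUTHORITY\\SYSTEM",
     "object": r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender",
     "value_name": "DisableAntiSpyware", "new_value": "1"},
    {"time": "2022-09-07T10:01:05", "host": "srv-exch01",
     "channel": "Microsoft-Windows-Windows Defender/Operational",
     "event_id": 5001, "user": "NT AUTHORITY\\SYSTEM"},
    {"time": "2022-09-07T11:30:00", "host": "wks-042",
     "channel": "Microsoft-Windows-Windows Defender/Operational",
     "event_id": 1001, "user": "CORP\\alice"},  # scan finished: benign
    {"time": "2022-09-07T12:00:00", "host": "wks-042", "channel": "Security",
     "event_id": 4657, "user": "CORP\\alice",
     "object": r"\REGISTRY\MACHINE\SOFTWARE\Contoso\App",
     "value_name": "Verbose", "new_value": "1"},
]


def classify(event):
    """Return a reason string if this single record is a Defender-tampering
    indicator, otherwise None."""
    eid = event.get("event_id")
    channel = event.get("channel", "")
    if channel.startswith("Microsoft-Windows-Windows Defender") and eid in DEFENDER_DISABLE_EVENTS:
        return f"Defender event {eid}: {DEFENDER_DISABLE_EVENTS[eid]}"
    if channel == "Security" and eid == 4657:
        # 4657 = "A registry value was modified" (needs object-access auditing enabled)
        if (DEFENDER_POLICY_KEY in event.get("object", "")
                and event.get("value_name") in TAMPER_REGISTRY_VALUES
                and event.get("new_value") == "1"):
            return f"registry value {event['value_name']} set to 1 under Defender policy key"
    return None


def flag_defender_tampering(events, window=timedelta(minutes=10)):
    """Group indicators per host. Two or more indicators on one host within
    `window` is rated 'high'; a single indicator is rated 'medium'."""
    per_host = defaultdict(list)
    for ev in events:
        reason = classify(ev)
        if reason:
            per_host[ev["host"]].append(
                (datetime.fromisoformat(ev["time"]), reason, ev.get("user")))
    findings = []
    for host, hits in sorted(per_host.items()):
        hits.sort()
        span = hits[-1][0] - hits[0][0]
        severity = "high" if len(hits) >= 2 and span <= window else "medium"
        findings.append({
            "host": host,
            "severity": severity,
            "reasons": [reason for _, reason, _ in hits],
            "users": sorted({user for _, _, user in hits if user}),
        })
    return findings


if __name__ == "__main__":
    for finding in flag_defender_tampering(SAMPLE_EVENTS):
        print(finding)
```

The correlation is deliberately per host rather than per event: a lone 5001 can be an administrator testing a policy, whereas a policy-key registry write followed seconds later by Defender reporting itself disabled, both under the SYSTEM account, matches the post-escalation step the article describes and is worth an immediate triage ticket.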
Source: https://thehackernews.com/2022/09/microsoft-warns-of-ransomware-attacks.html