Security News > 2022 > September > Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group

Microsoft's threat intelligence division on Wednesday assessed that a subgroup of the Iranian threat actor tracked as Phosphorus is conducting ransomware attacks as a "Form of moonlighting" for personal gain.
"DEV-0270 leverages exploits for high-severity vulnerabilities to gain access to devices and is known for the early adoption of newly disclosed vulnerabilities," Microsoft said.
The use of BitLocker and DiskCryptor by Iranian actors for opportunistic ransomware attacks came to light earlier this May, when Secureworks disclosed a set of intrusions mounted by a threat group it tracks under the name Cobalt Mirage with ties to Phosphorus and TunnelVision.
DEV-0270 is known to scan the internet to find servers and devices susceptible to flaws in Microsoft Exchange Server, Fortinet FortiGate SSL-VPN, and Apache Log4j for obtaining initial access, followed by network reconnaissance and credential theft activities.
DEV-0270 then escalates privileges to the system level, allowing it to conduct post-exploitation actions such as disabling Microsoft Defender Antivirus to evade detection, lateral movement, and file encryption.
"The threat group commonly uses native WMI, net, CMD, and PowerShell commands and registry configurations to maintain stealth and operational security," Microsoft said.
News URL
https://thehackernews.com/2022/09/microsoft-warns-of-ransomware-attacks.html
Related news
- Microsoft: Hackers steal emails in device code phishing attacks (source)
- Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks (source)
- Microsoft: North Korean hackers join Qilin ransomware gang (source)
- TechRepublic EXCLUSIVE: New Ransomware Attacks are Getting More Personal as Hackers ‘Apply Psychological Pressure” (source)
- Hackers Exploiting SimpleHelp RMM Flaws for Persistent Access and Ransomware (source)
- Microsoft Identifies 3,000 Leaked ASP.NET Keys Enabling Code Injection Attacks (source)
- Hackers exploit Cityworks RCE bug to breach Microsoft IIS servers (source)
- Hacker pleads guilty to SIM swap attack on US SEC X account (source)
- US indicts 8Base ransomware operators for Phobos encryption attacks (source)
- Microsoft Uncovers Sandworm Subgroup's Global Cyber Attacks Spanning 15+ Countries (source)