Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group
Security News, September 2022

Microsoft's threat intelligence division on Wednesday assessed that a subgroup of the Iranian threat actor tracked as Phosphorus, which Microsoft designates DEV-0270, is conducting ransomware attacks as a "form of moonlighting" for personal gain.
"DEV-0270 leverages exploits for high-severity vulnerabilities to gain access to devices and is known for the early adoption of newly disclosed vulnerabilities," Microsoft said.
Rather than deploying custom ransomware, DEV-0270 encrypts victims' drives with BitLocker, the full-volume encryption feature built into Windows, and with DiskCryptor, an open-source disk encryption tool. The use of these two tools by Iranian actors for opportunistic ransomware attacks had already come to light in May 2022, when Secureworks disclosed a set of intrusions mounted by a threat group it tracks as Cobalt Mirage, which has ties to Phosphorus and TunnelVision.
To obtain initial access, DEV-0270 scans the internet for servers and devices exposed to known flaws in Microsoft Exchange Server, Fortinet FortiGate SSL-VPN appliances, and Apache Log4j, and follows a successful exploit with network reconnaissance and credential theft.
DEV-0270 then escalates privileges to the SYSTEM level, which lets it carry out post-exploitation actions such as disabling Microsoft Defender Antivirus to evade detection, moving laterally, and encrypting files.
"The threat group commonly uses native WMI, net, CMD, and PowerShell commands and registry configurations to maintain stealth and operational security," Microsoft said.
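The chain described above, native Windows tooling used to switch off Defender followed by encryption with built-in tools, is what a detection engineer would hunt for in process-creation telemetry. The following is an added example, not code from Microsoft, The Hacker News, or the report they summarize. It runs a few regex rules over constructed, simplified process-creation records (the "timestamp|host|user|parent|command_line" format and every sample line are invented for this illustration, and the command patterns are generic indicators, not commands reproduced from Microsoft's report) and then correlates Defender tampering followed by BitLocker enablement on the same host, which is a stronger signal than either event alone.

```python
"""Hunt for DEV-0270-style tradecraft in process-creation records.

Added example, not code from Microsoft or The Hacker News. The record format
(timestamp|host|user|parent_image|command_line) and all sample lines below are
constructed for this illustration; the regexes are generic indicators, not
commands taken from Microsoft's report.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    timestamp: str   # assumed ISO 8601 UTC, so string order equals time order
    host: str
    user: str
    parent: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    rule: str
    command_line: str


# Generic indicators for the behaviours the article describes. Each pattern is
# case-insensitive and tolerant of quoting, .exe suffixes and extra whitespace.
RULES = {
    # PowerShell turning off Defender real-time protection
    "defender_realtime_off": re.compile(
        r"Set-MpPreference\b.*?-DisableRealtimeMonitoring\s+\$?(?:true|1)\b", re.I),
    # reg.exe writing the policy value that disables Defender entirely
    "defender_policy_disable": re.compile(
        r"\breg(?:\.exe)?\s+add\b.*?Windows Defender.*?\bDisableAnti(?:Spyware|Virus)\b.*?/d\s+1\b",
        re.I),
    # manage-bde turning BitLocker on for a volume (attacker-driven encryption);
    # read-only calls such as "manage-bde -status" deliberately do not match
    "bitlocker_enable": re.compile(r"\bmanage-bde(?:\.exe)?\s+[-/]on\b", re.I),
}

DEFENDER_TAMPER = {"defender_realtime_off", "defender_policy_disable"}
ENCRYPTION = {"bitlocker_enable"}

# Constructed sample telemetry (not real logs).
SAMPLE_LOG = """\
2022-09-07T10:01:12Z|SRV-EXCH01|NT AUTHORITY\\SYSTEM|w3wp.exe|cmd.exe /c whoami
2022-09-07T10:02:40Z|SRV-EXCH01|NT AUTHORITY\\SYSTEM|cmd.exe|powershell.exe -ep bypass -c "Set-MpPreference -DisableRealtimeMonitoring $true"
2022-09-07T10:03:05Z|SRV-EXCH01|NT AUTHORITY\\SYSTEM|cmd.exe|reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2022-09-07T10:15:22Z|SRV-EXCH01|NT AUTHORITY\\SYSTEM|cmd.exe|manage-bde -on D: -pw -UsedSpaceOnly
2022-09-07T11:00:00Z|WS-042|CORP\\jdoe|explorer.exe|manage-bde -status C:
2022-09-07T11:05:00Z|WS-042|CORP\\jdoe|powershell.exe|Get-MpPreference
this line is malformed and must be skipped
"""


def parse_line(line: str) -> Optional[Event]:
    """Parse one pipe-delimited record; return None for malformed lines."""
    parts = line.rstrip("\r\n").split("|", 4)
    if len(parts) != 5 or not parts[0]:
        return None
    return Event(*parts)


def scan_lines(text: str) -> list[Finding]:
    """Apply every rule to every record; one Finding per (record, rule) hit."""
    findings: list[Finding] = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        for rule, pattern in RULES.items():
            if pattern.search(ev.command_line):
                findings.append(Finding(ev.timestamp, ev.host, rule, ev.command_line))
    return findings


def hosts_with_tamper_then_encrypt(findings: list[Finding]) -> set[str]:
    """Hosts on which Defender tampering precedes BitLocker enablement."""
    first_tamper: dict[str, str] = {}
    hits: set[str] = set()
    for f in sorted(findings, key=lambda f: f.timestamp):
        if f.rule in DEFENDER_TAMPER:
            first_tamper.setdefault(f.host, f.timestamp)
        elif f.rule in ENCRYPTION and f.host in first_tamper:
            hits.add(f.host)
    return hits


if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOG)
    for f in found:
        print(f"{f.timestamp} {f.host} {f.rule}: {f.command_line}")
    print("tamper-then-encrypt hosts:", sorted(hosts_with_tamper_then_encrypt(found)))
```

In practice the records would come from Sysmon Event ID 1 or Windows Security Event 4688 command lines rather than the constructed format here. A legitimate BitLocker rollout also produces `manage-bde -on` events, so the per-host correlation with a preceding Defender tamper is what keeps the alert useful; a status query such as `manage-bde -status` on the workstation is intentionally left unflagged.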
News URL
https://thehackernews.com/2022/09/microsoft-warns-of-ransomware-attacks.html