Incidents affecting Hong Kong organisations

In the last two months DarkLab Incident Response and Threat Intelligence teams observed multiple incidents in Hong Kong involving the Phobos ransomware variant.

There is no explicit indications that these incidents are part of a campaign targeting Hong Kong. Rather, they are likely due to Phobos’ prevalence in the cybercriminal underground. Nonetheless, the similarities in observed tactics, techniques and procedures (TTPs), and in the ransomware deployed prompted us to release this alert to help companies improve their timely detection and response to this threat.

Intrusions analysis

Phobos shares many similarities with the Dharma ransomware, and has been sold as  ransomware-as-a-service on the cybercriminal underground since at least December 2018. This means that even low skilled threat actors can rent the malware from its developers and spread it via whatever means they have access to. 

According to our DarkLab’s incident investigations, exploitation of remote desktop protocol (RDP) servers and their credentials are the most common infection vectors. In particular, we observed RDP bruteforcing and exploitation of weak password policies as the most frequent attack vectors. Such TTPs match previously reported instances of Phobos intrusions worldwide.

Once inside the victims’ network, we have seen criminals creating a local account with netplwiz, deploying a malicious network share scanner called 5-NS new.exe, and deleting event logs prior to executing the main payload.

Several hours after the initial intrusion threat actors triggered the ransomware in the form of a malicious executable. Other than encrypting the files, the ransomware also tampered with infected hosts to disable the firewall and other security configurations.

Conclusion

Attackers did not employ particularly sophisticated tradecraft and PwC was able to help clients contain the incidents quickly. Nonetheless, the intrusions impaired systems availability and created operational disruption among victim companies. This can be particularly damaging when most organisations’ staff connect remotely to the corporate network due to the COVID-19 pandemic.

Recommendations

To protect against ransomware incidents via RDP exploitation, DarkLab recommends companies to:

• Ensure visibility over public-facing RDP servers via external scans
• Limit exposure of public-facing systems whenever possible
• Enforce use of multi-factor authentication for remote access, particularly RDP
• Ensure your organisation has and follows an effective back-up policy

File Name	MD5	Description
20.09.2019Taskmgr.exe	b8351ba02dbce02292a01a6e85112e2b	Phobos ransomware
Mouse Lock_v22.exe	fc9c80e1767e1266056b1b2c89a74ce5	Blocks mouse cursor on screen
5-NS new.exe	597de376b1f80c06d501415dd973dcec	Network shares scanner

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.