Incidents affecting Hong Kong organisations
In the last two months DarkLab Incident Response and Threat Intelligence teams observed multiple incidents in Hong Kong involving the Phobos ransomware variant.
There is no explicit indications that these incidents are part of a campaign targeting Hong Kong. Rather, they are likely due to Phobos’ prevalence in the cybercriminal underground. Nonetheless, the similarities in observed tactics, techniques and procedures (TTPs), and in the ransomware deployed prompted us to release this alert to help companies improve their timely detection and response to this threat.
Phobos shares many similarities with the Dharma ransomware, and has been sold as ransomware-as-a-service on the cybercriminal underground since at least December 2018. This means that even low skilled threat actors can rent the malware from its developers and spread it via whatever means they have access to.
According to our DarkLab’s incident investigations, exploitation of remote desktop protocol (RDP) servers and their credentials are the most common infection vectors. In particular, we observed RDP bruteforcing and exploitation of weak password policies as the most frequent attack vectors. Such TTPs match previously reported instances of Phobos intrusions worldwide.
Once inside the victims’ network, we have seen criminals creating a local account with netplwiz, deploying a malicious network share scanner called 5-NS new.exe, and deleting event logs prior to executing the main payload.
Several hours after the initial intrusion threat actors triggered the ransomware in the form of a malicious executable. Other than encrypting the files, the ransomware also tampered with infected hosts to disable the firewall and other security configurations.
Attackers did not employ particularly sophisticated tradecraft and PwC was able to help clients contain the incidents quickly. Nonetheless, the intrusions impaired systems availability and created operational disruption among victim companies. This can be particularly damaging when most organisations’ staff connect remotely to the corporate network due to the COVID-19 pandemic.
To protect against ransomware incidents via RDP exploitation, DarkLab recommends companies to:
- Ensure visibility over public-facing RDP servers via external scans
- Limit exposure of public-facing systems whenever possible
- Enforce use of multi-factor authentication for remote access, particularly RDP
- Ensure your organisation has and follows an effective back-up policy
|Mouse Lock_v22.exe||fc9c80e1767e1266056b1b2c89a74ce5||Blocks mouse cursor on screen|
|5-NS new.exe||597de376b1f80c06d501415dd973dcec||Network shares scanner|
Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.