The US Federal Bureau of Investigation (FBI) and the US Cybersecurity and Infrastructure Security Agency (CISA) have jointly issued a stark warning. The Phobos ransomware-as-a-service (RaaS) model is now being widely used by threat actors of all kinds to attack a wide variety of critical infrastructure across America.
“Since May 2019, Phobos ransomware targeted municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities,” says the joint cybersecurity advisory document.
Phobos RaaS is particularly dangerous because it is off-the-shelf software that even relatively unskilled threat actors can deploy in conjunction with other open-source tools such as SmokeLoader, Cobalt Strike, and BloodHound. These tools are all widely accessible and easy to use in various operating environments, making Phobos the obvious go-to choice for a wide variety of threat actors.
Threat actors using Phobos RaaS typically gain initial access to vulnerable networks through phishing campaigns that deliver hidden payloads. According to the advisory, they also send innocent-looking email attachments embedded with hidden payloads such as SmokeLoader, a backdoor trojan often used in conjunction with Phobos RaaS. Once the SmokeLoader payload has been downloaded onto the victim’s system, the threat actors use the malware’s functionality to download the Phobos payload and exfiltrate data from the victim organization’s network, which by then has been fully compromised.
Fake voice calls used to initiate attacks
While most attacks are conducted via malicious emails, the FBI and CISA also report that some cybercriminal groups have been using voice calls to initiate attacks on US critical infrastructure. This trend is particularly concerning because threat actors are becoming increasingly adept at producing deepfake voice calls. Widely available deepfake software now enables attackers to make calls that mimic the voices of key personnel within the target organization.
This could, for example, take the form of a call to an employee that purports to come from a trusted colleague or a senior member of staff. There are also recent cases, not referred to in the advisory, in which threat actors used not only deepfake voice but also deepfake video: staff members were duped by highly convincing video conferences in which they believed they were in contact with their colleagues and superiors.
The advisory also details the steps that organizations should now take to protect themselves against threat actors using Phobos RaaS. These include implementing a recovery plan that retains and maintains multiple backup copies of sensitive proprietary data and servers in physically separate locations such as the cloud, hard drives, and other storage devices. This data should be backed up and stored regularly, preferably on at least a daily basis.