Latest Update12/12/2024

Threats Feed

  1. Public

    Stealth in the System: PHOSPHORUS Exploits Exchange Server in Infrastructure Sector Attack

    Deep Instinct researchers detected suspicious activity in a Southern U.S. infrastructure and construction company, revealing an attempted compromise of an Exchange server by an Iranian APT, PHOSPHORUS. Seven exploitation attempts were made, including installation of a root certificate and blending malicious traffic with legitimate. The attacker used malware to create a new user account, setup RDP access, and establish a reverse proxy to connect to the compromised system. A new evasion technique, involving masking malicious domains within legitimate ones, was also detected. PHOSPHORUS activities can be traced back to June 2020.

    read more about Stealth in the System: PHOSPHORUS Exploits Exchange Server in Infrastructure Sector Attack
  2. Public

    PowerLess Backdoor: Analyzing the Phosphorus Group's Cyber Espionage Tool

    Iranian APT group Phosphorus has developed a new PowerShell backdoor, dubbed PowerLess Backdoor, for espionage purposes. Cybereason researchers discovered the backdoor while investigating the group's exploitation of the ProxyShell vulnerability. The backdoor allows for downloading additional payloads, evasive PowerShell execution, and encrypted communication with the command and control server. Connections were also found between the Phosphorus group and the Memento Ransomware.

    read more about PowerLess Backdoor: Analyzing the Phosphorus Group's Cyber Espionage Tool
  3. Public

    Automated Scripts Used in Microsoft Exchange ProxyShell Attack By PHOSPHORUS

    In December 2021, PHOSPHORUS exploited the Microsoft Exchange ProxyShell vulnerabilities, using web shells to gain initial access and execute code. The attack closely resembled their previous attacks and due to previous reports and OSINT research, DFIR believes with medium to high confidence that this intrusion would have ended in ransomware. The attackers established persistence through scheduled tasks and a newly created account, and after enumerating the environment, disabled LSA protection and dumped LSASS process memory. The entire attack was likely scripted out, as evidenced by the user agent strings and the similarity between commands.

    read more about Automated Scripts Used in Microsoft Exchange ProxyShell Attack By PHOSPHORUS
  4. Public

    Phosphorus Targets Munich Security Conference and T20 Summit Attendees

    The Iranian threat actor Phosphorus targeted potential attendees of the Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia through a series of cyberattacks. The attackers sent spoofed email invitations to former government officials, policy experts, academics, and leaders from non-governmental organizations. Their goal was intelligence collection, and they successfully compromised several high-profile individuals' accounts.

    read more about Phosphorus Targets Munich Security Conference and T20 Summit Attendees