😡 OpenBLD.net - Phobos Ransomware Attack Mitigations

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA, to disseminate known TTPs and IOCs associated with the Phobos ransomware variants observed as recently as February 2024...

Phobos actors run executables like 1saas.exe or cmd.exe to deploy additional Phobos payloads that have elevated privileges enabled. Additionally, Phobos actors can use the previous commands to perform various windows shell functions. The Windows command shell enables threat actors to control various aspects of a system, with multiple permission levels required for different subsets of commands.

How to mitigate risks:
- Secure RDP
- Reduce administratiove provigese scoping
- Use OpenBLD.net or similar services

Technical details on CISA site:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a

📢 Integration of OpenBLD.net with URLhaus by abuse.ch

URLhaus is a project operated by abuse.ch. Its purpose is to collect, track, and share malware URLs, aiding network administrators and security analysts in safeguarding their networks and customers from cyber threats.

Now, you can check the malicious domain ownership with OpenBLD.net alongside Quad9, AdGuard, Cloudflare, ProtonDNS on abuse.ch.

In addition, you can incorporate abuse.ch lists into your security solutions, just as OpenBLD.net does.

You can check this as example on:
🔹 https://urlhaus.abuse.ch/host/dukeenergyltd.top

Here's to security for us all. Cheers!)