- Microsoft warns organizations about a new emerging threat from Iran: DEV-0270, also known as Nemesis Kitten, a sub-group of PHOSPHORUS.
- According to Microsoft’s claims, the group is conducting widespread vulnerability scanning on behalf of the government of Iran.
- The group is known for the early adoption of newly disclosed vulnerabilities to gain access to devices.
Microsoft announced that its threat intelligence team has been tracking multiple ransomware campaigns and found that these campaigns are related to DEV-0270. The group, also known as Nemesis Kitten, is a sub-division of PHOSPHORUS. According to Microsoft’s report, the group is conducting widespread vulnerability scanning on behalf of the Iranian government.
Nemesis Kitten
The group is using exploits for known vulnerabilities to gain access to devices, mostly benefiting from newly disclosed vulnerabilities. The group is also using living-off-the-land binaries during the attack chain for discovery and credential access. In some cases, the time to ransom between initial access and the ransom note was approximately two days.
The group demands $8,000 for decryption keys. If the victim refuses to pay the ransom, the group posts the stolen data for sale as an SQL database dump. Microsoft states that the group is operated by a company that functions under two public aliases: Secnerd and Lifeweb. There are multiple infrastructure overlaps between the group and Secnerd/Lifeweb. The organizations are also linked to Najee Technology Hooshmand, located in Karaj, Iran.
In most instances, the group gained access by exploiting known vulnerabilities in Exchange or Fortinet (CVE-2018-13379). The Iranian group also tried to exploit Log4j 2 vulnerabilities but didn’t use them against customers to deploy ransomware. Microsoft also stated that the techniques used by DEV-0270 can be mitigated through the following actions:
- Apply the corresponding security updates for Exchange Server, including applicable fixes for CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065. While it is important to prioritize patching of internet-facing Exchange servers to mitigate risk in an ordered manner, unpatched internal Exchange Server instances should also be addressed as soon as possible.
- Use Microsoft Defender Firewall, intrusion prevention devices, and your network firewall to prevent RPC and SMB communication among devices whenever possible. This limits lateral movement and other attack activities.
- Check your perimeter firewall and proxy to restrict or prevent network appliances like Fortinet SSL VPN devices from making arbitrary connections to the internet to browse or download files.
- Enforce strong local administrator passwords. Use tools like LAPS.
- Ensure that Microsoft Defender Antivirus is up to date and that real-time behavior monitoring is enabled.
- Keep backups so you can recover data affected by destructive attacks. Use controlled folder access to prevent unauthorized applications from modifying protected files.
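One way to audit a Windows host against several of the mitigations listed above, as an added example (not taken from Microsoft's report or the original article). The function name `Test-Dev0270Mitigations` and the two-day signature-age threshold are assumptions; the cmdlets come from the built-in Defender and NetSecurity modules.

```powershell
# Added example: checks Defender state, controlled folder access, firewall
# profiles, and inbound SMB/RPC allow rules on the local host.
# Run from an elevated PowerShell session on Windows 10/11 or Server 2016+.
function Test-Dev0270Mitigations {
    [CmdletBinding()]
    param([int]$MaxSignatureAgeDays = 2)   # assumed threshold, tune to your policy

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Check, $Ok, $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Ok; Detail = $Detail })
    }

    # Defender Antivirus: real-time protection, behavior monitoring, signature age
    $mp = Get-MpComputerStatus -ErrorAction Stop
    Add-Finding 'Defender real-time protection' $mp.RealTimeProtectionEnabled `
        "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
    Add-Finding 'Defender behavior monitoring' $mp.BehaviorMonitorEnabled `
        "BehaviorMonitorEnabled=$($mp.BehaviorMonitorEnabled)"
    Add-Finding 'Defender signatures current' ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays) `
        "AntivirusSignatureAge=$($mp.AntivirusSignatureAge) day(s)"

    # Controlled folder access: 0 = disabled, 1 = enabled, 2 = audit only
    $cfa = (Get-MpPreference -ErrorAction Stop).EnableControlledFolderAccess
    Add-Finding 'Controlled folder access' ($cfa -eq 1) "EnableControlledFolderAccess=$cfa"

    # Microsoft Defender Firewall must be on for every profile
    foreach ($p in Get-NetFirewallProfile) {
        Add-Finding "Firewall profile $($p.Name)" ($p.Enabled -eq 'True') "Enabled=$($p.Enabled)"
    }

    # Enabled inbound allow rules that expose SMB (445) or the RPC endpoint
    # mapper (135); each one is a candidate for removal or scoping.
    $open = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Get-NetFirewallPortFilter |
        Where-Object {
            $_.Protocol -eq 'TCP' -and
            ($_.LocalPort -contains '445' -or $_.LocalPort -contains '135' -or
             $_.LocalPort -contains 'RPCEPMap')
        }
    $count = @($open).Count
    Add-Finding 'No inbound SMB/RPC allow rules' ($count -eq 0) "$count enabled allow rule(s) found"

    return $findings
}

Test-Dev0270Mitigations | Format-Table -AutoSize
```

Rows with `Pass = False` point at the mitigation to revisit; the SMB/RPC check only counts local firewall rules and does not replace a review of network firewall and intrusion prevention policy.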
Microsoft’s threat intelligence team said,
« DEV-0270 has been seen using setup.bat commands to enable BitLocker encryption, which leads to the hosts becoming inoperable. For workstations, the group uses DiskCryptor, an open-source full disk encryption system for Windows that allows for the encryption of a device’s entire hard drive. The group drops DiskCryptor from an RDP session and when it is launched, begins the encryption. This method does require a reboot to install and another reboot to lock out access to the workstation.
Microsoft will continue to monitor DEV-0270 and PHOSPHORUS activity and implement protections for our customers. The current detections, advanced detections, and IOCs in place across our security products. »