Microsoft reports that an Iranian state-sponsored threat group tracked as DEV-0270 (also known as Nemesis Kitten) has been abusing BitLocker, a built-in Windows feature, to encrypt victims' systems.
According to Redmond's threat intelligence teams, the group frequently uses living-off-the-land binaries (LOLBINs) in its attacks and is quick to exploit newly disclosed security flaws.
This is consistent with Microsoft’s discovery that DEV-0270 makes use of BitLocker, a data security feature that offers full volume encryption on hardware running Windows 10, Windows 11, or Windows Server 2016 and above.
According to Microsoft Security Threat Intelligence, “DEV-0270 has been spotted using setup.bat commands to enable BitLocker encryption, which results in the hosts becoming unusable.”
On workstations the group instead uses DiskCryptor, an open-source full disk encryption tool for Windows that can encrypt an entire device's hard drive.
The time to ransom (TTR), measured from initial access to the deployment of the ransom note on locked systems, was approximately two days, and DEV-0270 has been seen demanding $8,000 from victims for decryption keys after successful attacks.
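An added defender-side check, not from the article or from Microsoft: it lists BitLocker-protected volumes that carry no recovery password protector (encryption switched on by an intruder from a batch script is unlikely to have a key escrowed by the organisation) and looks for a DiskCryptor installation in the Uninstall registry keys. It assumes the BitLocker PowerShell module is present, so it applies to the Windows 10/11 and Server 2016+ hosts named above.

```powershell
# Added audit script (not part of the article). Assumes the BitLocker module
# that provides Get-BitLockerVolume is installed; run elevated.
#Requires -RunAsAdministrator

function Get-SuspiciousBitLockerVolumes {
    # A volume the organisation encrypted normally has a RecoveryPassword
    # protector whose value was escrowed; flag protected volumes without one.
    Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' } | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        if ($types -notcontains 'RecoveryPassword') {
            [pscustomobject]@{
                MountPoint    = $_.MountPoint
                VolumeStatus  = $_.VolumeStatus
                EncryptionPct = $_.EncryptionPercentage
                KeyProtectors = ($types -join ',')
                Finding       = 'BitLocker on without a recovery password protector'
            }
        }
    }
}

function Get-DiskCryptorInstall {
    # DiskCryptor registers like any other installed program, so its DisplayName
    # shows up under the standard Uninstall keys (32- and 64-bit views).
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*DiskCryptor*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

$bl = @(Get-SuspiciousBitLockerVolumes)
$dc = @(Get-DiskCryptorInstall)
if ($bl.Count -eq 0 -and $dc.Count -eq 0) {
    Write-Output 'No unmanaged BitLocker volumes or DiskCryptor installs found.'
}
$bl | Format-Table -AutoSize
$dc | Format-Table -AutoSize
```

Because a volume in a TTR window of roughly two days may still be mid-encryption, the EncryptionPct column is worth watching as well as the protector list.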
Working a Second Job for Money
According to Redmond, this is a division of the Iranian-backed Phosphorus cyberspying organization (also known as Charming Kitten and APT35), which targets and gathers intelligence from prominent targets connected to international governments, non-governmental organizations, and defense organizations.
According to a low confidence assessment from Microsoft, DEV-0270 appears to be working extra hours “for personal or company-specific revenue creation.”
According to Microsoft, based on “many infrastructure overlaps”, the group is run by an Iranian organization operating under the identities Secnerd (secnerd[.]ir) and Life web (lifeweb[.]it).
“These groups are also connected to Najee Technology Hooshmand, which is based in Karaj, Iran,” Redmond continued.
“The gang often targets enterprises at opportune times: the actor scans the internet to uncover vulnerable servers and devices, putting organizations with vulnerable and discoverable servers and devices open to these attacks.”
Companies are advised to patch their Internet-facing servers to block exploitation attempts and the ransomware attacks that follow, because many of DEV-0270’s attacks have exploited known vulnerabilities in Fortinet (CVE-2018-13379) and Exchange (ProxyLogon).
In May, SecureWorks’ Counter Threat Unit (CTU) identified similar malicious activities connected to a threat group it monitors known as COBALT MIRAGE (with components that overlap the Phosphorus APT group).