Iran-linked DEV-0270 group abuses BitLocker to encrypt victims’ devices

Iran-linked APT group DEV-0270 (aka Nemesis Kitten) is abusing the BitLocker Windows feature to encrypt victims’ devices.

Microsoft Security Threat Intelligence researchers reported that Iran-linked APT group DEV-0270 (Nemesis Kitten) has been abusing the BitLocker Windows feature to encrypt victims’ devices.

The researchers tracked multiple ransomware attacks conducted by the DEV-0270 group, which is a unit of the Iranian actor PHOSPHORUS.

The DEV-0270 group exploits high-severity vulnerabilities to gain initial access to devices, it also extensively uses living-off-the-land binaries (LOLBINs) to harvest credentials. The experts observed the abuse of the built-in BitLocker tool to encrypt files on compromised devices.

“In many of the observed DEV-0270 instances, the actor gained access by exploiting known vulnerabilities in Exchange or Fortinet (CVE-2018-13379). For Exchange, the most prevalent exploit has been ProxyLogon—this highlights the need to patch high-severity vulnerabilities in internet-facing devices, as the group has continued to successfully exploit these vulnerabilities even recently, well after updates supplied the fixes.” reads the analysis published by Microsoft. “While there have been indications that DEV-0270 attempted to exploit Log4j 2 vulnerabilities, Microsoft has not observed this activity used against customers to deploy ransomware.”

DEV-0270 usually obtains initial access to administrator or system-level privileges by injecting a web shell into a privileged process on a vulnerable web server, in the alternative, it creates or activates a user account to provide it with administrator privileges.

In some attacks, the time between initial access and the ransom note (aka time to ransom or TTR) was around two days. The group demands USD 8,000 for decryption keys, and in case the victims refuse to pay the ransom, it attempts to monetize its efforts by selling the stolen data.

To maintain persistence in a compromised network, the DEV-0270 APT group adds or creates a new user account (i.e. DefaultAccount with a password of P@ssw0rd1234). The the attackers modify the registry to allow remote desktop (RDP) connections for the device, adds a rule in the firewall to allow RDP connections, and add the user to the remote desktop users group. The threat actors use scheduled tasks to maintain access to a device.

“DEV-0270 has been seen using setup.bat commands to enable BitLocker encryption, which leads to the hosts becoming inoperable. For workstations, the group uses DiskCryptor, an open-source full disk encryption system for Windows that allows for the encryption of a device’s entire hard drive.” continues the report. “The group drops DiskCryptor from an RDP session and when it is launched, begins the encryption. This method does require a reboot to install and another reboot to lock out access to the workstation.”

Microsoft also provided details about DEV-0270, the group appears to be operated by a company that tracked with two public aliases, Secnerd (secnerd[.]ir) and Lifeweb (lifeweb[.]ir). The researchers observed multiple infrastructure overlaps between DEV-0270 and the two companies. both companies are also linked to Najee Technology Hooshmand (ناجی تکنولوژی هوشمند), located in Karaj, Iran.

The group is typically opportunistic in its targeting, it scans the internet to find vulnerable servers and devices.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, PHOSPHORUS)

[adrotate banner=”5″]

[adrotate banner=”13″]