Iran-linked DEV-0270 group abuses BitLocker to encrypt victims’ devices

Iran-linked APT group DEV-0270 (aka Nemesis Kitten) is abusing the BitLocker Windows feature to encrypt victims’ devices.

Microsoft Security Threat Intelligence researchers reported that Iran-linked APT group DEV-0270 (Nemesis Kitten) has been abusing the BitLocker Windows feature to encrypt victims’ devices.

The researchers tracked multiple ransomware attacks conducted by the DEV-0270 group, which is a unit of the Iranian actor PHOSPHORUS.

The DEV-0270 group exploits high-severity vulnerabilities to gain initial access to devices, it also extensively uses living-off-the-land binaries (LOLBINs) to harvest credentials. The experts observed the abuse of the built-in BitLocker tool to encrypt files on compromised devices.

“In many of the observed DEV-0270 instances, the actor gained access by exploiting known vulnerabilities in Exchange or Fortinet (CVE-2018-13379). For Exchange, the most prevalent exploit has been ProxyLogon—this highlights the need to patch high-severity vulnerabilities in internet-facing devices, as the group has continued to successfully exploit these vulnerabilities even recently, well after updates supplied the fixes.” reads the analysis published by Microsoft. “While there have been indications that DEV-0270 attempted to exploit Log4j 2 vulnerabilities, Microsoft has not observed this activity used against customers to deploy ransomware.”

DEV-0270 usually obtains initial access to administrator or system-level privileges by injecting a web shell into a privileged process on a vulnerable web server, in the alternative, it creates or activates a user account to provide it with administrator privileges.

In some attacks, the time between initial access and the ransom note (aka time to ransom or TTR) was around two days. The group demands USD 8,000 for decryption keys, and in case the victims refuse to pay the ransom, it attempts to monetize its efforts by selling the stolen data.

To maintain persistence in a compromised network, the DEV-0270 APT group adds or creates a new user account (i.e. DefaultAccount with a password of P@ssw0rd1234). The the attackers modify the registry to allow remote desktop (RDP) connections for the device, adds a rule in the firewall to allow RDP connections, and add the user to the remote desktop users group. The threat actors use scheduled tasks to maintain access to a device.

“DEV-0270 has been seen using setup.bat commands to enable BitLocker encryption, which leads to the hosts becoming inoperable. For workstations, the group uses DiskCryptor, an open-source full disk encryption system for Windows that allows for the encryption of a device’s entire hard drive.” continues the report. “The group drops DiskCryptor from an RDP session and when it is launched, begins the encryption. This method does require a reboot to install and another reboot to lock out access to the workstation.”

Microsoft also provided details about DEV-0270, the group appears to be operated by a company that tracked with two public aliases, Secnerd (secnerd[.]ir) and Lifeweb (lifeweb[.]ir). The researchers observed multiple infrastructure overlaps between DEV-0270 and the two companies. both companies are also linked to Najee Technology Hooshmand (ناجی تکنولوژی هوشمند), located in Karaj, Iran.

The group is typically opportunistic in its targeting, it scans the internet to find vulnerable servers and devices.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, PHOSPHORUS)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini: Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This website uses cookies.