Posted on September 11, 2022 at 8:46 PM
Microsoft has revealed that an Iranian state-sponsored threat actor has been encrypting victims’ systems by abusing BitLocker, a feature built into Windows. The group, which Microsoft tracks as DEV-0270 and which is also known as Nemesis Kitten, is quick to exploit recently disclosed security flaws and makes heavy use of living-off-the-land binaries (LOLBINs) in its attacks, according to findings from the company's threat intelligence team in Redmond.
The team also found the group exploiting known vulnerabilities for initial access, although the full extent of the impact on affected systems is not yet clear.
DEV-0270 Requests $8,000 As Ransom
Microsoft’s analysis confirms that DEV-0270 uses BitLocker, a data protection feature that provides full-volume encryption on devices running Windows 10, Windows 11, or Windows Server 2016 and above, to lock up servers.
On workstations the threat actor uses DiskCryptor instead. DiskCryptor is an open-source full disk encryption tool that can encrypt all partitions of a device's hard drive.
According to the report, the time to ransom, from first access to the ransom note being dropped on the affected system, is about two days. After a successful attack, DEV-0270 has been observed demanding a ransom of $8,000 for the decryption keys.
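The security-relevant point of the section above is that BitLocker and DiskCryptor are only ransomware when the attacker, not the owner, holds the key. The following PowerShell audit is an added example, not code from the article or from Microsoft's report: it flags encrypted or encrypting volumes without the protector set a managed rollout would leave behind, lists recent BitLocker API events, looks for process-creation records of the built-in BitLocker tooling (manage-bde.exe, Enable-BitLocker) and of DiskCryptor, and checks for the DiskCryptor driver. The binary and driver names for DiskCryptor, the use of manage-bde/Enable-BitLocker as the LOLBIN path, and the 48-hour lookback (mirroring the roughly two-day time to ransom) are assumptions of this example, and the protector heuristics produce candidates to review, not verdicts; whether a recovery password was actually escrowed has to be checked against AD or Azure AD separately.

```powershell
# Added example, not code from the article or Microsoft's report. Audits a Windows host for
# traces of attacker-initiated BitLocker/DiskCryptor encryption. Assumptions not stated on the
# page: BitLocker is turned on via manage-bde.exe or Enable-BitLocker; DiskCryptor ships as
# dcrypt.exe/dccon.exe with a "dcrypt" kernel driver; Security 4688 auditing (with command
# line logging) is enabled. Run elevated on Windows 10/11 or Server 2016+ (BitLocker module).

function Invoke-BitLockerAbuseAudit {
    [CmdletBinding()]
    param([int]$LookbackHours = 48)   # ~2 days, the time to ransom cited in the article

    $since    = (Get-Date).AddHours(-$LookbackHours)
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Volume state. A managed deployment normally has a TPM-based protector and escrows the
    #    recovery password; an attacker typically adds only a recovery password they alone hold.
    #    Heuristic: data volumes on servers can legitimately lack a TPM protector, so review hits.
    foreach ($vol in Get-BitLockerVolume) {
        $active = ($vol.ProtectionStatus -eq 'On') -or ($vol.VolumeStatus -like 'Encryption*')
        if (-not $active) { continue }

        $types  = @($vol.KeyProtector | ForEach-Object KeyProtectorType)
        $hasTpm = @($types -match '^Tpm').Count -gt 0
        if ($types.Count -eq 0) {
            $findings.Add("$($vol.MountPoint): $($vol.VolumeStatus) with no key protector (clear key?)")
        }
        elseif (-not $hasTpm) {
            $findings.Add("$($vol.MountPoint): $($vol.VolumeStatus) protected only by [$($types -join ',')], no TPM protector; consistent with manual manage-bde/Enable-BitLocker use")
        }
    }

    # 2. BitLocker API events in the window (encryption started, protectors added, etc.).
    #    Get-WinEvent throws 'No events were found' when nothing matches; that is not a finding.
    try {
        $blEvents = Get-WinEvent -FilterHashtable @{
            ProviderName = 'Microsoft-Windows-BitLocker-API'
            StartTime    = $since
        } -ErrorAction Stop
        foreach ($e in $blEvents) {
            $firstLine = ($e.Message -split "`r?`n")[0]
            $findings.Add("$($e.TimeCreated) BitLocker-API event $($e.Id): $firstLine")
        }
    } catch { }

    # 3. Process creation (Security 4688) mentioning the LOLBIN or DiskCryptor binaries.
    #    Matching message lines rather than property indexes keeps this schema-independent.
    $pattern = 'manage-bde|Enable-BitLocker|Add-BitLockerKeyProtector|dcrypt\.exe|dccon\.exe'
    try {
        $procEvents = Get-WinEvent -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4688
            StartTime = $since
        } -ErrorAction Stop
        foreach ($e in $procEvents) {
            $hits = @(($e.Message -split "`r?`n") | Where-Object { $_ -match $pattern })
            if ($hits.Count -gt 0) {
                $findings.Add("$($e.TimeCreated) process creation: $(($hits | ForEach-Object Trim) -join ' | ')")
            }
        }
    } catch { }

    # 4. DiskCryptor driver presence (driver name is an assumption from the DiskCryptor project).
    $drivers = Get-CimInstance Win32_SystemDriver -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -match 'dcrypt' -or $_.PathName -match 'dcrypt' }
    foreach ($d in $drivers) {
        $findings.Add("DiskCryptor driver present: $($d.Name) ($($d.State)) $($d.PathName)")
    }

    return $findings
}

# Usage (elevated session):
$result = Invoke-BitLockerAbuseAudit -LookbackHours 48
if ($result.Count -eq 0) { 'No BitLocker/DiskCryptor indicators in the lookback window.' }
else { $result | ForEach-Object { Write-Warning $_ } }
```

Run it from an EDR or scheduled task on servers you do not expect to be encrypting themselves; a hit in step 1 or 3 on a machine that is not part of a planned BitLocker rollout deserves the same response as any other ransomware precursor, because once the volume is fully encrypted and the recovery password is gone, the only path back is the attacker's key or a backup.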
DEV-0270 Is A Sub-Group Of Iranian Group Charming Kitten
According to Redmond, DEV-0270 is a sub-group of the Iranian-backed Phosphorus cyber syndicate, also known as APT35 and Charming Kitten. The parent group is notorious for gathering intelligence from high-profile victims such as defense organizations, NGOs, and governments.
Microsoft assesses that the sub-group appears to be moonlighting for company-specific or personal revenue generation, while possibly also furthering the broader goals of the main Iranian-backed threat actor.
The tech giant noted that several infrastructure overlaps indicate the group is operated by an Iranian company that functions under two public aliases: Lifeweb (lifeweb[.]it) and Secnerd (secnerd[.]ir). Both organizations have also been connected to the Iranian-based Najee Technology Hooshmand.
The Threat Actors Are Exploiting Known Flaws In Fortinet And Exchange
The group has also been described as opportunistic in its targeting. It scans the internet for vulnerable devices and servers, and once it finds an organization with a vulnerable server or network it proceeds to exploitation using its tooling.
The threat actors have been exploiting known vulnerabilities in Fortinet SSL VPNs (CVE-2018-13379) and Microsoft Exchange (ProxyLogon). Organizations have accordingly been advised to apply the available patches, and to patch internet-facing servers as soon as possible, since both flaws are well-documented initial-access routes that can end in ransomware deployment.
Earlier in May this year, Secureworks’ Counter Threat Unit (CTU) reported similar activity from a threat group it tracks as COBALT MIRAGE. According to the researchers, that group shares elements with the Phosphorus APT group.
Another Iranian Group Exploits Unpatched Log4j 2 Bugs
Last month, Iranian hackers were seen exploiting unpatched Log4j 2 vulnerabilities to target Israeli organizations.
Microsoft attributed the exploit to the umbrella threat group tracked as MuddyWater, also known as Static Kitten, Seedworm, Mercury, and Cobalt Ulster. Microsoft said the threat group is linked to the Iranian Ministry of Intelligence and Security (MOIS).
The attackers are known to gain initial access through SysAid Server instances left unpatched against Log4Shell (CVE-2021-44228).
Once access is gained, Mercury establishes persistence, dumps credentials, and moves laterally within the targeted organization. The group uses a mix of well-known and custom tools alongside built-in operating system tools for its hands-on-keyboard activity.
After successful exploitation, the group dropped a web shell to execute commands. This let the hackers establish a foothold, conduct reconnaissance, facilitate lateral movement, and steal credentials.
During the intrusions they also used eHorus, a remote monitoring and management (RMM) product, as well as Ligolo, a reverse tunneling tool the adversary favors for reaching back into compromised networks.
The US Cyber Safety Review Board (CSRB) has reported that the critical bug in the open-source Java logging framework is an “endemic” weakness that will continue to affect organizations for years, as threat actors keep refining their exploitation techniques. The board accordingly urged organizations to be more vigilant about their networks and to put stronger protective mechanisms in place against these threat actors.