The Iran-linked APT group DEV-0270 (also tracked as Nemesis Kitten) has been abusing the built-in Windows BitLocker feature to encrypt victims' devices, according to a Microsoft Security Intelligence report.
The researchers tracked multiple attacks conducted by DEV-0270, a unit of the Iranian actor PHOSPHORUS. The group exploits publicly known high-severity vulnerabilities to gain initial access to devices, and it makes extensive use of living-off-the-land binaries (LOLBins) to harvest credentials.
The most frequently exploited vulnerabilities are in Exchange (ProxyLogon) and Fortinet (CVE-2018-13379). Although there have been indications that DEV-0270 attempted to exploit Log4j 2 vulnerabilities, Microsoft has not observed that activity being used against customers to deploy ransomware.
DEV-0270 usually obtains administrator- or SYSTEM-level privileges at initial access by injecting a web shell into a privileged process on a vulnerable web server; alternatively, it creates or enables a user account and grants it administrator privileges.
To maintain persistence in a compromised network, DEV-0270 adds or creates a new user account. The attackers then modify the registry to allow Remote Desktop (RDP) connections to the device, add a firewall rule permitting inbound RDP, and add the new user to the Remote Desktop Users group. The threat actors also use scheduled tasks to maintain access to a device.
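The persistence chain above (new account, RDP enabled in the registry, an RDP firewall rule, a new Remote Desktop Users member, scheduled tasks) is cheap to audit on a single host. The following read-only PowerShell check is an added example written for this article; it is not code from the Microsoft report or from the group's tooling. It assumes the standard RDP registry value (fDenyTSConnections under the Terminal Server key, where 0 means connections are allowed), a 7-day look-back window for Security-log events, and that event 4698 is only present where object-access auditing for scheduled tasks is enabled; none of these specifics come from the page.

```powershell
# Added example, not code from the Microsoft report or from DEV-0270 tooling.
# Read-only audit of one host for the persistence chain described in the article:
# RDP enabled in the registry, a firewall rule allowing RDP, members of
# Remote Desktop Users, recent account/group changes, and non-Microsoft scheduled tasks.
# Run in an elevated PowerShell session.
# Assumptions not stated on the page: the registry value is the standard
# fDenyTSConnections under Terminal Server (0 = connections allowed), and the
# look-back window for Security-log events is 7 days.

$since = (Get-Date).AddDays(-7)

# 1. RDP enabled via the registry
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -eq 0) {
    Write-Output 'RDP: fDenyTSConnections = 0 (connections allowed); confirm this is expected for this host'
}

# 2. Enabled inbound firewall rules that allow TCP 3389 (or any port)
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $rule  = $_
        $port  = $rule | Get-NetFirewallPortFilter
        $ports = @($port.LocalPort)
        if ($port.Protocol -eq 'TCP' -and ($ports -contains '3389' -or $ports -contains 'Any')) {
            Write-Output ("Firewall: inbound allow rule '{0}' (group '{1}') permits TCP {2}" -f `
                $rule.DisplayName, $rule.Group, ($ports -join ','))
        }
    }

# 3. Who can log on over RDP right now
Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Output ("RDP group member: {0} ({1})" -f $_.Name, $_.PrincipalSource) }

# 4. Security-log evidence in the window: 4720 = user account created,
#    4732 = member added to a security-enabled local group,
#    4698 = scheduled task created (only logged if that audit category is enabled)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732, 4698; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $firstLine = ([string]$_.Message -split "`n")[0]
        Write-Output ("Security {0} at {1}: {2}" -f $_.Id, $_.TimeCreated, $firstLine)
    }

# 5. Scheduled tasks outside the Microsoft tree, with what they execute
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.State -ne 'Disabled' } |
    ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { ("{0} {1}" -f $_.Execute, $_.Arguments).Trim() }) -join '; '
        Write-Output ("Task: {0}{1} [{2}] -> {3}" -f $_.TaskPath, $_.TaskName, $_.State, $actions)
    }
```

None of these findings is malicious on its own; RDP and its firewall rule are legitimately enabled on many hosts. The value is in comparing the output against a known-good baseline for the host and in the combination: a freshly created local account that was also added to Remote Desktop Users within the same window as a new non-Microsoft scheduled task is the pattern described above.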
DEV-0270 has been observed using setup.bat commands to enable BitLocker encryption. For workstations, the group uses DiskCryptor, an open-source full-disk encryption tool for Windows that can encrypt a device's entire hard drive.
The group drops DiskCryptor over an RDP session and launches it to begin encryption. This method requires one reboot to install the tool and a second reboot to lock users out of the workstation.
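Because both encryption paths above leave host-level traces (BitLocker protectors that nobody provisioned, a third-party kernel driver, and the reboots DiskCryptor needs), a defender can check for them directly. The following PowerShell is an added example for this article, not code from the Microsoft report. It assumes a 7-day look-back window, discovers the BitLocker event log by name prefix at runtime rather than hard-coding it, and uses 'dcrypt' as an assumed name pattern for the DiskCryptor driver; that pattern is not stated on the page and should be confirmed against your own sample before relying on it.

```powershell
# Added example, not code from the Microsoft report. Read-only; run elevated.
# Checks a host for the two encryption paths described in the article:
# BitLocker turned on with an unexpected protector set, and DiskCryptor-style
# third-party disk-encryption drivers plus the reboots they require.
# Assumptions not stated on the page: 7-day window; 'dcrypt' as the DiskCryptor
# driver name pattern (verify against your own sample).

$since = (Get-Date).AddDays(-7)
$suspectDriverPattern = 'dcrypt'   # assumption, see above

# 1. BitLocker: per volume, what protects it and whether encryption is still running.
#    Compare against your baseline: a volume that is mid-encryption, or protected
#    without a recovery password you escrowed, is what an attacker-initiated lockout looks like.
Get-BitLockerVolume -ErrorAction SilentlyContinue | ForEach-Object {
    $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $line  = "BitLocker {0}: status={1} protection={2} protectors=[{3}]" -f `
        $_.MountPoint, $_.VolumeStatus, $_.ProtectionStatus, ($types -join ',')
    $flag = ''
    if ($_.VolumeStatus -eq 'EncryptionInProgress') {
        $flag = '  <-- encryption in progress'
    } elseif ($_.ProtectionStatus -eq 'On' -and $types -notcontains 'RecoveryPassword') {
        $flag = '  <-- protected without a recovery password protector'
    } elseif ($_.ProtectionStatus -eq 'On' -and $types -contains 'Password' -and $types -notcontains 'Tpm') {
        $flag = '  <-- password-only protection, no TPM'
    }
    Write-Output ($line + $flag)
}

# 2. Recent BitLocker management events (log name discovered by prefix, not hard-coded)
Get-WinEvent -ListLog 'Microsoft-Windows-BitLocker*' -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 } |
    ForEach-Object {
        $logName = $_.LogName
        Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $since } -ErrorAction SilentlyContinue |
            ForEach-Object {
                $firstLine = ([string]$_.Message -split "`n")[0]
                Write-Output ("{0} [{1}] id={2}: {3}" -f $_.TimeCreated, $logName, $_.Id, $firstLine)
            }
    }

# 3. Kernel drivers not signed by Microsoft, or matching the assumed DiskCryptor pattern.
#    DiskCryptor installs a driver and needs a reboot for it, so it shows up here after the first reboot.
Get-CimInstance Win32_SystemDriver | ForEach-Object {
    $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    $signer = '(unsigned or file not found)'
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    if ($signer -notmatch 'Microsoft' -or $_.Name -match $suspectDriverPattern -or $path -match $suspectDriverPattern) {
        Write-Output ("Driver {0} state={1} path={2} signer={3}" -f $_.Name, $_.State, $path, $signer)
    }
}

# 4. Reboots in the window: System event 1074 records which process/user initiated a restart,
#    which helps pin the two reboots the DiskCryptor method needs to an RDP session.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $firstLine = ([string]$_.Message -split "`n")[0]
        Write-Output ("Restart {0}: {1}" -f $_.TimeCreated, $firstLine)
    }
```

The BitLocker section matters for servers that were never meant to be encrypted: if BitLocker protection is on and the recovery password was never escrowed to Active Directory or Azure AD by your own process, the only party holding a key may be the attacker. The driver and reboot checks are generic for any full-disk encryption tool dropped over RDP, not specific to DiskCryptor.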
Any device reachable from the internet is at risk of being scanned and abused by this group.