Profiling DEV-0270: PHOSPHORUS’ ransomware operations
Microsoft Security Blog, published 2022-09-07 (last modified 2023-09-19)
https://www.microsoft.com/en-us/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather.

• PHOSPHORUS is now tracked as Mint Sandstorm
• DEV-0270 is now tracked as Storm-0270

To learn more about this evolution, how the new taxonomy represents the origin, unique traits, and impact of threat actors, and a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.

Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran. However, judging from their geographic and sectoral targeting, which often lacked a strategic value for the regime, we assess with low confidence that some of DEV-0270’s ransomware attacks are a form of moonlighting for personal or company-specific revenue generation. This blog profiles the tactics and techniques behind the DEV-0270/PHOSPHORUS ransomware campaigns. We hope this analysis, which Microsoft is using to protect customers from related attacks, further exposes and disrupts the expansion of DEV-0270’s operations.

DEV-0270 leverages exploits for high-severity vulnerabilities to gain access to devices and is known for the early adoption of newly disclosed vulnerabilities. DEV-0270 also extensively uses living-off-the-land binaries (LOLBINs) throughout the attack chain for discovery and credential access. This extends to its abuse of the built-in BitLocker tool to encrypt files on compromised devices.

In some instances where encryption was successful, the time to ransom (TTR) between initial access and the ransom note was around two days. The group has been observed demanding USD 8,000 for decryption keys. In addition, the actor has been observed pursuing other avenues to generate income through their operations. In one attack, a victim organization refused to pay the ransom, so the actor opted to post the stolen data from the organization for sale, packaged as a SQL database dump.

Using these observations, this blog details the group’s tactics and techniques across its end-to-end attack chain to help defenders identify, investigate, and mitigate attacks. We also provide extensive hunting queries designed to surface stealthy attacks. This blog also includes protection and hardening guidance to help organizations increase resilience against these and similar attacks.

Figure 1. Typical DEV-0270 attack chain

Who is DEV-0270?

Microsoft assesses that DEV-0270 is operated by a company that functions under two public aliases: Secnerd (secnerd[.]ir) and Lifeweb (lifeweb[.]ir). We have observed numerous infrastructure overlaps between DEV-0270 and Secnerd/Lifeweb. These organizations are also linked to Najee Technology Hooshmand (ناجی تکنولوژی هوشمند), located in Karaj, Iran.

The group is typically opportunistic in its targeting: the actor scans the internet to find vulnerable servers and devices, making organizations with vulnerable and discoverable servers and devices susceptible to these attacks.

As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts. Microsoft uses DEV-#### designations as temporary names for unknown, emerging, or developing clusters of threat activity, allowing the Microsoft Threat Intelligence Center (MSTIC) to track each cluster as a unique set of information until we reach high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.

Observed actor activity

Initial access

In many of the observed DEV-0270 instances, the actor gained access by exploiting known vulnerabilities in Exchange or Fortinet (CVE-2018-13379). For Exchange, the most prevalent exploit has been ProxyLogon. This highlights the need to patch high-severity vulnerabilities in internet-facing devices, as the group has continued to successfully exploit these vulnerabilities even recently, well after updates supplied the fixes. While there have been indications that DEV-0270 attempted to exploit Log4j 2 vulnerabilities, Microsoft has not observed this activity used against customers to deploy ransomware.

Discovery

Upon gaining access to an organization, DEV-0270 performs a series of discovery commands to learn more about the environment. The command wmic computersystem get domain obtains the target’s domain name. The whoami command displays user information, and the net user command is used to add or modify user accounts. For more information on the accounts created and the common password phrases DEV-0270 used, refer to the Advanced Hunting section.
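As an added example (not part of the Microsoft post or its hunting queries), the Python below correlates the discovery-then-account-creation sequence described above, flagging a host only when wmic computersystem get domain, whoami and a net user ... /add all run within a short window. The pipe-separated log layout, hostnames, user names and account names are constructed for this example; adapt the parser to your own process-creation telemetry.

```python
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events in a simplified "ts|host|user|cmdline"
# layout (not a real product schema). srv-exch01 shows the full chain;
# ws-fin07 shows ordinary admin noise that must not be flagged.
SAMPLE_EVENTS = """\
2022-08-01T10:02:11|srv-exch01|NT AUTHORITY\\SYSTEM|wmic computersystem get domain
2022-08-01T10:02:15|srv-exch01|NT AUTHORITY\\SYSTEM|whoami
2022-08-01T10:03:40|srv-exch01|NT AUTHORITY\\SYSTEM|net user svc-constructed Pa55-constructed /add
2022-08-01T11:30:00|ws-fin07|CORP\\jdoe|whoami
2022-08-02T09:00:00|ws-fin07|CORP\\jdoe|net user
"""

WINDOW = timedelta(minutes=30)  # all three stages must fall inside this span
CHAIN = {"domain_discovery", "user_discovery", "account_creation"}

def classify(cmdline: str) -> str | None:
    """Map a command line to one of the three stages the post describes, else None."""
    tokens = cmdline.lower().split()
    if tokens[:1] == ["wmic"] and "computersystem" in tokens and "domain" in tokens:
        return "domain_discovery"
    if tokens[:1] == ["whoami"]:
        return "user_discovery"
    if tokens[:2] == ["net", "user"] and "/add" in tokens:
        return "account_creation"
    return None

def parse(lines: str):
    """Yield (timestamp, host, user, cmdline) tuples from the constructed log."""
    for raw in lines.splitlines():
        if raw.strip():
            ts, host, user, cmd = raw.split("|", 3)
            yield datetime.fromisoformat(ts), host, user, cmd

def find_discovery_chains(lines: str) -> list[dict]:
    """Return one finding per host where all CHAIN stages occur within WINDOW."""
    per_host = defaultdict(list)
    for ts, host, user, cmd in parse(lines):
        stage = classify(cmd)
        if stage:
            per_host[host].append((ts, stage, user, cmd))
    findings = []
    for host, events in per_host.items():
        events.sort()
        for i, (start, _, user, _) in enumerate(events):
            window = [e for e in events[i:] if e[0] - start <= WINDOW]
            if {e[1] for e in window} >= CHAIN:
                # "net user <name> <password> /add": the created account is token 2
                created = next(e[3].split()[2] for e in window if e[1] == "account_creation")
                findings.append({"host": host, "start": start.isoformat(), "user": user, "account": created})
                break  # one finding per host is enough for triage
    return findings
```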