{"id":121322,"date":"2022-09-07T14:00:00","date_gmt":"2022-09-07T21:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=121322"},"modified":"2023-09-19T08:17:17","modified_gmt":"2023-09-19T15:17:17","slug":"profiling-dev-0270-phosphorus-ransomware-operations","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/07\/profiling-dev-0270-phosphorus-ransomware-operations\/","title":{"rendered":"Profiling DEV-0270: PHOSPHORUS\u2019 ransomware operations"},"content":{"rendered":"\n
\n\nApril 2023 update<\/strong> \u2013 Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather.
\u2022 PHOSPHORUS <\/strong>is now tracked as Mint Sandstorm<\/strong>
\u2022 DEV-0270<\/strong> is now tracked as Storm-0270<\/strong>
To learn more about this evolution, how the new taxonomy represents the origin, unique traits, and impact of threat actors, and a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy<\/strong><\/a>.
<\/p>\n\n<\/blockquote>\n\n\n\n<\/p>\n\n\n\n
Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS<\/a>. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran. However, judging from their geographic and sectoral targeting, which often lacked a strategic value for the regime, we assess with low confidence that some of DEV-0270\u2019s ransomware attacks are a form of moonlighting for personal or company-specific revenue generation. This blog profiles the tactics and techniques behind the DEV-0270\/PHOSPHORUS ransomware campaigns. We hope this analysis, which Microsoft is using to protect customers from related attacks, further exposes and disrupts the expansion of DEV-0270\u2019s operations.<\/p>\n\n\n\n
DEV-0270 leverages exploits for high-severity vulnerabilities to gain access to devices and is known for the early adoption of newly disclosed vulnerabilities. DEV-0270 also extensively uses living-off-the-land binaries (LOLBINs) throughout the attack chain for discovery and credential access. This extends to its abuse of the built-in BitLocker tool to encrypt files on compromised devices.<\/p>\n\n\n\n
In some instances where encryption was successful, the time to ransom (TTR) between initial access and the ransom note was around two days. The group has been observed demanding USD 8,000 for decryption keys. In addition, the actor has been observed pursuing other avenues to generate income through their operations. In one attack, a victim organization refused to pay the ransom, so the actor opted to post the stolen data from the organization for sale packaged in a SQL database dump.<\/p>\n\n\n\n
Using these observations, this blog details the group\u2019s tactics and techniques across its end-to-end attack chain to help defenders identify, investigate, and mitigate attacks. We also provide extensive hunting queries designed to surface stealthy attacks. This blog also includes protection and hardening guidance to help organizations increase resilience against these and similar attacks.<\/p>\n\n\n\n
Figure 1. Typical DEV-0270 attack chain<\/figcaption><\/figure>\n\n\n\n Who is DEV-0270?<\/h2>\n\n\n\n
Microsoft assesses that DEV-0270 is operated by a company that functions under two public aliases: Secnerd (secnerd[.]ir) and Lifeweb (lifeweb[.]ir). We have observed numerous infrastructure overlaps between DEV-0270 and Secnerd\/Lifeweb. These organizations are also linked to Najee Technology Hooshmand (\u0646\u0627\u062c\u06cc \u062a\u06a9\u0646\u0648\u0644\u0648\u0698\u06cc \u0647\u0648\u0634\u0645\u0646\u062f), located in Karaj, Iran.<\/p>\n\n\n\n
The group is typically opportunistic in its targeting: the actor scans the internet to find vulnerable servers and devices, making organizations with vulnerable and discoverable servers and devices susceptible to these attacks.<\/p>\n\n\n\n
As with any observed nation state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing Microsoft Threat Intelligence Center (MSTIC) to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.<\/p>\n\n\n\n
Observed actor activity<\/h2>\n\n\n\n
Initial access<\/h3>\n\n\n\n
In many of the observed DEV-0270 instances, the actor gained access by exploiting known vulnerabilities in Exchange or Fortinet (CVE-2018-13379). For Exchange, the most prevalent exploit has been ProxyLogon\u2014this highlights the need to patch high-severity vulnerabilities in internet-facing devices, as the group has continued to successfully exploit these vulnerabilities even recently, well after updates supplied the fixes. While there have been indications that DEV-0270 attempted to exploit Log4j 2 vulnerabilities<\/a>, Microsoft has not observed this activity used against customers to deploy ransomware.<\/p>\n\n\n\n
Discovery<\/h3>\n\n\n\n
Upon gaining access to an organization, DEV-0270 performs a series of discovery commands to learn more about the environment. The command wmic<\/em><\/a> computersystem get domain <\/em>obtains the target\u2019s domain name. The whoami<\/em> command displays user information and net user<\/em> command is used to add or modify user accounts. For more information on the accounts created and common password phrases DEV-0270 used, refer to the Advanced Hunting section.<\/p>\n\n\n\n
\n
- wmic computersystem get domain<\/li>\n\n\n\n
- whoami<\/li>\n\n\n\n
- net user<\/li>\n<\/ul>\n\n\n\n
On the compromised Exchange server, the actor used the following command to understand the target environment.<\/p>\n\n\n\n
Get-Recipient | Select Name -ExpandProperty EmailAddresses -first 1 | Select SmtpAddress | ft -hidetableheaders<\/pre>\n\n\n\nFor discovery of domain controllers, the actor used the following PowerShell and WMI command.<\/p>\n\n\n\n
<\/figure>\n\n\n\nCredential access<\/h3>\n\n\n\n
DEV-0270 often opts for a particular method using a LOLBin to conduct their credential theft, as this removes the need to drop common credential theft tools more likely to be detected and blocked by antivirus and endpoint detection and response (EDR) solutions. This process starts by enabling WDigest in the registry, which results in passwords stored in cleartext on the device and saves the actor time by not having to crack a password hash.<\/p>\n\n\n\n
\"reg\" add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest \/v UseLogonCredential \/t REG_DWORD \/d 1 \/f<\/pre>\n\n\n\nThe actor then uses rundll32.exe<\/em> and comsvcs.dll<\/em> with its built-in MiniDump function to dump passwords from LSASS into a dump file. The command to accomplish this often specifies the output to save the passwords from LSASS. The file name is also reversed to evade detections (ssasl.dmp)<\/em>:<\/p>\n\n\n\n
<\/figure>\n\n\n\nPersistence<\/h3>\n\n\n\n
To maintain access in a compromised network, the DEV-0270 actor adds or creates a new user account, frequently named DefaultAccount <\/em>with a password of P@ssw0rd1234,<\/em> to the device using the command net user \/add.<\/em> The DefaultAccoun<\/em>t account is typically a pre-existing account set up but not enabled on most Windows systems.<\/p>\n\n\n\n
The attacker then modifies the registry to allow remote desktop (RDP) connections for the device, adds a rule in the firewall using netsh.exe<\/em> to allow RDP connections, and adds the user to the remote desktop users group:<\/p>\n\n\n\n
\"reg\" add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" \/v TSEnabled \/t REG_DWORD \/d 1 \/f<\/pre>\n\n\n\n\"reg\" add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" \/v fDenyTSConnections \/t REG_DWORD \/d 0<\/pre>\n\n\n\n\"reg\" add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" \/v UserAuthentication \/t REG_DWORD<\/pre>\n\n\n\n\"netsh\" advfirewall firewall add rule name=\"Terminal Server\" dir=in action=allow protocol=TCP localport=3389<\/pre>\n\n\n\nScheduled tasks are one of the recurrent methods used by DEV-0270 in their attacks to maintain access to a device. Generally, the tasks load via an XML file and are configured to run on boot with the least privilege to launch a .bat via the command prompt. The batch file results in a download of a renamed dllhost.exe<\/em>, a reverse proxy, for maintaining control of the device even if the organization removes the file from the device.<\/p>\n\n\n\n
Figure 2. Scheduled task used in DEV-0270 attacks<\/figcaption><\/figure>\n\n\n\n Privilege escalation<\/h3>\n\n\n\n
DEV-0270 can usually obtain initial access with administrator or system-level privileges by injecting their web shell into a privileged process on a vulnerable web server. When the group uses Impacket\u2019s WMIExec to move to other systems on the network laterally, they are typically already using a privileged account to run remote commands. DEV-0270 also commonly dumps LSASS, as mentioned in the credential access section, to obtain local system credentials and masquerade as other local accounts which might have extended privileges.<\/p>\n\n\n\n
Another form of privilege escalation used by DEV-0270 involves the creation or activation of a user account to provide it with administrator privileges. DEV-0270 uses powershell.exe<\/em> and net.exe<\/em> commands to create or enable this account and add it to the administrators\u2019 group for higher privileges.<\/p>\n\n\n\n
Defense evasion<\/h3>\n\n\n\n
DEV-0270 uses a handful of defensive evasion techniques to avoid detection. The threat actors typically turn off Microsoft Defender Antivirus real-time protection to prevent Microsoft Defender Antivirus from blocking the execution of their custom binaries. The threat group creates or activates the DefaultAccount<\/em> account to add it to the Administrators and Remote Desktop Users groups. The modification of the DefaultAccount<\/em> provides the threat actor group with a legitimate pre-existing account with nonstandard, higher privileges. DEV-0270 also uses powershell.exe<\/em> to load their custom root certificate to the local certificate database. This custom certificate is spoofed to appear as a legitimate Microsoft-signed certificate. However, Windows flags the spoofed certificate as invalid due to the unverified certificate signing chain. This certificate allows the group to encrypt their malicious communications to blend in with other legitimate traffic on the network.<\/p>\n\n\n\n
Additionally, DEV-0270 heavily uses native LOLBins to effectively avoid detection. The threat group commonly uses native WMI, net, CMD, and PowerShell commands and registry configurations to maintain stealth and operational security. They also install and masquerade their custom binaries as legitimate processes to hide their presence. Some of the legitimate processes they masquerade their tools as include: dllhost.exe<\/em>, task_update.exe<\/em>, user.exe<\/em>, and CacheTask<\/em>. Using .bat files and powershell.exe<\/em>, DEV-0270 might terminate existing legitimate processes, run their binary with the same process name, and then configure scheduled tasks to ensure the persistence of their custom binaries.<\/p>\n\n\n\n
Lateral movement<\/h3>\n\n\n\n
DEV-0270 has been seen creating defaultaccount<\/em> and adding that account to the Remote Desktop Users group. The group uses the RDP connection to move laterally, copy tools to the target device, and perform encryption.<\/p>\n\n\n\n
Along with RDP, Impacket<\/a>\u2019s WMIExec is a known toolkit used by the group for lateral movement. In multiple compromises, this was the main method observed for them to pivot to additional devices in the organization, execute commands to find additional high-value targets, and dump credentials for escalating privileges.<\/p>\n\n\n\n
An example of a command using Impacket\u2019s WMIExec from a remote device:<\/p>\n\n\n\n
cmd.exe \/Q \/c quser 1> \\\\127.0.0.1\\ADMIN$\\__1657130354.2207212 2>&1<\/pre>\n\n\n\nImpact<\/h3>\n\n\n\n
DEV-0270 has been seen using setup.bat<\/em> commands to enable BitLocker encryption, which leads to the hosts becoming inoperable. For workstations, the group uses DiskCryptor<\/em>, an open-source full disk encryption system for Windows that allows for the encryption of a device’s entire hard drive. The group drops DiskCryptor<\/em> from an RDP session and when it is launched, begins the encryption. This method does require a reboot to install and another reboot to lock out access to the workstation.<\/p>\n\n\n\n
The following are DEV-0270\u2019s PowerShell commands using BitLocker:<\/p>\n\n\n\n
<\/figure>\n\n\n\nMicrosoft will continue to monitor DEV-0270 and PHOSPHORUS activity and implement protections for our customers. The current detections, advanced detections, and IOCs in place across our security products are detailed below.<\/p>\n\n\n\n
Recommended mitigation steps<\/h2>\n\n\n\n
The techniques used by DEV-0270 can be mitigated through the following actions:<\/p>\n\n\n\n
\n
- Apply the corresponding security updates for Exchange Server<\/a>, including applicable fixes for CVE-2021-26855<\/a>, CVE-2021-26858<\/a>, CVE-2021-26857<\/a> and CVE-2021-27065<\/a>. While it is important to prioritize patching of internet-facing Exchange servers to mitigate risk in an ordered manner, unpatched internal Exchange Server instances should also be addressed as soon as possible.\n
\n
- For Exchange Server instances in Mainstream Support, critical product updates are released for the most recently released Cumulative Updates (CU) and for the previous CU. For Exchange Server instances in Extended Support, critical product updates are released for the most recently released CU only.<\/li>\n\n\n\n
- If you don’t have a supported CU, Microsoft is producing an additional series of security updates (SUs) that can be applied to some older and unsupported CUs to help customers more quickly protect their environment. For information on these updates, see March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server.<\/li>\n\n\n\n
- Installing the updates is the only complete mitigation for these vulnerabilities and has no impact on functionality. If the threat actor has exploited these vulnerabilities to install malware, installing the updates does not<\/em> remove implanted malware or evict the actor.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Use Microsoft Defender Firewall<\/a>, intrusion prevention devices, and your network firewall to prevent RPC and SMB communication among devices whenever possible. This limits lateral movement and other attack activities.<\/li>\n\n\n\n
- Check your perimeter firewall and proxy to restrict or prevent network appliances like Fortinet SSL VPN devices from making arbitrary connections to the internet to browse or download files.<\/li>\n\n\n\n
- Enforce strong local administrator passwords. Use tools like LAPS<\/a>.<\/li>\n\n\n\n
- Ensure that Microsoft Defender Antivirus<\/a> is up to date and that real-time behavior monitoring is enabled.<\/li>\n\n\n\n
- Keep backups so you can recover data affected by destructive attacks. Use controlled folder access to prevent unauthorized applications from modifying protected files.<\/li>\n\n\n\n
- Turn on the following attack surface reduction rules<\/a> to block or audit activity associated with this threat:\n
\n
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)<\/li>\n\n\n\n
- Block process creations originating from PsExec and WMI commands<\/li>\n\n\n\n
- Block persistence through WMI event subscription. Ensure that Microsoft Defender for Endpoint is up to date and that real-time behavior monitoring is enabled<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Detection details<\/h2>\n\n\n\n
Microsoft Defender for Endpoint<\/h3>\n\n\n\n
Alerts with the following titles in the security center can indicate threat activity on your network:<\/p>\n\n\n\n
\n
- Malware associated with DEV-0270 activity group detected<\/li>\n<\/ul>\n\n\n\n
The following additional alerts may also indicate activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.<\/p>\n\n\n\n