In a recent development, Microsoft has issued ransomware warnings by the so-called Phosphorous Hacker Group from Iran.
The tech giant has been monitoring such activities. On Wednesday, its threat intelligence division confirmed that a subsection of the group has been carrying out ransomware attacks for personal benefit.
Such activities are under constant observation, and the activity cluster here under the moniker DEV-0270 says the hacker group is operated by an enterprise functioning under aliases Lifeweb and Secnerd.
Microsoft concludes that the DEV-0270 performs malicious network operations with a medium confidence level. Such operations comprise prevalent vulnerability scanning. Such scanning is being carried out on behalf of the Iranian government.
Yet another observation regarding the intensity of scanning is that some of these attacks are moonlighting for enterprise-specific revenue generation. The second observation is based on a judgment, which is in turn based on their sectoral or geographic targeting.
DEV-0270 scans the internet to locate devices and servers vulnerable to flaws in the Microsoft Exchange Server, Apache Log4j, and Fortinet FortiGate SSL-VPN. These flaws are then leveraged for gaining initial access. The next step is network reconnaissance. The last step is stealing the credentials.
“DEV-0270 also extensively uses living-off-the-land binaries (LOLBINs) throughout the attack chain for discovery and credential access. This extends to its abuse of the built-in BitLocker tool to encrypt files on compromised devices. DEV-0270 leverages exploits for high-severity vulnerabilities to gain access to devices and is known for the early adoption of newly disclosed vulnerabilities”, says Microsoft.
Users are advised to retain their exclusive focus on patching exchange servers (internet-facing) as a preventive method. With patching works in place, it would be possible to mitigate the risk involved and limit network appliances such as Fortinet SSL-VPN devices from establishing arbitrary connections to the internet. The other suggestions include enabling strong passwords and maintaining continuous data backups.