Microsoft warns of hackers using BitLocker for ransom attacks
Microsoft has issued an alert about a new threat from a hacker group dubbed DEV-0270, also known as Nemesis Kitten. The group misuses BitLocker to encrypt files on compromised devices.
DEV-0270 is said to be a spin-off from an Iranian hacking group also known as Phosphorus. Whoever is behind the new threat, the attackers use various vulnerabilities to infiltrate Windows devices and entire networks and then launch a ransomware attack (via Bleeding computer). So the hackers want to extort ransom money for the release of their victims’ data. “DEV-0270 exploits high severity vulnerabilities to gain access to devices and has been known to exploit newly discovered vulnerabilities early on,” Microsoft said in the alert posted in the Security Blog was published.
Search for vulnerable systems
For the Microsoft Security Threat Intelligence team, one factor, in particular, was new and ominous in discovering the group’s activity: the attackers initially targeted victims, their servers, and devices for vulnerabilities in Microsoft Exchange Server, Fortinet FortiGate SSL-VPN, and Apache -Log4j are vulnerable and then use Windows’ own BitLocker security tool to harm their victims. “DEV-0270 leverages living-off-the-land binaries (LOLBINs) for credential detection and access throughout the attack chain. This extends to abusing the built-in BitLocker tool to encrypt files on compromised devices .” The use of BitLocker and DiskCryptor by Iranian actors was first discovered in early May this year.
The attackers elevate system-level privileges, which also allows them to disable Microsoft Defender and other antivirus software to evade their detection. “The threat group commonly uses native WMI, net, CMD, and PowerShell commands and registry configurations to maintain stealth and operational security,” Microsoft explained. “They also install and disguise their custom binaries as legitimate processes to hide their presence.”
To protect yourself from these attackers, Microsoft recommends installing all patches offered, checking passwords for security, and carrying out regular data backups.
Media coordinator and junior editor at Research Snipers RS-NEWS, I studied mass communication and interested technology business, I have 3 years experience in the media industry.