Iran is often accused of relying on hacker groups to support its espionage, disruption, or revenue goals. Albania just severed diplomatic ties with the country blaming it for a destructive cyberattack in July. The newest Microsoft blog shines some light on one of the Iran-linked gangs.
Nemesis Kitten (DEV-0270) is a sub-group of Iranian threat actor Phosphorus. Microsoft said that it conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran.
“However, judging from their geographic and sectoral targeting, which often lacked a strategic value for the regime, we assess with low confidence that some of DEV-0270’s ransomware attacks are a form of moonlighting for personal or company-specific revenue generation.”
Nemesis Kitten exploits newly disclosed and high-severity vulnerabilities to gain access to devices. It also abuses BitLocker, the full-volume encryption feature built into Microsoft Windows, to encrypt files.
The group launched the ransomware approximately two days after the initial systems access. Nemesis Kitten has been observed demanding around $8,000 for decryption keys. When a victim refuses to pay the ransom, the threat actor opts to post stolen data for sale.
Microsoft assesses that Nemesis Kitten is operated by a company that functions under two public aliases, Secnerd and Lifeweb. Both organizations are also linked to Najee Technology Hooshmand in Karaj, Iran.
“The group is typically opportunistic in its targeting: the actor scans the internet to find vulnerable servers and devices, making organizations with vulnerable and discoverable servers and devices susceptible to these attacks,” Microsoft said.
Nemesis Kitten exploits known vulnerabilities in Exchange and Fortinet, such as ProxyLogon and Log4j 2.
Once inside a victim's systems, Nemesis Kitten performs reconnaissance of the environment and steals credentials. To maintain access to a compromised network, the threat actor adds or creates a new user account and enables Remote Desktop Protocol (RDP) connections on the device. It also uses several defense-evasion techniques to avoid detection, such as turning off Microsoft Defender Antivirus real-time protection.
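As an added defender-side example, not code from Microsoft's report or from this article, the following PowerShell script triages a single Windows host for the traces the two passages above describe: BitLocker activity, a Defender real-time protection switch-off, RDP being enabled, and recently created or elevated local accounts. It assumes it is run as Administrator on Windows 10/11 or Server 2016 or later with the Defender and BitLocker modules present; the 48-hour lookback window is a constructed value, not one taken from the report.

```powershell
# Host triage for the persistence/evasion traces described in the article.
# Assumptions (not from the report): run elevated; Defender and BitLocker
# PowerShell modules installed; 48-hour lookback chosen arbitrarily here.
$Lookback = (Get-Date).AddHours(-48)
$Findings = @()

# 1. Defender real-time protection: check both the configured preference and
#    the live status, then look for event 5001 (real-time protection disabled).
$pref   = Get-MpPreference
$status = Get-MpComputerStatus
if ($pref.DisableRealtimeMonitoring -or -not $status.RealTimeProtectionEnabled) {
    $Findings += "Defender real-time protection is currently disabled"
}
$rtpOff = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001; StartTime = $Lookback
} -ErrorAction SilentlyContinue
if ($rtpOff) {
    $Findings += "Defender event 5001 (real-time protection turned off) seen $($rtpOff.Count) time(s) since $Lookback"
}

# 2. RDP enabled on the device: fDenyTSConnections = 0 means connections are allowed.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($ts.fDenyTSConnections -eq 0) {
    $Findings += "RDP connections are enabled (fDenyTSConnections = 0)"
}

# 3. New local accounts (Security event 4720) and additions to a local group
#    (4732) inside the lookback window. Property indexes follow the standard
#    event schema: 4720 -> [0] TargetUserName; 4732 -> [2] TargetUserName (group).
$created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Lookback } -ErrorAction SilentlyContinue
foreach ($e in $created) {
    $Findings += "Local account created: $($e.Properties[0].Value) at $($e.TimeCreated)"
}
$added = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732; StartTime = $Lookback } -ErrorAction SilentlyContinue
foreach ($e in $added) {
    $Findings += "Member added to local group '$($e.Properties[2].Value)' at $($e.TimeCreated)"
}

# 4. BitLocker state per volume. Encryption in progress, or protection on a
#    host that was never deliberately enrolled, warrants a closer look.
Get-BitLockerVolume -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.VolumeStatus -ne 'FullyDecrypted') {
        $Findings += "BitLocker on $($_.MountPoint): $($_.VolumeStatus), protection $($_.ProtectionStatus), $($_.EncryptionPercentage)% encrypted"
    }
}

if ($Findings.Count -eq 0) {
    Write-Output "No persistence or evasion indicators found in the last 48 hours."
} else {
    Write-Output "Findings:"
    $Findings | ForEach-Object { Write-Output " - $_" }
}
```

None of these checks is conclusive on its own (an administrator may legitimately enable RDP or enroll a laptop in BitLocker); the value is in seeing several of them appear together on a server within a short window, which is the pattern the paragraph above describes.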
Last year, Microsoft said it had detected and worked to stop a series of cyberattacks from Phosphorus masquerading as conference organizers to target more than 100 high-profile individuals.
“Phosphorus, an Iranian actor, has targeted potential attendees of the upcoming Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia. The Munich Security Conference is the most important gathering on the topic of security for heads of state and other world leaders, and it has been held annually for nearly 60 years. Likewise, T20 is a highly visible event that shapes policy ideas for the G20 nations and informs their critical discussions,” Microsoft said.
On Wednesday, Albania’s prime minister Edi Rama ordered Iranian embassy staff to leave the country after finding that Iran was behind a heavy but unsuccessful attempt to hack government systems and paralyze public services.
He said the cyberattack was orchestrated and sponsored by Iran “through the engagement of four groups that enacted the aggression - one of them being a notorious international cyber-terrorism group, which has been a perpetrator and co-perpetrator of earlier cyberattacks targeting Israel, Saudi Arabia, UAE, Jordan, Kuwait, and Cyprus.” Rama did not name the advanced persistent threat (APT) groups behind the attack.