DEV-0270's Cyber Offensive: A Profiling of Their Ransomware Operations
- Actor Motivations: Espionage, Exfiltration, Extortion, Financial Gain
- Attack Vectors: Vulnerability Exploitation, Ransomware
- Attack Complexity: High
- Threat Risk: High Impact/High Probability
Threat Overview
The DEV-0270 group, believed to be linked to the Iranian organization Secnerd/Lifeweb, conducts ransomware operations primarily by exploiting known vulnerabilities in Exchange and Fortinet. The group typically targets organizations with exposed and vulnerable servers. Its tactics include account discovery, credential dumping, account creation, process injection, privilege escalation, and data encryption. It also uses evasion techniques such as disabling antivirus tools and masquerading malicious activity as legitimate processes. Notably, the group relies on lateral movement methods such as Remote Desktop Protocol (RDP) and WMIExec to propagate across networks.
Extracted IOCs
- lifeweb[.]ir
- secnerd[.]ir
Tip: 2 IOCs related to this threat have been found (0 IP, 2 domain, 0 URL, 0 email, 0 file hash).
Overlaps
Source: Secureworks - September 2022
Detection (two cases): lifeweb[.]ir, secnerd[.]ir
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.