DEV-0270's Cyber Offensive: A Profiling of Their Ransomware Operations
- Actor Motivations: Espionage,Exfiltration,Extortion,Financial Gain
- Attack Vectors: Vulnerability Exploitation,Ransomware
- Attack Complexity: High
- Threat Risk: High Impact/High Probability
The DEV-0270 group, believed to be linked to the Iranian organization Secnerd/Lifeweb, has been conducting ransomware operations primarily by exploiting known vulnerabilities in Exchange and Fortinet. The group typically targets organizations with exposed and vulnerable servers. Their tactics involve account discovery, credential dumping, account creation, process injection, privilege escalation, and data encryption. They also use evasion techniques like disabling antivirus tools, and masquerading malicious activities under legitimate processes. Notably, the group uses lateral movement methods like Remote Desktop Protocol and WMIExec for propagation across networks.
Tip: 2 related IOCs (0 IP, 2 domain, 0 URL, 0 email, 0 file hash) to this threat have been found.
Source: Secureworks - September 2022
Detection (two cases): lifeweb[.]ir, secnerd[.]ir
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.