Multiple Ransomware Campaigns Tied To DEV-0270 - aka “Nemesis Kitten”

Microsoft released an advisory about multiple ransomware campaigns tied to DEV-0270 (aka “Nemesis Kitten”), a sub-group of Iranian actor PHOSPHORUS.


According to Tenable Senior Staff Research Engineer Satnam Narang, the details of this group’s activities demonstrate how valuable ransomware attacks against companies are to threat actors as a form of revenue generation. Narang said:

"What’s notable, yet unsurprising, is that DEV-0270 is taking advantage of legacy vulnerabilities to gain initial access into victim environments, including CVE-2018-13379, an information disclosure vulnerability in Fortinet’s SSL VPN that was disclosed in the early part of 2019.


Additionally, DEV-0270 is also exploiting the ProxyLogon vulnerabilities against vulnerable Microsoft Exchange Servers, which were exploited en masse in 2021 and continue to be a valuable attack path for threat actors. Though not explicitly noted in this report, ProxyShell, another set of vulnerabilities in Microsoft Exchange Server, is also quite popular with attackers, highlighting the interest of attackers in targeting vulnerable Exchange Servers.


Vulnerabilities in internet-facing applications are some of the more popular for attackers, so organizations that deploy these applications should ensure that patches are applied in a timely manner. While it may seem like the window of opportunity closes once a patch becomes available, research has shown that this window remains open for the long haul, which is why threat actors continue to find success exploiting legacy vulnerabilities.


The main takeaways are that organizations must keep their systems up to date, as threat actors continue to find great success exploiting legacy vulnerabilities, and that threat actors now see moonlighting opportunities through ransomware as a vehicle to earn additional revenue to help fund their operations."

