{"id":7533,"date":"2021-06-30T20:19:41","date_gmt":"2021-07-01T03:19:41","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7533"},"modified":"2023-04-05T12:39:58","modified_gmt":"2023-04-05T19:39:58","slug":"darkside-ransomware-threat-associations-unearthed","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/darkside-ransomware-threat-associations-unearthed\/","title":{"rendered":"DarkSide Ransomware: Further Threat Associations Unearthed"},"content":{"rendered":"<blockquote>\n<p style=\"text-align: justify;\">DarkSide Ransomware has added two more CVEs to its arsenal alongside two additional APT group associations. Check out our analysis and patch these vulnerabilities before they strike again!<\/p>\n<\/blockquote>\n<p style=\"text-align: justify;\">Last month, DarkSide ransomware went down in history for causing the single largest disruption in gasoline supply in the United States. The attack was so crippling that fuel prices peaked, panic buying was induced, and almost 45% of the East Coast\u2019s fuel supply was cut off. It took a week of reconstruction, alongside the FBI&#8217;s interference and a <a href=\"https:\/\/www.cnet.com\/news\/colonial-pipeline-reportedly-paid-5m-to-hackers-after-ransomware-attack\/\" target=\"_blank\" rel=\"noopener\">$5M ransom<\/a> payment, to bring the supply back online. Subsequently, the FBI <a href=\"https:\/\/www.cbsnews.com\/news\/colonial-pipeline-ransom-payments-hackers-seized-united-states\/\" target=\"_blank\" rel=\"noopener\">recovered<\/a> about half of the ransom paid after gaining access to the bitcoin account that was used in the transaction.<\/p>\n<h2 style=\"text-align: justify;\">More CVE Findings<\/h2>\n<p dir=\"ltr\" style=\"text-align: justify;\"><strong>In our <a href=\"https:\/\/cybersecurityworks.com\/blog\/ransomware\/darkside-the-ransomware-that-brought-a-us-pipeline-to-a-halt.html\" target=\"_blank\" rel=\"noopener\">previous blog<\/a>, we observed how the DarkSide ransomware group utilized two vulnerabilities, CVE-2019-5544 and CVE-2020-3992, to launch its attacks on the Colonial Pipeline. Since then, we have come across more interesting findings about this ransomware.<\/strong><\/p>\n<blockquote>\n<h4 dir=\"ltr\" style=\"text-align: justify;\">It has come to light that two additional CVEs, CVE-2020-1472 and CVE-2021-20016,\u00a0are part of the DarkSide attack arsenal.<\/h4>\n<\/blockquote>\n<p><img decoding=\"async\" class=\"aligncenter\" style=\"width: 1458px; height: 400px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/darkside-ransomware-cves.jpg\" alt=\"Darkside Ransomware CVEs\" \/><\/p>\n<p><strong>CVE-2021-20016<\/strong><\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" style=\"text-align: justify;\" role=\"presentation\">CVE-2021-20016 is a new vulnerability identified earlier this year. It is assigned a CVSS V3 score of 9.8 and tagged as a critical flaw.<\/p>\n<\/li>\n<li dir=\"ltr\" style=\"text-align: justify;\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">The vulnerability exists across six SonicWall Secure Mobile Access (SMA) products, which act as an access gateway for organizations to provide remote access to resources hosted on-prem, in cloud, and in hybrid data centers.<\/p>\n<\/li>\n<li dir=\"ltr\" style=\"text-align: justify;\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">The SonicWall advisory has published <a href=\"https:\/\/psirt.global.sonicwall.com\/vuln-detail\/SNWLID-2021-0001\" target=\"_blank\" rel=\"noopener\">workarounds<\/a> for this vulnerability.<\/p>\n<\/li>\n<\/ul>\n<p dir=\"ltr\" style=\"text-align: justify;\"><strong>CVE-2020-1472<\/strong><\/p>\n<ul style=\"text-align: justify;\">\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">CVE-2020-1472, popularly known as the Zerologon vulnerability, is a critical 2020 CVE that has a CVSS V3 score of 10. It can be exploited to gain elevated access to resources.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">CVE-2020-1472 is seen in 11 products spread across vendors Microsoft, Fedora project, openSUSE, Canonical, Synology, and Samba.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2020-1472\" target=\"_blank\" rel=\"noopener\">Security updates<\/a> are available for patching the vulnerability.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">In our <a href=\"https:\/\/cybersecurityworks.com\/ransomware\/\" target=\"_blank\" rel=\"noopener\">Ransomware Report 2020<\/a>, we noted that CVE-2020-1472 was also weaponized by the CryptoMix ransomware family, which is associated with five other ransomware groups.<\/p>\n<\/li>\n<\/ul>\n<blockquote>\n<p dir=\"ltr\" style=\"text-align: justify;\" role=\"presentation\">Two Advanced Persistent Threat (APT) groups, Carbanak and FIN7, are now additionally associated with DarkSide. This brings the total number of APT groups using DarkSide to five.<\/p>\n<\/blockquote>\n<h2 dir=\"ltr\" style=\"text-align: justify;\">Exposure<\/h2>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" style=\"text-align: justify;\" role=\"presentation\">From our exposure analysis using Shodan, we can see that 2,911 deployments of SonicWall SMA 200 firmware and 688 products with CVE-2020-1472 are currently in use, making them vulnerable to attacks.\u00a0 \u00a0 \u00a0 \u00a0 \u00a0<b id=\"docs-internal-guid-98dffa16-7fff-68c6-7982-3bd5a80440cf\"><img decoding=\"async\" class=\"aligncenter\" style=\"width: 450px; height: 300px; margin-left: 100px; margin-right: 100px;\" src=\"https:\/\/lh5.googleusercontent.com\/2xWjytmToLfzw63JKeitfBCZq6dZ8NGL-V5QvcWYMtDS6pXBgN2qhMmNuVDXoXWtuBaCjsrYNcvnw9bOQr8eVnbi0S_h7B9YdozTUb44PKrMWhaUSlTdmEp5BMnEjWYZOdCy29vJ\" \/><\/b><\/p>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2 dir=\"ltr\">The DarkSide Attack Methodology<\/h2>\n<p dir=\"ltr\" style=\"text-align: justify;\">The threat actors have been <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/alerts\/aa21-131a\" target=\"_blank\" rel=\"noopener\">identified using<\/a> the Tor browser, which creates a multi-hop proxy network. Messages are encrypted at multiple levels using onion routing, allowing for increased anonymity on the internet. The DarkSide ransomware group has also been observed deploying Cobalt Strike as its command and control weapon. Cobalt Strike is a collection of threat emulation tools that is seeing more and more adoption by malicious groups.<\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\">According to the latest news reports, the Colonial Pipeline attack happened because of <a href=\"https:\/\/www.bloombergquint.com\/business\/hackers-breached-colonial-pipeline-using-compromised-password\" target=\"_blank\" rel=\"noopener\">leaked credentials of a virtual private network (VPN) account<\/a>, through which employees remotely accessed the company\u2019s network. While we may not exactly know what VPN vulnerability led to the breach, a lesson learned is that it is important to ensure the <a href=\"https:\/\/cybersecurityworks.com\/blog\/cyber-risk\/do-vpns-have-our-back.html\" target=\"_blank\" rel=\"noopener\">safety of VPNs<\/a> and other applications we use. Securin has always emphasized and even warned about this in our <a href=\"https:\/\/cybersecurityworks.com\/cyber-risk-series\/\" target=\"_blank\" rel=\"noopener\">Cyber Risk Series<\/a>.<\/p>\n<h2 dir=\"ltr\" style=\"text-align: justify;\">DarkSide Ransomware MITRE ATT&amp;CK Mapping<\/h2>\n<p dir=\"ltr\" style=\"text-align: justify;\">The following tactics and techniques are in addition to the <a href=\"https:\/\/cybersecurityworks.com\/blog\/ransomware\/darkside-the-ransomware-that-brought-a-us-pipeline-to-a-halt.html\" target=\"_blank\" rel=\"noopener\">previously published<\/a> MITRE ATT&amp;CK mapping details.<\/p>\n<p>&nbsp;<\/p>\n<table style=\"width: 750px;\" border=\"1\" cellspacing=\"1\" cellpadding=\"1\" align=\"center\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><strong>MITRE ATT&amp;CK<\/strong><\/td>\n<td style=\"text-align: center;\"><strong>IOC<\/strong><\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\" style=\"text-align: left;\">T1087 &#8211; Account Discovery<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">T1098 &#8211; Account Manipulation<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">T1027.004 &#8211; Compile After Discovery<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">T1555 &#8211; Credentials From Password Stores<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">T1555.002 &#8211; Credentials From Registry<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">T1486 &#8211; Data Encrypted For Impact<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">T1140 &#8211; Deobfuscate\/Decode Files or Information<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">T1055.001 &#8211; Dynamic-Link Library Injection<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">T1190 &#8211; Exploit Public-Facing Application<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">T1133 &#8211; External Remote Services<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">T1083 &#8211; File and Directory Discovery<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">T1105 &#8211; Ingress Tool Transfer<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">T1490 &#8211; Ingress System Recovery<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">T1036 &#8211; Masquerading<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">T1090.003 &#8211; Multi-hop Proxy<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">T1027 &#8211; Obfuscated Files or Information<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">T1566 &#8211; Phishing<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">T1059.001 &#8211; Powershell<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">T1057 &#8211; Process Discovery<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">T1113 &#8211; Screen Capture<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">T1569.002 &#8211; Service Execution<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">T1489 &#8211; Service Stop<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">T1129 &#8211; Shared Modules<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">T1082 &#8211; System Information Discovery<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">T1080 &#8211; Taint Shared Content<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\">T1047 &#8211; Windows Management Instrumentation<\/p>\n<\/td>\n<td>\n<p dir=\"ltr\" style=\"text-align: left;\"><strong>MD5:<\/strong><\/p>\n<p dir=\"ltr\">978754BAA3A4D39802CDC8AA34DCA578<\/p>\n<p dir=\"ltr\">71367B599A8AB75BA64EC40FD138D650<\/p>\n<p dir=\"ltr\">D79793DD17A85C4F7BB9347D43DC5924<\/p>\n<p dir=\"ltr\">84F97E8028530A90827B6C92E0C083CA<\/p>\n<p dir=\"ltr\">A4064976B08133C11C15FC6DC0FB6F10<\/p>\n<p dir=\"ltr\">B38278344CCF7FFC3818947AE41ECD3C<\/p>\n<p dir=\"ltr\">952C0F33EDE5AFBF8AA58FBDA7AA5A70<\/p>\n<p dir=\"ltr\">AC20EAAC8992F4F7E835BD583DC1F6C5<\/p>\n<p dir=\"ltr\">DB511D27139D193C865A0C5DB192E0CF<\/p>\n<p dir=\"ltr\">417E4F1E69AED14DE8F4A3B4DF3BD0BA<\/p>\n<p dir=\"ltr\">52C91A73CFB979A07697CFECA9150774<\/p>\n<p dir=\"ltr\">71B888DEA662F49F0B0945BBB4DDE5E6<\/p>\n<p dir=\"ltr\">748D28BBBB37DFC2DD0D6D14E8C06FCE<\/p>\n<p dir=\"ltr\">A6F0F346AE042E129D56094E66965256<\/p>\n<p dir=\"ltr\">FB8678BB3F0F33D686145575C75AB304<\/p>\n<p dir=\"ltr\">2D7333BDDD899BAC2C667E913F5E5C0C<\/p>\n<p dir=\"ltr\">60A22A01C8A1DDF5B31FA9A879786761<\/p>\n<p dir=\"ltr\">6C6BA57BE4B7B2FB661A99FEA872F6B8<\/p>\n<p dir=\"ltr\">2BB5D5AA07FA2C8E9874C117C8FA51D6<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<h2 dir=\"ltr\">Has DarkSide Truly Retired? The Question Remains&#8230;<\/h2>\n<p dir=\"ltr\" style=\"text-align: justify;\"><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions?&amp;web_view=true\" target=\"_blank\" rel=\"noopener\">Recent research<\/a> highlights a new DarkSide ransomware variant that projects a behavior unseen to date. Found to affect Windows platforms, the new find seeks out partition information on hard disks to identify hidden data and can even compromise multi-boot systems.<\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\">Fraudsters have also been observed <a href=\"https:\/\/www.bankinfosecurity.asia\/fake-darkside-ransomware-gang-targets-energy-food-sectors-a-16911\" target=\"_blank\" rel=\"noopener\">impersonating<\/a> the DarkSide ransomware group in more recent activities, trying to capitalize on the impact of the increase in ransomware affairs. The fact is that remediation following a ransomware attack is a cumbersome process. Organizations need to take proactive measures to ensure they do not become a victim of such attacks.<\/p>\n<p style=\"text-align: justify;\"><strong>{Updated on July 13, 2021}<\/strong>:\u00a0As recently as July 2021, the popular fashion brand, Guess, <a href=\"https:\/\/www.zdnet.com\/article\/guess-announces-breach-of-employee-ssns-and-financial-data-after-darkside-attack\/?&amp;web_view=true\" target=\"_blank\" rel=\"noopener\">announced<\/a> that it had fallen victim to an attack by DarkSide back in February and warned of customer data leaks on the dark web. The information released included classified information like the company\u2019s financial details, customers\u2019 Social Security Numbers, driver&#8217;s license numbers, passport numbers, and financial account numbers.<\/p>\n<p><strong>{Updated on August 19, 2021}<\/strong>: Three months after the Colonial Pipeline incident, the repercussions are still being felt. The company <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/colonial-pipeline-reports-data-breach-after-may-ransomware-attack\/\">recently identified<\/a> that the DarkSide operators got their hands on documents containing the personal data of over 5,000 people and has started sending out notification letters to affected individuals.<\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong>We can help you analyze your assets and prioritize the vulnerabilities that need to be patched. <\/strong><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><strong><a href=\"https:\/\/cybersecurityworks.com\/get-quote.php\" target=\"_blank\" rel=\"noopener\">Avoid becoming a victim of ransomware attacks<\/a>!\u00a0<\/strong><\/p>\n<p style=\"text-align: center;\">\n","protected":false},"excerpt":{"rendered":"<p>Darkside Ransomware has added two more CVEs to its arsenal alongside two additional APT group associations. Check out our analysis and patch these vulnerabilities before they strike again!<\/p>\n","protected":false},"author":1,"featured_media":7534,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[82,80,81,117],"tags":[107,352,341,391,389,381,392,390,357,91,139],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts\/7533"}],"collection":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/comments?post=7533"}],"version-history":[{"count":7,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts\/7533\/revisions"}],"predecessor-version":[{"id":14729,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts\/7533\/revisions\/14729"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/media\/7534"}],"wp:attachment":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/media?parent=7533"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/categories?post=7533"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/tags?post=7533"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}