Deep Dive into DarkSide Ransomware


OVERVIEW

The recent cyberattack on Colonial Pipeline threatened fuel supply to much of the US East Coast and came with a demand for a large ransom. The Colonial pipeline system runs over 5,500 miles between Texas and New York and can carry about 3 million barrels of fuel per day. It is operated by Colonial Pipeline Company, headquartered in Alpharetta, Georgia.

The attackers gained a foothold in Colonial's corporate IT network and deployed ransomware there. To contain the incident, the company shut down pipeline operations itself, halting fuel deliveries for several days.

Ransomware has become the defining trend of 2021: it is now routine for attackers to compromise an organization's infrastructure, encrypt it, and demand a large ransom. According to recent statistics from Check Point Research:

“The ransomware attacks around the globe have gone up by 102 percent in 2021 compared to 2020. Further, the statistics reveal that India is the most impacted country, with 213 weekly ransomware attacks per organization, which is 17 percent up from the beginning of the year.”

Who Are Darkside

DarkSide is a ransomware-as-a-service (RaaS) operation believed to be based in Eastern Europe; the identities of its operators are unknown. It first advertised itself on underground forums in August 2020 and is the group behind the Colonial Pipeline attack. Colonial paid roughly 75 BTC (about US$4.4 million at the time); blockchain analysis later estimated that DarkSide and its affiliates had collected more than US$90 million in bitcoin across their victims.

Vulnerabilities

DarkSide affiliates have been reported exploiting the two OpenSLP vulnerabilities in VMware ESXi listed below to reach hypervisors from inside a compromised network. Both are triggered through the SLP service on TCP/427: an ESXi host that is unpatched and still exposes that port on its management network is the target. If patching is not immediately possible, VMware's published workaround is to stop the slpd service and disable the CIMSLP firewall ruleset.

  1. CVE-2019-5544

OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

  2. CVE-2020-3992

OpenSLP as used in VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202010401-SG, 6.5 before ESXi650-202010401-SG) has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.
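The two questions a defender needs answered per ESXi host are whether the build predates the CVE-2020-3992 fix and whether SLP is still reachable through the host firewall. The script below is an added example, not code from the page or from VMware; it parses constructed copies of `vmware -vl` and `esxcli network firewall ruleset list` output. The 7.0 fixed build (16850804) comes from the advisory text above; the 6.7 and 6.5 fixed build numbers (17098360 and 17097218) are assumptions taken from VMware's patch release notes and should be verified there before use.

```python
"""Check an ESXi host for CVE-2020-3992 exposure (added example, not from the page).

Two conditions must both hold for the SLP use-after-free to be reachable:
  1. the ESXi build is older than the build that fixes its release line, and
  2. the SLP service is still exposed (firewall ruleset CIMSLP enabled, TCP/427).

ASSUMPTIONS (not from the page): the 6.7 and 6.5 fixed build numbers below are
taken from VMware's release notes and must be checked against them; the sample
command output is constructed to look like `vmware -vl` and
`esxcli network firewall ruleset list`.
"""
import re

# ESXi major.minor -> first build that contains the CVE-2020-3992 fix.
FIXED_BUILDS = {
    "7.0": 16850804,   # ESXi_7.0.1-0.0.16850804 (from the advisory text above)
    "6.7": 17098360,   # ESXi670-202010401-SG (assumed build number, verify)
    "6.5": 17097218,   # ESXi650-202010401-SG (assumed build number, verify)
}


def parse_vmware_vl(output):
    """Parse `vmware -vl` output into (major.minor, build number)."""
    m = re.search(r"VMware ESXi (\d+\.\d+)\.\d+ build-(\d+)", output)
    if not m:
        raise ValueError("unrecognised version string")
    return m.group(1), int(m.group(2))


def build_is_vulnerable(version, build):
    """True if the build predates the fix for its release line.

    Release lines with no fix (6.0 and older, end of support) and unknown
    lines are treated as vulnerable rather than silently passed.
    """
    fixed = FIXED_BUILDS.get(version)
    if fixed is None:
        return True
    return build < fixed


def slp_exposed(ruleset_listing):
    """True if the CIMSLP ruleset is enabled in the esxcli ruleset listing."""
    for line in ruleset_listing.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "CIMSLP":
            return parts[1].lower() == "true"
    return False  # ruleset absent: port 427 is not open through the ESXi firewall


def assess(vmware_vl, rulesets):
    """Combine both checks; 'at_risk' is what actually matters to the attacker."""
    version, build = parse_vmware_vl(vmware_vl)
    unpatched = build_is_vulnerable(version, build)
    exposed = slp_exposed(rulesets)
    return {
        "version": version,
        "build": build,
        "unpatched": unpatched,
        "slp_exposed": exposed,
        "at_risk": unpatched and exposed,
    }


# Constructed sample output for an unpatched 6.7 host with SLP still reachable.
SAMPLE_VMWARE_VL = "VMware ESXi 6.7.0 build-16075168\nVMware ESXi 6.7.0 Update 3\n"
SAMPLE_RULESETS = """Name        Enabled
----------  -------
sshServer   true
CIMSLP      true
DHCPv6      false
"""

if __name__ == "__main__":
    print(assess(SAMPLE_VMWARE_VL, SAMPLE_RULESETS))
```

Run it against the real output of the two commands collected from each host; a host that is `unpatched` but not `slp_exposed` has the workaround applied and can be scheduled for patching rather than treated as an emergency.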

ATT&CK Techniques

The techniques and tools below have been observed during DarkSide intrusions.

Initial Access:

  1. Phishing
  2. External Remote Services (VPN/RDP)

Execution:

  1. Cobalt Strike
  2. PsExec
  3. SystemBC

Defense Evasion:

  1. PowerTool64
  2. PCHunter
  3. GMER

PowerTool, PCHunter and GMER are anti-rootkit utilities; the affiliates run them to terminate or unhook antivirus and EDR before deploying the ransomware.

Discovery:

  1. ADRecon
  2. AdFind
  3. NetScan
  4. IP Scanner

Persistence:

  1. net.exe (Windows\System32, used to create accounts)
  2. GPO
  3. Scheduled Tasks

Lateral Movement:

  1. PsExec
  2. RDP
  3. SSH

Exfiltration:

  1. Mega.nz
  2. PuTTY
  3. Rclone
  4. 7-Zip (archiving data before upload)

Impact:

  1. Wwife[.]exe [ransomware payload]
  2. azure_update[.]exe

Command & Control:

  1. Plink
  2. AnyDesk
  3. Cobalt Strike
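Most of the tooling above is visible in process-creation telemetry if you look for it. The script below is an added example, not code from the page: a small rule set run over constructed Sysmon-style process-creation events (Image, CommandLine, Computer, User). The host names, users and paths in SAMPLE_EVENTS are made up, and the ATT&CK technique IDs are this example's own mapping of each tool to the behaviour it is used for.

```python
"""Process-creation detections for DarkSide-style tradecraft (added example).

Runs a small rule set over constructed Sysmon-style process-creation events.
Hosts, users and paths in SAMPLE_EVENTS are made up; the technique IDs are
this example's own mapping of each tool to the ATT&CK behaviour it serves.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str            # ATT&CK technique ID for the behaviour
    image: Optional[str]      # regex on the lower-cased image basename, or None
    cmdline: Optional[str]    # regex on the command line, or None


RULES = [
    Rule("PsExec service push", "T1569.002",
         r"^psexe(c|svc)(64)?\.exe$", None),
    Rule("Local account creation via net.exe", "T1136.001",
         r"^net1?\.exe$", r"\buser\b.*\s/add\b"),
    Rule("Scheduled task creation", "T1053.005",
         r"^schtasks\.exe$", r"\s/create\b"),
    Rule("Anti-rootkit tool used to blind security software", "T1562.001",
         r"^(pchunter(32|64)?|gmer|powertool(64)?)\.exe$", None),
    Rule("AD enumeration with AdFind", "T1087.002",
         r"^adfind\.exe$", None),
    Rule("Cloud exfiltration via Rclone/MEGA", "T1567.002",
         r"^(rclone|megacmd|megasync)\.exe$", r"\b(copy|sync|move)\b"),
    Rule("Reverse tunnel with Plink", "T1572",
         r"^plink\.exe$", r"\s-R\s"),
    Rule("Password-protected archive staging with 7-Zip", "T1560.001",
         r"^7z(a)?\.exe$", r"\s-p\S*"),
]


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()


def match_rules(event):
    """Names of all rules the event satisfies (image AND command-line must match)."""
    hits = []
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    for r in RULES:
        if r.image and not re.search(r.image, image):
            continue
        if r.cmdline and not re.search(r.cmdline, cmd, re.IGNORECASE):
            continue
        hits.append(f"{r.name} [{r.technique}]")
    return hits


def scan(events):
    """(host, finding) pairs over a list of events, in input order."""
    findings = []
    for ev in events:
        for hit in match_rules(ev):
            findings.append((ev["Computer"], hit))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "FS01", "Image": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": r"C:\Windows\PSEXESVC.exe", "User": r"CORP\svc_backup"},
    {"Computer": "FS01", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user spsql P@ssw0rd! /add", "User": r"CORP\svc_backup"},
    {"Computer": "WS17", "Image": r"C:\Users\jdoe\Downloads\PCHunter64.exe",
     "CommandLine": "PCHunter64.exe", "User": r"CORP\jdoe"},
    {"Computer": "FS01", "Image": r"C:\Temp\rclone.exe",
     "CommandLine": r"rclone.exe copy D:\Finance mega:/staging --transfers 20",
     "User": r"CORP\svc_backup"},
    # Benign: net.exe mapping a drive must not fire the account-creation rule.
    {"Computer": "WS17", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use Z: \\FS01\share", "User": r"CORP\jdoe"},
]

if __name__ == "__main__":
    for host, finding in scan(SAMPLE_EVENTS):
        print(host, finding)
```

The rules key on the image name plus a command-line pattern so that legitimate use of the same binary (net.exe mapping a drive, 7-Zip without a password) stays quiet; renamed binaries will evade the image check, which is why the PsExec rule also catches the PSEXESVC service binary that PsExec drops on the target regardless of what the client was called.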

IOC

UNC2659

Indicator                                   Description
173.234.155[.]208                           Login Source

UNC2465

Indicator                                   Description
81.91.177[.]54:7234                         Remote Access
koliz[.]xyz                                 File Hosting
los-web[.]xyz                               EMPIRE C2
sol-doc[.]xyz                               Malicious Infrastructure
hxxp://sol-doc[.]xyz/sol/ID-482875588       Downloader URL
6c9cda97d945ffb1b63fd6aabcb6e1a8            Downloader LNK (MD5)
7c8553c74c135d6e91736291c8558ea8            VBS Launcher (MD5)
27dc9d3bcffc80ff8f1776f39db5f0a4            Ngrok Utility (MD5)

BEACON C2 infrastructure

Indicator                                   Description
104.193.252[.]197:443                       BEACON C2
162.244.81[.]253:443                        BEACON C2
185.180.197[.]86:443                        BEACON C2
athaliaoriginals[.]com                      BEACON C2
lagrom[.]com                                BEACON C2
ctxinit.azureedge[.]net                     BEACON C2
45.77.64[.]111                              Login Source
181ab725468cc1a8f28883a95034e17d            BEACON Sample (MD5)
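Indicators published in this defanged form need two things before they are useful against logs: refanging, and splitting compound indicators so that an IP:port or a URL still matches a record that only carries the bare IP or the host name. The matcher below is an added example, not code from the page; the indicator values are copied from the tables above, and the log lines in SAMPLE_LOGS are constructed DNS, proxy, VPN and EDR records with made-up hosts and users.

```python
"""IOC matcher for the defanged indicators above (added example, not from the page).

Handles two things a naive grep misses: indicators arrive defanged ([.] and
hxxp), and an IP:port or URL indicator should still hit a record that carries
only the bare IP or the host name. Matching is anchored so that 45.77.64.111
does not fire on 145.77.64.111. SAMPLE_LOGS is constructed test data.
"""
import re

# Copied from the tables above (still defanged).
DEFANGED_IOCS = {
    "173.234.155[.]208": "UNC2659 login source",
    "81.91.177[.]54:7234": "UNC2465 remote access",
    "koliz[.]xyz": "UNC2465 file hosting",
    "los-web[.]xyz": "UNC2465 EMPIRE C2",
    "sol-doc[.]xyz": "UNC2465 malicious infrastructure",
    "hxxp://sol-doc[.]xyz/sol/ID-482875588": "UNC2465 downloader URL",
    "104.193.252[.]197:443": "BEACON C2",
    "162.244.81[.]253:443": "BEACON C2",
    "185.180.197[.]86:443": "BEACON C2",
    "athaliaoriginals[.]com": "BEACON C2",
    "lagrom[.]com": "BEACON C2",
    "ctxinit.azureedge[.]net": "BEACON C2",
    "45.77.64[.]111": "login source",
}
KNOWN_HASHES = {
    "6c9cda97d945ffb1b63fd6aabcb6e1a8": "UNC2465 downloader LNK",
    "7c8553c74c135d6e91736291c8558ea8": "UNC2465 VBS launcher",
    "27dc9d3bcffc80ff8f1776f39db5f0a4": "UNC2465 ngrok utility",
    "181ab725468cc1a8f28883a95034e17d": "BEACON sample",
}


def refang(ioc):
    """Reverse the usual defanging: [.] -> . and a leading hxxp -> http."""
    return re.sub(r"^hxxp", "http", ioc.replace("[.]", "."), flags=re.IGNORECASE)


def atoms(ioc):
    """Substrings to search for, derived from one refanged indicator.

    'ip:port' yields the full form plus the bare IP; a URL yields the full
    URL plus its host name, so a DNS log that only has the name still hits.
    """
    out = {ioc}
    m = re.match(r"^(\d{1,3}(?:\.\d{1,3}){3}):\d+$", ioc)
    if m:
        out.add(m.group(1))
    u = re.match(r"^https?://([^/]+)", ioc, flags=re.IGNORECASE)
    if u:
        out.add(u.group(1))
    return out


def build_index():
    """atom -> description; the first indicator to claim an atom keeps it."""
    index = {}
    for ioc, desc in DEFANGED_IOCS.items():
        for atom in atoms(refang(ioc)):
            index.setdefault(atom, desc)
    for h, desc in KNOWN_HASHES.items():
        index.setdefault(h, desc)
    return index


def _present(atom, line):
    # No word/hyphen character may touch either end of the match, so a bare
    # IP or hash only matches as a whole token (a preceding '.' is allowed so
    # sub.domain.tld still matches the domain indicator).
    pat = r"(?<![\w-])" + re.escape(atom) + r"(?![\w-])"
    return re.search(pat, line, flags=re.IGNORECASE) is not None


def scan_logs(lines):
    """(line number, matched indicator, description) for every hit, one per line."""
    index = build_index()
    ordered = sorted(index, key=len, reverse=True)  # longest first: report the URL, not just its host
    hits = []
    for n, line in enumerate(lines, 1):
        for atom in ordered:
            if _present(atom, line):
                hits.append((n, atom, index[atom]))
                break
    return hits


# Constructed sample records (not real logs).
SAMPLE_LOGS = [
    "2021-05-09T02:14:11Z dns client=10.1.4.22 query=ctxinit.azureedge.net type=A",
    "2021-05-09T02:14:13Z proxy user=jdoe GET http://sol-doc.xyz/sol/ID-482875588 200",
    "2021-05-09T02:16:40Z vpn login ok user=svc_backup src=173.234.155.208",
    "2021-05-09T02:17:02Z edr file=C:\\Temp\\ng.exe md5=27dc9d3bcffc80ff8f1776f39db5f0a4",
    "2021-05-09T02:18:55Z proxy user=jdoe GET https://www.example.com/ 200",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(*hit)
```

The VPN record is the one to watch: both clusters' "Login Source" indicators are addresses that authenticated to victims' remote-access services, so they belong in VPN and RDP gateway logs as well as in proxy and DNS data.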

About the author: Cyber Security Aspirant | Security Researcher | Red-Teamer