Darkside Ransomware: Further Threat Associations Unearthed
Posted on 30th Jun, 2021 | By Priya Ravindran
Darkside Ransomware has added two more CVEs to its arsenal alongside two additional APT group associations. Check out our analysis and patch these vulnerabilities before they strike again!
Last month, Darkside ransomware went down in history for causing the single largest disruption in gasoline supply in the United States. The attack was so crippling that fuel prices reached a peak, panic buying was induced, and almost 45% of the East Coast’s fuel supply was cut off. It took a week of reconstruction, alongside FBI involvement and a $5M ransom payment, to bring the supply back online. Subsequently, the FBI recovered about half of the ransom paid after gaining access to the bitcoin account that was used in the transaction.
As recently as July 13, 2021, the popular fashion brand Guess announced that it had fallen victim to an attack by Darkside back in February, and warned of customer data leaks on the Dark Web. The information released included sensitive data such as the company’s financial details, and customers’ Social Security numbers, driver's license numbers, passport numbers, and financial account numbers.
More CVE Findings
In our previous blog, we observed how the Darkside ransomware group utilized two vulnerabilities, CVE-2019-5544 and CVE-2020-3992, to launch their attacks on the Colonial Pipeline. Since then, we have come across more interesting findings about this ransomware.
It has come to light that two additional CVEs are part of the Darkside attack arsenal: CVE-2020-1472 and CVE-2021-20016.
CVE-2021-20016 is a new vulnerability identified earlier this year. It carries a CVSS v3 score of 9.8 and is rated as a critical flaw.
The vulnerability exists across 6 SonicWall Secure Mobile Access (SMA) products, which act as an access gateway through which organizations provide remote access to resources hosted on-premises, in the cloud, and in hybrid data centers.
The Sonicwall advisory has published workarounds for this vulnerability.
CVE-2020-1472, popularly known as the Zerologon vulnerability, is a critical 2020 CVE that has a CVSS v3 score of 10. It can be exploited to gain elevated access to resources.
CVE-2020-1472 is seen in 11 products spread across the vendors Microsoft, Fedora Project, openSUSE, Canonical, Synology, and Samba.
Security updates are available for patching the vulnerability.
In our Ransomware Report 2020, we noted that CVE-2020-1472 was also weaponized by the CryptoMix ransomware family, which is associated with five other ransomware groups.
Two Advanced Persistent Threat (APT) groups, Carbanak and FIN7, are now additionally associated with Darkside. This brings the total number of APT groups using Darkside to five.
From our exposure analysis using Shodan, we can see that there are 2911 deployments of SonicWall SMA 200 firmware and 688 products affected by CVE-2020-1472 currently in use, leaving them vulnerable to attacks.
The Darkside Attack Methodology
The threat actors have been identified using the Tor browser, which creates a multi-hop proxy network. Messages are encrypted in multiple layers using onion routing, allowing for increased anonymity on the Internet. The Darkside ransomware group has also been observed deploying Cobalt Strike as its command-and-control (C2) framework. Cobalt Strike is a collection of threat emulation tools that is seeing more and more adoption by malicious groups.
According to the latest news reports, the Colonial Pipeline attack happened because of leaked credentials for a virtual private network (VPN) account, through which employees remotely accessed the company’s network. While we may not know exactly what VPN weakness led to the breach, the lesson learned is that it is important to ensure the security of the VPNs and other applications we use. This is something CSW has always emphasized and even warned about in our Cyber Risk Series.
Darkside Ransomware MITRE ATT&CK Mapping
The below tactics and techniques are in addition to the previously published MITRE attack mapping details.
T1087 - Account Discovery
T1098 - Account Manipulation
T1027.004 - Compile After Delivery
T1555 - Credentials From Password Stores
T1555.002 - Credentials From Registry
T1486 - Data Encrypted For Impact
T1140 - Deobfuscate/Decode Files or Information
T1055.001 - Dynamic-Link Library Injection
T1190 - Exploit Public-Facing Application
T1133 - External Remote Services
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1490 - Inhibit System Recovery
T1036 - Masquerading
T1090.003 - Multi-hop Proxy
T1027 - Obfuscated Files or Information
T1566 - Phishing
T1059.001 - PowerShell
T1057 - Process Discovery
T1113 - Screen Capture
T1569.002 - Service Execution
T1489 - Service Stop
T1129 - Shared Modules
T1082 - System Information Discovery
T1080 - Taint Shared Content
T1047 - Windows Management Instrumentation
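The mapping above lists impact-stage techniques such as Inhibit System Recovery (T1490) and Service Stop (T1489) alongside PowerShell (T1059.001) and Windows Management Instrumentation (T1047). As an added example that is not part of this post or of CSW's tooling, the following Python scans constructed Sysmon-style process-creation events, tags each with the technique IDs from the mapping, and escalates hosts where T1490 and T1489 appear together; the command-line patterns are assumptions drawn from the public ATT&CK technique descriptions, not indicators taken from the post.

```python
import re

# Constructed sample events in the shape of Sysmon Event ID 1 (process creation); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "cmdline": "net stop MSSQLSERVER /y"},
    {"host": "FS02", "cmdline": "powershell.exe -nop -w hidden -enc QUFBQQ=="},
    {"host": "FS02", "cmdline": "wmic shadowcopy delete"},
    {"host": "WS03", "cmdline": "notepad.exe C:\\Users\\a\\notes.txt"},
]

# Assumed detection patterns (from ATT&CK technique descriptions), keyed to IDs in the mapping above.
RULES = [
    ("T1490", "Inhibit System Recovery",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete"
                r"|bcdedit.*recoveryenabled\s+no", re.I)),
    ("T1489", "Service Stop",
     re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop)\b", re.I)),
    ("T1059.001", "PowerShell",
     re.compile(r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\b", re.I)),
    ("T1047", "Windows Management Instrumentation",
     re.compile(r"\bwmic(\.exe)?\b", re.I)),
]


def match_event(event):
    """Return the ATT&CK technique IDs whose pattern hits this event's command line."""
    return [tid for tid, _name, pat in RULES if pat.search(event["cmdline"])]


def triage(events):
    """Group observed technique IDs per host: {host: set(technique_ids)}."""
    per_host = {}
    for ev in events:
        hits = match_event(ev)
        if hits:
            per_host.setdefault(ev["host"], set()).update(hits)
    return per_host


def escalate(per_host):
    """Hosts where shadow-copy/recovery tampering and service stops co-occur (impact stage)."""
    return sorted(h for h, techs in per_host.items() if {"T1490", "T1489"} <= techs)


if __name__ == "__main__":
    hosts = triage(SAMPLE_EVENTS)
    for host, techs in sorted(hosts.items()):
        print(host, sorted(techs))
    print("escalate:", escalate(hosts))
```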
Has Darkside truly retired? The question remains...
Recent research highlights a new Darkside ransomware variant that exhibits behaviour not seen to date. Found to affect Windows platforms, the new variant seeks out partition information on hard disks to identify hidden data, and can even compromise multi-boot systems.
Fraudsters have also been observed impersonating the Darkside ransomware group in more recent activities, trying to capitalize on the impact of the increase in ransomware incidents. The fact is that remediation following a ransomware attack is a cumbersome process. Organizations need to take proactive measures to ensure they do not fall victim to such attacks.
We can help you analyze your assets and prioritize the vulnerabilities that need to be patched. Avoid becoming a victim to ransomware attacks!