{"id":7543,"date":"2021-05-18T20:30:47","date_gmt":"2021-05-19T03:30:47","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7543"},"modified":"2023-04-05T12:40:19","modified_gmt":"2023-04-05T19:40:19","slug":"darkside-the-ransomware-that-brought-a-us-pipeline-to-a-halt","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/darkside-the-ransomware-that-brought-a-us-pipeline-to-a-halt\/","title":{"rendered":"DarkSide: The Ransomware that Brought a US Pipeline to a Halt"},"content":{"rendered":"
\nOn May 07, 2021, the Colonial Pipeline, which supplies fuel to the US East Coast, went offline after it fell victim to the DarkSide ransomware<\/a>. A ransom of 75 Bitcoins, amounting to $5 M, was reportedly paid to the attackers. <\/a>This attack once again demonstrates the determination of ransomware operators to cause maximum disruption by hitting critical sectors.<\/p>\n<\/blockquote>\n
Vulnerabilities Exploited by DarkSide<\/h3>\n
DarkSide operates as Ransomware-as-a-Service (RaaS): an affiliate program through which attackers who want to target victims can purchase the ransomware. Colonial Pipeline became a victim through two vulnerabilities; here is our analysis:<\/p>\n
\n
- CVE-2019-5544<\/strong>\u00a0is a vulnerability in an open-source component that ships with VMware ESXi 6.5.0 and Red Hat Linux.<\/li>\n
- CVE-2020-3992<\/strong> exists in VMware ESXi 6.7.0, a hypervisor that allows multiple virtual machines to share the same hard drive storage.<\/li>\n
- Both vulnerabilities allow Remote Code Execution (RCE): an attacker on the same network can send malicious Service Location Protocol (SLP) requests to an ESXi host and take control of it.<\/li>\n
- Both vulnerabilities are rated critical, with a CVSS v3 score of 9.8.<\/li>\n
- The Common Weakness Enumeration (CWE) categories behind these vulnerabilities are CWE-787 (Out-of-bounds Write) and CWE-416 (Use After Free).<\/li>\n
- Both weaknesses also feature in MITRE’s Top 25 Most Dangerous Software Weaknesses.<\/li>\n
- These vulnerabilities were highlighted in our recent Ransomware Spotlight Report.<\/a><\/li>\n
- Our research also shows that both vulnerabilities are exploited by another ransomware family, RansomExx.<\/li>\n<\/ul>\n
\n
- DarkSide is now known to be used by three threat groups, UNC2628<\/strong>, UNC2659<\/strong>, and UNC2465<\/strong>, that are currently uncategorized: they are still under research and have yet to be mapped to known threat actors.<\/p>\n<\/li>\n<\/ul>\n
\nPatches for both vulnerabilities (CVE-2019-5544<\/a> and CVE-2020-3992<\/a>) have been available for months, yet many systems remain unremediated. <\/b><\/p>\n<\/blockquote>\n
Global Exposure Analysis<\/h3>\n
Our exposure analysis using Shodan indicates that 23,095 and 30,998 instances of VMware ESXi are still exposed to the internet and may be vulnerable to these attacks if they have not been patched.<\/p>\n
DarkSide MITRE ATT&CK Mapping<\/h3>\n