{"id":7543,"date":"2021-05-18T20:30:47","date_gmt":"2021-05-19T03:30:47","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7543"},"modified":"2023-04-05T12:40:19","modified_gmt":"2023-04-05T19:40:19","slug":"darkside-the-ransomware-that-brought-a-us-pipeline-to-a-halt","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/darkside-the-ransomware-that-brought-a-us-pipeline-to-a-halt\/","title":{"rendered":"DarkSide: The Ransomware that Brought a US Pipeline to a Halt"},"content":{"rendered":"<blockquote>\n<p style=\"text-align: justify;\">On May 07, 2021, the Colonial Pipeline that supplies fuel to the US&#8217;s east coast area went offline after it fell victim to the <a href=\"https:\/\/cybersecurityworks.com\/blog\/ransomware\/darkside-ransomware-threat-associations-unearthed.html\" target=\"_blank\" rel=\"noopener\">DarkSide Ransomware<\/a>. <a href=\"https:\/\/www.cnet.com\/news\/colonial-pipeline-reportedly-paid-5m-to-hackers-after-ransomware-attack\/\">A ransom of 75 Bitcoins amounting to $5 M was reportedly paid to the hackers. <\/a>This attack demonstrates again the determined efforts of ransomware attackers to create the maximum disruption by hitting critical sectors.<\/p>\n<\/blockquote>\n<h3 dir=\"ltr\" style=\"text-align: justify;\">Vulnerabilities Exploited by DarkSide<\/h3>\n<p dir=\"ltr\" style=\"text-align: justify;\">DarkSide operates as Ransomware-as-a-Service (RaaS), providing an affiliate service to attackers who wish to purchase ransomware to target victims. Colonial Pipeline became a victim through two vulnerabilities, and here is our analysis:<\/p>\n<ul dir=\"ltr\">\n<li style=\"text-align: justify;\" role=\"presentation\"><strong>CVE-2019-5544<\/strong>\u00a0is an open-source vulnerability that exists in VMware ESXi 6.5.0 and Red Hat Linux.<\/li>\n<li style=\"text-align: justify;\" role=\"presentation\"><strong>CVE-2020-3992<\/strong> exists in VMware ESXi 6.7.0, a hypervisor solution that allows multiple virtual machines to share the same hard drive storage.<\/li>\n<li style=\"text-align: justify;\" role=\"presentation\">Both vulnerabilities have Remote Code Execution (RCE) capabilities that allow an attacker on the same network to send malicious service location protocol (SLP) requests to an ESXi device and take control of it.<\/li>\n<li style=\"text-align: justify;\" role=\"presentation\">These vulnerabilities are rated critical with a CVSS V3 score of 9.8.<\/li>\n<li style=\"text-align: justify;\" role=\"presentation\">The Common Weakness Enumeration (CWE) that introduced these vulnerabilities into the product are CWE-787 and CWE-416.<\/li>\n<li style=\"text-align: justify;\" role=\"presentation\">They also feature in MITRE&#8217;s Top 25 as the most dangerous weaknesses.<\/li>\n<li style=\"text-align: justify;\" role=\"presentation\">These vulnerabilities were highlighted in our recent <a href=\"https:\/\/cybersecurityworks.com\/resources\/whitepapers\/ransomware-index-update-q1-2021.html\">Ransomware Spotlight Report.<\/a><\/li>\n<li style=\"text-align: justify;\" role=\"presentation\">Our research also shows that both vulnerabilities are used by another ransomware family, the RansomExx family.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/cybersecurityworks.com\/ransomware\/\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" class=\"aligncenter\" style=\"width: 800px; height: 230px; margin: 1px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/img1(12).png\" alt=\"\" \/><\/a><\/p>\n<ul dir=\"ltr\">\n<li aria-level=\"1\">\n<p dir=\"ltr\" style=\"text-align: justify;\" role=\"presentation\">It is now known that DarkSide is being used by three APT groups, <strong>UNC2628<\/strong>, <strong>UNC2659<\/strong>, and <strong>UNC2465,<\/strong>\u00a0that are currently uncategorized. These uncategorized APT groups are still under research and are yet to be mapped to existing threat groups.<\/p>\n<\/li>\n<\/ul>\n<blockquote>\n<p style=\"text-align: justify;\">Patches for both the vulnerabilities (<a href=\"https:\/\/www.vmware.com\/security\/advisories\/VMSA-2019-0022.html\">CVE-2019-5544<\/a> and <a href=\"https:\/\/www.vmware.com\/security\/advisories\/VMSA-2020-0023.html\">CVE-2020-3992<\/a>) have been available for months and yet they are not being remediated.<b> <\/b><\/p>\n<\/blockquote>\n<h3 dir=\"ltr\" style=\"text-align: justify;\">Global Exposure Analysis<\/h3>\n<p dir=\"ltr\" style=\"text-align: justify;\">Our exposure analysis using Shodan indicates there are still 23,095 and 30,998 instances of VMware ESXi exposed to the internet and may be vulnerable to these attacks if they are not patched.<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" class=\"aligncenter\" style=\"width: 700px; height: 445px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/img2(7).png\" alt=\"\" \/><\/p>\n<h3 dir=\"ltr\">DarkSide MITRE ATT&amp;CK Mapping<\/h3>\n<table style=\"display: block; overflow-x: scroll;\" border=\"1\" cellspacing=\"0.5\" cellpadding=\"1\">\n<tbody>\n<tr>\n<td style=\"text-align: center; white-space: nowrap;\"><b id=\"docs-internal-guid-12a166b5-7fff-b8a5-0ca5-a9151db86158\">MITRE ATT&amp;CK<\/b><\/td>\n<td style=\"text-align: center; white-space: nowrap;\"><b id=\"docs-internal-guid-eb4ee568-7fff-db98-d2aa-a6c421fc3e05\">IOC<\/b><\/td>\n<\/tr>\n<tr>\n<td style=\"white-space: nowrap;\">\n<p dir=\"ltr\" style=\"text-align: left;\"><strong>T1112<\/strong> &#8211; Modify Registry<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\"><strong>T1012<\/strong> &#8211; Query Registry<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\"><strong>T1082<\/strong> &#8211; System Information Discovery<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\"><strong>T1120<\/strong> &#8211; Peripheral Device Discovery<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\"><strong>T1005<\/strong> &#8211; Data from Local System<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\"><strong>T1486<\/strong> &#8211; Data Encrypted for Impact<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\"><strong>T1543.003<\/strong> &#8211; Create or Modify System Process: Windows Service<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\"><strong>T1490<\/strong> &#8211; Inhibit System Recovery<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\"><strong>T1553.004<\/strong> &#8211; Subvert Trust Controls: Install Root Certificate<\/p>\n<p dir=\"ltr\" style=\"text-align: left;\"><strong>T1078<\/strong> &#8211; Valid Accounts<\/p>\n<\/td>\n<td style=\"vertical-align: top; text-align: left; width: 30%;\">\n<p dir=\"ltr\"><strong>MD5<\/strong>: 9d418ecc0f3bf45029263b0944236884<br \/>\n<strong>SHA256<\/strong>: 151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<blockquote>\n<p style=\"text-align: justify;\">As of May 17, DarkSide ransomware has shut down its Ransomware-as-a-Service affiliate program, bowing down to political pressure. Its servers have been seized and cryptocurrency account drained by unknown sources.<\/p>\n<\/blockquote>\n<h3 style=\"text-align: justify;\">Can We Prevent Another Disruptive Ransomware Attack?<\/h3>\n<p dir=\"ltr\" style=\"text-align: justify;\">Yes! Organizations need to take a risk-based vulnerability management approach and get a ransomware assessment for their attack surface and ransomware exposure.<\/p>\n<blockquote>\n<p dir=\"ltr\">Our research shows that attackers are using 260 vulnerabilities, out of which 132 are active exploits trending right now, to deploy ransomware.<\/p>\n<\/blockquote>\n<p dir=\"ltr\" style=\"text-align: justify;\">Securin\u2019s path-breaking report <a href=\"https:\/\/cybersecurityworks.com\/pdf\/ransomware\/Spotlight_Ransomware2021.pdf\">Ransomware Spotlight 2021<\/a> is powered by Vulnerability Intelligence (VI), a knowledge base of vulnerabilities used by ransomware, APT groups, and nation-state actors. Enriched by Securin\u2019s security researchers, this data is a single source of truth for ransomware, providing additional context and appropriate remediation information to fix vulnerabilities. This database also powers the <a href=\"https:\/\/cybersecurityworks.com\/resources\/datasheets\/ransomware-defense-review.html\">Ransomware Assessment<\/a> that we offer organizations to proactively identify vulnerabilities that attackers target to mount a ransomware attack!<\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\"><img decoding=\"async\" class=\"aligncenter\" style=\"width: 900px; height: 305px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/img3(11).png\" alt=\"\" \/><\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\">Ransomware is evolving in new ways. Its use has become mainstream and now is offered as Ransomware as a Service. When we published our report in February 2021, the vulnerabilities associated with ransomware were 223. This number increased to 260 (17%) during the first quarter of 2021. We are seeing an overall increase in the number of active exploits, ransomware families, CWEs, new products, and vendors that are tied to ransomware.<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" class=\"aligncenter\" style=\"width: 600px; height: 305px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/post-1-1.png\" alt=\"\" \/><span style=\"text-align: justify;\">Our recommendation to sectors like energy, power, water, and healthcare would be to assess susceptibility to ransomware and take proactive measures to defend their attack surface from further crippling attacks.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><strong>{Updated on October 18, 2021}:<\/strong> On October 06, 2021, researchers noticed an unnamed gang using a novel method to attack VMware ESXi servers, using an uber-fast Python script-based ransomware. The ransomware attack took less than three hours from initial access to encryption, something previously unheard of. Though the Python ransomware is just 6KB in size, it can do quite a lot of damage.\u00a0<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\"><span style=\"font-size: 14px;\">The use of a Linux variant ransomware on ESXi servers is nothing new. In July, REvil was noted for using a Linux variant to target the much-exploited ESXi vulnerabilities. That was quickly followed by HelloKitty and DarkSide ransomware. The BlackMatter ransomware group, an offspring of the DarkSide gang, was <a href=\"https:\/\/www.govinfosecurity.com\/how-ransomware-attackers-hit-virtual-machine-hypervisors-a-17675\" target=\"_blank\" rel=\"noopener\">reportedly<\/a> still using the Linux variant of the malware used by DarkSide to target ESXi servers.\u00a0<\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\"><span style=\"font-size: 16px;\"><strong>We, therefore, urge organizations to harden the security on their ESXi servers or other hypervisors to secure and limit the attack surface.<\/strong><\/span><\/p>\n<p style=\"text-align: center;\">As of today, our research has associated 260 vulnerabilities with ransomware. Remediating and patching these vulnerabilities on priority could have averted the<a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/largest-us-pipeline-shuts-down-operations-after-ransomware-attack\/\"> Colonial Pipeline <\/a>attack.<\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><span style=\"font-size: 18px;\"><b id=\"docs-internal-guid-4836d69a-7fff-a041-133e-d8ed09d701d4\"><a href=\"https:\/\/cybersecurityworks.com\/get-quote.php\">Get a Ransomware Assessment<\/a> and avoid paying millions of dollars as ransom.<\/b><\/span><\/p>\n<p dir=\"ltr\">\n","protected":false},"excerpt":{"rendered":"<p>As of today our research has associated 260 vulnerabilities to ransomware. Remediating and patching these vulnerabilities on priority could have averted the Colonial Pipeline attack.<\/p>\n","protected":false},"author":1,"featured_media":7534,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":""},"categories":[82,80,81,117],"tags":[352,389,381,357,91,405,250],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7543"}],"collection":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/comments?post=7543"}],"version-history":[{"count":8,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7543\/revisions"}],"predecessor-version":[{"id":14732,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7543\/revisions\/14732"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media\/7534"}],"wp:attachment":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media?parent=7543"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/categories?post=7543"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/tags?post=7543"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}