OVERVIEW
The cyberattack recently threatened the entire US fuel supply infrastructure and demanded a huge Ransome. A Colonial pipeline that supplies fuel to the US’s east coast area over 5,500 miles long and can carry 3 million barrels of fuel per day between Texas and New York. It is operated by Colonial Pipeline Company, which is headquartered in Alpharetta, Georgia.
Attacker targeted the unpatched Vulnerability and successfully exploited the entire infrastructure and made the function offline.
Ransomware are became the new trend of 2021, its been more usual for attacker to leverage the infrastructure and encrypt it and demand huge amount of Ransom according to the recent statistic by Check Point research
“The ransomware attacks around the globe have gone up by 102 percent in 2021 compared to 2020. Further, the statistics reveal that India is the most impacted country with 213 weekly ransomware attacks per organization which is 17 percent up from the beginning of the year.”
Who Are Darkside
An unidentified East European-based hacker group who typically provides RAAS [Ransomware As A Service] It has been officially started in Aug 2020, A group that has taken responsibility for the recent Colonial Pipeline attack and demanded nearly $90 million in bitcoin.
Vulnerabilities
The attacker who actively exploited the below listed to CVE to successfully intrusion within
- CVE-2019-5544
OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range with maximum CVSSv3 base score of 9.4.
- CVE-2020-3992
OpenSLP as used in VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202010401-SG, 6.5 before ESXi650-202010401-SG) has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.
Att&ck Technique
The below listed technique are been observed during the attack
Initial access :
- Phishing
- External Remote Access
Execurtion:
- Cobalt strike
- PSExec
- SystemBC
Defence Evasion:
- Powertool64
- PCHunter
- GMER
Discovery:
- ADRecon
- ADFind
- NetScan
- IP Scanner
Persistence:
- Windows\sys32\net.exe
- GPO
- Scheduled Tasks
Lateral movement:
- PSExec
- RDP
- SSH
Exfiltration
- Meg.nz
- puTTy
- Rclone
- 7zip:
Impact:
- Wwife[.]exe [Ransomeware]
- azure_update[.]exe
Command & Control:
- Plink
- AnyDesk
- Combalt Stike
IOC
UNC2659
| Indicator | Description |
| 173.234.155[.]208 | Login Source |
UNC2465
Ngrok Utility
| Indicator | Description |
| 81.91.177[.]54 :7234 | Remote Access |
| koliz[.]xyz | File Hosting |
| los-web[.]xyz | EMPIRE C2 |
| sol-doc[.]xyz | Malicious Infrastructure |
| hxxp://sol-doc[.]xyz/sol/ID-482875588 | Downloader URL |
| 6c9cda97d945ffb1b63fd6aabcb6e1a8 | Downloader LNK |
| 7c8553c74c135d6e91736291c8558ea8 | VBS Launcher |
| 27dc9d3bcffc80ff8f1776f39db5f0a4 |
| Indicator | Description |
| 104.193.252[.]197:443 | BEACON C2 |
| 162.244.81[.]253:443 | BEACON C2 |
| 185.180.197[.]86:443 | BEACON C2 |
| athaliaoriginals[.]com | BEACON C2 |
| lagrom[.]com | BEACON C2 |
| ctxinit.azureedge[.]net | BEACON C2 |
| 45.77.64[.]111 | Login Source |
| 181ab725468cc1a8f28883a95034e17d | BEACON Sample |
Reference
- https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636
- https://www.youtube.com/watch?v=_rXAqOsVcc8
- https://cybersecurityworks.com/blog/ransomware/darkside-the-ransomware-that-brought-a-us-pipeline-to-a-halt.html?utm_source=Social_media&utm_medium=Social_media&utm_campaign=darkside_ransomware
- https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwi0q5jvtdfwAhUM8HMBHWkTB28QFjABegQIAhAD&url=https%3A%2F%2Fwww.splunk.com%2Fen_us%2Fblog%2Fsecurity%2Fthe-darkside-of-the-ransomware-pipeline.html&usg=AOvVaw2BrO6sgE79M7HJ4peTyMB0
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html