- On Tuesday, FireEye researchers documented five separate clusters of activity suspected of being connected to DarkSide, the Ransomware-as-a-Service (RaaS) network responsible for the Colonial Pipeline security incident.
- So far, FireEye has tracked five threat actors who are either current or past DarkSide RaaS affiliates.
- RaaS subscribers are given access to custom malware — in this case, the DarkSide ransomware variant — in return for developers receiving a slice of any ransom payment profits.
- FireEye has described the current activities of three out of the five linked groups, tracked as UNC2628, UNC2659, and UNC2465.
- UNC2628: tend to move quickly from initial infection to ransomware deployment and may only lurk on a compromised network for two to three days before starting encryption.
- Suspicious authentication attempts, brute force attacks, and ‘spray and pray’ tactics are common, and this threat actor may also acquire initial access through legitimate credentials for corporate virtual private networks (VPNs), which can be purchased from other cybercriminals online.
- UNC2628 is thought to partner with other RaaS services including REvil and Netwalker.
- UNC2659 exploits CVE-2021-20016 to obtain initial access, a now-patched vulnerability in the SonicWall SMA100 SSL VPN, a service designed for mobile workers.
- “There is some evidence to suggest the threat actor may have used the vulnerability to disable multi-factor authentication options on the SonicWall VPN, although this has not been confirmed,” FireEye says.
- TeamViewer is abused to maintain persistence on a compromised machine and the group exfiltrates files before encryption.
- UNC2465 uses phishing emails to deliver DarkSide via the Smokedham .NET backdoor. In a case documented by FireEye, initial access to a network was obtained months ahead of ransomware execution.
- Smokedham also supports the execution of arbitrary .NET commands, keylogging, and screenshot generation. The NGROK utility is used by the threat actors to circumvent firewalls and expose remote desktop service ports.
– Charlie Osborne | May 12, 2021