
7 Major Cyber Attacks in 2021 and Lessons Learned to Strengthen Your Defenses in 2022

Cyber attackers continued to successfully target organizations in all sectors and of all sizes during 2021. The biggest cyber attacks in 2021 resulted in damaging financial, reputational, and even societal consequences. Security leaders and teams should use the lessons learned from high-profile attacks to improve their organization’s security posture. Let’s look at 7 major cyber attacks in 2021 and the key lessons to learn from them.

The 2021 Cyber Attack Landscape

Threat actors continued to take advantage of additional security vulnerabilities created by the rapid pandemic-induced change to remote work. When remote work was a factor in data breaches during 2021, one study found the cost per breach increased by $1 million per incident.

Ransomware remains one of the most significant cybersecurity threats with targets ranging from critical infrastructure to large enterprises to police departments. According to one report, 37 percent of organizations surveyed were hit by ransomware attacks in 2021.

Ransomware gangs now regularly use double extortion techniques. Not content with just encrypting important files or endpoints, in double extortion attacks, adversaries exfiltrate sensitive data before delivering ransomware payloads. The added incentive to pay the ransom comes from the threat of sensitive data being published on the Dark Web.

Another worrying trend in several 2021 cyber attacks was a focus on disrupting or infiltrating supply chains. Malicious actors target supply chains because they know that the downstream effects can hit multiple organizations or even result in supply shortages of critical goods and services.

2021 Cyber Attacks That Shook the World

Bearing this landscape in mind, here is a run-through of seven high-profile incidents that made global media headlines.

1. Colonial Pipeline

The Colonial Pipeline 2021 cyber attack concerned the information security community, consumers, and government agencies. Colonial Pipeline transports diesel, jet fuel, and gasoline across a 5,500-mile journey starting in Houston and terminating in New York. In May 2021, an Eastern European ransomware group known as DarkSide managed to infiltrate Colonial Pipeline’s billing system.


Fearing an eventual lateral movement traversing the boundary between IT and operational technology (OT), the company halted all pipeline operations to contain the attack. The operational disruption lasted five days while Colonial Pipeline responded to the incident.

Part of the response involved paying a $4.4 million ransom to the ransomware gang. The FBI managed to recover a portion of this ransom in the aftermath. The concern around this breach was elevated by media images of panicked motorists queueing to stock up on gasoline because they feared an extended fuel shortage.

Subsequent investigations into the cyber attack on Colonial Pipeline found that the initial attack vector was a stolen password used to log in to a legacy VPN. The threat actors likely found the stolen password in a Dark Web leak list from a previous data breach. The Colonial Pipeline’s CEO, Joseph Blount, had to testify in front of the Senate Homeland Security and Governmental Affairs Committee about how the company handled this attack.

Lessons Learned:

  • Multifactor authentication is critical: In his testimony, Mr. Blount said that the hacked VPN account only had single-factor authentication. In today’s threat landscape, depending on passwords alone to secure access to accounts is very risky.
  • Poor password hygiene is still common: hackers used stolen credentials to log in to a VPN account. Aside from highlighting the vulnerabilities in relying on passwords, this attack shows how poor password hygiene, such as using passwords across multiple services and apps, remains commonplace. Better cyber awareness and training can combat this issue.
  • 24/7 monitoring is key: detecting events like suspicious use of VPNs, credential abuse, and policy violations around the use of remote access applications helps prevent compromises.

2. Accellion

Accellion provides file sharing and team collaboration tools to organizations that are reported to include Morgan Stanley, Shell Oil Company, Kroger, Health Net, Stanford University, and many others. In December 2020 and January 2021, one of the company’s legacy tools, Accellion File Transfer Appliance (FTA), became compromised with multiple zero-day vulnerabilities exploited by UNC2546 and UNC258, two threat actors with links to the Clop and Fin11 ransomware gangs.

In healthcare alone, over 11 organizations were impacted by this supply chain attack. A zero-day attack is particularly challenging because it exploits previously unknown vulnerabilities for which no fix yet exists.

Lessons Learned:

  • The importance of vulnerability management and patching: Speed is critical when patching zero-day vulnerabilities with known exploits. Risk-based vulnerability management tools and services can help organizations prioritize the patching of assets based on risk and context.
  • The need for data exfiltration protection: In addition to double-extortion ransomware attacks, this supply chain attack demonstrated that threat actors see data exfiltration as the ultimate prize. It is important for organizations to detect precursors of data exfiltration and behavior anomalies and automate containment actions to prevent loss of data.

3. JBS

JBS is the world’s largest meat processor with reported annual sales of $50 billion and over 230,000 employees.

On Sunday, May 30, JBS USA discovered it was the victim of a ransomware attack that affected some of the servers supporting its U.S., Australian and Canadian IT systems. The company suspended all affected systems, then contacted law enforcement.


Assistance from the FBI helped to confirm that the prolific REvil ransomware operation was responsible for the JBS meat cyber attack. In a statement made to the media, JBS announced the payment of an $11 million ransom to REvil in an attempt to mitigate the risk of sensitive stolen data being published online.

Since the attack did not affect JBS’ backup data or core systems the company was able to recover from the attack in a few days with minimal disruption to the supply chain. JBS issued press releases on May 30, June 1, June 2, and June 3 to keep customers and the public apprised of the status of the incident.

Lessons Learned:

  • Backup strategies still work: Some security commentators argue that backup strategies are redundant in a world where data exfiltration is the main goal of malicious actors. However, the ability to restore normal operations quickly after a cyber attack is imperative, particularly in critical industries such as meat processing upon which much of the world depends for survival. Just backing up systems and data is not sufficient. You also must take steps to protect your backup files from attempts to delete them.
  • Early detection and response: More detailed investigations into the JBS attack found that data exfiltration began after leaked credentials were exploited as far back as February 2021. Early detection and response could have played a crucial role in thwarting attackers while they were in the network. Perimeter-focused controls are no longer sufficient for defending against attacks; security teams lacking internal resources can turn to managed detection and response.
  • Incident Response Plan: Having a written Incident Response (IR) plan and routinely practicing the process makes a difference. JBS effectively engaged the appropriate government entities and third-party consultants who assisted with the forensic and remediation work.

4. Brenntag

In April of 2021, Brenntag, a German chemical distribution company, became yet another victim of DarkSide ransomware. Brenntag employs more than 17,000 people worldwide, and the company reported over $14 billion of revenue in 2019.

In yet another double extortion attack, DarkSide managed to exfiltrate 150 gigabytes of data from the North American division of Brenntag’s network. After data exfiltration, the Brenntag ransomware payload encrypted multiple devices and files on the company’s network using the Salsa20 file encryption algorithm.

The immediate response to the Brenntag ransomware attack focused on containing the threat by disconnecting affected systems from the network. The company also paid a $4.4 million ransom in return for both a decryption key and not having sensitive data belonging to 6,700 individuals published online. The sensitive data included birthdates, Social Security Numbers, driver’s license numbers, and health data.


Credential theft appeared to play a prominent role in this attack. A ransom note seen by security researchers at Bleeping Computer alluded to the fact that threat actors “bought access to the network”.

Lessons Learned:

  • Stolen credentials are a big problem: Initial network access via stolen credentials was a common theme in several 2021 cyber attacks. Mitigation requires a multi-pronged approach that includes multi-factor authentication, ongoing cyber education, and regularly mandating password changes.
  • The paradox of cyber attacks: Threat actors often deploy sophisticated tools and techniques to evade detection once inside networks; however, the methods they use to gain initial access often exploit incredibly basic cybersecurity flaws.

5. Volkswagen and Audi


Volkswagen has consistently been one of the top-selling automotive brands. In June 2021, details emerged of a significant data breach both at Volkswagen and Audi, one of the Volkswagen Group’s luxury line of vehicles. The breach exposed information belonging to 3 million customers.

For the majority of customers, the leaked details were basic and non-sensitive. However, at least 90,000 people were contacted about sensitive data exposure, including driver’s license numbers, Social Security numbers, and dates of birth.

A spokesperson indicated the Volkswagen data breach stemmed from a compromise at a third-party vendor used by the company. Vice magazine reported that a hacker obtained the data by scanning the Internet for unsecured Microsoft Azure Blobs, which are used to store unstructured data in the cloud.

Lessons Learned:

  • Third-party risks: Volkswagen trusted another vendor with its valuable customer data, but that same vendor failed to implement such a basic practice as securing all data stored in the cloud. Third-party risk management is crucial to avoid breaches like this one.
  • The need for data visibility: You cannot protect sensitive data when you do not know where it is stored or how it is secured. Comprehensive data visibility may have mitigated the possibility of this Volkswagen data breach from happening.

6. HSE Ireland

The Health Service Executive runs Ireland’s public health system. Over 67,000 direct employees help to maintain the health of Ireland’s populace. Several severe Covid-19 outbreaks stressed Ireland’s health system in 2021, and a ransomware attack in May came at the most unwelcome of times.

The installation of a ransomware payload by Conti threat actors completed a two-month operation that severely impacted the HSE’s IT infrastructure. The immediate aftermath of the HSE cyber attack resulted in healthcare professionals losing access to IT systems, including patient information systems, clinical care systems, and laboratory systems.

Equally as severe as this disruption to important health services was the exfiltration of sensitive healthcare data belonging to 1,000 patients. During negotiations about a ransom, Conti gang members began leaking patient data for up to 520 individuals on the Dark Web.

A detailed incident report found that the HSE cyber attack started in March 2021 when an employee clicked and opened a malicious Excel attachment. This attachment provided remote access to the HSE’s IT environment. Threat actors used Cobalt Strike, a penetration testing tool, to escalate their privileges on the originally compromised workstation.

Lessons Learned:

  • The need for threat intelligence: Robust threat intelligence and discovery helps detect tools like Cobalt Strike and stop similar incidents in their tracks.
  • The danger of phishing: Phishing emails with malicious attachments provide low-hanging fruit for adversaries to infiltrate your network. Robust email security software and employee training reduce the risk of malicious attachments or users being enticed to visit infected websites.

7. CNA Financial

Last but not least in our overview of 7 of the major 2021 cyber attacks is an attack that resulted in one of the largest ransom payments. CNA Financial, one of the biggest insurance companies in the United States, was hit by a March 2021 ransomware attack that encrypted up to 15,000 systems. The threat actors used a ransomware strain known as Phoenix CryptoLocker.


The attack began when an employee downloaded a fake browser update from a genuine website onto his/her workstation. Additional malicious activity helped to elevate privileges from the workstation to get network-wide administrative access. The final ransomware payload took down so much of the company’s IT infrastructure that executives felt they had no other option but to pay for the decryption key. The $40 million CNA Financial ransom payment set a record at the time that remains today.

Lessons Learned:

  • The value of detection and response capabilities: With seemingly no functioning backup strategy in place to restore encrypted devices and files, this incident underscores the value of detection and response capabilities. By emphasizing defense-in-depth, businesses can detect and respond to cyber attacks much faster and limit their effects.
  • Some companies still pay: Despite government admonitions against paying ransom demands, several large companies paid substantial sums to hackers in 2021; none were more substantial than the $40 million CNA Financial ransom. It is recommended that IT leadership prepare for this possibility by discussing options with management and their cyber insurance provider.

2021 Cyber Attacks Conclusion

There are many lessons to take forward from this list of seven major cyber attacks in 2021. Basic security flaws can provide hackers with an easy route into networks, even those belonging to the largest enterprises with the highest security investments. Despite the ease of initial entry, a common thread here is that detection and response capabilities are critical to detecting and preventing breaches.

Businesses stand to gain a far more robust security posture by investing in managed detection and response (MDR). Ready-made expertise in threat intelligence, detection, and response awaits businesses that allocate some of their security budget to MDR services.

Contact Proficio today to see how our leading MDR solution helps businesses like yours defend against cyber threats.

DarkSide Ransomware

Overview | Darkside Ransomware

DarkSide ransomware was first discovered in the wild in August 2020. It is run as a Ransomware-as-a-Service (RaaS), whereby affiliates are able to deploy the ransomware for a fee or a cut of the proceeds from successful ransom payments.

The DarkSide ransomware group was brought to mainstream attention due to the recent ransomware attack against Colonial Pipeline. The Proficio Threat Intelligence Team posted information and articles about the Colonial Pipeline attack in our Twitter Feed. Below, we provide more detailed findings based on our research of DarkSide ransomware.

What We Know About the DarkSide Ransomware Group

DarkSide ransomware group attacks are highly targeted, and affiliates are able to customize the ransomware executable for the specific organization they are attacking. Organizations that are targeted typically have the finances to pay large ransom amounts. After the attack on Colonial Pipeline, the DarkSide ransomware group publicly stated that they are apolitical and that their goal “is to make money, not create problems for society”.

However, affiliates are not allowed to attack organizations from the following sectors:

  • Healthcare
  • Funeral services
  • Education
  • Public sector
  • Non-profit organizations
  • Government sector

The DarkSide ransomware group also has a website where they publish data stolen from victims who refuse to pay the ransom. This is a method of further pressuring victims to pay, following a trend observed among ransomware operations throughout 2020, including DoppelPaymer and REvil/Sodinokibi.

How DarkSide Ransomware Attacks Work

The initial entry method of DarkSide ransomware attacks can vary depending on the affiliate carrying out the attack. There is currently no public information on the initial entry method used in the attack on Colonial Pipeline, however example methods observed from past DarkSide ransomware attacks include:

  • Exploiting hardware/software vulnerabilities
  • Exploiting remote access services (such as RDP)
  • Accessing the victim’s network using legitimate credentials, obtained by:
    • Phishing attacks
    • Password attacks (such as password spraying)
    • Purchasing from a third-party source

After gaining access to the victim’s environment, the attackers will move laterally throughout the network and perform internal reconnaissance to gather information before encrypting data. The following have been observed being utilized in previous attacks for reconnaissance/lateral movement:

  • PSExec
  • RDP connections
  • SSH
  • Mimikatz
  • Cobalt Strike
  • BloodHound

Information gathered during internal reconnaissance also includes credentials stored in files, in memory and on domain controllers; the stolen credentials are then used to access privileged accounts. PowerShell commands are executed to delete shadow copies, which wipes backups and file snapshots to prevent recovery.

Stolen data is exfiltrated before deploying DarkSide ransomware to encrypt the victim’s files. Upon successful encryption, the ransomware appends a victim’s ID as an extension to file names. A ransom note with the naming convention of “README.[victim’s_ID].TXT” is dropped onto the victim’s device with instructions for the victim to access a Tor website using a Tor browser to pay the ransom – and if unpaid, they threaten to publish the stolen data.

Figure 1 - Example of a DarkSide ransom note (image not reproduced)
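As an added example that is not Proficio's code, the following Python script applies the on-disk behaviour described above to a file listing: it looks for a large group of files carrying the same appended victim-ID extension and checks whether a README.[victim's_ID].TXT note with a matching ID is present. The listing, the victim IDs, the assumption that an ID is alphanumeric, and the list of normal secondary extensions are all constructed for illustration.

```python
"""Hunt for DarkSide-style encryption artifacts in a file listing.

Added example, not Proficio's code. It looks for the two on-disk traits described
above: files renamed with an appended victim-ID extension, and a ransom note
README.<victim_ID>.TXT whose ID matches that extension. Paths are constructed.
"""
import re
from collections import defaultdict

# Ransom note naming convention from the write-up: README.[victim's_ID].TXT
# (assumption for this example: the ID is alphanumeric)
NOTE_RE = re.compile(r"^README\.([A-Za-z0-9]+)\.TXT$", re.IGNORECASE)

# Normal second extensions in "name.ext.ext" file names; assumed list, not victim IDs
KNOWN_SECOND_EXTS = {"gz", "bz2", "xz", "zip", "bak", "old", "tmp", "log", "json", "txt"}

SAMPLE_LISTING = [  # constructed for this example; victim IDs are invented
    r"C:\Shares\Finance\Q1-report.xlsx.a1b2c3d4",
    r"C:\Shares\Finance\budget.docx.a1b2c3d4",
    r"C:\Shares\Finance\vendors.csv.a1b2c3d4",
    r"C:\Shares\Finance\README.a1b2c3d4.TXT",
    r"C:\Shares\HR\payroll.xlsx.a1b2c3d4",
    r"C:\Shares\HR\handbook.pdf.a1b2c3d4",
    r"C:\Shares\HR\README.a1b2c3d4.TXT",
    r"C:\Shares\IT\backup-2021-05.tar.gz",   # benign double extension
    r"C:\Shares\IT\backup-2021-04.tar.gz",
    r"C:\Shares\IT\inventory.xlsx",
    r"C:\Shares\Eng\design.vsdx.zz99zz99",   # encrypted, but no note dropped yet
    r"C:\Shares\Eng\specs.docx.zz99zz99",
    r"C:\Shares\Eng\notes.txt.zz99zz99",
    r"C:\Shares\Eng\bom.xlsx.zz99zz99",
    r"C:\Shares\Eng\roadmap.pptx.zz99zz99",
]


def split_appended_id(name):
    """For 'budget.docx.a1b2c3d4' return ('docx', 'a1b2c3d4'); otherwise None."""
    parts = name.rsplit(".", 2)
    if len(parts) != 3 or not parts[0]:
        return None
    _, ext, tail = parts
    if not (ext.isalnum() and tail.isalnum()) or tail.lower() in KNOWN_SECOND_EXTS:
        return None
    return ext, tail


def find_encryption_artifacts(paths, min_hits=5):
    """Group files by appended ID; an ID is confirmed when a matching note exists.

    Returns (confirmed, suspect): dicts keyed by victim ID holding the renamed files
    and any matching ransom notes. IDs seen on fewer than min_hits files are ignored,
    which keeps a single oddly named file from raising an alert.
    """
    notes, renamed = defaultdict(list), defaultdict(list)
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        note = NOTE_RE.match(name)
        if note:
            notes[note.group(1).lower()].append(path)
            continue
        split = split_appended_id(name)
        if split:
            renamed[split[1].lower()].append(path)
    confirmed, suspect = {}, {}
    for vid, files in renamed.items():
        if len(files) < min_hits:
            continue
        bucket = confirmed if vid in notes else suspect
        bucket[vid] = {"files": files, "notes": notes.get(vid, [])}
    return confirmed, suspect


if __name__ == "__main__":
    confirmed, suspect = find_encryption_artifacts(SAMPLE_LISTING)
    for vid, ev in confirmed.items():
        print(f"CONFIRMED id={vid}: {len(ev['files'])} renamed files, {len(ev['notes'])} notes")
    for vid, ev in suspect.items():
        print(f"SUSPECT   id={vid}: {len(ev['files'])} renamed files, no ransom note seen")
```

A "suspect" group with no note is worth treating as encryption in progress rather than a false positive, since the note is dropped after the files are encrypted.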

Known DarkSide Affiliates

As previously mentioned, DarkSide ransomware can be used by different affiliates and as such, different Darkside attacks can utilize different tools and tactics depending on the affiliate. Below are examples of different attack flows by three affiliates that were identified by FireEye.

UNC2628

This affiliate group is suspected to have used a password spraying attack against the victim’s VPN to gain initial access into the environment. The attackers utilized Cobalt Strike beacons for C2 communications and Mimikatz for credential theft. Lateral movement was performed using RDP connections and Cobalt Strike.

The attackers exfiltrated stolen data to cloud-based storage using Rclone, a command line utility for managing files on cloud storage services. DarkSide ransomware was then deployed using PsExec.

The following is a MITRE ATT&CK table of this affiliate’s attack:

| Tactic | Technique |
| --- | --- |
| Credential Access [TA0006] | Brute Force: Password Spraying [T1110.003] |
| Initial Access [TA0001] | Valid Accounts [T1078] |
| Resource Development [TA0042] | Obtain Capabilities: Tool [T1588.002] |
| Credential Access [TA0006] | OS Credential Dumping [T1003] |
| Lateral Movement [TA0008] | Remote Services: Remote Desktop Protocol [T1021.001] |
| Command and Control [TA0011] | Application Layer Protocol: Web Protocols [T1071.001] |
| Execution [TA0002] | Command and Scripting Interpreter [T1059] |
| Execution [TA0002] | System Services: Service Execution [T1569.002] |
| Exfiltration [TA0010] | Exfiltration Over Web Service: Exfiltration to Cloud Storage [T1567.002] |
| Impact [TA0040] | Data Encrypted for Impact [T1486] |

UNC2659

This affiliate group gains initial access by exploiting the SonicWall vulnerability CVE-2021-20016. After gaining access to the victim’s environment, the attackers download the tool TeamViewer from the official website onto the victim host to establish persistence within the environment.

This group was also observed using Rclone for data exfiltration, downloaded from the official website onto the victim host. The stolen data is exfiltrated to cloud-based storage.

The following is a MITRE ATT&CK table of this affiliate’s attack:

| Tactic | Technique |
| --- | --- |
| Initial Access [TA0001] | Exploit Public-Facing Application [T1190] |
| Resource Development [TA0042] | Obtain Capabilities: Tool [T1588.002] |
| Command and Control [TA0011] | Remote Access Software [T1219] |
| Execution [TA0002] | Command and Scripting Interpreter [T1059] |
| Exfiltration [TA0010] | Exfiltration Over Web Service: Exfiltration to Cloud Storage [T1567.002] |
| Impact [TA0040] | Data Encrypted for Impact [T1486] |

UNC2465

This affiliate group utilized a backdoor named “SMOKEDHAM” to gain access to the victim’s environment, which is delivered via phishing emails and legitimate services such as Google Drive and Dropbox. Advanced IP Scanner, BloodHound, and RDP were used for internal reconnaissance, and Mimikatz was used for credential theft.

The attackers also used the NGROK utility to bypass firewalls and expose remote service ports such as RDP to the Internet. The DarkSide ransomware is deployed using PsExec and scheduled tasks.

The following is a MITRE ATT&CK table of this affiliate’s attack:

| Tactic | Technique |
| --- | --- |
| Initial Access [TA0001] | Phishing: Spearphishing Link [T1566.002] |
| Resource Development [TA0042] | Obtain Capabilities: Tool [T1588.002] |
| Lateral Movement [TA0008] | Remote Services: Remote Desktop Protocol [T1021.001] |
| Credential Access [TA0006] | OS Credential Dumping [T1003] |
| Defense Evasion [TA0005] | Impair Defenses [T1562] |
| Execution [TA0002] | System Services: Service Execution [T1569.002] |
| Impact [TA0040] | Data Encrypted for Impact [T1486] |

General Recommendations

Although DarkSide ransomware attacks can involve different tactics and tools depending on which affiliate is using the RaaS, the techniques and tooling overlap considerably because they share the common DarkSide platform. The variety of tactics and techniques deployed should serve as a clear indication that focusing on any single threat will not provide adequate coverage when it comes to protecting an organization from the broad array of security threats.

EDR solutions provide valuable visibility into endpoints and important systems, so they should play a big role in dealing with ransomware attacks. We also recommend a defense-in-depth approach to securing your network and environment, including proper segmentation and security device visibility between network segments, particularly critical ones. Traditional security architectures that focus solely on securing the perimeter are inadequate against modern persistent threats, though they still play an important part.

An organization with proper network segmentation and security device coverage can then monitor for the following general suspicious indicators and activities to identify potential DarkSide ransomware attacks:

  • Attacks on VPN infrastructure (exploiting vulnerabilities or through password spraying attacks)
  • Phishing emails
  • Deployment, use and download of common exploit and bypass tools like Mimikatz, Cobalt Strike and BloodHound
  • Unauthorized deployment, use and download of remote access tools (Teamviewer, Remote Desktop, etc)
  • Installation of suspicious or unknown services
  • Data exfiltration to cloud storage
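To show how the indicators above (and the shadow copy deletion described earlier) translate into detection logic, here is an added Python example that is not one of Proficio's use cases. It runs a small rule set over constructed key=value event lines standing in for Sysmon process-creation and Windows service-install events; the hosts, users, paths and the list of hosts approved to run remote access tools are assumptions, and the ATT&CK references are this example's own mapping.

```python
"""Rule-based detection for the DarkSide indicators above, over constructed events.

Added example; not Proficio's use cases. Hosts, users, paths and the approved-host
list are invented; ATT&CK references are this example's own mapping.
"""
import re
from collections import defaultdict

# key=value tokens; values containing spaces are double-quoted
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Remote access tools named in the write-up and (assumed) hosts allowed to run them
RAT_BINARIES = {"teamviewer.exe", "ngrok.exe"}
APPROVED_RAT_HOSTS = {"HELPDESK-01"}

SAMPLE_LOG = [  # constructed for this example; not real telemetry
    r'ts=2021-05-07T01:58:10Z host=FIN-WS12 event=ProcessCreate user=CORP\jdoe image=C:\Temp\mimikatz.exe cmdline="mimikatz.exe"',
    r'ts=2021-05-07T02:03:21Z host=HELPDESK-01 event=ProcessCreate user=CORP\helpdesk image="C:\Program Files\TeamViewer\TeamViewer.exe" cmdline="TeamViewer.exe"',
    r'ts=2021-05-07T02:10:05Z host=HR-WS03 event=ProcessCreate user=CORP\asmith image=C:\Users\asmith\Downloads\ngrok.exe cmdline="ngrok.exe"',
    r'ts=2021-05-07T02:13:44Z host=DC01 event=ServiceInstall service=PSEXESVC path=C:\Windows\PSEXESVC.exe',
    r'ts=2021-05-07T02:20:17Z host=FS01 event=ProcessCreate user=CORP\svc_backup image=C:\Temp\rclone.exe cmdline="rclone.exe copy D:\Shares\Finance remote:finance"',
    r'ts=2021-05-07T02:41:02Z host=FS01 event=ProcessCreate user=CORP\svc_backup image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -c vssadmin delete shadows /all /quiet"',
    r'ts=2021-05-07T02:45:00Z host=IT-WS01 event=ProcessCreate user=CORP\bob image=C:\Windows\System32\notepad.exe cmdline="notepad.exe todo.txt"',
]


def parse_event(line):
    """Parse one key=value line into a dict (findall yields '' for the unused group)."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def _offensive_tooling(e):
    blob = e.get("image", "") + " " + e.get("cmdline", "")
    return re.search(r"mimikatz|sharphound|bloodhound|cobaltstrike", blob, re.I) is not None


RULES = [
    # (rule name, ATT&CK reference, predicate over a parsed event)
    ("shadow copy deletion", "Inhibit System Recovery [T1490]",
     lambda e: e.get("event") == "ProcessCreate" and re.search(
         r"vssadmin.*delete shadows|shadowcopy.*delete", e.get("cmdline", ""), re.I) is not None),
    ("PsExec service install", "System Services: Service Execution [T1569.002]",
     lambda e: e.get("event") == "ServiceInstall" and e.get("service", "").upper() == "PSEXESVC"),
    ("offensive tooling on host", "OS Credential Dumping [T1003] / Obtain Capabilities: Tool [T1588.002]",
     _offensive_tooling),
    ("unapproved remote access tool", "Remote Access Software [T1219]",
     lambda e: basename(e.get("image", "")).lower() in RAT_BINARIES
     and e.get("host") not in APPROVED_RAT_HOSTS),
    ("rclone transfer to remote storage", "Exfiltration to Cloud Storage [T1567.002]",
     lambda e: basename(e.get("image", "")).lower() == "rclone.exe"
     and re.search(r"\b(copy|sync|move)\b", e.get("cmdline", "")) is not None),
]


def scan_events(lines):
    """Return one alert dict per (event, matching rule)."""
    alerts = []
    for line in lines:
        e = parse_event(line)
        for name, attack, matches in RULES:
            if matches(e):
                alerts.append({"ts": e.get("ts"), "host": e.get("host"), "rule": name, "attack": attack})
    return alerts


def correlate_hosts(alerts, min_rules=2):
    """Hosts on which several distinct rules fired; these are escalated first."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a["host"]].add(a["rule"])
    return {h for h, rules in by_host.items() if len(rules) >= min_rules}
```

On the sample, the sanctioned TeamViewer run on HELPDESK-01 stays silent while FS01, where both the exfiltration and the shadow copy deletion fired, is singled out for escalation.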

Proficio has already deployed a wide variety of use cases that can be effectively utilized to detect such common indicators or activities. Of course, the effectiveness of the use cases depends on the log sources being monitored and their visibility into the environment or network. We recommend reaching out to your security advisors or client success managers to understand the use cases deployed for your environment and how we can work together to increase the efficacy of our monitoring, detection and discovery efforts.

The Proficio Threat Intelligence Team will continue to research and investigate all new threats to identify the best way to start a threat hunting campaign. And as always, we will keep all of our clients informed on our efforts in this area.

Precautionary Measures

Prevention is better than cure. It is advisable to safeguard yourself and your organization to avoid becoming the next victim of these ransomware attacks. We recommend organizations consider the following measures.

  • Keep anti-virus / EDR solutions and other security tools installed on systems up to date so they can detect and prevent the spread of ransomware.
  • Perform regular backups of critical files and systems.
  • Keep operating systems and exposed services up to date with the latest security patches.
  • Use multi-factor authentication to govern access wherever possible.
  • Use network segmentation alongside a zero-trust model.
  • Close unnecessary network ports to reduce entry points for attackers.
  • Apply content filters on email gateways and email systems to stop malicious content from reaching users and reduce the chance of compromise.
  • Educate employees and users to improve cybersecurity awareness.