INTRODUCE

Darkside is a hacker group who have carried out a range of cyberattacks on many companies such as: CompuCom (security) ,Canadian Discount Car (truck rental and sales), Toshiba Teccorp and most recently is Colonial Pipeline – the largest oil and petrochemical products transportation company in the United States.

Darkside’s goal is stealing information of hacked companies and transporting them outside via C&C Servers. Those critical files, folders, and resources will also be encrypted, so that these companies can not access to important data. And If companies don’t want to be stalled, they are forced to pay Darkside.

According to statistics, Darkside has earned nearly 100 million USD in ransom from 47 different victims. The majority of these was paid through a hacker insurance service (Cyber ​​Insurance). However, despite paying the ransom and working normally again, their data still were sold on underground Web sites, DeepWeb forums. Beside the money from cyberattacks, DarkSide also rents out its malicious tools to other hackers.

DarkSide mainly uses tools available on the victim’s system to attack them. As in the attack on Colonial Pipeline, only 3 of the 32 tools that DarkSide uses are malicious tools, the rest are services and software available on Windows (eg Powershell) to perform the attack. Because of using little malicious code, inorder to detect Darkside, the network need to have behavior analysis, the ability to prevent and hunt threats early as well as hunt for threats.

RESEARCH FINDINGS

– Only 9% of the tools and software that DarkSide uses are malicious. These malicious codes are used to collect data and connect to the C&C Server.

– The remaining 91% of tools and software are Windows features (19%), Open-Source tools (19%), free tools (31%), services and features which’s Availability on the victim’s system (22%)

– DarkSide uses about 34 attack techniques classified into 14 groups according to Miter ATT&CK.

– For each attack technique, DarkSide uses a combination of different tools and software to perform. At the same time, they also find different ways for these tools and software to be whitelisted and undetected by security solutions.

– Defense methods based on Signature or Harsh codes are not effective against DarkSide. Instead, it is necessary to be able to analyze behavior and evaluate malicious actions on the system

– Instead of real-time defense (Reactive Defense), it is necessary to be able to stop the threat early through attack simulation solutions. Once DarkSide is allowed to enter the system, it will be very difficult to prevent and detect.

DESCRIPTION OF DARKSIDE’S ATTACK METHOD research findings

First, DarkSide will probe if the victim has SonicWall SMA 100 SSL VPN software (Reconnaissance step). If so, they will finger out what version it is and perform an Initial Access attack, exploiting the CVE-2021-20016 vulnerability. At the same time, they also use Phishing Emails to collect login information for the attack process.

Once they entered the system, they will take advantage of available tools such as GPO (Group Policy Object), PowerShell, PsExec and WMI – all Windows OS features – to attack and steal information. They also use Windows’ Task Scheduling and GPO functionality to maintain control over the system (Persistent). Malicious DLLs will be stuffed into common programs such as MS Word to maintain attack as well as privilege escalation attack (Privilege Escalation).

To avoid detection (Defense Evasion), DarkSide uses a series of different tools such as: BITSAdmin, GMER to disable existing firewalls on the system, PC Hunter to disable 3rd party security products and PowerTool 64 to disable AntiVirus software. To spread to neighboring systems, Dark Side uses the PsExec tool, a tool provided by Windows that allows downloading or Uploading files to the Shared Network.

When DarkSide wants to collect data, They uses tools such as 7-zip, SQLDumper.exe,Smokeham. After having the desired data, DarkSide will connect to the C&C Server and encrypt these data, send them out through tools such as Mega.client, Putty, Rclone or Winscp. But the worst thing they cause is the encryption of all business data (Impact) with the Power_Encryptor malicious code. This makes it impossible for companies to continue doing business (eg Colonial Pineline Company) and is forced to pay a ransom before the data is destroyed

NOTICE

– Only 9% of the used tools are malicious, the remaining 91% are available features or open source.

– Due to the use of common software to attack, it is almost impossible to detect DarkSide once they have penetrated the system. Because of the software like Winscp or WMI, GPO, PsExec… are used by the SysAdmins themselves and if they block them with Harsh codes, it will make it difficult to operate the system as well as give False Positive.

– There are a large number of used tools are open source software. Therefore, it is very easy to change their Code, thereby changing Harsh and cannot be blocked through Harsh.

– In short, Blocking DarkSide through Harsh and IoC is almost impossible. Instead of using Signature for deterrence, need behavior analysis and threat hunting as well as early prevention (Proactive Defense) instead of real-time prevention (Active Defense)

HOW PICUS STOPS DARKSIDE – DETECTION AND WARNING OF RANSOMWARE THREATS 

– Picus allows us to evaluate the defenses of security systems, thereby helping system administrators discover security vulnerabilities in network, endpoint and on the Cloud.

– Picus is not only an attack simulator and vulnerability detection tool, but it also offers solutions to fill holes, detect malware as well as their signatures to prevent threats in the future.

– Picus Threat Library includes over 10,000 different attack techniques of over 100 dangerous hacker groups such as: DarkSide, Hafnium, Nobelium (UNC 2452), APT 7, APT 38, Sodinokibuk, Trickbot, WastedLocker…

– Includes over 700 different attack scenarios and is categorized based on Miter ATT & CK.

– Allow to simulate attack without affecting the system, create an isolated LAN for emulation, Network Traffic of attack stream from 100Kb – 2Mb.

– Provide methods to fill the security holes discovered during the attack simulation. Offers Signatures and IoCs for detection and prevention.

– Help organizations perform Threat Hunting. You can create your own attack techniques using the techniques available in the Threat Library. Or you can simulate DarkSide attack technique as described above to ensure that the system has ability to prevent the attack early.