DarkSide Wanted Money

13th May 2021, Kathmandu

The Colonial Pipeline ransomware attack forced the company to shut down operations and freeze IT systems. The FBI officially confirmed that DarkSide was responsible for compromising Colonial Pipeline’s networks. The attackers said that they were looking for financial gain, not disruption (social, political, or economic), and vowed to choose their victims more carefully in the future. They now realize that they attacked the wrong company, as their initial aim was simply to extort money from the victim by collecting a ransom.

Colonial Pipeline was founded in 1962 and provides roughly 45% of the East Coast’s fuel, including gasoline, jet fuel, and diesel, making it one of the largest pipeline operators in the United States.

DarkSide is a Ransomware-as-a-Service (RaaS) group that rents its own brand of malware to customers on a subscription basis. Once deployed, the malware steals data, encrypts the system, and executes an encoded PowerShell command to delete volume shadow copies so that the victim cannot simply roll back. DarkSide posted a statement on its website describing itself as “apolitical” with no interest in government business.
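The shadow-copy deletion described above is something a defender can look for in process-creation logs, because it is usually launched through PowerShell’s encoded-command switch. The following Python is an added example written for this article, not code from the article or from any vendor: it decodes the base64/UTF-16LE payload of an encoded PowerShell invocation and flags it when the decoded text references volume shadow copies. The log line format, host names and timestamps are constructed for the demo; the `-Enc`/`-EncodedCommand` switches and the UTF-16LE encoding are real PowerShell behaviour.

```python
"""Added example, not from the article: a log-review check that flags
PowerShell launched with an encoded command whose decoded text touches
volume shadow copies, the step the article attributes to DarkSide's malware.
The process-creation log lines and host names are constructed for the demo."""
import base64
import re
from typing import Optional

# Patterns a defender looks for after decoding the -EncodedCommand payload.
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy", re.I),
]

# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_ps(command: str) -> str:
    """powershell.exe takes -EncodedCommand as base64 over UTF-16LE text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str) -> Optional[str]:
    """Reverse of encode_ps; returns None for anything that is not valid."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_event(line: str) -> Optional[dict]:
    # Constructed format: "<ts> host=<name> pid=<n> image=<path> cmd=<command line>"
    m = re.match(r"(\S+) host=(\S+) pid=(\d+) image=(\S+) cmd=(.*)$", line)
    if not m:
        return None
    ts, host, pid, image, cmd = m.groups()
    return {"ts": ts, "host": host, "pid": int(pid), "image": image, "cmd": cmd}


def detect_shadow_copy_deletion(lines):
    """Return one finding per PowerShell event whose decoded payload matches."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or not ev["image"].lower().endswith("powershell.exe"):
            continue
        m = ENCODED_FLAG.search(ev["cmd"])
        if m is None:
            continue
        decoded = decode_ps(m.group(1))
        if decoded is None:
            continue
        for pat in SHADOW_COPY_PATTERNS:
            if pat.search(decoded):
                findings.append({"ts": ev["ts"], "host": ev["host"], "pid": ev["pid"],
                                 "rule": pat.pattern, "decoded": decoded})
                break
    return findings


PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample log: one encoded command that touches shadow copies, one
# benign encoded command, one plain script run and one non-PowerShell process.
SAMPLE_LOGS = [
    "2021-05-07T03:12:01Z host=FS01 pid=4412 image=" + PS_IMAGE
    + " cmd=powershell.exe -NoP -W Hidden -Enc "
    + encode_ps("Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"),
    "2021-05-07T03:15:40Z host=WS22 pid=1180 image=" + PS_IMAGE
    + " cmd=powershell.exe -NonInteractive -EncodedCommand "
    + encode_ps("Get-Service | Where-Object Status -eq Running"),
    "2021-05-07T03:20:05Z host=WS22 pid=1204 image=" + PS_IMAGE
    + " cmd=powershell.exe -File C:\\scripts\\backup.ps1",
    "2021-05-07T03:21:11Z host=WS22 pid=1210 image=C:\\Windows\\System32\\cmd.exe"
    + " cmd=cmd.exe /c dir",
]

if __name__ == "__main__":
    for f in detect_shadow_copy_deletion(SAMPLE_LOGS):
        print(f"{f['ts']} {f['host']} pid={f['pid']} matched {f['rule']}: {f['decoded']}")
```

Matching on the decoded text rather than on the raw command line is the point: the base64 blob changes completely with any whitespace or variable-name change in the script, while the decoded call to the shadow-copy API does not.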

With a Robin Hood-like mentality, DarkSide, like some other cybercriminal groups, also has a bit of a superhero complex: it tried to donate around $20,000 in stolen Bitcoin to two international charitable organizations, The Water Project and Children International. Both charities refused to accept the funds.

President Biden stated that the US government was concerned about this aspect of the cyberattack and that he had been personally briefed on the whole situation.

How did the Colonial Pipeline ransomware attack happen?

A third-party company was brought in to analyze the incident, as details about the cyberattack were not clear. It reported that its investigation was complete and that the outbreak was linked to the DarkSide group.

DarkSide targeted only the business (IT) side rather than the operational systems; the attack was entirely money-oriented rather than an attempt to bring the pipeline down. The initial compromise may have come through an old unpatched vulnerability in the system, a phishing email, the use of stolen access credentials, or other tactics cybercriminals use to get into a company’s network.

The company said that it proactively took certain systems offline to contain the threat, which temporarily halted all pipeline operations and affected some IT systems. Remediation work is proceeding system by system, with the goal of restoring operational services by the end of the week.

During the crisis, one line has been operated manually to keep fuel moving, and some deliveries of product to terminals for local distribution are now operational.

Why does the Colonial Pipeline ransomware attack matter?

As mentioned previously, about 45% of fuel distribution is provided by this company. The attack has impacted the systems supporting and managing pipeline operation and fuel distribution.

Supply shortages have driven up demand and prices have risen because of the pipeline disruption, yet buyers are being urged not to panic. If normal operation does not resume, fuel prices may rise further in some affected areas of the US.

A longer disruption may also cause gas shortages for consumers, aviation, and the military, leading to panic buying. Some stations have already run dry because customers are stockpiling fuel in anticipation of a shortage.

Since the pipeline is being operated manually, priority is given only to areas that have no other fuel supply options or are already experiencing a shortage. The US Department of Energy (DOE) suggests that operators “evaluate market conditions” and deliver supplies to where they are needed most.

Fake Chrome App Anchors Rapidly Worming ‘Smish’ Cyberattack

According to researchers, a fake Google Chrome app, a new strain of Android malware, has spread rapidly over the last few weeks as part of a hybrid cyberattack campaign that also uses mobile phishing to steal credentials.

The attack starts with a basic smishing gambit: targets receive an SMS text asking them to pay “custom fees” to release a package delivery. If they click the link, a message appears asking them to update the Chrome app, and if they accept, the malware is downloaded to their phones.

After that, victims are taken to a phishing page where they are asked to pay a small dollar amount, a pretext for harvesting credit card details. The attackers exploit the familiarity of the Chrome brand to get mobile users to download malicious apps posing as legitimate ones.

The combination of efficient phishing techniques, self-propagating malware, and the bypassing of several security solutions is particularly dangerous. Used separately these techniques are not very effective, but combined they are hard to detect, spread fast, and trick many users.

This combined campaign was first detected at the start of May and observed in several European countries.

Fake Chrome App for Viral Propagation

The app is the propagation method: once installed, it silently sends more than 2,000 SMS messages per week from each infected device, every day, in bursts at intervals of two to three hours, all in the background. The researchers said that the recipient phone numbers are not taken from the victims’ phone books but seem to follow a sequential pattern.

The malware sends around 300 SMS per day from each infected device, and every time a new target falls for it, the propagation multiplies.
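The volume and the sequential recipient pattern described in the two paragraphs above are themselves a detection signal for a carrier or an MDM operator. The following Python is an added example, not code from the article or from the researchers it cites: it groups an outbound-SMS log by device and day and flags devices that both exceed a daily send threshold and address recipients in numerical sequence, which a phone’s normal contact list never does. The log format, device ids, phone numbers and thresholds are all constructed for the demo.

```python
"""Added example, not from the article: a hypothetical carrier- or MDM-side
check that flags devices by the propagation pattern described above, hundreds
of outbound SMS per day, sent in periodic bursts, to recipients that run in
numerical sequence rather than coming from the owner's contacts. The log
lines, device ids, thresholds and phone numbers are all constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

DAILY_SMS_THRESHOLD = 100   # assumed cut-off; the article cites ~300 per day per device
SEQUENTIAL_RATIO = 0.6      # assumed: share of consecutive sends whose recipient is previous + 1


def parse_line(line: str):
    """Constructed format: '<iso timestamp>,<device id>,<recipient E.164>'."""
    ts, dev, rcpt = line.strip().split(",")
    return datetime.fromisoformat(ts), dev, rcpt


def sequential_fraction(recipients):
    """Fraction of consecutive recipient pairs that differ by exactly one."""
    nums = [int(r.lstrip("+")) for r in recipients]
    if len(nums) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return steps / (len(nums) - 1)


def burst_count(timestamps, gap=timedelta(hours=1)):
    """Number of send bursts; a new burst starts after a quiet period of >= gap."""
    bursts = 1
    for a, b in zip(timestamps, timestamps[1:]):
        if b - a >= gap:
            bursts += 1
    return bursts


def flag_devices(lines):
    """Return {device: summary} for devices matching the worm-like pattern."""
    per_device_day = defaultdict(list)
    for line in lines:
        ts, dev, rcpt = parse_line(line)
        per_device_day[(dev, ts.date())].append((ts, rcpt))
    flagged = {}
    for (dev, day), sends in per_device_day.items():
        sends.sort()
        count = len(sends)
        seq = sequential_fraction([r for _, r in sends])
        if count >= DAILY_SMS_THRESHOLD and seq >= SEQUENTIAL_RATIO:
            flagged[dev] = {
                "day": day.isoformat(),
                "count": count,
                "sequential_fraction": round(seq, 2),
                "bursts": burst_count([t for t, _ in sends]),
            }
    return flagged


def build_sample_log():
    """Constructed log: one infected device, one normal user, one heavy but legitimate sender."""
    lines = []
    base = 15550001000  # constructed, non-dialable number range
    n = 0
    # Infected device: six bursts of 50 messages, three hours apart, sequential recipients.
    for burst in range(6):
        for i in range(50):
            ts = datetime(2021, 5, 10, burst * 3, i)
            lines.append(f"{ts.isoformat()},dev-infected,+{base + n}")
            n += 1
    # Normal user: eight messages over the day to a handful of contacts.
    contacts = ["+15550009001", "+15550009002", "+15550009003"]
    for i in range(8):
        ts = datetime(2021, 5, 10, 8 + i, 30)
        lines.append(f"{ts.isoformat()},dev-normal,{contacts[i % 3]}")
    # Heavy legitimate sender (e.g. a dispatcher): 120 messages, non-sequential recipients.
    for i in range(120):
        ts = datetime(2021, 5, 10, 9 + i // 20, (i % 20) * 3)
        lines.append(f"{ts.isoformat()},dev-dispatch,+{base + (i * 7919) % 100000}")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for dev, info in flag_devices(SAMPLE_LOG).items():
        print(dev, info)
```

Requiring both signals matters: volume alone would also flag the dispatcher device in the sample, while the sequential-recipient test on its own would fire on a handful of messages to consecutive numbers. The burst count is reported rather than enforced, since the two-to-three-hour cadence is a useful corroborating detail but an attacker can change it cheaply.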

The fake Chrome app hides behind Google Chrome’s icon and name, but its package name, signature, and version are different from the real app’s.
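Because the impostor copies only the icon and label, an inventory check that compares the fields it does not copy is enough to separate the two. The following Python is an added example, not code from the article: it audits a list of installed apps against reference values for a known label and reports every mismatch. Only the real Chrome package name `com.android.chrome` and the Play Store installer id `com.android.vending` are real values; the signer fingerprint, version-code floor and inventory rows are constructed placeholders to be replaced from a trusted source.

```python
"""Added example, not from the article: an inventory audit that catches an app
which copies Chrome's icon and display name but not its package name, signing
certificate or version. Only the Chrome package name (com.android.chrome) and
the Play Store installer id (com.android.vending) are real; the signer
fingerprint, version numbers and inventory rows are constructed placeholders."""

# Reference values per displayed label. Fill signer_sha256 from a trusted source.
KNOWN_APPS = {
    "Chrome": {
        "package": "com.android.chrome",
        "signer_sha256": "PLACEHOLDER_CHROME_SIGNER_SHA256",
        "min_version_code": 440000000,  # constructed floor for the demo
    },
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Play Store


def audit_app(app, reference):
    """Return the reasons an app carrying a known label looks like an impostor."""
    reasons = []
    if app["package"] != reference["package"]:
        reasons.append(f"package {app['package']} != {reference['package']}")
    if app["signer_sha256"] != reference["signer_sha256"]:
        reasons.append("signing certificate does not match the reference signer")
    if app["version_code"] < reference["min_version_code"]:
        reasons.append(f"version_code {app['version_code']} below expected floor")
    if app.get("installer") not in TRUSTED_INSTALLERS:
        reasons.append(f"installed by {app.get('installer') or 'sideload'} rather than a trusted store")
    return reasons


def audit_inventory(inventory):
    """Map package name -> reasons for every app whose label matches a known brand."""
    findings = {}
    for app in inventory:
        ref = KNOWN_APPS.get(app["label"])
        if ref is None:
            continue
        reasons = audit_app(app, ref)
        if reasons:
            findings[app["package"]] = reasons
    return findings


# Constructed inventory: the genuine browser, a look-alike that only copied the
# label, and an unrelated app that the audit ignores.
SAMPLE_INVENTORY = [
    {"label": "Chrome", "package": "com.android.chrome",
     "signer_sha256": "PLACEHOLDER_CHROME_SIGNER_SHA256",
     "version_code": 445000000, "installer": "com.android.vending"},
    {"label": "Chrome", "package": "com.example.update.chrome",
     "signer_sha256": "PLACEHOLDER_UNKNOWN_SIGNER",
     "version_code": 1, "installer": None},
    {"label": "Calculator", "package": "com.example.calc",
     "signer_sha256": "PLACEHOLDER_OTHER_SIGNER",
     "version_code": 7, "installer": "com.android.vending"},
]

if __name__ == "__main__":
    for pkg, reasons in audit_inventory(SAMPLE_INVENTORY).items():
        print(pkg)
        for r in reasons:
            print("  -", r)
```

The signer check is the one that survives repackaging: an attacker can pick any package name and version string, but cannot produce the vendor’s signing certificate, so a label-to-signer binding keeps working after the operators re-sign the app with a fresh key.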

Potential Follow-On Attacks

Banking fraud may await victims of credential theft, and massive phone bills may follow because some mobile plans do not include unlimited SMS. Users who unknowingly keep the Trojan on their devices can be attacked in several further ways.

Attackers could easily use the malware to steal other information on the device: for example, impersonating victims by detecting logins to a corporate app and stealing valuable company information, or exposing mobile banking users, especially if the victim has a trojanized banking app installed.

Bypassing Cybersecurity Detection

The campaign mixes several techniques to stay under the radar:

  • Sending the phishing SMS from victims’ own phone numbers, so the messages are not blocked by messaging apps’ spam filters
  • Hiding its malicious behaviors through obfuscation and by calling external code
  • Concealing malicious activities by trojanizing the app using native code
  • If the app is identified and flagged by antivirus, the operators repackage it with a new signature to go back under the radar

How to Defend Against Mobile Phishing

Since the attackers rely on repackaging to evade signature-based detection, a mobile-security solution that draws on massive datasets of mobile-threat telemetry can be used to defend against such a campaign.

Cloud-based solutions are a more practical approach to dealing with such threats, along with good password hygiene and ignoring random links in text messages. Setting up internet-search alerts can help identify whether criminals are attempting to use your personal details to duplicate your identity.
