Security researchers at FireEye / Mandiant discovered that an affiliate of the DarkSide ransomware gang, tracked as «UNC2465», carried out a supply chain attack against a CCTV camera vendor. UNC2465 is said to be one of DarkSide's key affiliates, along with other groups that Mandiant tracks as «UNC2628» and «UNC2659».
The attackers breached the vendor's site and implanted malicious code into a Windows application, a customized version of Dahua's SmartPSS for Windows, which the company provides to its customers to manage their security camera feeds.
In particular, Mandiant stated the following: "The intrusion described in detail in this post began on May 18, 2021, and took place a few days after the closure of the DarkSide business. While no ransomware was detected, Mandiant believes that gangs that have invaded DarkSide may use multiple ransomware affiliate programs and may switch between them at will. At some point in May 2021 or earlier, UNC2465 most likely trojanized two software installation packages on the site of a CCTV security camera provider."
The site was first breached on 18 May, and the hackers remained inside the company's environment until early June, when Mandiant investigators discovered the supply chain attack.
The intruders used the infected application to deliver a version of the .NET-based SMOKEDHAM backdoor, which supports keylogging, screenshot capture and arbitrary command execution on infected systems.
Mandiant observed the trojanized installer being downloaded onto a Windows workstation after a user visited a legitimate site that the victim organization had used in the past. The company confirmed that the user intended to download, install and use the SmartPSS software. The following figure shows an image of the download page used for the SmartPSS software.
FireEye researchers have linked the SMOKEDHAM backdoor to the UNC2465 group, which has been active since at least April 2019 and is considered an affiliate of DarkSide's RaaS operation.
In this attack, as soon as the backdoor was deployed, UNC2465 set up an NGROK tunnel and moved laterally in less than 24 hours. Five days later, the UNC2465 hackers returned and used additional tools, such as a keylogger and Cobalt Strike BEACON, and stole credentials by dumping LSASS memory.
The researchers also observed that in this supply chain attack UNC2465 did not deliver the DarkSide ransomware as the final payload, which does not rule out the possibility that the cybercrime group has joined a new RaaS operation.
Experts recommend scanning internal networks for the SmartPSS application and searching for indicators of compromise related to the SMOKEDHAM backdoor. Finally, the researchers' report notes the following:
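The recommendation above (inventory the network for SmartPSS and check the installers that were downloaded against the published indicators) as a defender's triage script. This is an added example, not code from Mandiant, Dahua or the report; the inventory rows, the installer bytes and the single "known-bad" hash are constructed so the script runs offline, and in a real investigation `KNOWN_BAD_SHA256` would be filled from the SMOKEDHAM indicators in the vendor report (which this page does not reproduce).

```python
"""Triage a software-inventory export for a trojanized-installer incident.

Flags every host where the SmartPSS application is installed, hashes the installer
file that was downloaded on that host, and reports whether the hash matches a
known-bad list. Added example; all inputs below are constructed.
"""
import csv
import hashlib
import io

PRODUCT_PATTERN = "smartpss"  # case-insensitive substring match on the product field

# Constructed installer contents standing in for the real files on each host.
# In practice these would come from disk or an EDR file-collection job.
CONSTRUCTED_INSTALLERS = {
    "WS-0101": b"MZ...constructed bytes standing in for a trojanized SmartPSS installer...",
    "WS-0103": b"MZ...constructed bytes standing in for a clean SmartPSS installer...",
}

# Known-bad hash list. The one entry is derived from the constructed bytes above only
# so that the example runs offline; replace it with the indicators from the report.
KNOWN_BAD_SHA256 = {hashlib.sha256(CONSTRUCTED_INSTALLERS["WS-0101"]).hexdigest()}

# Constructed inventory export, e.g. from an endpoint-management "installed programs" query.
SAMPLE_INVENTORY = """\
hostname,product,publisher,installer_path
WS-0101,Dahua SmartPSS,Dahua (constructed),C:\\Users\\ops\\Downloads\\SmartPSS_Setup.exe
WS-0102,Google Chrome,Google LLC,C:\\Users\\ops\\Downloads\\ChromeSetup.exe
WS-0103,SMARTPSS,Dahua (constructed),D:\\installers\\smartpss.exe
"""


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's bytes, lower-case hex, as IoC lists usually publish it."""
    return hashlib.sha256(data).hexdigest()


def find_product_hosts(inventory_csv: str, pattern: str = PRODUCT_PATTERN) -> list[dict]:
    """Return the inventory rows whose product name contains the pattern (case-insensitive)."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return [row for row in reader if pattern in row["product"].lower()]


def triage(inventory_csv: str, installers: dict, known_bad: set) -> list[dict]:
    """Classify every host running the product.

    Status values:
      known_bad_installer - installer hash is on the known-bad list: treat as compromised
      installer_missing   - product present but no installer file was collected: collect it
      review              - installer hash not on the list: still verify against vendor hashes
    """
    findings = []
    for row in find_product_hosts(inventory_csv):
        host = row["hostname"]
        data = installers.get(host)
        digest = sha256_hex(data) if data is not None else None
        if digest in known_bad:
            status = "known_bad_installer"
        elif digest is None:
            status = "installer_missing"
        else:
            status = "review"
        findings.append({
            "hostname": host,
            "product": row["product"],
            "installer_path": row["installer_path"],
            "sha256": digest,
            "status": status,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY, CONSTRUCTED_INSTALLERS, KNOWN_BAD_SHA256):
        print(f"{finding['hostname']:8} {finding['status']:20} {finding['installer_path']}")
```

A host whose installer hash is not on the list is deliberately reported as `review` rather than clean: an indicator list only proves presence, never absence, so the remaining installers still need to be compared with hashes obtained from the vendor over a trusted channel, and the hosts checked for the other SMOKEDHAM and NGROK indicators from the report.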
"The shift of UNC2465 from drive-by attacks on site visitors or phishing emails to this software supply chain attack shows a worrying change that brings new challenges. While many organizations focus more on perimeter defense and two-factor authentication (2FA) following recent public examples of password reuse or VPN device exploitation, endpoint monitoring is often overlooked or limited to standard antivirus. An integrated security program is needed to mitigate the risk from sophisticated teams, such as UNC2465, as they continue to adapt to a changing security landscape."
Source of information: securityaffairs.co