HomesecurityUNC2465: DarkSide partners hit CCTV camera vendor with supply chain ...

UNC2465: DarkSide partners hit CCTV camera vendor with supply chain attack

Security researchers FireEye / Mandiant discovered that a subsidiary of the DarkSide gang ransomware, known by the name «UNC2465», realized supply chain attack against one CCTV camera seller. UNC2465 is said to be by key partners of his gang DarkSide, along with other gangs that have received the names from Mandiant «UNC2628» and «UNC2659».

The attackers hacked the vendor's site and implanted malicious code into a Windows application, a customized version of the application Dahua SmartPSS Windows, which the company provides to its customers to control their security feeds.

Read also: Colonial Pipeline: Most of the ransom paid to DarkSide has been recovered

UNC2465 DarkSide
UNC2465: DarkSide partners hit CCTV camera vendor with supply chain attack

In particular, Mandiant stated the following: "The intrusion described in detail in this post began on May 18, 2021, and took place a few days after the closure of the DarkSide business. While no ransomware was detected, Mandiant believes that gangs that have invaded DarkSide may use multiple ransomware affiliate programs and may switch between them at will. At some point in May 2021 or earlier, UNC2465 most likely infected with a trojan two software installation packages on the site of a CCTV security camera provider.

The site was breached for the first time on 18 May and the hackers remained inside the company until early June, when Mandiant investigators discovered the supply chain attack.

The infected application was used by the intruders to distribute a version of it .NET SMOKEDHAM backdoor, which supports keylogging, taking screenshots and executing arbitrary commands on infected systems.

Mandiant noticed the trojanized installer downloaded on Windows workstation, after the user visited a legal site that had been used in the past by the victim organization. The company confirmed that the user intended to download, install and use SmartPSS software. The following figure shows an image of the download page used for SmartPSS software.

CCTV camera seller - supply chain attack
UNC2465: DarkSide partners hit CCTV camera vendor with supply chain attack

See also: DarkSide ransomware business closed - partners complain they have not been paid

FireEye researchers have linked SMOKEDHAM backdoor with the UNC2465 team, which is active at least from April 2019 and is considered a partner of DarkSide's RaaS company.

In this attack, as soon as the backdoor was developed, UNC2465 created one NGROK tunnel and moved sideways to less than 24 hours. Five days later, UNC2465 hackers returned and used additional tools - such as a keylogger and Cobalt Strike BEACON - and stole credentials by dumping it. LSASS memory.

The researchers also observed that in this supply chain attack, UNC2465 did not distribute the DarkSide ransomware as the final payload, without ruling out the possibility that the cybercrime team may have been integrated into a new RaaS operation.

UNC2465 DarkSide supply chain attack
UNC2465: DarkSide partners hit CCTV camera vendor with supply chain attack

Proposal: Manchester is under "coordinated global attack" by hackers

Experts recommend scanning internal networks for the SmartPSS application and search for compromise indicators related to SMOKEDHAM backdoor. Finally, the researchers' report points out the following:

"The shift of UNC2465 from drive-by attacks to site visitors or phishing emails in this software supply chain attack shows a worrying change that brings new challenges. While many organizations focus more on perimeter defense and two-factor authentication (2FA) following recent public examples of password reuse or VPN device exploitation, endpoint monitoring often overlooked or limited to the standard antivirus. An integrated security program is needed to mitigate the risk from sophisticated teams, such as UNC2465, as they continue to adapt to a changing security landscape. "

Source of information:

Every accomplishment starts with the decision to try.