Supply Chain Attack Conducted by Darkside Operator


Mandiant researchers have identified a supply chain attack against a CCTV provider by a Darkside ransomware gang affiliate that has been distinguished as UNC2465. UNC2465 and other linked gangs identified by FireEye/Mandiant as UNC2628 and UNC2659 are regarded as one of the key affiliates of the DARKSIDE Group. 

The intrusion began on 18 May 2021, a day after the public suspension of the DARKSIDE general program (Mandiant Advantage background). Mandiant believes that although no ransomware has been discovered, membership groups that have performed DARKSIDE attacks could employ several ransomware affiliate programs and switch to each other at any time. 

Mandiant found that the installers were malicious at the commencement of June and informed the CCTV firm of a possible compromise on this website, making it possible for UNC2465 to substitute legitimate and Trojanised files.

Although Mandiant does not anticipate that many individuals have been affected, this strategy is reported to boost awareness. 

Software supply chain attacks can be very complex, from the recent attacks discovered by FireEye to attacks targeting smaller suppliers. A single infiltration of the software supply chain attack gives access to all businesses running the software of a victim company – in this situation, UNC2465 has modified the installer instead of the software itself.

Mandiant noted in mid-May 2021, that numerous threat players quoted a notice that the operators of the service seemed to share with the DARKSIDE RaaS members. That notification indicated that it had lost the access and would be closing its service to its infrastructure, including its blog, payment, and CDN servers. 

Since then, other underground members have claimed that they are unpaid DARKSIDE affiliates, and in certain cases privately gave forum admins with proof indicating their claims are legitimate. 

Mandiant consulting responded to an intrusion in June 2021; The first vector, which Mandiant found was a trojanized security camera PVR installer from a reputable website. As a result of ongoing infrastructure use and equipment use since October 2020, Mandiant has attributed the general intrusion to DARKSIDE affiliate UNC2465. 

On 18 May 2021, a person accessed the Trojanized link in the concerned organization and installed a ZIP. A chain of Downloads and Scripts was run when the software was installed which led to SMOKEDHAM and afterward NGROK on the computer of the victim. 

Further malware use like BEACON is also reported to have taken place. The trojan program was enabled in Mandiant's opinion between 18 May 2021, and 08 June 2021. 

Mandiant indicates that the majority of publicly identified victims of ransomware shaming websites have progressed steadily over the last month. Despite the recent restriction on posts concerning ransomware in underground forums, threat actors may still exploit private chats and links to find ransomware services.