
Darkside ransomware, Sodinokibi ransomware and CVE-2018-13379 – KNOW what’s trending this week

Post by Amanjot Kaur Jun 07, 2021

According to KNOW, the threat intel dashboard designed by Netenrich, Darkside ransomware, Sodinokibi ransomware, and CVE-2018-13379 remained the trending threats over the last week.

 

KNOW Threat Intel Dashboard

Let’s dive into the details of what transpired behind the scenes.

What is Darkside up to, and how is the U.S. dealing with it?

Last week, The New York Times obtained a secret chat that gave an inside look into the “ransomware-as-a-service” model offered by Darkside, a Russian-speaking cybercrime gang.[1] The same outfit was responsible for last month’s attack on Colonial Pipeline, a Georgia-based fuel company, for which it reportedly received a $5 million ransom.[2][3] The chat log and dashboard accessed by The Times provide a glimpse into the ‘dark side’ of growing cyber-crime operations, especially those run from Russian soil.

Darkside gives individual hackers access to off-the-shelf ransomware that anyone, with no technical skills, can use to extort money from their targets. The start-up-like operation also provides its affiliates with technical support for negotiation, payment processing, and designing pressure campaigns.

The Biden administration issued a statement saying it expects Russia to take strict action against the hackers. However, with Russia saying it has nothing to arrest the hackers for, cybercriminals have come to assume immunity from prosecution, since in such cases they break no Russian law.[4] The episode has also cast a spotlight on how vulnerable national security now is even to small-time cybercriminals who are supported by such an ecosystem. Cybercrime no longer requires sophisticated skills: anyone, anywhere in the world, with a criminal bent of mind can get access to such a ransomware platform for less than $100.

According to the latest statement released by the U.S. Department of Justice, ransomware attacks are to be given a priority similar to terrorism.[5]

Security recommendations: 

  • Continue to educate and re-educate your staff about phishing and spear-phishing attacks, as most ransomware attacks start with a compromised end user.
  • Impromptu tests and ongoing training can be used to encourage awareness.

What’s happening with Sodinokibi?

First discovered in 2019, Sodinokibi, also known as REvil, is a ransomware-as-a-service operation. The Russian-speaking gang is known to exploit security vulnerabilities and carry out phishing campaigns.[6]

  1. Attack on JBS

In an incident quite similar to Colonial Pipeline in the U.S., the Sodinokibi/REvil syndicate attacked JBS, the world’s largest meat company. The breach shut down some of JBS’s operations in the US, Canada, and Australia.

In the initial reports, the company stated that if it stopped its operations for one day, the U.S. would lose almost a quarter of its beef-processing capacity. Since meat has a short shelf life, a week-long closure would have been a serious issue.

By Thursday, however, the company said it had resumed operations at almost full capacity. It is not clear whether it paid any ransom. Meanwhile, the ransomware outfit released a statement that the agriculture sector is going to be its main target.[7]

The White House has said that President Biden intends to confront Russian leader Vladimir Putin about the increasing cybercrime originating from Russian soil when he meets him in Europe in two weeks.

  2. Attack on Fujifilm

On the evening of June 1st, Fujifilm realized that it had been attacked by ransomware. As an immediate response, Fujifilm had to partially shut down its operations. In its official statement, the company said, “we have taken measures to suspend all affected systems in coordination with our various global entities.”

Based on its initial investigation, the company said that it was attacked by Qbot, a 13-year-old Trojan that is mostly spread through phishing attacks. Qbot is currently linked to the REvil group. It is unclear whether the company had to pay any ransom to the hackers responsible for the attack.

Security recommendations: 

  • Increase awareness of phishing/spear-phishing attacks within your organization and run regular training programs on the subject.
  • Keep backups of your important files following the 3-2-1 rule, i.e. create three backup copies in two different file formats, with one of the backups in a different location.
  • Regularly update your systems, applications, and programs to ensure they are protected from known vulnerabilities.

What is CVE-2018-13379, and how do you patch it?

CVE-2018-13379 Overview (Source: Netenrich KNOW dashboard)

Recently, the FBI released an alert that shed light on how APT actors are exploiting CVE-2018-13379 and two other related, unpatched critical vulnerabilities in specific Fortinet FortiOS devices. The vulnerability is used for data theft and data encryption and has been rated critical by NVD.[8]

By exploiting the vulnerability, the APTs download system files through specially crafted HTTP requests, exposing passwords. Scanning for vulnerable devices has also been observed on ports 4443, 8443, and 10443. According to the FBI, the top three IOCs are new user accounts, outbound traffic, and unrecognized scheduled tasks.
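CVE-2018-13379 is a path traversal flaw in the FortiOS SSL VPN web portal, which is what the “specially crafted HTTP requests” above refers to. The following is an added example, not code from the original post or from Netenrich: it parses constructed access-log lines in an assumed format, flags traversal sequences (going beyond the text to also catch URL-encoded and double-encoded forms) aimed at the ports the FBI alert lists, and summarises which sources probed several of those ports.

```python
import re
from urllib.parse import unquote

# Ports the FBI alert lists as being scanned for vulnerable FortiOS SSL VPN devices.
SSLVPN_PORTS = {4443, 8443, 10443}

# Assumed log format (constructed for this example, not a Fortinet log):
# <client_ip> <dst_port> "<METHOD> <path> HTTP/x.y" <status>
LOG_RE = re.compile(r'^(\S+) (\d+) "(\w+) (\S+) HTTP/[\d.]+" (\d{3})$')

# Traversal markers checked after decoding, so %2e%2e%2f is seen as ../
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|/\.\.$)')

def fully_decode(path: str, rounds: int = 3) -> str:
    """Undo repeated URL encoding so %252e%252e%252f normalises to ../."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal(path: str) -> bool:
    return bool(TRAVERSAL_RE.search(fully_decode(path)))

def detect(lines):
    """Return (client_ip, port, path) for traversal attempts on SSL VPN ports."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: ignore rather than crash
        ip, port, _method, path, _status = m.groups()
        if int(port) in SSLVPN_PORTS and is_traversal(path):
            hits.append((ip, int(port), path))
    return hits

def scanners(hits, threshold: int = 2):
    """Source IPs whose traversal attempts touched several listed ports (scanning)."""
    ports_by_ip = {}
    for ip, port, _ in hits:
        ports_by_ip.setdefault(ip, set()).add(port)
    return sorted(ip for ip, ports in ports_by_ip.items() if len(ports) >= threshold)

# Constructed sample log lines; IPs are documentation ranges, paths are invented.
SAMPLE_LOG = """\
198.51.100.7 10443 "GET /portal/login?lang=en HTTP/1.1" 200
198.51.100.7 10443 "GET /app/download?file=../../../../etc/passwd HTTP/1.1" 200
203.0.113.9 4443 "GET /app/download?file=%2e%2e%2f%2e%2e%2fconfig HTTP/1.1" 200
203.0.113.9 8443 "GET /app/download?file=..%252f..%252fsecrets HTTP/1.1" 404
192.0.2.5 443 "GET /app/download?file=../../etc/shadow HTTP/1.1" 200
192.0.2.5 10443 "GET /static/app.js HTTP/1.1" 200
""".splitlines()
```

Note that the port 443 line is deliberately not flagged, because the filter is limited to the three ports named in the alert; widen `SSLVPN_PORTS` to match where your SSL VPN portal actually listens.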

The alert raised by the FBI should be taken as a reminder that software, program, and system updates must be applied proactively and regularly.


KNOW before your attackers  

There is an increasing trend of ransomware attacks delivered through malware, especially via phishing and spear-phishing. How strong is your security posture? KNOW, an evidence-based threat intel dashboard, provides the precise, up-to-date intelligence needed to discover, investigate, and act on trending threats.

