[BreachExchange] UNC2465 cybercrime group launched a supply chain attack on CCTV vendor

[Sophia Kingsbury]

https://www.cyberdefensemagazine.com/unc2465-cybercrime/

UNC2465 cybercrime group that is affiliated with the Darkside ransomware
gang has infected with malware the website of a CCTV camera vendor.

An affiliate of the Darkside ransomware gang, tracked as UNC2465, has
conducted a supply chain attack against a CCTV vendor, Mandiant researchers
discovered. UNC2465 is considered one of the main affiliates of the
DARKSIDE group, along with other affiliate gangs tracked by
FireEye/Mandiant as UNC2628 and UNC2659.

The crooks compromised the website of the vendor and implanted malicious
code in a Windows application, a custom version of the Dahua SmartPSS
Windows app, that the company provides to its customers to control their
security feeds.

“The intrusion that is detailed in this post began on May 18, 2021, which
occurred days after the publicly reported shutdown of the overall DARKSIDE
program (Mandiant Advantage background). While no ransomware was observed
here, Mandiant believes that affiliate groups that have conducted DARKSIDE
intrusions may use multiple ransomware affiliate programs and can switch
between them at will.” reads the analysis published by Mandiant.

“Sometime in May 2021 or earlier, UNC2465 likely Trojanized two software
install packages on a CCTV security camera provider website.”

The website was first breached on May 18 and hackers remained within the
organizations until early June when Mandiant researchers spotted the supply
chain attack.

The tainted app was used by attackers to deliver a version of the .NET
SMOKEDHAM backdoor, which supports keylogging, taking screenshots, and
executing arbitrary commands on the infected systems.

“Mandiant Consulting observed the Trojanized installer downloaded on a
Windows workstation after the user visited a legitimate site that the
victim organization had used before.” continues the analysis. “Mandiant
confirmed the user intended to download, install, and use the SmartPSS
software. Figure 2 shows an image of the download page used for SmartPSS
software.”

The SMOKEDHAM backdoor was associated by FireEye to the activity of the
UNC2465 group that dates back to at least April 2019 and is considered a
DARKSIDE RaaS affiliate.

In the documented attack, once the backdoor is deployed, UNC2465
interactively established an NGROK tunnel and performed lateral movements
in less than 24 hours. After five days, the UNC2465 hackers returned and
deployed additional tools such as a keylogger, Cobalt Strike BEACON, and
gathered credentials via dumping LSASS memory.

Experts noticed that in this supply chain attack, UNC2465 did not deliver
the Darkside ransomware as the final payload, but they did not exclude that
the cybercrime group could move to a new RaaS operation.

Experts recommend scanning internal networks for the SmartPSS app and
search for Indicators of Compromise associated with the SMOKEDHAM backdoor.

“UNC2465’s move from drive-by attacks on website visitors or phishing
emails to this software supply chain attack shows a concerning shift that
presents new challenges for detection. While many organizations are now
focusing more on perimeter defenses and two-factor authentication after
recent public examples of password reuse or VPN appliance exploitation,
monitoring on endpoints is often overlooked or left to traditional
antivirus.” concludes the report. “A well-rounded security program is
essential to mitigate risk from sophisticated groups such as UNC2465 as
they continue to adapt to a changing security landscape.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210621/dbb5016a/attachment.html>