This OT Vulnerability & IoC Database update provides additional detection capabilities for eyeInspect by including new Indicators of Compromise based on the current knowledge of the DarkSide malware and crew that hit Colonial Pipeline. Follow the company blog for updates.
- New IoCs reported for DarkSide have been added:
  - 29 IP addresses
  - 47 MD5 hashes
  - 21 domains
- The C&C channel is reported to run over Tor; eyeInspect ships a large, very recently updated list of 6700 Tor exit node IP addresses.
- Reports mention initial entry via TeamViewer (or RDP), using purchased account credentials of remote-working engineers.
- Once inside, the attack proceeds with a reconnaissance phase in which the attacker uses Metasploit and other Offensive Security Tool (OST) frameworks to locate vulnerabilities in the victim's network, with the goal of establishing initial access to the environment.
- From there, investigations show the attackers move through the environment by obtaining access to privileged accounts, for example an Administrator RDP session on a Domain Controller, or by using another privileged account to reach a file server.
- Some existing checks in the Threat Detection Add-Ons cover the scenario described above, where the targets are Windows machines only (excerpt from the script page):
  - Implemented the detection of potential reconnaissance attempts based on MSRPC/DRSUAPI (Directory Replication Service protocol) over DCOM/SMB
  - Implemented the detection of potential reconnaissance and user account manipulation attempts based on MSRPC/LSARPC (Local Security Account Remote protocol) over DCOM/SMB
  - Implemented the detection of potential reconnaissance and user account manipulation attempts based on MSRPC/SAMR (Security Account Manager Remote protocol) over DCOM/SMB
  - Implemented the detection of potential reconnaissance attempts based on MSRPC/SRVSVC (Server Service Remote protocol) over DCOM/SMB
  - Implemented the detection of potential reconnaissance and lateral movement attempts based on MSRPC/SVCCTL (Service Control Manager Remote protocol) over DCOM/SMB
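As an added illustration (not eyeInspect code and not taken from the script page), the following Python shows the core of such a check: it parses a DCE/RPC bind PDU and reports which of the five MSRPC interfaces listed above a client asks to bind to. The interface UUIDs are the published MS-RPCE abstract syntax identifiers; the `build_bind` helper and its sample PDU are constructed here only to exercise the parser.

```python
"""Flag DCE/RPC bind requests to the MSRPC interfaces the checks above monitor."""
import struct
import uuid

# Published interface UUIDs (abstract syntaxes) of the five MSRPC interfaces listed above.
WATCHED_INTERFACES = {
    uuid.UUID("e3514235-4b06-11d1-ab04-00c04fc2dcd2"): "DRSUAPI",
    uuid.UUID("12345778-1234-abcd-ef00-0123456789ab"): "LSARPC",
    uuid.UUID("12345778-1234-abcd-ef00-0123456789ac"): "SAMR",
    uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188"): "SRVSVC",
    uuid.UUID("367abb81-9844-35f1-ad32-98f038001003"): "SVCCTL",
}
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
PTYPE_BIND = 11  # DCE/RPC packet type of a bind request

def requested_interfaces(pdu: bytes) -> list:
    """Names of watched interfaces requested in a DCE/RPC v5 bind PDU; [] if not a bind or malformed."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != PTYPE_BIND:
        return []
    little_endian = (pdu[4] & 0xF0) == 0x10  # drep byte 0: 0x10 = little-endian integers
    order = "<" if little_endian else ">"
    frag_length = struct.unpack_from(order + "H", pdu, 8)[0]
    if frag_length > len(pdu):
        return []  # fragment claims more bytes than were captured
    n_ctx = pdu[24]  # number of presentation context elements
    found, offset = [], 28
    for _ in range(n_ctx):
        if offset + 24 > frag_length:
            break  # context list cut short; stop rather than read past the frame
        n_transfer = pdu[offset + 2]
        raw = pdu[offset + 4:offset + 20]  # abstract syntax UUID, byte order per drep
        iface = uuid.UUID(bytes_le=raw) if little_endian else uuid.UUID(bytes=raw)
        name = WATCHED_INTERFACES.get(iface)
        if name and name not in found:
            found.append(name)
        offset += 24 + 20 * n_transfer  # skip abstract syntax and its transfer syntaxes
    return found

def build_bind(interface: uuid.UUID, version: int = 1) -> bytes:
    """Constructed sample input: a minimal single-context, little-endian bind PDU."""
    ctx = struct.pack("<HBB", 0, 1, 0) + interface.bytes_le + struct.pack("<HH", version, 0)
    ctx += NDR_TRANSFER_SYNTAX.bytes_le + struct.pack("<HH", 2, 0)
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0) + ctx
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03, b"\x10\x00\x00\x00", 16 + len(body), 0, 1)
    return header + body

if __name__ == "__main__":
    sample = build_bind(uuid.UUID("12345778-1234-abcd-ef00-0123456789ac"))  # constructed SAMR bind
    print("bind targets:", requested_interfaces(sample))  # prints ['SAMR']
```

In a sensor this function would run over the DCE/RPC payload carried in SMB named-pipe writes or direct TCP/135-style connections, and a hit on SAMR, LSARPC or SVCCTL from a host that does not normally administer the target is the anomaly worth alerting on.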
How eyeInspect helps besides the IoCs:
- Monitoring the boundaries between OT and IT
- Detecting anomalies and lateral movement
- Spotting unforeseen changes in network communication behavior, such as unexpected connections or anomalous network logins
- Through the specific IoCs and alerts
This content update is supported by the following releases:
- eyeInspect 3.13.0 and up
The database update must be uploaded to the eyeInspect Command Center. This is a partial database update.
The additional detection and fingerprinting capabilities that SD Scripts provide allow for more comprehensive vulnerability detection. Where vulnerability identification is important, it is strongly advised to run the Host and Link Add-Ons SD Script on the sensors (the "Host-Link-Addons" script, version 1.34 or higher, is available on the portal now).
Download the module and related documentation from the Downloads / Resources section of the OT Customer portal, https://portal.secmatters.com/.
Release date: 13-May-2021