This is the first in a 2-part series on the Colonial Pipeline breach. In today's blog and video, we look at the software vulnerabilities previously exploited by DarkSide, the ransomware gang responsible for the attack. While the details of precisely what happened at Colonial have not yet been released, prior reporting has indicated that this group has attempted to exploit these vulnerabilities in the past.
CVE-2021-20016: SonicWall SSLVPN SMA100
CVE-2020-3992: OpenSLP/VMware ESXi
CVE-2019-5544: OpenSLP/VMware ESXi
[Figure: CYR3CON PR1ORITY screenshot of the vulnerabilities previously used by DarkSide]
Security researchers have theorized that the SonicWall VPN vulnerability was involved in the attack, though as of this article that is not confirmed. This follows a trend of VPN vulnerabilities being exploited in ransomware attacks throughout 2020. The vulnerability was disclosed in late April, and information about its exploitation rapidly became available. The rapid increase in its CyRating in the CYR3CON platform illustrates this point.
[Figure: CyRating of the SonicWall VPN vulnerability rapidly increased from disclosure due to potential and then confirmed exploitation]
The other two vulnerabilities affect VMware ESXi. CYR3CON actively tracked intelligence on them throughout 2020, and they gained renewed notoriety in April and May of this year. The CyRating history and example intelligence are shown.
CYR3CON helps teams prioritize vulnerabilities and prevent breaches. Contact us today to learn how we have become the most accurate, peer-reviewed predictor of weaponized exploits.