Colonial Pipeline Breach: Vulnerabilities Used by DarkSide

This is the first in a 2-part series on the Colonial Pipeline breach.  In today’s blog and video, we look at the software vulnerabilities previously exploited by DarkSide – the ransomware gang responsible for the attack.  While the details on precisely what happened with Colonial are not yet released, prior reporting has indicated that this group has attempted to exploit these vulnerabilities in the past. 


HubSpot Video

CVE-2021-20016: SonicWall SSLVPN SMA100 

CVE-2020-3992: OpenSLP/VMWare ESXi 

CVE-2019-5544: OpenSLP/VMWare ESXi 

CYR3CON PR1ORITY screenshot of the vulnerabilities previously used by DarkSide  


The SonicWall VPN vulnerability has been theorized by security researchers to have been involved in the attack, though as of this article, that is not confirmed.  This follows a trend of VPN vulnerability exploits used in ransomware throughout 2020.  The vulnerability was released in late April and information about exploitation rapidly became available.  The rapid increase in CyRating in the CYR3CON platform illustrates this point. 

CyRating of the SonicWall VPN vulnerability rapidly increased from disclosure due to potential and then confirmed exploitation. 


The other two vulnerabilities deal with ESXi, which CYR3CON has actively tracked intelligence on throughout 2020, and have recently gained notoriety in April and May of this year.  The CyRating history and example intelligence are shown. 


CYR3CON helps teams prioritize vulnerabilities and prevent breaches.  Contact us today to learn how we have become the most accurate, peer-reviewed, predictor of weaponized exploits.