
Our team has recently led several high-profile investigations of attacks attributed to an up-and-coming cybercrime group, Darkside. These highly targeted campaigns were conducted in several phases over weeks or months, ultimately targeting theft and encryption of sensitive data, including backups. In this technical blog post, we will review the tactics, techniques, and procedures (TTPs) we’ve observed.

About Darkside, inc.

The Darkside ransomware group announced their RaaS (Ransomware-as-a-Service) in August of 2020 via a “press release.” Since then, they have become known for their professional operations and large ransoms. They provide web chat support to victims, build intricate data leak storage systems with redundancy, and perform financial analysis of victims prior to attacking.

The group’s name, Darkside, evokes the image of a good guy (or gal) that has turned from the light. While we can’t conclude that the group is comprised of former IT security professionals, their attacks reveal a deep knowledge of their victims’ infrastructure, security technologies, and weaknesses.

They have publicly stated that they prefer not to attack hospitals, schools, non-profits, and governments, but rather big organizations that can afford to pay large ransoms.

Our reverse engineering revealed that Darkside’s malware will check device language settings to ensure they don’t attack Russia-based organizations. They have also answered questions on Q&A forums in Russian and are actively recruiting Russian-speaking partners.

The group has both Windows and Linux toolsets. Much like NetWalker and REvil, Darkside has an affiliate program that offers anyone who helps spread their malware 10-25% of the payout.

Anatomy of an Attack

The Darkside ransomware attack campaigns stood out for their use of stealthy techniques, especially in the early stages. The group performed careful reconnaissance and took steps to ensure that their attack tools and techniques would evade detection on monitored devices and endpoints.

While their initial entry vectors vary, their techniques are more standardized once inside, and their endgame is coldly efficient.

Stealth tactics include:

  • Command and control over TOR
  • Avoiding nodes where EDR is running
  • Waiting periods & saving noisier actions for later stages
  • Customized code and connection hosts for each victim
  • Obfuscation techniques like encoding and dynamic library loading
  • Anti-forensics techniques like deleting log files

During the later stages of their attack sequence, they:

  • Harvest credentials stored in files, in memory, and on domain controllers
  • Utilize file shares to distribute attack tools and store file archives
  • Relax permissions on file shares for easy harvesting
  • Delete backups, including shadow copies
  • Deploy customized ransomware

Initial Access: Finding the Weak Link

Darkside ransomware gained initial entry through weak links – remotely exploitable accounts and systems.

We observed Darkside use compromised contractor accounts to access Virtual Desktop Infrastructure (VDI) that had been put in place to facilitate remote access during the pandemic. Though, contractor accounts did not.

We also observed them exploit servers, and then quickly deploy an additional RDP that would preserve access should the vulnerable server be patched.

While neither of these vectors is novel, they should serve as a warning that sophisticated threat actors are easily bypassing perimeter defenses. They illustrate the need for multi-factor authentication on all internet-facing accounts and rapid patching of internet-facing systems.

Command and Control

The Darkside ransomware attackers established command and control primarily with an RDP client running over port 443, routed through TOR. After installing a Tor browser, they modified its configuration to run as a persistent service, redirecting traffic sent to a local (dynamic) port through TOR via HTTPS over port 443, so it would be indistinguishable from normal web traffic. These connections were persistent, so the attackers could establish RDP sessions to and through the compromised hosts, facilitating lateral movement.

We found traces of TOR clients across many servers and observed dozens of active TOR connections.

The attackers used Cobalt Strike as a secondary command and control mechanism. We observed dozens of customized stagers that downloaded customized beacons that connected to specific servers. The stagers (named file.exe) were deployed remotely on specific targeted devices using WinRM, each one configured differently. Cobalt Strike stagers established connections to a dedicated C2 server to download the Cobalt Strike Beacon.

Threat actors commonly use only a few C2 servers per victim, but Darkside configured each beacon to connect to a different C2 server with a different user agent. This would indicate that Darkside operates a large, well-established attack infrastructure.

The stagers and TOR executables were stored in network shares for easy distribution. The actors avoided installing backdoors on systems monitored by EDR solutions.

We observed the threat actors log into the Virtual Desktop environment with many accounts, sometimes concurrently. Each time the threat actor logged on, .lnk files were created in the compromised user’s home folders. The .lnk file activity helped determine which accounts and VDI environments had been compromised and when each account was used in the attack.

Recon and Credential Harvesting

Darkside ransomware is known for living off the land (LotL), but we observed them scanning networks, running commands, dumping processes, and stealing credentials. Like the command and control code, the attack tools were also executed on hosts that had minimal detection and blocking capabilities. Well-known tools included advanced_ip_scanner.exe, psexec, Mimikatz, and more.

From the initial set of compromised hosts, the actor used ticket requests and NTLM connections to gain access to additional systems and accounts. After a waiting period, the actor used an Active Directory reconnaissance tool (ADRecon.ps1) to gather additional information about users, groups, and privileges, storing results in a file called DC.txt. Each of their attack tools was deleted after use. The attacker temporarily stored the recon results and credential information on a very active Windows server. Interesting file names written and deleted on the server included: Typed_history.zip, Appdata.zip, IE_Passwords.zip, AD_intel, and ProcessExplorer.zip.

In addition to credential harvesting, the attacker mined credentials from User profile folders, including:

  • \Users\<user name>\AppData\[Roaming|Local]\Microsoft\[Credentials|Vault]
  • \Users\<user name>\AppData\Roaming\Mozilla\Firefox\Profiles
  • \Users\<user name>\AppData\Local\Google\Chrome

The threat actor used Invoke-mimikatXz.ps1 to extract credentials from unmonitored servers and stored them in a file called “dump.txt.” This operation was performed on a high-value target with minimal detection capabilities.

Once the attacker obtained domain admin credentials, they accessed domain controllers. In later stages they performed the well-known DCSync attack, where the attacker pretends to be a legitimate domain controller and utilizes the Directory Replication Service to replicate AD information, gaining access to password data for the entire domain, including the KRBTGT hash.
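DCSync leaves a trace: the account requesting replication must hold the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control-access rights on the domain object, and a domain controller with object-access auditing enabled records that as Event ID 4662. The check below is an added example (not code from the Varonis post) that reads flattened 4662 records and flags any subject that exercised those rights without being a known domain controller or sync agent. The two replication GUIDs are the real Active Directory values; the log lines, account names and the `KNOWN_REPLICATORS` allowlist are constructed for the example.

```python
import re

# Control-access-right GUIDs an account needs in order to pull directory
# replication data (real Active Directory schema values).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample: Event ID 4662 records flattened to one line each.
# Field names follow the Windows audit schema; accounts and the non-replication
# property GUID are made up.
SAMPLE_4662 = """\
EventID=4662 SubjectUserName=DC01$ SubjectDomainName=CORP ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=jdoe SubjectDomainName=CORP ObjectType=user Properties={00000000-0000-0000-0000-000000000001}
EventID=4662 SubjectUserName=svc_backup SubjectDomainName=CORP ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=DC02$ SubjectDomainName=CORP ObjectType=domainDNS Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
"""

# Accounts that legitimately replicate: domain controllers plus any known
# sync agents (for example a directory synchronization service account).
KNOWN_REPLICATORS = {"DC01$", "DC02$"}


def parse_4662(line):
    """Turn one flattened 4662 record into a dict; GUIDs are collected from the whole line."""
    fields = dict(FIELD_RE.findall(line))
    fields["guids"] = {g.lower() for g in GUID_RE.findall(line)}
    return fields


def find_dcsync(lines, known_replicators):
    """Return subject accounts that exercised replication rights but are not expected to."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_4662(line)
        if ev.get("EventID") != "4662":
            continue
        if not (ev["guids"] & REPLICATION_RIGHTS):
            continue
        subject = ev.get("SubjectUserName", "")
        if subject not in known_replicators:
            hits.append(subject)
    return hits


if __name__ == "__main__":
    for account in find_dcsync(SAMPLE_4662.splitlines(), KNOWN_REPLICATORS):
        print(f"possible DCSync by {account}")
```

Keep the allowlist short and reviewed: every entry in it is an account whose compromise gives an attacker the same result as DCSync, so it doubles as the list of accounts that deserve the tightest monitoring.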

Data Collection and Staging

The active Windows server also served as a hub to store data before exfiltration. Data was mined from hundreds of servers with a batch routine (dump.bat) located in Desktop\Dump, writing files to the same location, compressing them into 7zip archives with a simple naming convention, *.7z.[001]-[999].

Though they had accumulated elevated privileges, we observed the attacker relax the permissions on file systems, opening them up so that they could access the files with any domain user account. The batch file, target data, and the archives were deleted by the attackers within hours of collection.

Encryption

Darkside doesn’t deploy ransomware until they’ve mapped the environment, exfiltrated interesting data, gained control of privileged accounts, and identified all backup systems, servers, and applications. We observed several connections to primary backup repositories using compromised service accounts shortly before encryption. By holding off on the encryption phase of the attack, they put themselves in a position to maximize damage and profit.

The ransomware code is delivered through established backdoors (TOR-RDP or Cobalt Strike) and is customized for each victim. The payload includes the executable, a unique extension, and a unique victim ID that allows the victim to access Darkside’s website and make payment.

By using unique executables and extensions, the ransomware easily evades signature-based detection mechanisms. Darkside also provides customized ransomware to other threat actors (Ransomware as a Service) and takes a part of the profit in successful attacks.

One version of the customized code was named, “Homie.exe.” In addition to being customized, we found it also uses anti-forensics and anti-debugging techniques, such as self-injection, virtual machine detection, and dynamic library loading. It also deletes shadow copies on victim devices.

Darkside Ransomware Stage 1 – Self Injection

On execution, the malware copies itself to the path C:\Users\admin\AppData\Local\Temp and injects its code into the existing process with a CMD command.

If the malware finds indications that it is being debugged or run in a VM, it immediately stops.

To avoid detection by AV and EDR solutions, the ransomware dynamically loads its libraries, without registering them in its imports section.

Only 3 libraries are imported, which indicates that the other libraries’ names are resolved dynamically during the malware’s run instead of being explicitly imported.

Ransomware Stage 2 – Deletion of Shadow Copies

Using an obfuscated PowerShell command, the malware attempts to delete the shadow copies on the victim device. [The obfuscated command and its de-obfuscated form are not preserved in this copy of the post.]
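The obfuscation seen here is usually nothing more than PowerShell’s own `-EncodedCommand` switch, which takes the script as base64 over UTF-16LE. Decoding it is the first thing a responder does, and it is also cheap to do in a detection pipeline. The triage routine below is an added example (not the Varonis team’s code and not the command from the post): it pulls the encoded argument out of a process command line, decodes it, and flags any decoded script that references shadow copies at all, since a legitimate administrator rarely hides shadow-copy work behind an encoded command. The command lines, the indicator list and the `encode_for_demo` helper are constructed for the example; the flagged sample only enumerates shadow copies.

```python
import base64
import re

# Tokens that, inside a PowerShell script, point at shadow-copy handling.
# Seeing any of them in an *encoded* command line is worth an alert on its own.
SHADOW_COPY_INDICATORS = ("win32_shadowcopy", "vssadmin", "shadowcopy delete")

# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENCODED_ARG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def shadow_copy_indicators(script):
    """Indicators present in a decoded script, in the order of SHADOW_COPY_INDICATORS."""
    low = script.lower()
    return [tok for tok in SHADOW_COPY_INDICATORS if tok in low]


def encode_for_demo(script):
    """Encode a script the way PowerShell expects it (used only to build constructed samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples: a benign encoded command, an encoded command that touches
# shadow copies (enumeration only), and a plain command line without encoding.
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -EncodedCommand " + encode_for_demo("Get-Date"),
    "powershell.exe -w hidden -enc " + encode_for_demo("Get-WmiObject Win32_Shadowcopy | Select-Object ID"),
    "powershell.exe -File C:\\scripts\\backup.ps1",
]


def triage(cmdlines):
    """Return (cmdline, decoded script, indicators) for each encoded command that trips an indicator."""
    findings = []
    for cmdline in cmdlines:
        decoded = decode_encoded_command(cmdline)
        if decoded is None:
            continue
        hits = shadow_copy_indicators(decoded)
        if hits:
            findings.append((cmdline, decoded, hits))
    return findings


if __name__ == "__main__":
    for cmdline, decoded, hits in triage(SAMPLE_CMDLINES):
        print(f"{hits} in decoded command: {decoded}")
```

In production the decoded script, not the raw command line, is what should be written to the SIEM field your rules match on; otherwise every encoded variant of the same one-liner looks unique, which is exactly the effect the attacker wants.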

Ransomware Stage 3 – Encryption of Files


After the deletion of the shadow copies, the malware first closes specific processes to avoid locked files that can delay encryption, and then begins its encryption routine.

List of processes:

  • sql
  • oracle
  • ocssd
  • dbsnmp
  • synctime
  • agntsvc
  • isqlplussvc
  • xfssvccon
  • mydesktopservice
  • ocautoupds
  • encsvc
  • firefox
  • tbirdconfig
  • mydesktopqos
  • ocomm
  • dbeng50
  • sqbcoreservice
  • excel
  • infopath
  • msaccess
  • mspub
  • onenote
  • outlook
  • powerpnt
  • steam
  • thebat
  • thunderbird
  • visio
  • winword
  • wordpad
  • notepad

During encryption, the malware appends an 8-character string to the end of the encrypted file names.

Darkside ransomware avoids encrypting files with the following extensions:

386,adv,ani,bat,bin,cab,cmd,com,cpl,cur,deskthemepack,diagcab,diagcfg,diagpkg,dll,drv,exe,hlp,icl,icns,ico,ics,idx,ldf,lnk,mod,mpa,msc,msp,msstyles,msu,nls,nomedia,ocx,prf,ps1,rom,rtp,scr,shs,spl,sys,theme,themepack,wpx,lock,key,hta,msi,pdb

It creates a ransom note (“README…txt”) with instructions to contact the ransomware creator for decryption.

How to Prepare for Threat Actors in 2021

Find and fix the weak links before attackers do

Any internet-facing account that doesn’t require MFA is a brute-force attack away from a compromise. Any unpatched internet-facing server is an exploit away from script-kiddie payday.

Assume breach and fix weak links inside

Threat actors look for quick ways to obtain domain admin credentials. Service or admin accounts with SPNs that also have weak encryption or, worse still, privileged accounts with weak or no password requirements, are too-easy targets.
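The three properties named above (an SPN, weak Kerberos encryption types, and privilege or a stale password) are all readable from the directory, so the review can be scripted. The following is an added example, not code from the post: it scores exported account records the way a practitioner would before deciding which service accounts to fix first. The `msDS-SupportedEncryptionTypes` bit values are the real Active Directory ones; the account records, the `privileged` flag (assumed to come from a prior group-membership lookup) and the 365-day password threshold are constructed for the example, and the treatment of an unset attribute as RC4 reflects the default KDC behaviour rather than any hardening an organization may have applied.

```python
# Bits of msDS-SupportedEncryptionTypes (real Active Directory values).
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128, AES256 = 0x1, 0x2, 0x4, 0x8, 0x10
AES_ANY = AES128 | AES256
DES_ANY = DES_CBC_CRC | DES_CBC_MD5
MAX_PASSWORD_AGE_DAYS = 365  # constructed policy threshold

# Constructed records, shaped like a directory export after a group-membership
# lookup has filled in "privileged"; names and values are made up.
SAMPLE_ACCOUNTS = [
    {"sam": "svc_sql", "spns": ["MSSQLSvc/sql01.corp.example:1433"],
     "enc_types": RC4_HMAC, "pwd_age_days": 1400, "privileged": True},
    {"sam": "svc_web", "spns": ["HTTP/web01.corp.example"],
     "enc_types": AES_ANY, "pwd_age_days": 30, "privileged": False},
    {"sam": "svc_legacy", "spns": ["CIFS/legacy.corp.example"],
     "enc_types": None, "pwd_age_days": 2000, "privileged": True},
    {"sam": "jdoe", "spns": [],
     "enc_types": None, "pwd_age_days": 20, "privileged": False},
]


def assess(account):
    """Findings for one account; an empty list means nothing to flag."""
    findings = []
    if not account["spns"]:
        # Without an SPN no service ticket can be requested for the account,
        # so the encryption type does not matter for this particular risk.
        return findings
    enc = account["enc_types"]
    # Unset (None or 0) means the account never opted into AES, so by default
    # its service tickets are issued under RC4, keyed from the NT hash.
    if not enc or not (enc & AES_ANY):
        findings.append("SPN with RC4-only (or unset) encryption types")
    elif enc & DES_ANY:
        findings.append("SPN still allows DES")
    if account["privileged"]:
        findings.append("SPN on a privileged account")
    if account["pwd_age_days"] > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"password older than {MAX_PASSWORD_AGE_DAYS} days")
    return findings


def review(accounts):
    """Map sAMAccountName to its findings, keeping only accounts with something to fix."""
    result = {}
    for account in accounts:
        findings = assess(account)
        if findings:
            result[account["sam"]] = findings
    return result


if __name__ == "__main__":
    for sam, findings in sorted(review(SAMPLE_ACCOUNTS).items(), key=lambda kv: -len(kv[1])):
        print(sam, "->", "; ".join(findings))
```

Sorting by the number of findings puts the accounts that combine all three weaknesses at the top; those are the ones whose fix (long random password, AES-only encryption types, removal from privileged groups, or migration to a group managed service account) removes the most risk per change.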

In too many organizations, attackers don’t even need elevated credentials to harvest data – the average employee has access to far more data than they require. Lock down sensitive data so that only the right accounts have access, and then monitor file systems for unusual access and change events.

More lights, please, especially on stuff that matters

Organizations with comprehensive monitoring solutions detect and investigate attacks like these more quickly. If you have blind spots on core data stores, in Active Directory, DNS, remote access systems, or in web connections, you’ll struggle to determine which systems were compromised and whether sensitive data was stolen.

If you detect a breach, let Active Directory triangulate the blast radius

Active Directory events can help you quickly identify compromised accounts and devices. Instead of focusing on one endpoint at a time, once one compromised account or system has been identified, query Active Directory for signs of lateral movement by that account or accounts used on that system.
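The pivot described above is a graph walk over logon events: a compromised account points at the hosts it logged on to, each of those hosts points at every other account that logged on there, and so on to a chosen depth. The routine below is an added example (not from the Varonis post) that runs that walk over Event ID 4624 records reduced to a few fields. The sample events, host names and addresses are constructed; the choice to follow only logon types 2, 3 and 10 and to skip machine accounts is the author’s assumption about what usually reflects hands-on-keyboard activity, and should be tuned to the environment.

```python
import csv
from collections import deque
from io import StringIO

# Constructed sample of Event ID 4624 (successful logon) records, reduced to the
# fields the pivot needs. Hosts, accounts and addresses are made up.
SAMPLE_4624 = """\
time,target_user,logon_type,computer,source_ip
2021-01-10T01:02:00,contractor1,10,VDI-01,198.51.100.7
2021-01-10T01:20:00,contractor1,3,FS-01,10.0.0.21
2021-01-10T01:25:00,svc_backup,3,FS-01,10.0.0.21
2021-01-10T02:00:00,svc_backup,10,DC01,10.0.0.35
2021-01-10T02:05:00,alice,2,WS-07,10.0.0.50
2021-01-10T02:10:00,DC01$,3,DC02,10.0.0.5
"""

# Logon types that reflect someone actually using credentials on a host:
# 2 interactive, 3 network (SMB, WinRM), 10 RemoteInteractive (RDP).
PIVOT_LOGON_TYPES = {"2", "3", "10"}


def load_events(text):
    """Parse the CSV export into a list of dicts (one per logon)."""
    return list(csv.DictReader(StringIO(text)))


def blast_radius(events, seed_accounts, max_depth=3):
    """Breadth-first pivot: account -> hosts it logged on to -> other accounts seen there.

    Returns {"accounts": {name: depth}, "hosts": {name: depth}}; depth 0 is a seed.
    Machine accounts (ending in '$') are not followed, since they log on everywhere
    and would pull the entire domain into the result.
    """
    hosts_by_account = {}
    accounts_by_host = {}
    for ev in events:
        if ev["logon_type"] not in PIVOT_LOGON_TYPES:
            continue
        acct, host = ev["target_user"], ev["computer"]
        if acct.endswith("$"):
            continue
        hosts_by_account.setdefault(acct, set()).add(host)
        accounts_by_host.setdefault(host, set()).add(acct)

    accounts = {a: 0 for a in seed_accounts}
    hosts = {}
    queue = deque((a, 0) for a in seed_accounts)
    while queue:
        acct, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for host in sorted(hosts_by_account.get(acct, ())):
            hosts.setdefault(host, depth + 1)
            for other in sorted(accounts_by_host.get(host, ())):
                if other not in accounts:
                    accounts[other] = depth + 1
                    queue.append((other, depth + 1))
    return {"accounts": accounts, "hosts": hosts}


if __name__ == "__main__":
    radius = blast_radius(load_events(SAMPLE_4624), {"contractor1"})
    for kind in ("accounts", "hosts"):
        for name, depth in sorted(radius[kind].items(), key=lambda kv: kv[1]):
            print(f"{kind[:-1]:8} depth {depth}: {name}")
```

Depth is the useful output: depth-1 hosts were touched by the known-bad account directly, while a depth-2 account only shares a host with it and may be a victim of credential theft rather than an attacker-controlled identity. Both still need a password reset, but the order of investigation follows the depth.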


If you have any reason to believe you’ve been targeted by Darkside or any other group, please don’t hesitate to reach out for incident response and forensics help via https://www.varonis.com/help.


A special thanks to Rotem Tzadok for leading our Darkside investigations and analysis.

War of the Ring Strategy 101 – (1) The Theaters of the War

In War of the Ring there are five major areas in which battles are fought. These are Gondor to the south, Eriador to the northwest, the DEW-line to the northeast, and The Misty Mountains and Rohan in the center. Both the Shadow and the Free Peoples have different options available to them in these areas, and in this article we will take a closer look at what offensive strategies are available to the Shadow, what defensive strategies the Free Peoples can employ in the different areas, and which Event Cards can be useful in their endeavors.

The Shadow

Within the borders of Gondor there are five victory points ripe for the taking. These are all prime targets for the Shadow, since by taking these not only does the Shadow gain the victory points; he will also prevent the Free Peoples player from turning Strider into Aragorn, if captured before Strider reaches Gondor. To strike at all three victory point locations the Shadow must coordinate the armies from Mordor and Harad in an effort to lay siege to the Strongholds of Dol Amroth and Minas Tirith quickly. In addition to the two Strongholds the city of Pelargir must be captured, and this is often the wisest place to begin the attack on Gondor. By sending the armies from Harad here you can quickly divide the Gondor force into two: one in Minas Tirith and one in Dol Amroth. Be aware though that by beginning your assault at Pelargir you might give the Free Peoples player the chance to muster some reinforcements in Dol Amroth and/or Minas Tirith before you have the chance to besiege them. The Event Cards that allow the Shadow to move his Armies and muster in advanced positions can give a real boost in the assault on Gondor, but the most useful one is probably 'Corsairs of Umbar', which will allow the Southrons to launch an assault on Dol Amroth all the way from Umbar. Next in line is 'Denethor’s Folly', which will make your assault on the white city substantially easier with less Free Peoples Leadership and no Combat Card to worry about in your initial combat round.

The Free Peoples

Defending the settlements of Gondor against the oncoming Shadow is no easy task. Pelargir is extremely difficult to hang on to if the Shadow launches the first attack here but both Dol Amroth and Minas Tirith can be defended if needed. To defend Minas Tirith the fortification of Osgiliath should be reinforced before the Shadow strikes and you should have enough time to muster at least once in Dol Amroth if Gondor comes under attack, unless it is from the 'Corsairs of Umbar' Event Card. At your disposal are several nice Event Cards that can make your defenses a lot easier. With cards such as 'Guards of the Citadel', 'Imrahil of Dol Amroth', 'Faramir’s Rangers', 'House of the Stewards' and 'Dead Men of Dunharrow' you can quickly strengthen the defenses and create some really difficult situations for the Shadow. However, the most powerful ones ('Faramir’s Rangers' and 'Dead Men of Dunharrow') have some requirements that need to be fulfilled to get the most out of them.

The Shadow

To the northeast, the Shadow can claim five victory points from the Strongholds of Erebor and the Woodland Realm, and the city of Dale. Dale is the easiest target, but if you plan to take one or both of the Free Peoples Strongholds you need some serious muscle. A good strategy is to take the Sauron Army units that begin the game in Mordor and march them up north. The distance is quickly covered, and unless the Free Peoples player dedicates some valuable Action Dice to actually rouse some of the DEW nations they won’t be able to put up much of a fight. A note must be made about Erebor though: it is well protected from the start, and with a single muster it will become very difficult to take. The big risk for the Shadow around the DEW-line is that if the Free Peoples nations are brought to War they can quickly reinforce each other and make you regret you chose the DEW-line as a target. To avoid this the Shadow should strike quickly before they are activated, or suddenly at the same time as he also strikes somewhere else, since he should be able to move in two different theatres of war while the Free Peoples player can only defend in one. If you are lucky enough to draw the card 'Horde From the East' early, the DEW-line should be a prime target. The Easterling army created by combining this card with the beginning forces in Rhûn should be more than sufficient to take Dale and one of the two Free Peoples Strongholds in the area. The other S&E muster events could also be used for this purpose, but no other is as powerful as 'Horde From the East'.

The Free Peoples

The closeness of Dale, Erebor and the Woodland Realm is both a blessing and a curse to the Free Peoples player. If activated early and brought to war they can form a formidable defense against the forces of Sauron, but if attacked one by one by the Shadow player before you can muster defenders they become easy victory points for the Shadow. The most important thing you can do in your defense of the DEW-line is to move the army in Carrock to the Old Forest Road to block an attack from the south, and from where it can reach both the Woodland Realm and Dale if forced to retreat. Even better is if you manage to play the card “Grimbeorn the Old, Son of Beorn” before leaving Carrock. Another thing you might consider is moving Gandalf the White to the DEW-line; the easiest way to do this is to resurrect him in the Woodland Realm. His ability to negate Nazgûl leadership can prove vital in the defenses of the DEW-line. The cards 'Dain Ironfoot’s Guard', 'Thranduil’s Archers', and 'King Brand’s Men' are all good Muster Events if played before the Shadow’s attack has begun, but the most powerful event is probably 'Book of Mazarbul' since this will bring the dwarves into the war immediately. Often you will find that if you manage to get the dwarves to war quickly and muster an elite or two in Erebor the Shadow will forego the DEW-line and try to find easier pickings elsewhere. 'Fire! Fear! Foes!' is also quite useful since this will allow you to instantly move the North nation to war, and this will also affect Eriador.

The Shadow

In Rohan there are three victory points, two of which can be reached in the second turn of the game if Isengard is sent to war in the first turn. If the Shadow decides to attack Rohan the best strategy is to first take Helm’s Deep and then head on to Edoras quickly, capturing the settlement in Westemnet along the way. Finally, having captured Edoras as well will not be enough, as you should also make sure to capture the settlement in Folde. If the Free Peoples player is allowed to muster in Edoras or Folde he can often create quite a powerful army, which combined with some 'The Ents Awake' Event Cards can either retake Helm’s Deep/Edoras or even launch an attack upon Orthanc itself. With the proper cards you can finish off Rohan quite early in the game; 'Wormtongue' is especially nice since it will allow you to take the Fords of Isen and attack Helm’s Deep before Rohan is activated. If you manage to get 'Rage of the Dunlendings' you can quickly muster reinforcements in the Gap of Rohan if you need to garrison Isengard against the Ents or if you need to reinforce the army in Rohan, and with 'A New Power is Rising' you also get some heavy reinforcements either to garrison Isengard or to send into Rohan.

The Free Peoples

To properly defend Rohan you have to get some units into Helm’s Deep quickly. If you manage this, Saruman’s forces can be stalled for quite some time, especially if you have a 'The Ents Awake' Event Card, or two, to play in the combat. If the Shadow manages to quickly capture Helm’s Deep you should muster heavily in Edoras, preferably through the many Muster Cards, from where you can launch a counter attack on Helm’s Deep or head south to assist your allies in Gondor, perhaps through the 'Paths of the Woses'. If you lose both Helm’s Deep and Edoras you should still not give up on Rohan, as the Shadow sometimes forgets the settlement in Folde; from there you could muster a small army which can then set off across the plains of Rohan simply to annoy or to actually threaten the Shadow. Chances are that after taking Helm’s Deep and Edoras the Isengard Armies will be stretched thin and will have trouble cutting you off. The three most important cards for you in Rohan are the three 'The Ents Awake' Event Cards. These cards can win you some important combats or even take out Orthanc and Saruman if you manage to play them at the right time. The drawback is that in order to play them as events you must have Gandalf the White in play, something not always possible if the attack on Isengard happens early in the game, and a Companion in Fangorn. Aside from the 'The Ents Awake' cards there are several very good Muster Cards that allow you to muster the Rohirrim quickly. 'Eomer, Son of Eomund', 'Riders of Theoden', and 'The Red Arrow' will all allow you to muster one Rohan unit and one Rohan Leader. If the Shadow doesn’t capture all your Settlements you should be able to muster an Army with which to respond to the enemy’s moves.

The Shadow

On opposite sides of the Misty Mountains lie the Elven sanctuaries of Rivendell and Lorien. If you as the Shadow are planning to Hunt the Fellowship actively, Lorien should be a prime target since capturing it early in the game will rob the Fellowship of its most obvious resting place. Lorien can be attacked from both Dol Guldur and Moria; just remember that if the Dol Guldur garrison heads west it cannot also head north to help in an assault on the DEW-line. The Moria army needs some heavy reinforcements before it can handle Lorien on its own, but if done properly it should be able to take the Golden Woods; remember, though, to keep an eye out for Free Peoples musters in Rivendell, as the Elves are only three moves away. Rivendell is farther away and not as obvious a target as Lorien, but an early assault on Rivendell can hamper the Fellowship if it has managed to stay hidden during its initial moves out of Rivendell. Attacking Rivendell will require more active mustering/movement than most other victory point locations, but this can quickly change if the card 'Monsters Roused' is played. This card can, with reinforcements either from the northern Sauron Settlements or from Moria, quickly dispatch the defenders of Rivendell. All cards that allow mustering in the Misty Mountains can be used in preparation for a strike at Lorien or Rivendell, and the card 'Return to Valinor' can be particularly nasty if you manage to roll high enough.

The Free Peoples

Defending the Elven sanctuaries of Rivendell and Lorien isn’t easy. You only have a limited number of Elven reinforcements to recruit and they are not enough to cover all the Elven Strongholds. You must try to discern where the Shadow is most likely to strike and muster your defenders there. All the Elven Muster Event Cards ('Kindred of Glorfindel' and 'Celeborn’s Galadhrim' for Rivendell and Lorien respectively) are good but you shouldn’t use them to muster in a Stronghold you believe the Shadow is leaving alone. One of the Shadow’s possible strategies is to seem to be headed towards one Elven Stronghold and then after you have mustered some defenders there he simply heads to another Stronghold in which you now lack the ability to muster adequate defenses. Lorien in particular is important to hang on to if you need to have the Fellowship resting and healing there. Often the Shadow targets Lorien simply to deny Frodo this safe haven on the way to Mordor. To avoid this you could place Gandalf the White there as fast as possible to negate all that irritating Nazgûl Leadership or you could simply try to get the Elves to war quickly and use some of your precious reinforcements there. Your best defense is however the powerful yet fragile Event Card 'A Power Too Great'.

The Shadow

In the northwest both the Shire and the Grey Havens can provide you, as the Shadow player, with some much needed victory points. The Shire can easily be taken from either Angmar or North Dunland, and with the proper cards ('Rage of the Dunlendings' and/or 'Return of the Witch-king') the scouring of the Shire should only be a few dice rolls away. The Grey Havens is another story. This Stronghold is far off from your own muster points, and if your initial assault fails it will take ages to bring up reinforcements. If you opt for the Grey Havens as a target make sure you bring an Army capable of finishing off Cirdan and his Elves without needing any reinforcements. Here it is essential that you make good use of Combat Cards and especially of your Nazgûl, to get as many re-rolls in the combat as possible.

The Free Peoples

To protect the Shire you will need both luck and cunning. Some players prefer to gather the North units from Bree and the North Downs in the Shire in order to fend off a possible attack from the Shadow. This is most often not worth the dice it costs, since the Shadow might as easily disregard the Shire altogether and then your Army movements were for nothing. The best option is probably to try to react to the Shadow, and if he sends units towards the Shire you should be able to bring in the other North units. If this fails you can probably survive the loss of the lone victory point from the Shire. The greater risk here is if the army that conquers the Shire is big enough to attack the Grey Havens. In this case you have to muster defenders in the Elven Stronghold and have faith in your troops. If you manage to repel the attack the enemy has a long way to bring up any reinforcements. Your greatest defenses in Eriador are the Event Cards 'The Power of Tom Bombadil' and 'A Power Too Great'. Next in line is 'Fire! Fear! Foes!' since this will allow you to instantly move the North nation to war, and this will affect the DEW-line as well. 'Swords in Eriador' is also useful as it allows you to muster two units and draw a Strategy Card. This brings us to the Dwarves in Ered Luin, a much overlooked unit. It isn’t very often this unit sees any action, but if the Dwarven nation manages to get to war it can be used in the defense of the Grey Havens, and since the Elven ability to muster is limited this can prove vital in that odd game.

The Theaters of the War is the first of a series of strategy articles for War of the Ring players, written by Kristofer Bengtsson.