How the DarkSide got into Colonial Pipeline's networks.
Citing sources at Mandiant, Bloomberg reports that DarkSide ransomware operators gained access to Colonial Pipeline's networks on April 29th through a deactivated and disused virtual private network (VPN) account. The attackers are believed to have found the password in a batch of credentials posted to the dark web. It's unclear whether they obtained the username in a similar fashion or arrived at it by guessing. Mandiant's investigation found no evidence of phishing, although it doesn't discount the possibility of password reuse. The investigators saw no signs of an attack earlier than the 29th.
"Fancy Lazarus": a DDoS extortion racket, and not an espionage service.
Security firm Proofpoint on Thursday released a study of a criminal group that styles itself "Fancy Lazarus" and that specializes in extortion by distributed denial-of-service. One might think Fancy Lazarus was either a Russian or a North Korean operator, but it's not. Its chosen name is an apparent homage to Fancy Bear and the Lazarus Group, but Proofpoint discerns no connection whatsoever to either group. Instead, Fancy Lazarus seems to be an ordinary criminal operation. In the past it has borrowed the popular names of well-known state-run actors, including "Fancy Bear," "Lazarus," "Lazarus Group," and "Armada Collective," but that's all apparently either misdirection or, more probably, an attempt to look more menacing than it in fact is.
Fancy Lazarus, Proofpoint says, is "taking aim at an increasing number of industries, including the energy, financial, insurance, manufacturing, public utilities, and retail sectors." The group threatens a crippling DDoS attack, but, as often as not, if it's ignored it's simply not heard from again. Some victims report demonstration DDoS attacks, and a few of them say they've experienced some degree of disruption, but in general Fancy Lazarus seems to be more talk than action.