Our selection of UniFi access points vary by functionality and design. Each model is thoughtfully engineered to meet precise user needs and optimize performance within specific environments. Together, they offer an ideal solution for everyone — whether you prioritize performance, design, aesthetics, or network simplicity.
Because each access point is so unique, it’s important to choose a model that best suits your needs.
A Best-in-Class Wireless Experience
Our line of UniFi 6 access points, beginning with the recently introduced U6 Lite and U6 Long-Range, mark our introduction of WiFi 6 technology to UniFi. With these and future U6 models, your network can support over 300 concurrent devices and deliver a reliably smooth wireless experience to each of them with OFDMA technology, which transfers high volumes of data more tactically across multiple devices to improve upload and download speeds.
While the U6 access points represent the future, tried-and-true models like the UniFi HD and nanoHD remain favorites for a wide variety of users, not just because of their speed and range but also their ability to provide a consistently strong signal to a large number of devices, which is crucial in our digital world.
These access points expand signal coverage with an integrated, directional antenna while only consuming a small amount of power. When mounted to the ceiling, these UniFi access points widen their coverage zones even further to ensure fast, stable connections across high-traffic environments.
You can also give your access points a bit of flair and align them with your space’s look and feel. For instance, you can change the color of your U6 access point’s LED ring or change the exterior of certain models with a variety of skins including wood, black fabric, and camouflage.
Extend Your WiFi and Connect More People
If you’re looking to extend your WiFi signal easily and without cumbersome equipment, a mesh access point could be the right device for you. Although all of our access points can link with the other access points in your office or home to enhance your signal’s reach and prevent dead zones, our mesh access points are specifically designed to do so. As such, mesh access points are often a go-to solution for hotels, museums, and other high-traffic areas.
Many mesh access points are also very compact and easily deployable. They can be mounted to a wall or ceiling, placed on a tabletop, or attached to a pole outdoors to improve connection quality throughout your property.
WiFi extenders are also designed to improve the reach of your wireless signal by doubling your coverage area. These models are the definition of plug-and-play; just plug them into a standard US wall outlet and instantly improve your WiFi experience! However you choose to extend your network, you’ll have a device that can support hundreds of concurrent connections with minimal power consumption.
Wireless Excellence for Thousands
What if you need to provide high-speed internet access to a lot of people—like, a LOT of people. Maybe it’s a concert hall packed with people livestreaming the headline act, or a stadium filled with thousands using their mobile devices simultaneously at halftime?
To give the people what they want, you’ll need a really powerful, high-capacity access point. As always, UniFi is ready for you with the WiFi BaseStation XG, one of the world’s best large-venue WiFi installations because of its ability to support up to 1,500 concurrent device connections. The BaseStation can dynamically filter and evenly distribute traffic to avoid channel congestion, as well as maximize coverage with its directional beamforming antenna.
Maybe you’re not just dealing with one location, though. What if you need to bridge the networks of two buildings in a downtown commercial district or industrial park? To help with these types of large networking projects, we offerpoint-to-point bridges that create multi-gigabit wireless links between two locations up to 500 meters apart. These bridging devices are designed to be highly adaptive to the layout of the area you’re looking to connect, sporting directional antennas that ensure strong, unobstructed links regardless of area zoning or building positioning.
Robust and Versatile Wireless Delivery
No matter how large or unique your network is, there’s a UniFi access point that can enhance your wireless experience, support your devices, and simplify your traffic management.
To see the different UniFi access points in action, check out Which AP is Right for Me?, and for more detailed model information, head to the Ubiquiti Store. Also, remember to keep it tuned here and on our revamped YouTube channel for brand-new UniFi content, including how-to videos, unboxings, and more to help you build your network!
I recently had the pleasure of sitting down for ‘coffee’ with Claudio Bolla, Global Information Security Director at INEOS to learn how he’s managing cloud manufacturing security during the pandemic. As a large chemicals company with 26,000 employees, INEOS operates 36 different business units with 196 locations around the world. Their businesses span oil and gas, energy, and chemical production. INEOS manufactures chemicals that have been used to develop the vaccine, hand sanitizer, face masks, the plastic used in aeroplane parts, just to name a few things!
I knew that INEOS did quite a bit of M&A and because of this, finds itself with many disparate businesses, such as INEOS Automotive which is building a 4×4 vehicle (inspired by the Land Rover Defender). But what I didn’t know was that INEOS has made a foray into the beautiful game of football! Turns out sports is one of INEOS’ key pillars. This started with the acquisition of Lausanne Football Club in Switzerland, followed by the Nice Football Club in France. On the philanthropic side, they’ve even developed their own football clubs in underdeveloped countries to improve the social well-being of youth.
When the pandemic hit, many companies sent all or the majority of their employees home to work remotely. However, because INEOS had physical assets with production sites, it wasn’t just a matter of telling everyone to work from home. They had to keep their manufacturing plants running! And it was critical to do so because they were making products that are used to fight the pandemic. They moved from a primarily office-based, production-site approach to a hybrid situation. This transition introduced much complexity, especially given the number of business units, differing types of products, and challenges related to maintaining a secure manufacturing environment in the cloud.
Prior to the pandemic, INEOS turned to Cisco Umbrella to migrate all of their divisions to a single provider for DNS coverage. Umbrella also gives them the ability to let each business unit decide if they want different types of policies for different types of users. With so many contrasting businesses, the security controls for each BU can vary quite a bit. Since they had already deployed Umbrella successfully, when the pandemic hit, INEOS was able to quickly secure remote manufacturing workers using the roaming client: they went from 500 users connecting per day to over 7,000 users in one weekend!
In the talk, Claudio reveals how “an unexpected benefit of Umbrella was App Discovery,” which allows them to uncover cloud storage and reduce risk. Umbrella’s CASB functionality allows customers to gain control and visibility of cloud application and service usage across their entire network, and block risky apps to improve security.
Claudio shared many, many intriguing insights on how to give employees the right level of security at the right time (yes, there is such a thing as too many security controls!)
Hear directly from Claudio Bolla in this short highlights video:
Updated May 17, 2021, 3:25 a.m. Eastern Time: This article has been updated to add references to the DarkSide victim data.
On May 7, a ransomware attack forced Colonial Pipeline, a company responsible for nearly half the fuel supply for the US East Coast, to proactively shut down operations. Stores of gasoline, diesel, home heating oil, jet fuel, and military supplies had been so heavily affected that the Federal Motor Carrier Safety Administration (FMCSA) declared a state of emergency in 18 states to help with the shortages.
It has been five days since the shutdown prompted by the attack, but Colonial Pipeline is still unable to resume full operations. Outages have already started affecting motorists. In metro Atlanta, 30% of gas stations are without gasoline, and other cities are reporting similar numbers. To keep supplies intact for essential services, the US government has issued advisories against hoarding.
Apart from locking Colonial Pipeline’s computer systems, DarkSide also stole over 100 GB of corporate data. This data theft is all the more relevant in light of the fact that the group has a history of doubly extorting its victims — not only asking for money to unlock the affected computers and demanding payment for the captured data, but also threatening to leak the stolen data if the victims do not pay. As we will cover later, DarkSide shows a level of innovation that sets it apart from its competition, being one of the first to offer what we call “quadruple extortion services.”
The group announced on May 12 that it had three more victims: a construction company based in Scotland, a renewable energy product reseller in Brazil, and a technology services reseller in the US. The DarkSide actors claimed to have stolen a total of 1.9 GB of data from these companies, including sensitive information such as client data, financial data, employee passports, and contracts.
Trend Micro Research found dozens of DarkSide ransomware samples in the wild and investigated how the ransomware group operates and what organizations it typically targets.
The DarkSide ransomware
DarkSide offers its RaaS to affiliates for a percentage of the profits. The group presents a prime example of modern ransomware, operating with a more advanced business model. Modern ransomware identifies high-value targets and involves more precise monetization of compromised assets (with double extortion as an example). Modern ransomware attacks are also typically done by several groups who collaborate and split profits. These attacks may look more like advanced persistent threat (APT) attacks than traditional ransomware events.
Here is a short timeline of DarkSide activity compiled from publicly available reports:
August 2020: DarkSide introduces its ransomware.
October 2020: DarkSide donates US$20,000 stolen from victims to charity.
November 2020: DarkSide establishes its RaaS model. The group invites other criminals to use its service. A DarkSide data leak site is later discovered.
November 2020: DarkSide launches its content delivery network (CDN) for storing and delivering compromised data.
December 2020: A DarkSide actor invites media outlets and data recovery organizations to follow the group’s press center on the public leak site.
March 2021: DarkSide releases version 2.0 of its ransomware with several updates.
May 2021: DarkSide launches the Colonial Pipeline attack. After the attack, Darkside announces it is apolitical and will start vetting its targets (possibly to avoid raising attention to future attacks).
Initial access
In our analysis of DarkSide samples, we saw that phishing, remote desktop protocol (RDP) abuse, and exploiting known vulnerabilities are the tactics used by the group to gain initial access. The group also uses common, legitimate tools throughout the attack process to remain undetected and obfuscate its attack.
Throughout the reconnaissance and gaining-entry phases, we saw these legitimate tools used for specific purposes:
PowerShell: for reconnaissance and persistence
Metasploit Framework: for reconnaissance
Mimikatz: for reconnaissance
BloodHound: for reconnaissance
Cobalt Strike: for installation
For modern ransomware like DarkSide, gaining initial access no longer immediately leads to ransomware being dropped. There are now several steps in between that are manually executed by an attacker.
Lateral movement and privilege escalation
Lateral movement is a key discovery phase in the modern ransomware process. In general, the goal is to identify all critical data within the victim organization, including the target files and locations for the upcoming exfiltration and encryption steps.
In the case of DarkSide, we confirmed reports that the goal of lateral movement is to gain Domain Controller (DC) or Active Directory access, which will be used to steal credentials, escalate privileges, and acquire other valuable assets for data exfiltration. The group then continues its lateral movement through the system, eventually using the DC network share to deploy the ransomware to connected machines. Some of the known lateral movement methods deployed by DarkSide use PSExec and RDP. But as we previously noted, a modern ransomware group behaves with methods more commonly associated with APT groups — it adapts its tooling and methods to the victim’s network defenses.
Exfiltration
As is common practice with double extortion ransomware, critical files are exfiltrated prior to the ransomware being launched. This is the riskiest step so far in the ransomware execution process, as data exfiltration is more likely to be noticed by the victim organization’s security team. It is the last step before the ransomware is dropped, and the attack often speeds up at this point to complete the process before it is stopped.
For exfiltration, we saw the following tools being used:
7-Zip: a utility used for archiving files in preparation for exfiltration
Rclone and Mega client: tools used for exfiltrating files to cloud storage
PuTTy: an alternative application used for network file transfer
DarkSide uses several Tor-based leak sites to host stolen data. The file-sharing services used by the group for data exfiltration include Mega and PrivatLab.
Execution and impact
The execution of the actual ransomware occurs next. The DarkSide ransomware shares many similarities with REvil in this step of the process, including the structure of ransom notes and the use of PowerShell to execute a command that deletes shadow copies from the network. It also uses the same code to check that the victim is not located in a Commonwealth of Independent States (CIS) country.
In addition to PowerShell, which is used to install and operate the malware itself, the group reportedly uses Certutil and Bitsadmin to download the ransomware. It uses two encryption methods, depending on whether the target operating system is Windows or Linux: A ChaCha20 stream cipher with RSA-4096 is used on Linux, and Salsa20 with RSA-1024 is used on Windows.
The following figure shows a sample ransom note from DarkSide.
Figure 1. A Darkside ransom note
It is interesting to note that DarkSide’s ransom note is similar to that of Babuk, which might indicate that these two families share a link.
DarkSide ransomware targets
Based on the group’s Tor leak sites, DarkSide determines whether to pursue targeting a potential victim organization by primarily looking at that organization’s financial records. It also uses this information to determine the amount of ransom to demand, with a typical ransom demand amounting to anywhere between US$200,000 and US$2 million.
Reports say that, based on the leak sites, there are at least 90 victims affected by DarkSide. In total, more than 2 TB of stolen data is currently being hosted on DarkSide sites, and 100% of victims’ stolen files are leaked.
The actors behind Darkside have stated that they avoid targeting companies in certain industries, including healthcare, education, the public sector, and the nonprofit sector. Organizations in manufacturing, finance, and critical infrastructure have been identified in Trend Micro data as targets.
Based on Trend Micro data, the US is by far DarkSide’s most targeted country, at more than 500 detections, followed by France, Belgium, and Canada. As previously mentioned, DarkSide avoids victimizing companies in CIS countries. Part of the ransomware execution code checks for the geolocation of potential victims to avoid companies in these countries, although the group would likely be aware of the location of a target organization long before the ransomware is executed. That the group admittedly spares companies in CIS countries could be a clue to where DarkSide actors are residing. It is possible that they do this to avoid law enforcement action from these countries, since the governments of some of these countries do not persecute criminal acts such as DarkSide’s if they are done on foreign targets.
After the Colonial Pipeline attack, DarkSide released a statement on one of its leak sites clarifying that the group did not wish to create problems for society and that its goal was simply to make money. There is no way to verify this statement, but we know that the group is still quite active. As previously mentioned, DarkSide actors announced that they had stolen data from three more victims since the Colonial Pipeline attack.
MITRE ATT&CK tactics and techniques
The following are the MITRE ATT&CK tactics and techniques associated with DarkSide.
Conclusion
Ransomware is an old but persistently evolving threat. As demonstrated by the recent activities of DarkSide, modern ransomware has changed in many aspects: bigger targets, more advanced extortion techniques, and farther-reaching consequences beyond the victims themselves.
Ransomware actors are no longer content with simply locking companies out of their computers and asking for ransom. Now they are digging deeper into their victims’ networks and looking for new ways to monetize their activities. For example, a compromised cloud server can go through a complete attack life cycle, from the initial compromise to data exfiltration to resale or use for further monetization. Compromised enterprise assets are a lucrative commodity on underground markets; cybercriminals are well aware of how to make money from attacking company servers.
In the Colonial Pipeline attack, DarkSide used double extortion. But some ransomware actors have gone even further. Jon Clay, Director of Global Threat Communications at Trend Micro, outlines the phases of ransomware:
Phase 1: Just ransomware. Encrypt the files, drop the ransom note, and wait for the payment.
Phase 2: Double extortion. Phase 1 + data exfiltration and threatening data release. Maze was one of the first documented cases of this.
Phase 3: Triple extortion. Phase 1 + Phase 2 + threatening DDoS. SunCrypt, RagnarLocker, and Avaddon were among the first groups documented doing this.
Phase 4: Quadruple extortion. Phase 1 (+ possibly Phase 2 or Phase 3) + directly emailing the victim’s customer base or having contracted call centers contact customers.
In fact, as detailed in security reports, DarkSide offers both the DDoS and call center options. The group is making quadruple extortion available to its affiliates and showing a clear sign of innovation. In cybercrime, there are no copyright or patent laws for tools and techniques. Innovation is as much about quickly and completely copying others’ best practices as it is about coming up with new approaches.
Ransomware will only continue to evolve. Organizations therefore need to take the time to put in place an incident response plan focused on the new model of ransomware attacks. Unfortunately, some organizations may be putting cybersecurity on the back burner. For example, some security experts noted that Colonial Pipeline was using a previously exploited vulnerable version of Microsoft Exchange, among other cybersecurity lapses. A successful attack on a company providing critical services will have rippling effects that will harm multiple sectors of society, which is why protecting these services should be a top priority.
In a US Senate hearing on cybersecurity threats, Senator Rob Portman of Ohio described the strike on Colonial Pipeline as “potentially the most substantial and damaging attack on US critical infrastructure ever.” This attack is a call to action for all organizations to harden their networks against attacks and improve their network visibility.
Trend Micro has a multilayered cybersecurity platform that can help improve your organization’s detection and response against the latest ransomware attacks and improve your organization’s visibility. Visit the Trend Micro Vision One™ website for more information. Detailed solutions can be found in our knowledge base article on DarkSide ransomware.
There have been a lot of changes in ransomware over time. We want to help you protect your organization from this growing attack trend.
The Colonial Pipeline ransomware attack is just part of a new onslaught of ransomware attacks that malicious actors are ramping up against high value victims. Why are we seeing this?
These malicious actors are after extortion money, and as such they are looking to target organizations that are more likely to pay if they can disrupt their business operations. In the past we saw this with targeting of government and education victims. The more pain that these actors can cause an organization, the more likely they will receive an extortion payment.
Ransomware attacks have gone through many iterations and we’re now seeing phase 4 of these types of attacks. To give you context, here are the four phases of ransomware:
1st phase: Just ransomware, encrypt the files and then drop the ransom note … wait for the payment in bitcoin.
2nd phase: Double extortion. Phase 1 + data exfil and threaten for data release. Maze was the first document to do this and the other threat actor groups followed suit
3rd phase: Triple extortion. Phase 1 + Phase 2 and threaten for DDoS. Avaddon was the first documented to do this
4th phase: Quadruple extortion. Phase 1 + (possibly Phase 2 or Phase 3) + directly emailing affected victim’s customer base. Cl0p was first documented doing this, as written by Brian Krebs
The majority of the time now we’re seeing a double extortion model, but the main shift we’re now seeing is the targeting of critical business systems. In this latest case, it does not appear that OT systems were affected but the IT systems associated with the network were likely targeted.
That may change though as many organizations have an OT network that is critical to their operations and could become a target. In this blog post we highlighted how manufacturers are being targeted with modern ransomware and the associated impact.
Taking down the systems that run an organization’s day-to-day business operations can cause financial and reputation damage.
But there could also be unintended consequences of going after victims that are too high profile, and this latest might be one example of this. Bringing down a major piece of critical infrastructure for a nation, even if the motive is only financial gain, might incur major actions against the actors behind this attack. So in the future, malicious actors may need to assess the potential ramifications of their target victim and decide if it makes good business sense to commence with an attack.
We will continue to see ransomware used in the future, and as such organizations need to take the time to put in place an incident response plan focused on the new model of ransomware attacks. Some things to think about as you go about this:
Understand that you will be a target. Every business can likely be on the radar of malicious actors, but those in critical infrastructure need to assess the likelihood of becoming a victim now.
Dedicated attackers will find a way into your network. Access as a Service (usually where another group performs the initial access and sells it to another group) is used regularly now, and whether via a phished employee, a vulnerable system open to the internet, or using a supply chain attack, the criminals will likely find a way in.
The malicious use of legitimate tools are a preferred tactic used across the entire attack lifecycle. Check out our recent blog on this topic.
Your key administrator and application account credentials will be targeted.
Ransomware actors will look to exfiltrate data to be used in the double extortion model.
The ransomware component will be the last option in their malicious activities as it is the most visible part of the attack lifecycle and as such you will then know you’ve been compromised.
For those organizations who have OT networks some key things to think about:
Understand your risk if your OT network is taken offline
Build a security model that protects the devices within the OT network, especially those that cannot support a security agent
Network segmentation is critical
If your OT network needs to be taken offline due to the IT network being compromised, you need to identify how to overcome this limitation
This latest attack is another call to action for all organizations to harden their networks against attacks and improve their visibility that malicious actors are in your network. Trend Micro has a multi-layered cybersecurity platform that can help improve your detection and response against the latest ransomware attacks and improve your visibility. Check out our Trend Micro Vision One platform or give us a call to discuss how we can help.
