Threat Alert

by IthacaLabs™

THREAT LEVEL/High 11/05/2021

Active Ransomware Attack on US Colonial Pipeline networks

Threat Level Description

Threat Level: High – An attack is highly likely. Additional and sustainable protective security measures are needed, reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.

Description

The latest ransomware attack against Colonial Pipeline’s network(s) should serve as a wake-up call for organizations in critical infrastructure that have failed to take ransomware protection steps and implement advanced cybersecurity defences that limit the potential attack surface, like zero trust.

Pressure sensors, thermostats, valves and pumps are used to monitor and control the flow of diesel, petrol and jet fuel across hundreds of miles of piping. This operational technology (OT) is connected to a central system. In essence, there is a connection between the enterprise network and the OT. As such, these devices are susceptible to malicious attacks.

According to several sources, it is highly likely that the malicious actors gained access to Colonial’s computer system through the administrative side of the business. Usually, the initial step of such attacks begins with a malicious email or a compromise of third-party software. Then, by leveraging weaknesses within the internal network(s), attackers manage to access the OT network directly and/or indirectly.

The cyber actor called DarkSide operates as a ransomware-as-a-service (RaaS) scheme, under which partners are enlisted to help expand the criminal enterprise by breaching corporate networks and deploying ransomware, whilst the core developers are responsible for maintaining the malware and payment infrastructure. Affiliates normally receive 60% to 70% of the proceeds, with the remainder going to the developers.

Other oil and gas firms, such as Forbes Energy Services and Gyrodata, both located in Texas, are among the victims whose internal data was released on DarkSide’s data leak blog. DarkSide is thought to be the work of Carbon Spider (aka Anunak, Carbanak, or FIN7), whose high-level boss and systems administrator was recently sentenced to ten years in prison in the United States.

DarkSide’s practice of releasing corporate-style press releases on their Tor domain to give its illegal activities a professional air has prompted cybersecurity company Digital Shadows to call it a “ransomware-as-a-corporation” (RaaC).

Following the SolarWinds hacks by Russian intelligence operatives and the exploitation of Microsoft Exchange Server vulnerabilities by Chinese threat actors, the Colonial Pipeline incident is the latest cyberattack to hit the US government in recent months.

In this entirely new playing field, traditional information risk management practices become irrelevant or less effective. To address this challenge, modern organizations are escalating the “Digital Risk Management” and “Zero Trust” discussion, pushing it beyond the confines of the internal Information Security and Risk Management functions and onto the Board’s agenda, adopting a “Secure & Resilient By Design” Approach.

CVE(s)

N/A

Affected Systems

  • ICS Network and associated components

Recommendation(s)

You should understand the importance of the approaches such as “Zero Trust” and “Secure & Resilient By Design”.

Being proactive is a very important step; however, this approach should be complemented with post-breach detection mechanisms such as Active Defense (laying traps to lure and deceive the attackers so that they are misdirected and delayed).

You should understand the importance of security updates, and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to apply an efficient patch management solution, to keep security event logging enabled at all times, and to practice event monitoring. Protecting the valuable assets of your business and complying with the relevant industry regulations requires a comprehensive approach to the management of risk, including Penetration Testing at least annually and upon significant changes.

You should understand the importance of Security Awareness training and Social Engineering exercises.

The guidelines below will help you protect against Ransomware and its associated security threats:
* Back up your data. The single biggest thing that will defeat ransomware is having a regularly updated backup.
* Consider enabling “Show hidden file-extensions”. One way that ransomware such as Cryptolocker frequently arrives is in a file that is named with the extension “.PDF.EXE”, counting on Windows’ default behavior of hiding known file-extensions.
* Filter executable files in email. If your email gateway has the ability to filter files by extension, you may wish to deny mails sent with “.exe”, “.scr”, “.bat” files, or to deny mails sent with files that have two file extensions, the last one being executable.
* Disable files running from AppData/LocalAppData folders. You can create rules within Windows or with Host Intrusion Prevention software, to disallow a particular, notable behavior used by ransomware, which is to run its executable from the App Data or Local App Data folders.
* Disable macros in Microsoft Office files. Most people may not be aware that Microsoft Office Files are like a file-system within a file system, which includes the ability to use a powerful scripting language to automate almost any action you could perform with a full executable file. By disabling macros in Office files, you deactivate the use of this scripting language.
* Keep your antivirus up to date and use real time protection.
* It is also recommended to implement a Security Awareness program, addressed to all your management and staff, designed to increase the level of understanding regarding Social Engineering and security threats in general.
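
The email-filtering guideline above (deny “.exe”, “.scr”, “.bat”, and names with two extensions where the last is executable), as an added example that is not part of the original alert or of any gateway product. The function names, the constructed sample message and the normalization of trailing dots and spaces (which goes slightly beyond the rule as stated) are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Only the three extensions named in the guideline; extend to match your policy.
BLOCKED_EXTS = {"exe", "scr", "bat"}

def verdict(filename):
    """Classify one attachment name: allow, deny-executable or deny-double-ext."""
    # Windows drops trailing dots and spaces, so "a.exe. " still runs as "a.exe".
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2 or parts[-1] not in BLOCKED_EXTS:
        return "allow"
    # Two or more extensions with an executable one last, e.g. "Invoice.PDF.EXE".
    if len(parts) >= 3 and parts[-2]:
        return "deny-double-ext"
    return "deny-executable"

def scan_message(raw):
    """Return (filename, verdict) for every named MIME part of a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            results.append((fname, verdict(fname)))
    return results

def build_sample():
    """Constructed test message; attachment bodies are harmless placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Constructed test message"
    msg.set_content("See attachments.")
    for name in ("report.pdf", "Invoice.PDF.EXE", "setup.bat"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for fname, result in scan_message(build_sample()):
        print(f"{result:16} {fname}")
```

A gateway would quarantine or reject any message for which a part returns a verdict other than `allow`.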

Finally, if a system is compromised, it should be immediately removed from the network.
