The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued an advisory on DarkSide ransomware following the attack on the fuel pipeline operator Colonial Pipeline.
The attack caused significant disruption to fuel supplies on the East Coast. Colonial Pipeline was compelled to shut down systems to contain the threat, including the operational technology of its 5,500-mile pipeline, which delivers jet fuel, diesel, and gasoline to the U.S. East Coast. The four main pipelines were closed over the weekend; although smaller lines were quickly restored, the main lines remained shut down pending safety evaluations. The pipelines deliver about 2.5 million barrels of fuel per day and account for 45% of the East Coast's fuel.
The attack affected Colonial Pipeline's information technology network; its operational technology systems were not affected. The DarkSide ransomware gang released a statement shortly after the attack saying that its attacks are carried out solely for financial gain, not for political reasons or to cause economic or social disruption. The group also stated that it will vet future attacks by its affiliates and partners to avoid social repercussions.
The joint advisory from CISA and the FBI includes technical details of the attack together with a number of mitigations to reduce the risk of compromise in DarkSide or any other ransomware attack. All owners and operators of critical infrastructure are advised to apply the mitigations.
In past attacks, DarkSide affiliates have gained initial access to networks through phishing emails and by exploiting vulnerabilities in remotely accessible accounts and systems and in Virtual Desktop Infrastructure. The group is known for using Remote Desktop Protocol (RDP) to maintain persistence. Like many other human-operated ransomware operations, the threat actors exfiltrate sensitive data before deploying the ransomware and threaten to sell or publish it if the ransom is not paid.
Preventing DarkSide and other ransomware attacks requires action against the initial attack vectors. Strong spam filters are needed to block phishing emails, and multi-factor authentication (MFA) should be used on email accounts to prevent the use of stolen credentials. MFA should also be enforced for all remote access to operational technology (OT) and information technology (IT) systems. An end-user training program should teach workers how to recognize spear-phishing emails and cover other cybersecurity best practices.
Network traffic should be filtered to block communications with known malicious IP addresses, and web filtering technology used to stop users from visiting malicious sites. Software and operating systems must be kept up to date and patches applied promptly. CISA advises using a centralized patch management system and a risk-based assessment to determine which OT network assets and zones should take part in the patch management program.
Access to resources over the network should be limited, particularly RDP, which should be disabled if not operationally required. If RDP is necessary, MFA should be enforced. Steps should also be taken to prevent unauthorized code execution, including disabling Office macros and using application allowlisting so that only programs permitted by the security policy can run.
Inbound connections from Tor exit nodes or any other anonymization service to IP addresses and ports where no external connections are expected should be reviewed and/or blocked. Signatures should be deployed to block inbound connections from Cobalt Strike servers and other post-exploitation tools.
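The Tor exit-node check above can be turned into a simple detection job over firewall logs. The script below is an added example, not part of the advisory or of any vendor tool: it parses constructed key=value firewall records, looks up each allowed inbound source against a Tor exit list, and flags connections to destination ports where no external traffic is expected. The exit list, the expected-port policy and the log lines are all constructed here; in practice the list would be refreshed from the Tor Project's published bulk exit list and the port policy would come from the organization's own exposure inventory.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed Tor exit-node list using RFC 5737 documentation addresses
# (these are not real exit nodes); a real job would refresh it from the
# Tor Project's published bulk exit list.
TOR_EXIT_NODES: Set[str] = {"198.51.100.7", "203.0.113.42"}

# Constructed policy: the only service that should receive internet
# connections is the public HTTPS front end.
EXPECTED_INBOUND_PORTS: Set[int] = {443}

# Constructed firewall log lines in a key=value style; not from any real device.
SAMPLE_LOG = """\
2021-05-10T03:12:44Z fw01 action=allow proto=tcp src=198.51.100.7 spt=51234 dst=10.0.0.5 dpt=3389
2021-05-10T03:12:45Z fw01 action=allow proto=tcp src=192.0.2.10 spt=44321 dst=10.0.0.5 dpt=3389
2021-05-10T03:13:01Z fw01 action=allow proto=tcp src=203.0.113.42 spt=40000 dst=10.0.0.8 dpt=443
2021-05-10T03:13:09Z fw01 action=deny proto=tcp src=203.0.113.42 spt=40001 dst=10.0.0.9 dpt=22
2021-05-10T03:14:00Z fw01 action=allow proto=tcp src=198.51.100.7 spt=51240 dst=10.0.0.9 dpt=22
this line is not a firewall record
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>\S+)\s+spt=(?P<spt>\d+)\s+dst=(?P<dst>\S+)\s+dpt=(?P<dpt>\d+)$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line. Returns None for lines that are not firewall
    records or whose source/destination is not a valid IP address."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    return {
        "ts": m["ts"], "host": m["host"], "action": m["action"], "proto": m["proto"],
        "src": str(src), "spt": int(m["spt"]), "dst": str(dst), "dpt": int(m["dpt"]),
    }


def flag_tor_inbound(log_text: str, tor_exits: Set[str],
                     expected_ports: Set[int]) -> List[Dict[str, object]]:
    """Return allowed inbound connections whose source is a known Tor exit and
    whose destination port is not one where external traffic is expected.
    Denied connections are skipped: they were already blocked at the edge."""
    # Normalise the exit list so "198.051.100.7"-style variants still match.
    normalised_exits = {str(ipaddress.ip_address(ip)) for ip in tor_exits}
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow":
            continue
        if rec["src"] in normalised_exits and rec["dpt"] not in expected_ports:
            hits.append(rec)
    return hits


def summarize(hits: List[Dict[str, object]]) -> Dict[Tuple[str, int], Set[str]]:
    """Group hits by (destination host, port) so each unexpected exposure is
    reported once, with the set of Tor exits that reached it."""
    summary: Dict[Tuple[str, int], Set[str]] = {}
    for h in hits:
        key = (str(h["dst"]), int(h["dpt"]))
        summary.setdefault(key, set()).add(str(h["src"]))
    return summary


if __name__ == "__main__":
    found = flag_tor_inbound(SAMPLE_LOG, TOR_EXIT_NODES, EXPECTED_INBOUND_PORTS)
    for h in found:
        print(f"{h['ts']} Tor exit {h['src']} reached {h['dst']}:{h['dpt']} "
              f"({h['proto']}) - review and consider blocking")
    for (dst, dpt), srcs in summarize(found).items():
        print(f"exposure {dst}:{dpt} reached by {len(srcs)} Tor exit(s)")
```

On the constructed input the job reports two exposures: RDP on 10.0.0.5 and SSH on 10.0.0.9, both reached from a Tor exit. The connection to port 443 is ignored because it matches the expected-port policy, the non-Tor RDP connection is ignored because the check is scoped to anonymization sources, and the denied connection is skipped because the firewall already handled it. Grouping by destination and port gives the exposure inventory a defender actually needs to act on, rather than one alert per packet.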
Not every attack can be blocked, so steps must also be taken to limit the severity of a successful attack and reduce the risk of serious business or operational degradation. These steps include robust network segmentation, organizing assets into logical zones, and maintaining regular, reliable backups.
The advisory and its recommended mitigations can be found on this page.