By now you’ve probably heard about the ransomware attack that shut down the Colonial Pipeline — a 5,500-mile-long pipeline that carries approximately 45% of gasoline and diesel fuel from the South to the U.S. East Coast. Journalists Collin Eaton (@CollinEatonHC) and Dustin Volz (@dnvolz) report, “It wasn’t clear whether the attack was perpetrated by a nation-state actor or criminal actor. Attributing cyberattacks is difficult and can often take months or longer.”[1] Peter Fretty (@pfretty), Technology Editor at IndustryWeek, worries this “latest cyberattack could be the beginning of a disturbing trend to attack key infrastructure.”[2] Journalists Sheela Tobben (@vtobben) and Jeffrey Bair (@HMSJeffBair) add, “Colonial is just the latest example of critical infrastructure being targeted by ransomware. Hackers are increasingly attempting to infiltrate essential services such as electric grids and hospitals. The escalating threats prompted the White House to respond last month with a plan to increase security at utilities and their suppliers. Pipelines are a specific concern because of the central role they play in the U.S. economy.”[3]
The Colonial Pipeline Attack
Tobben and Bair report, “The attack appeared to use a ransomware group called DarkSide, according to Allan Liska, senior threat analyst at cybersecurity firm Recorded Future. The cybersecurity firm FireEye Inc. said its Mandiant incident response division was assisting with the investigation. Ransomware cases involve hackers seeding networks with malicious software that encrypts the data and leaves the machines locked until the victims pay the extortion fee. This would be the biggest attack of its kind on a U.S. fuel pipeline.” Eaton, along with his colleagues James Rundle (@JimRundle) and David Uberti (@DavidUberti), note, “The ransomware attack that forced the closure of the largest U.S. fuel pipeline this weekend showed how cybercriminals pose a far-reaching threat to the aging, vulnerable infrastructure that keeps the nation’s energy moving. … So far, no evidence has emerged that the attackers penetrated the vital control systems that run the pipeline, according to people familiar with the matter. But the consequences of an infection spreading to that deeper layer are dire for any energy company. Many machines that control pipelines, refineries and power plants are well past their prime, have few protections against sophisticated attacks and could be manipulated to muck with equipment or cause damage, cybersecurity experts say.”[4]
In a separate article, Rundle and Uberti observe, “A cyberattack that forced systems offline at the largest pipeline operator on the U.S. East Coast followed warnings from current and former government officials that ransomware threatens national security.”[5] They add, “Cybersecurity analysts say companies have been targeted with ransomware for several years and that the attacks are becoming more brazen and costly, particularly since the start of the pandemic. As companies shifted to remote work, fewer employees worked exclusively within protected networks, creating more opportunities for hackers to break into their systems, cybersecurity analysts say. Estimates from cybersecurity company Emsisoft Ltd. show that attacks against schools, local governments and healthcare providers alone jumped to at least 2,354 in 2020 from 966 in 2019. School districts, hospitals, local governments and businesses of all sizes have been targets, and cybersecurity analysts say that hackers often demand millions of dollars to decrypt seized files.”
“Since as many as 80% of cyberattacks begin in the supply chain,” asserts Isaac Kohen, Vice President for Research & Development at Teramind, “companies should pay attention to their defensive posture related to their supply chains.”[6] Gerry Grealish (@Gerry_Grealish), Chief Marketing Officer at Ericom Software, notes, “Successful attacks using ransomware have proliferated so much that some security researchers are developing viable second careers as ‘ransomware negotiators,’ bargaining with attackers who hold corporate data hostage.”[7] He adds, “The vast majority of all ransomware falls into three categories. Some use exploits that target RDP [Remote Desktop Protocol], others use exploits targeting VPN [Virtual Private Network], and the rest use phishing attacks. If you’re able to secure these three vectors against ransomware threats, you’ll have dramatically minimized your attack surface.” According to Rundle and Uberti, “Many variants of ransomware, a form of malware, exist. A specialized tool developed by hackers is often necessary to decrypt the targeted systems. Ransomware gangs usually demand payment for use of this tool, CISA said. Coveware Inc., a company that specializes in ransomware recovery, said the average ransom payment in the first quarter of 2021 was $220,298, a 43% increase from the previous quarter. Demands that total millions of dollars are not unheard of, incident responders said.”
Countering Ransomware Attacks
Grealish provides a few recommendations for mitigating the risk of hackers targeting RDP and VPN vulnerabilities. He notes, “RDP vulnerabilities are incredibly common, with new code execution bugs seemingly being discovered once a month. Companies, meanwhile, are slow to patch these bugs. … To defend against RDP hackers, it may be worth looking for a third-party vendor that approaches the RPD philosophy with baked-in security tools. … VPNs have only recently gained very widespread popularity among hackers as ransomware targets. … A vulnerability in one of the most widely used VPNs lets hackers connect without supplying a username and password, which makes ransomware installs child’s play. … If you have a VPN with this vulnerability, you need to patch it immediately.” When it comes to phishing, Grealish suggests, “Have your employees use webmail, along with a technology called remote browser isolation (RBI). RBI takes aim at one of the critical assumptions behind phishing emails — that when a target clicks on an embedded URL, the website that opens can download malicious files right to their browser — and from there, it can infect the endpoint and the entire network. … What RBI does is instantiate a browser within a container hosted in the cloud or in the DMZ. This browser streams only safe rendering information data back to the endpoint, but all files downloaded within the remote browser stay safely isolated within the remote browser. If the employee downloads a malicious executable, the file has nowhere to execute.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also offers a few suggestions to help mitigate malware threats. The guidance recommends that customers use the NIST Cyber Supply Chain Risk Management (C-SCRM) document to understand the risks involved with the use of a given piece of software in the infrastructure. The eight NIST-suggested practices are:
1. Integrate C-SCRM across the organization.
2. Establish a formal C-SCRM program.
3. Know and manage critical components and suppliers.
4. Understand the organization’s supply chain software for which a vulnerability is disclosed.
5. Closely collaborate with key suppliers.
6. Include key suppliers in resilience and improvement activities.
7. Assess and monitor throughout the supplier relationship.
8. Plan for the full lifecycle.
Cybersecurity consultant Christopher Burgess (@burgessct) writes, “The CISA guidance report contains a plethora of resources worthy of staff review, though review won’t be sufficient. The keys to a secure environment are in the hands of the CIOs, CISOs, and DPOs who are in the position to both demand and ensure their teams learn from the lessons of others and understand the ‘why’ behind the implementation of both SSDF and C-SCRM in products created and used.”[8]
Concluding Thoughts
Organizations must realize they are in a constant battle against hackers. Megan Stifel, Americas executive director at the Global Cyber Alliance, told Rundle and Uberti, “Ransomware is a symptom of a broader problem, and that broader problem is poor cyber hygiene.” Rundle and Uberti conclude, “Security analysts say that many ransomware attacks are opportunistic in nature, meaning that attacks are designed to exploit common gaps in defenses, rather than actively target individuals or companies. … CISA recommends that all companies implement several practices to reduce the risk of ransomware infections. Those precautions include keeping software up to date and regularly patching security flaws. As an added measure, the agency also will scan an organization’s network for vulnerabilities, a service that it offers for free to state and local governments and to companies that operate critical infrastructure.” Even constant vigilance may not be enough to prevent an attack; however, anything less than constant vigilance almost guarantees trouble.
Footnotes
[1] Collin Eaton and Dustin Volz, “U.S. Pipeline Cyberattack Forces Closure,” The Wall Street Journal, 8 May 2021.
[2] Peter Fretty, “Cyberattack on Colonial Pipeline Disrupts Normal Flow,” IndustryWeek, 8 May 2021.
[3] Sheela Tobben and Jeffrey Bair, “Cyber Hack Knocks Out Largest U.S. Fuel Pipeline for Third Day,” SupplyChainBrain, 10 May 2021.
[4] Collin Eaton, James Rundle and David Uberti, “U.S. Pipeline Shutdown Exposes Cyber Threat to Energy Sector,” The Wall Street Journal, 9 May 2021.
[5] James Rundle and David Uberti, “How Can Companies Cope with Ransomware?” The Wall Street Journal, 9 May 2021.
[6] Isaac Kohen, “Why the Biggest Threat Facing Supply Chains is on the Inside,” Supply & Demand Chain Executive, 8 May 2021.
[7] Gerry Grealish, “The Three Most Dangerous Ransomware Delivery Vectors: RDP, VPN, and Phishing,” Dataversity, 20 January 2021.
[8] Christopher Burgess, “CISA issues guidance on defending against software supply chain attacks,” CSO, 28 April 2021.