The Colonial Pipeline Ransomware Attack and what it means for You
At first, officials said they were not expecting any gas shortages. That changed Monday morning, when reports began coming in of gas stations with no gas left to supply drivers.
For those who don't know, Colonial Pipeline, which carries approximately 45% of the fuel consumed on the East Coast, was hit with a ransomware attack this past Friday. In response, Colonial Pipeline shut down much of its pipeline operations. How does this affect you? Beyond the fuel shortages, the shutdown has driven up the price of gasoline, which is now over $3 per gallon in 16 states.
What is Ransomware?
Let's begin with what ransomware is. Kaspersky defines ransomware as: "Ransomware is malicious software that infects your computer and displays messages demanding a fee to be paid for your system to work again. This class of malware is a criminal moneymaking scheme that can be installed through deceptive links in an email message, instant message, or website. It has the ability to lock a computer screen or encrypt important, predetermined files with a password."
Learn more about ransomware in a prior blog post of ours: “What is Ransomware and Why You Should be Aware of It.”
How it happened
We have discussed the increase in cyberattacks over the last year, and we do not expect it to recede anytime soon. Malware volume grew by over 300% in 2020. "A research study conducted by Deep Instinct reports on the hundreds of millions of attempted cyberattacks that occurred every day throughout 2020 showing malware increased by 358% overall and ransomware increased by 435% as compared with 2019. (Helpnetsecurity)"
While the attack is still under investigation, the best guess so far is that "the hackers gained access to Colonial's computer system through the administrative side of the business.
“Some of the biggest attacks we’ve seen all started with an email,” Mr. Niccolls says.
“An employee may have been tricked into downloading some malware, for example.
“We’ve also seen recent examples of hackers getting in using weaknesses or compromise of a third-party software.
“Hackers will use any chance they get to gain a foothold in a network. (BBC)”
We have mentioned before that organizations' networks have been stressed by the huge push to work from home caused by the COVID-19 pandemic. The attackers may have gained access through the remote connection of an employee working from home. Again, we must stress that this attack is still being investigated and the details are not yet clear.
What this means
This attack shines a light on the vulnerability not only of businesses but of national infrastructure. It also reminds us that we must remain vigilant when it comes to cybersecurity. "95% of cybersecurity breaches are caused by human error. (Cybintsolutions)" Train everyone in the organization on cybersecurity and keep them informed of the latest trends; employees who know what phishing and other attacks look like are less likely to fall victim to one.
Here are some tips from CISA (the U.S. Cybersecurity and Infrastructure Security Agency):
- Require multi-factor authentication for remote access to OT and IT networks.
- Enable strong spam filters to prevent phishing emails from reaching end users. Filter emails containing executable files so that they do not reach end users.
- Implement a user training program and simulated attacks for spearphishing to discourage users from visiting malicious websites or opening malicious attachments and reinforce the appropriate user responses to spearphishing emails.
- Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL blocklists and/or allowlists.
- Update software, including operating systems, applications, and firmware on IT network assets, in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program.
- Limit access to resources over networks, especially by restricting RDP. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.
- Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.
- Implement unauthorized execution prevention by:
  - Disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
  - Implementing application allowlisting, which only allows systems to execute programs known and permitted by security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.
- Monitor and/or block inbound connections from Tor exit nodes and other anonymization services to IP addresses and ports for which external connections are not expected (i.e., other than VPN gateways, mail ports, web ports). For more guidance, refer to Joint Cybersecurity Advisory AA20-183A: Defending Against Malicious Cyber Activity Originating from Tor.
- Deploy signatures to detect and/or block inbound connections from Cobalt Strike servers and other post exploitation tools.
Courtesy of redmondmag.
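Two of the CISA recommendations above, restricting which sources may reach RDP and blocking or monitoring Tor exit nodes that connect to ports where no external traffic is expected, are easy to turn into a check over firewall logs. The script below is an added example written for this post; it is not CISA's code or anything from Colonial Pipeline. The log format (`key=value` fields after a timestamp), the Tor exit-node list, the approved RDP source range and the expected external ports are all constructed for illustration and use documentation IP ranges; in practice the exit-node list would be refreshed from the Tor Project's published list and the ranges would come from your own network inventory.

```python
"""Flag inbound connections that violate two CISA ransomware recommendations:
RDP reachable from unapproved sources, and Tor exit nodes reaching ports
where no external connection is expected. Added example, not the page's code."""
import ipaddress
from dataclasses import dataclass

# Constructed sample of an inbound-connection log (documentation addresses only).
SAMPLE_LOG = """\
2021-05-10T08:01:12Z src=203.0.113.5 dst=198.51.100.10 dport=443 proto=tcp
2021-05-10T08:01:15Z src=203.0.113.5 dst=198.51.100.10 dport=3389 proto=tcp
2021-05-10T08:02:40Z src=192.0.2.77 dst=198.51.100.11 dport=3389 proto=tcp
2021-05-10T08:03:01Z src=203.0.113.9 dst=198.51.100.12 dport=1194 proto=udp
2021-05-10T08:03:22Z src=203.0.113.9 dst=198.51.100.13 dport=8443 proto=tcp
2021-05-10T08:04:00Z src=198.51.100.200 dst=198.51.100.10 dport=22 proto=tcp
"""

# Constructed stand-in for a Tor exit-node list (hypothetical, not real exit nodes).
TOR_EXIT_NODES = {"203.0.113.5", "203.0.113.9"}

# Ports where external connections are expected: mail, web and the VPN gateway.
EXPECTED_EXTERNAL_PORTS = {25, 443, 587, 1194}

# Hypothetical jump-host range: the only sources allowed to reach RDP.
RDP_ALLOWED_SOURCES = [ipaddress.ip_network("192.0.2.0/24")]
RDP_PORT = 3389


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dport: int
    reason: str


def parse_line(line: str) -> dict:
    """Parse one log line: first token is the timestamp, the rest are key=value pairs."""
    timestamp, *pairs = line.split()
    entry = {"timestamp": timestamp}
    for pair in pairs:
        key, _, value = pair.partition("=")
        entry[key] = value
    entry["dport"] = int(entry["dport"])
    return entry


def is_rdp_source_allowed(src: str) -> bool:
    """True when the source address falls inside an approved RDP source range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in RDP_ALLOWED_SOURCES)


def evaluate(entry: dict) -> list[Finding]:
    """Apply both rules to one parsed entry; a single line can trigger both."""
    findings = []
    src, dport, ts = entry["src"], entry["dport"], entry["timestamp"]
    if dport == RDP_PORT and not is_rdp_source_allowed(src):
        findings.append(Finding(ts, src, dport, "rdp_from_unapproved_source"))
    if src in TOR_EXIT_NODES and dport not in EXPECTED_EXTERNAL_PORTS:
        findings.append(Finding(ts, src, dport, "tor_exit_to_unexpected_port"))
    return findings


def analyze(log_text: str) -> list[Finding]:
    """Run the rules over every non-empty line of the log and collect findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            findings.extend(evaluate(parse_line(line)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src} -> port {f.dport}: {f.reason}")
```

Run against the sample, the script reports three findings: the Tor exit node hitting RDP counts as both an unapproved RDP source and Tor traffic to an unexpected port, and the second exit node's connection to 8443 is flagged, while the same node's connection to the VPN port 1194 and the jump host's RDP session pass. Feeding the same rules a real firewall export turns the two CISA bullets into an alert rather than a checklist item.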
UPDATE: As of Wednesday afternoon, Colonial Pipeline has begun restarting its systems, although it will be a few days before the pipeline is fully up and running.