CISA/FBI Provide Best Practices for Preventing Business Disruption from Ransomware Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an alert about DarkSide ransomware in the wake of the cyberattack on Colonial Pipeline.

The cyberattack caused major disruption to fuel supplies to the East Coast. Colonial Pipeline was forced to shut down systems to contain the threat, including the operational technology of its 5,500-mile pipeline which supplies diesel, gasoline, and jet fuel to the U.S. East Coast. The four main pipelines were shut down over the weekend, and while smaller pipelines were quickly restored, the main pipelines have remained shut down pending safety assessments. The pipelines transport around 2.5 million barrels of fuel a day and provide 45% of the East Coast’s fuel.

The attack affected Colonial Pipeline’s information technology network, but its operational technology network was not affected. The DarkSide ransomware gang issued a statement shortly after the attack explaining that the attack was conducted purely for financial reasons and not for political reasons or to cause economic or social disruption. The group also said it would be vetting future ransomware attacks by its affiliates and partners to avoid social consequences in the future.

The joint advisory from CISA and the FBI includes technical details of the attack along with several mitigations to reduce the risk of compromise in DarkSide ransomware attacks and ransomware attacks in general. All critical infrastructure owners and operators are being urged to implement the mitigations to prevent similar attacks.

Previous attacks by DarkSide partners have gained initial access to networks via phishing emails and the exploitation of vulnerabilities in remotely accessible accounts and systems and Virtual Desktop Infrastructure. The group is known to use Remote Desktop Protocol (RDP) to maintain persistence. As with many other human-operated ransomware operations, prior to the deployment of ransomware the attackers exfiltrate sensitive data and threaten to sell or publish the data if the ransom is not paid.

Preventing DarkSide and other ransomware attacks requires steps to be taken to block the initial attack vectors. Strong spam filters are required to prevent phishing emails from reaching inboxes, and multi-factor authentication should be enabled for email accounts to prevent stolen credentials from being used. MFA should also be implemented on all remote access to operational technology (OT) and information technology (IT) networks. An end user training program should be implemented to train employees to recognize spear phishing emails and to teach cybersecurity best practices.

Network traffic should be filtered to prohibit communications with known malicious IP addresses, and web filtering technology used to prevent users from accessing malicious websites. It is vital for software and operating systems to be kept up to date and for patches to be applied promptly. CISA recommends using a centralized patch management system and a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program.

Access to resources over networks should be restricted, especially RDP, which should be disabled if not operationally necessary. If RDP is required, MFA should be implemented. Steps should also be taken to prevent unauthorized execution of code, including disabling Office Macros and implementing application allowlisting to ensure only authorized programs can be executed in accordance with the security policy.

Inbound connections from Tor exit nodes and other anonymization services to IP addresses and ports for which external connections are not expected should be monitored and/or blocked, and signatures should be deployed to block inbound connections from Cobalt Strike servers and other post-exploitation tools.

It may not be possible to block all attacks, so steps should be taken to limit the severity of a successful attack to reduce the risk of severe business or functional degradation. These measures include robust network segmentation, organizing assets into logical zones, and implementing regular and robust backup procedures.

You can view the alert and recommended mitigations here.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.