Threat Research

Protecting Critical Infrastructure: Colonial Pipeline, DarkSide, and Ransomware

By FortiGuard Labs | May 10, 2021

FortiGuard Labs Threat Research Update

Affected platforms: Windows
Level of Risk: HIGH/MEDIUM due to the shutdown implications of Colonial Pipeline. However, this appears to be restricted to targeted attacks as we have not seen other instances of this ransomware elsewhere.
Impact: Low. This attack currently appears to be confined to targeted organizations and is not the result of widespread wormlike activity.

This ransomware attack is still actively being investigated. This blog contains all of the information we have on hand as of today, May 11th, and will be updated as more information becomes available.

Update: In a joint advisory issued on May 11th, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) urge critical infrastructure (CI) asset owners and operators to adopt a heightened state of awareness based on the attack. The advisory does not contain any new information relating to the attack itself, nor are there any indicators of compromise (IOCs) associated with the attack, but they encourage organizations to implement the recommendations they list in the Mitigations section of the advisory.

On Thursday, May 6th, top U.S. fuel pipeline operator, Colonial Pipeline, was struck by a ransomware attack. According to statements made by the FBI, the perpetrators are an Eastern European cybercriminal organization known as DarkSide. While this group has not publicly acknowledged their involvement in the attack, they state that their objectives are monetary and not political.

Using the attack pattern DarkSide criminals are known for, they gained access to the network, attempted to steal nearly 100 gigabytes of critical data from Colonial Pipeline's network (adding leverage to their ransomware demands), and then locked down critical data and servers. According to multiple sources, only information systems were affected, and not industrial control systems (ICS). 

Fortunately, alert IT team members identified the attack and proactively took specific systems offline to contain the threat. This prevented the attackers from stealing any data while protecting their critical energy distribution infrastructure from even further compromise. 

These events caused Colonial Pipeline to halt all 5,500 miles of their pipeline operations as well as some of their IT infrastructure while they work to clean and restore compromised systems. Colonial Pipeline is the largest supplier of gasoline, diesel, and jet fuel on the East Coast. They transport 2.5 million barrels of fuel per day—nearly half of the East Coast's total fuel supply—through their network of pipelines linking refiners on the Gulf Coast with distribution centers across the eastern and southern United States. 

Keeping Critical Supply Lines Open

Federal agencies, cybersecurity specialists, logistics experts, and others have been working to avoid a prolonged shutdown of the line, which could cause prices to spike at gasoline pumps ahead of the peak summer driving season. But according to some experts, even a shutdown lasting only four or five days could lead to sporadic outages at fuel terminals along the U.S. East Coast that depend on the pipeline for deliveries.

To address this issue of ensuring supply to consumers, Federal responses have been primarily focused on maintaining the timely distribution of critical fuel supplies. Even though this issue resulted from a cyberattack, emergency measures have been focused on preserving supply through such measures as relaxing rules on fuel being transported by truck. As a result, drivers in 18 states can now work extra or more flexible hours when transporting refined petroleum products.

DarkSide Ransomware Attack Details

There is some question as to whether the DarkSide organization was directly involved in this attack or the result of the Ransomware-as-a-Service offering they run on the dark web, where "affiliates" pay DarkSide a percentage of any earnings resulting from a successful attack. Based on known available samples attributed to DarkSide campaigns, it appears that the group prefers living off the land techniques, which means that the group utilizes tools that already exist in the computing environment for lateral movement after compromise to evade detection.

While exact details of this attack remain unclear, examples of post-compromise tools and techniques associated with DarkSide is their usage of legitimate tools such as: 

Cobalt Strike - a pen-testing suite widely used by red teams around the globe

PSExec.exe - a command-line tool that offers extensibility and functionality similar to telnet for remote administration (and lateral movement)

Putty.exe - a widely used SSH/Telnet tool for the remote administration of servers (and lateral movement)

PCHunter - provides low-level system information at the kernel level 

MegaSync – A Russian language version of MegaSync, which coordinates with the storage provider MEGA, is likely used to move exfiltrated data and documents.

Another observed file is a tool that seeks out information from Firefox and looks for passwords and other associated data to exfiltrate.

Three Steps to Take to Protect Critical Infrastructures

Ransomware attacks remain one of the most dangerous threats to any organization that conducts even a portion of its business operations online. This challenge has become even more pronounced this past year. Workers transitioned from office-based locations protected by enterprise-grade security to remote areas and home offices protected with little more than a VPN connection. While we do not know the specifics for this case, we have seen a significant rise in ransomware attacks resulting from just such a scenario. 

FortiGuard Labs reported in their February 2021 Global Threat Landscape Report that organizations saw a sevenfold increase in ransomware attacks during the second half of 2020. The preferred attack vector has been to compromise unprotected or under-protected home networks and then hijack VPN connections back into the corporate network. One of the many challenges of relying on decades-old VPN technology is that it does not provide any native inspection of the data sent through those connections, nor does it authenticate the users, devices, or applications flowing through a VPN tunnel. FortiGuard Labs threat researchers documented a significant and nearly instantaneous shift away from attacks targeting enterprise devices to ones targeting consumer-grade appliances the moment organizations began transitioning to a work-from-home connection strategy.

To defend against today's growing and evolving ransomware threat, organizations need to do three things:

1. Secure Home Offices and Remote Connections

Home networks and remote connections need to be secured. Fortinet has a complete portfolio of tools focused on addressing this issue. Here are a few:

Fortinet Secure SD-WAN enables organizations to secure and maintain reliable connections from remote offices to corporate resources, whether in a physical network or the cloud. It ensures that critical business applications operate under maximum levels of security while providing an optimal user experience. Secure SD-WAN can also isolate business connections from the rest of the home network, so the corporate network is not at risk from unsecured home devices such as entertainment systems, smart appliances, or users engaged in remote work, remote learning, or online social or entertainment activities.

FortiSASE provides cloud-based security to ensure that even the most mobile users and distributed IoT devices have secure connections to corporate resources. The goal is to provide secure access to critical resources for any user on any device from any location.

FortiEDR provides advanced endpoint device protection to detect and respond to cyber-attacks and ensure that devices can continue to operate securely and reliably even if they have been compromised.

Zero Trust Access eliminates the inherent trust in many networks that attacks exploit to move freely across a compromised network. It does this by first assuming that every device or user has been potentially compromised. It then combines advanced multifactor authentication, critical context (such as user role, device type, time and day, or geolocation) with network access control technology to ensure that every device is only allowed access to the resources they need to do their job. Zero Trust Network Access extends this further by providing granular control to critical applications based on deep authentication of users and devices.

2. Implement Ransomware Countermeasures

Ransomware countermeasures include such things as maintaining regular backups of critical systems and securely storing them off-network, having an attack response strategy and team in place, running recovery simulations, building chains of command with distributed authority so critical decisions can be made as close to the cyber event as possible, and augmenting threat detection and response with A.I. systems and automation so responses threats can be identified, investigated, and stopped at digital speeds.

3. Leverage Actionable Intelligence

Actionable threat intelligence needs to be part of your security framework. Not only do you need to be aware of threats in the wild, but threats in progress as well so a compromise in one part of your network does not spread to another. And this requires security and network systems deployed anywhere across your distributed network to see, share, correlate, and respond to threat events in real-time.

Fortinet Protections

FortiGuard Labs

FortiGuard Labs has the following (AV) signatures in place for publicly available DarkSide Ransomware and associated campaign samples as:

PossibleThreat
Riskware/Agent
Riskware/PCH
Riskware/PowerTool
Riskware/RemoteUtilities
Riskware/TorTool
W32/DarkSide.B!tr.ransom
W32/Filecoder.ODE!tr.ransom
W32/Filecoder_DarkSide.A!tr
W32/Filecoder_DarkSide.B!tr
W32/GenKryptik.FBOV!tr
W32/Packed.OBSIDIUM.BV!tr
W64/Kryptik.BVR!tr

FortiGuard Labs has the following (IPS) signatures in place for Cobalt Strike Beacon Activity as:

Backdoor.Cobalt.Strike.Beacon

For TOR (darkweb) activity, Application Control signatures will detect all TOR related activity.

FortiEDR

All related IOCs have been added to our Cloud intelligence and will be blocked if executed on customer systems.

WebFiltering

All available network IOCs are blocked by the WebFiltering client.

Other Mitigations

Due to the ease of disruption and potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc., it is essential to keep all AV and IPS signatures up to date. 

It is also vital to ensure that all known vendor vulnerabilities within an organization are addressed and updated to protect against attackers establishing a foothold within a network.

Organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees to never open attachments from someone they don't know and always treat emails from unrecognized/untrusted senders with caution. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organizations' internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.

Stay Tuned for More Info on the DarkSide Ransomware

The FortiGuard Labs team is actively gathering additional information about this threat, and we will be providing updates to this blog as new information comes to light. We will also give more information about Fortinet solutions that protect customers from attacks like the one that compromised Colonial Pipeline. In the meantime, customers are encouraged to also read the related Threat Signal report to learn critical technical details about this attack, related IOCs, and additional Fortinet protections.

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.

Learn more about Fortinet’s free cybersecurity training initiative or about the Fortinet NSE Training programSecurity Academy program, and Veterans program.