Why the Colonial Pipeline Attack Was Anything But Ho-Hum
The recent Colonial Pipeline ransomware attack appears to have been fairly run-of-the-mill and not much different from other attacks we’ve seen – other than the fact that it shut down critical infrastructure, spiked gas prices, and created FUD in the United States populace.
And since the attackers, a Russian ransomware-as-a-service gang known as DarkSide, were successful in obtaining a $5 million ransom, there are fears that we could see a lot more of these types of attacks in the future.
Another interesting note is that we can surmise the operators of the Colonial Pipeline were not sufficiently confident that there was 100% effective segmentation between their office/admin network and their operational technology (OT) network – or else why would they have shut down all of their pipeline operations? Contrast this with the 2012 Saudi Aramco attack, which saw 35,000 computers wiped or destroyed but failed to shut down oil production.
Perhaps most interesting in all of this are the social and geopolitical considerations. For example, who was really behind the attack, and should we make them pay? There are two camps of thought here:
- It was really just this ransomware group, who states they are apolitical and only go after greedy corporations (but not Russian or Eastern European ones) for money, and they didn’t intend to disrupt US critical infrastructure; or
- It was really a nation-state-backed attack, angling to disrupt and cause chaos, or else probing to see how vulnerable our infrastructure actually is.
In any regard, even if it were just a wayward cadre of ransomware entrepreneurs, any group making that kind of money is going to garner the attention of Mother Russia’s oligarchs. No big business escapes their notice nor can even exist without their involvement and/or consent. And if it did, it would immediately be shut down – which may actually be the case, since we have seen two things happen since this attack:
- The Russian hacking site XSS that used to be a clearinghouse for ransomware gangs said it was no longer going to allow any ransomware themed posts; and
- DarkSide said they were ceasing operations.
So, things have evidently gotten hot there. Was it because of threatened (or actual) US actions? Or was it because the gang failed to gain the official “okay” from their Russian overlords? Any answer would be pure speculation on my part.
But let’s look at the things I do know about and can address: how to spot and stop ransomware.
The MITRE ATT&CK Framework is a study of our adversaries’ tactics, techniques, and procedures (TTPs). Our goal is to detect an indicator of compromise (IOC) as early as possible in the cyber kill chain, before it becomes a data breach or something causing financial loss. Here’s an overview of the tactics:
- Reconnaissance – The adversary is trying to gather information they can use to plan future operations
- Resource Development – The adversary is trying to establish resources they can use to support operations
- Initial Access – Used to gain an initial foothold within a network
- Execution – Technique that results in the execution of code on a local or remote system
- Persistence – Method used to maintain a presence on the system
- Privilege Escalation – Result of actions used to gain a higher level of permission
- Defense Evasion – Method used to evade detection or security defenses
- Credential Access – Use of legitimate credentials to access a system
- Discovery – Post-compromise technique used to gain internal knowledge of a system
- Lateral Movement – Movement from one system over the network to another
- Collection – Process of gathering information, such as files, prior to exfiltration
- Command and Control – Maintaining communication within targeted network
- Exfiltration – Discovery and removal of sensitive information from a system
- Impact – Techniques used to disrupt business and operational processes
In light of the MITRE ATT&CK Framework, let’s look at a few of the IOCs associated with typical ransomware, such as that of the Maze group:
- For persistence, it places a startup_vrun.bat batch file in the Windows Startup folder.
- For defense evasion, it attempts to disable any dynamic analysis or other security tools (such as IDA Pro) from running.
- For credential gathering, it uses Mimikatz.
- For lateral movement, it uses PsExec and PowerShell.
- For command & control, it has hard-coded IPs and communicates via HTTP.
- For data collection & exfiltration, it uses 7Zip & WinSCP to connect to cloud locations.
- For impact, it deletes the Windows Volume Shadow Copies (preventing an easy rollback to a previous known-good state), and it stops the MS-SQL service so it can encrypt databases.
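Several of the IOCs above (the Startup-folder batch file, shadow copy deletion, stopping the SQL service, PsExec for lateral movement, Mimikatz) show up as process command lines that a SIEM can match with simple rules. The script below is an added example, not code from the original post or from any vendor: it runs a small rule set over constructed process-creation events (hostnames, user names and paths are made up) and raises an alert only when one account trips rules from two or more ATT&CK tactics inside a short window, which is what separates a ransomware run from a lone administrator typing `vssadmin`.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry, modelled on Sysmon/EDR process-creation events.
# Every host, user and path here is invented for the example.
SAMPLE_EVENTS = [
    {"ts": "2021-05-07T02:11:03Z", "host": "FS01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c copy startup_vrun.bat "
                "\"C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\""},
    {"ts": "2021-05-07T02:11:40Z", "host": "FS01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2021-05-07T02:12:05Z", "host": "SQL01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net stop MSSQLSERVER /y"},
    {"ts": "2021-05-07T02:12:30Z", "host": "SQL01", "user": "CORP\\svc_backup",
     "image": "C:\\Tools\\PsExec.exe",
     "cmdline": "PsExec.exe \\\\WS22 -s cmd.exe"},
    {"ts": "2021-05-07T09:00:00Z", "host": "WS07", "user": "CORP\\jsmith",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# (ATT&CK tactic, rule name, patterns that must ALL match the command line).
# The patterns encode the Maze IOCs listed in the post; they are detection
# strings, matched case-insensitively.
RULES = [
    ("Persistence", "batch file copied into Startup folder",
     [r"\.bat\b", r"\\programs\\startup\\"]),
    ("Impact", "volume shadow copies deleted",
     [r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete"]),
    ("Impact", "MS-SQL service stopped ahead of encryption",
     [r"\bnet(\.exe)?\s+stop\s+mssql"]),
    ("Lateral Movement", "PsExec remote execution",
     [r"\bpsexec(\.exe)?\b"]),
    ("Credential Access", "Mimikatz invocation",
     [r"mimikatz|sekurlsa::"]),
]


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def match_rules(event):
    """Return the (tactic, rule name) pairs whose patterns all hit this event."""
    cmd = event["cmdline"]
    return [(tactic, name) for tactic, name, patterns in RULES
            if all(re.search(p, cmd, re.IGNORECASE) for p in patterns)]


def correlate(events, window=timedelta(minutes=15), min_tactics=2):
    """Group rule hits by account and alert when one account trips rules from
    at least `min_tactics` distinct ATT&CK tactics inside `window`."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        for tactic, name in match_rules(ev):
            by_user.setdefault(ev["user"], []).append(
                (parse_ts(ev["ts"]), ev["host"], tactic, name))
    alerts = []
    for user, hits in by_user.items():
        for i, (t0, _, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            tactics = {h[2] for h in in_window}
            if len(tactics) >= min_tactics:
                alerts.append({
                    "user": user,
                    "first_seen": in_window[0][0].isoformat(),
                    "hosts": sorted({h[1] for h in in_window}),
                    "tactics": sorted(tactics),
                    "rules": [h[3] for h in in_window],
                })
                break  # one alert per account per burst is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Correlating on the account rather than the host matters here: the sample attacker moves from FS01 to SQL01 under one service account, and a per-host rule would see two weaker signals instead of one strong one. The notepad event never matches, so the ordinary user generates nothing.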
Although I have not seen an exhaustive technical breakdown of the ransomware used by the DarkSide team, it appears to be very close to what we described above.
So, how do we monitor for these things? First, you need a Security Information and Event Management (SIEM) solution. If you’re not familiar, SIEM aggregates system security audit log information from firewalls, network infrastructure, servers, cloud, and other systems and runs correlation rules based on a continuously updated threat feed. The result is that it generates security alerts for investigation in near real-time, allowing analysts to contain incidents as early as possible in the MITRE ATT&CK kill chain.
Note that I mentioned analysts here. To be effective, a SIEM must be monitored, eyes-on-glass, 24/7 – because, as we know, most attacks take place in the middle of the night, or weekends or holidays when no one’s around. You can’t (or shouldn’t) try to run a SIEM on your own. To do so would require a minimum of four full-time staff – i.e., an on-call supervisor and at least one person per shift (and they can never take a break or any time off!).
So, outsourcing this function to an expert team makes sense both operationally and financially.
In general, we are going to need to look for the following in detecting ransomware:
- File system changes (privileged use, encrypted files/extension changes, etc.).
- Attempted connections to known command & control sites.
- Use of known exploit framework tools such as Cobalt Strike Beacon, Metasploit, and others.
- Use of admin tools such as PsExec, PowerShell, 7Zip, WinSCP, and MSIExec.
- Suspicious processes and commands associated with ransomware – e.g., calls to the GetUserDefaultUILanguage function.
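The first item in that list, file system changes, is the one signal that ransomware cannot avoid producing: encrypted output is near-random, and most families rename the files they touch. The following is an added example (not the original post's code, and not a product feature) that scores constructed file-write events on two properties, whether the extension changed and whether the written bytes have high Shannon entropy, and only alerts when one process produces a burst of writes that have both. Thresholds, process names and paths are assumptions chosen for the demonstration.

```python
import math
import ntpath
import random
from collections import Counter
from datetime import datetime, timedelta

ENTROPY_THRESHOLD = 7.2        # bits per byte; encrypted or compressed data sits near 8.0
BURST_THRESHOLD = 5            # suspicious writes by one process before we alert
WINDOW = timedelta(seconds=60)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_write(event):
    """Score a single write/rename event on the two ransomware indicators."""
    old_ext = ntpath.splitext(event["path"])[1].lower()
    new_ext = ntpath.splitext(event["new_path"])[1].lower()
    entropy = shannon_entropy(event["data"])
    return {
        "extension_changed": old_ext != new_ext,
        "high_entropy": entropy >= ENTROPY_THRESHOLD,
        "entropy": round(entropy, 2),
    }


def is_suspicious(event) -> bool:
    """Both indicators together: a renamed file whose new content looks random."""
    c = classify_write(event)
    return c["extension_changed"] and c["high_entropy"]


def detect_encryption_bursts(events):
    """Alert per process that produces BURST_THRESHOLD suspicious writes inside WINDOW."""
    by_proc = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_suspicious(ev):
            by_proc.setdefault(ev["process"], []).append(ev)
    alerts = []
    for proc, evs in by_proc.items():
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= WINDOW]
            if len(burst) >= BURST_THRESHOLD:
                alerts.append({"process": proc, "count": len(burst),
                               "sample_paths": [e["new_path"] for e in burst[:3]]})
                break
    return alerts


# Constructed sample events (all names and paths invented). A deterministic
# pseudo-random stream stands in for ciphertext so the example is repeatable.
_rng = random.Random(1)
_base = datetime(2021, 5, 7, 2, 15, 0)
_ciphertext = lambda: _rng.randbytes(4096)
_plaintext = b"Quarterly pipeline throughput report, section 1. " * 80

SAMPLE_WRITES = [
    # an unknown binary rewriting six spreadsheets with random bytes and a new extension
    {"ts": _base + timedelta(seconds=2 * i), "process": "updater.exe",
     "path": f"C:\\Share\\finance\\q{i}.xlsx",
     "new_path": f"C:\\Share\\finance\\q{i}.xlsx.locked", "data": _ciphertext()}
    for i in range(6)
] + [
    # Word saving a .docx: high entropy (it is a zip), but the extension is unchanged
    {"ts": _base + timedelta(seconds=3), "process": "WINWORD.EXE",
     "path": "C:\\Share\\finance\\report.docx",
     "new_path": "C:\\Share\\finance\\report.docx", "data": _ciphertext()},
    # a user renaming a text file: extension changes, but the content is plain text
    {"ts": _base + timedelta(seconds=5), "process": "explorer.exe",
     "path": "C:\\Users\\jsmith\\notes.txt",
     "new_path": "C:\\Users\\jsmith\\notes.old", "data": _plaintext},
]

if __name__ == "__main__":
    for alert in detect_encryption_bursts(SAMPLE_WRITES):
        print(alert)
```

Requiring both indicators is what keeps the false-positive rate workable: Office documents and archives are high-entropy but keep their extension, and bulk renames by a user or a backup job change extensions without touching content. A real deployment would feed this from file-integrity monitoring or EDR file events rather than from an in-memory list, and would also watch for the privileged-use and extension patterns the post mentions.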
Regarding that last item, Brian Krebs and others have suggested that installing the Russian (or related Eastern European) language virtual keyboard into Windows could keep you from being targeted by these ransomware gangs, because they tend not to go after victims in countries friendly to the Kremlin (recall the bit about the oligarchs!). But I contend that we could potentially even monitor for any program that makes a call to the function checking on the virtual keyboard language as an indicator of “naughty” behavior – even if we have never seen a binary signature of this program before.
In conclusion, ransomware is not rocket science. It is something that is fairly predictable, and we know how to look for the IOCs and stop it. However, the consequences of not having SIEM/SOC/continuous monitoring and incident response in place are manifest: in this case, shutting down critical infrastructure and potentially hurting our national productivity and way of life. If you’re a company executive or IT leader, please reach out to us today for a discussion on how we can help you address this ransomware scourge.