Feds Advise Orgs on How To Block Ransomware Amid Colonial Pipeline Attack
- By Kurt Mackie
- May 12, 2021
A recent ransomware attack on a U.S. fuel pipeline company has put a spotlight on how "critical infrastructure" (CI) organizations can prevent similar attacks on their own systems.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an advisory and an alert in the wake of the attack on Colonial Pipeline, a major supplier of fuel to the U.S. East Coast. On May 8, Colonial Pipeline "temporarily halted all pipeline operations" due to ransomware that "affected some of our IT systems," according to company press releases.
Operations were disrupted by ransomware from DarkSide, a ransomware-as-a-service criminal organization, according to reports by Reuters.
The DarkSide attackers typically gain initial access through phishing, according to the CISA and FBI alert. They then reach systems remotely via virtual desktop infrastructure, including Remote Desktop Protocol (RDP). Their activities are obscured using "The Onion Router (TOR) for Command and Control (C2)" operations, and Cobalt Strike is also typically used in their C2 operations.
Operational Network Not Affected
Colonial Pipeline subsequently shipped the fuel via trucks while bringing its systems back online on an incremental basis. It received environmental waivers from the government for this alternative distribution approach. The company estimated on May 11 that it had delivered about 967,000 barrels to the U.S. East Coast by this means.
According to the CISA and FBI alert, Colonial Pipeline's operational technology networks have not been directly affected by the ransomware.
"At this time, there is no indication that the entity's operational technology (OT) networks have been directly affected by the ransomware," the alert indicated.
The alert didn't describe the effects on Colonial Pipeline's IT systems, but it did contain a long checklist of security mitigation steps for CI organizations to take.
CISA typically gives advice to federal government agencies, but the alert's advice was intended more generally. Here are its mitigation steps for CI operators:
- Require multi-factor authentication for remote access to OT and IT networks.
- Enable strong spam filters to prevent phishing emails from reaching end users. Filter emails containing executable files from reaching end users.
- Implement a user training program and simulated attacks for spearphishing to discourage users from visiting malicious websites or opening malicious attachments, and reinforce the appropriate user responses to spearphishing emails.
- Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL blocklists and/or allowlists.
- Update software, including operating systems, applications, and firmware on IT network assets, in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program.
- Limit access to resources over networks, especially by restricting RDP. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.
- Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.
- Implement unauthorized execution prevention by:
  - Disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
  - Implementing application allowlisting, which only allows systems to execute programs known and permitted by security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.
- Monitor and/or block inbound connections from Tor exit nodes and other anonymization services to IP addresses and ports for which external connections are not expected (i.e., other than VPN gateways, mail ports, web ports). For more guidance, refer to Joint Cybersecurity Advisory AA20-183A: Defending Against Malicious Cyber Activity Originating from Tor.
- Deploy signatures to detect and/or block inbound connections from Cobalt Strike servers and other post-exploitation tools.
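Two of the checklist items above (restricting the sources allowed to reach RDP, and monitoring inbound connections from Tor exit nodes and other anonymization services to ports where external connections are not expected) can be checked against firewall logs. The script below is an added illustration, not code from the alert, CISA or the FBI; the key=value log format, the Tor exit node addresses, the allowlisted RDP source range and the set of "expected" external ports are all constructed assumptions drawn from documentation address ranges, and would be replaced by an organization's own exit-node feed, firewall export and risk assessment.

```python
from ipaddress import ip_address, ip_network
import re

# --- Constructed reference data (assumptions for this example, not real indicators) ---
# Hypothetical Tor exit nodes / anonymization service addresses, using RFC 5737
# documentation ranges so nothing here points at a real host.
ANONYMIZATION_SOURCES = {ip_address("203.0.113.10"), ip_address("198.51.100.77")}

# Ports on which external connections are expected: web, mail and a VPN gateway.
EXPECTED_EXTERNAL_PORTS = {80, 443, 25, 587, 993, 1194}

# RDP originating sources that a risk assessment has deemed operationally necessary.
RDP_PORT = 3389
RDP_ALLOWED_SOURCES = [ip_network("192.0.2.0/24")]

# Firewall log line format assumed for this example: whitespace-separated key=value fields.
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict of key=value fields with src/dport typed, or None if unusable."""
    fields = dict(FIELD_RE.findall(line))
    if "src" not in fields or "dport" not in fields:
        return None
    try:
        fields["src"] = ip_address(fields["src"])
        fields["dport"] = int(fields["dport"])
    except ValueError:
        return None
    return fields


def findings_for(record):
    """Apply the two inbound-connection checks from the alert to one parsed record."""
    findings = []
    src, dport = record["src"], record["dport"]
    # Anonymization service reaching a port we do not expose externally.
    if src in ANONYMIZATION_SOURCES and dport not in EXPECTED_EXTERNAL_PORTS:
        findings.append(f"anonymization-source to unexpected port {dport}")
    # RDP from anywhere outside the assessed allowlist.
    if dport == RDP_PORT and not any(src in net for net in RDP_ALLOWED_SOURCES):
        findings.append("RDP from non-allowlisted source")
    return findings


def analyze(lines):
    """Return (line_number, source, findings) for every log line that trips a check."""
    results = []
    for n, line in enumerate(lines, 1):
        record = parse_line(line)
        if record is None:
            continue  # malformed or irrelevant line: skip rather than crash
        findings = findings_for(record)
        if findings:
            results.append((n, str(record["src"]), findings))
    return results


# Constructed sample log lines; timestamps, hosts and actions are invented.
SAMPLE_LOG = [
    "2021-05-08T02:13:44Z action=ALLOW src=203.0.113.10 dst=10.0.0.5 dport=443 proto=tcp",    # exit node -> web: expected
    "2021-05-08T02:13:51Z action=ALLOW src=203.0.113.10 dst=10.0.0.9 dport=22 proto=tcp",     # exit node -> SSH: flag
    "2021-05-08T02:14:02Z action=ALLOW src=192.0.2.44 dst=10.0.0.20 dport=3389 proto=tcp",    # RDP from allowlisted range
    "2021-05-08T02:14:30Z action=ALLOW src=198.51.100.77 dst=10.0.0.20 dport=3389 proto=tcp", # exit node -> RDP: both flags
    "2021-05-08T02:15:00Z action=ALLOW src=192.0.2.200 dst=10.0.0.3 dport=25 proto=tcp",      # mail from ordinary source
    "malformed line with no fields",
]

if __name__ == "__main__":
    for n, src, findings in analyze(SAMPLE_LOG):
        print(f"line {n}: {src}: {'; '.join(findings)}")
```

Run against the constructed sample, only lines 2 and 4 are reported: the first because a Tor exit node reached SSH rather than an exposed web, mail or VPN port, the second because an exit node reached RDP from outside the allowlisted range, which trips both checks. In production the address sets would be loaded from the organization's exit-node feed and firewall policy rather than hard-coded.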
The alert included even more steps to take, which sounded more like long-term goals for such organizations.
For instance, CI organizations should keep IT and OT technologies segmented via a "demilitarized zone" that reduces "unregulated communications." They should have manual controls in place to use during a "cyber incident." CI organizations should have regular backups in place, isolated from network connections, that get regularly tested. CI organizations should have "gold images" on hand to rebuild systems that might get attacked. Network access rights should be managed according to least-privileged rights principles.
Organizations hit by ransomware should remove the affected systems and turn off other network-connected computers. They should also scan their backup systems for malware. CISA and the FBI discourage paying a ransom as it just encourages criminals and doesn't ensure file recovery.
CI organizations can get free help from CISA on reducing their exposure to threats by applying to use CISA's Cyber Hygiene Services.