CISA/FBI Give Guidelines for Avoiding Business Disruption from Ransomware Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint alert on DarkSide ransomware following the attack on the fuel pipeline operator Colonial Pipeline.

The cyberattack caused serious disruption to fuel supplies to the East Coast. Colonial Pipeline had to shut down systems to contain the risk, including the operational technology of its 5,500-mile pipeline, which carries jet fuel, gasoline, and diesel to the U.S. East Coast. The four main lines were shut down over the weekend; smaller lines were quickly restored, but the main lines remained closed pending safety checks. The pipeline moves approximately 2.5 million barrels of fuel a day and supplies 45% of the East Coast’s fuel.

The attack affected Colonial Pipeline’s information technology network; its operational technology systems were not affected. Soon after the attack the DarkSide ransomware group issued a statement saying its attacks are carried out strictly for money, not for political reasons or to cause economic or social disruption. The group also said it would vet future targets chosen by its affiliates and partners to avoid social consequences in future.

The joint CISA/FBI alert includes technical details of the attack and a number of mitigations to reduce the risk of compromise by DarkSide and by ransomware in general. All critical infrastructure owners and operators are urged to implement the mitigations to prevent similar attacks.

In previous attacks, DarkSide affiliates gained initial access through phishing emails and by exploiting vulnerabilities in remotely accessible accounts and systems and in Virtual Desktop Infrastructure. The group is known to use Remote Desktop Protocol (RDP) to maintain persistence. As with other human-operated ransomware operations, the attackers exfiltrate sensitive files before deploying the ransomware and threaten to sell or publish the data if the ransom is not paid.

Preventing DarkSide and other ransomware attacks starts with closing off the initial attack vectors. Robust spam filters are needed to keep phishing emails out of inboxes, and multi-factor authentication (MFA) should be enabled on email accounts to stop stolen credentials from being used. MFA should also be enforced for all remote access to operational technology (OT) and information technology (IT) networks. An end-user training program should teach the workforce how to recognize spear-phishing emails and cover general cybersecurity practices.

Network traffic should be filtered to block communication with known malicious IP addresses, and web filtering should be used to stop users from reaching malicious websites. Software and operating systems should be kept up to date and patches applied promptly. CISA recommends a centralized patch management process and a risk-based assessment to determine which OT network assets and zones should be included in it.

Access to resources over networks should be limited, especially RDP, which should be disabled if it is not operationally required. Where RDP is necessary, MFA must be used. Steps should also be taken to prevent unauthorized code execution, including disabling Office macros and using application allowlisting so that only applications authorized under the security policy can run.

Inbound connections from Tor exit nodes and other anonymization services to IP addresses and ports where no external connections are expected should be reviewed and/or blocked, and signatures should be deployed to block inbound connections from Cobalt Strike servers and other post-exploitation tools.
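The review rule above, together with the RDP restriction from the previous paragraph, as an added example that is not from the advisory or this article: a small Python triage script run over constructed firewall flow records. The anonymizer address list, the per-host baseline of expected Internet-facing ports, and the log format are all assumptions.

```python
import ipaddress

# Constructed stand-in for a Tor exit-node/anonymizer feed (documentation-range
# addresses, not real exit nodes); in practice refreshed from a published list.
ANONYMIZER_IPS = {ipaddress.ip_address(a) for a in ("203.0.113.10", "198.51.100.77")}

# Hypothetical baseline: per internal host, the ports expected to receive Internet
# connections. Any other port is one "with no external connections expected".
EXPECTED_INBOUND = {"10.0.0.5": {443}, "10.0.0.9": set()}  # web server, jump host

def parse_flow(line):
    """Parse one constructed flow record:
    '<ts> <in|out> src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp>'."""
    ts, direction, src, dst, proto = line.split()
    src_ip, _ = src[4:].rsplit(":", 1)
    dst_ip, dst_port = dst[4:].rsplit(":", 1)
    return {"ts": ts, "direction": direction, "src_ip": ipaddress.ip_address(src_ip),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "proto": proto[6:]}

def classify(flow):
    """Return the advisory-derived findings for one flow (inbound flows only)."""
    findings = []
    if flow["direction"] != "in":
        return findings
    expected = EXPECTED_INBOUND.get(flow["dst_ip"], set())
    # Anonymizer source AND a port with no external connections expected: review/block.
    if flow["src_ip"] in ANONYMIZER_IPS and flow["dst_port"] not in expected:
        findings.append("tor-exit-to-unexpected-port")
    # RDP should be disabled or MFA-protected, so any Internet-facing 3389 is flagged.
    if flow["proto"] == "tcp" and flow["dst_port"] == 3389:
        findings.append("inbound-rdp")
    return findings

def review(lines):
    """Return (timestamp, src, dst, port, findings) for each flow that triggers a rule."""
    hits = []
    for flow in map(parse_flow, lines):
        found = classify(flow)
        if found:
            hits.append((flow["ts"], str(flow["src_ip"]), flow["dst_ip"], flow["dst_port"], found))
    return hits

# Constructed sample log (documentation-range addresses).
SAMPLE_LOG = [
    "2021-05-10T03:14:00Z in src=203.0.113.10:51234 dst=10.0.0.9:22 proto=tcp",
    "2021-05-10T03:15:00Z in src=198.51.100.77:40000 dst=10.0.0.5:443 proto=tcp",
    "2021-05-10T03:16:00Z in src=192.0.2.44:3333 dst=10.0.0.9:3389 proto=tcp",
    "2021-05-10T03:17:00Z out src=10.0.0.5:55555 dst=192.0.2.1:443 proto=tcp",
    "2021-05-10T03:18:00Z in src=198.51.100.77:41000 dst=10.0.0.9:3389 proto=tcp",
]
```

A Tor exit reaching a genuinely public port (the 443 line) is deliberately not flagged, matching the advisory's "ports with no external connections anticipated" wording; it is left to ordinary web-log review.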

Not every attack can be prevented, so steps should also be taken to limit the impact of a successful attack and reduce the risk of severe business or operational degradation. These include strong network segmentation, organizing assets into logical zones, and maintaining frequent, robust backups.

The full advisory and recommended mitigations are available here: https://us-cert.cisa.gov/ncas/alerts/aa21-131a