hacking

DarkSide Pipeline Ransomware Attack

The Colonial Pipeline delivers 45% of the fuel supply used by the eastern coast of the United States.  Hackers disrupted it in May 2021 using DarkSide RaaS (Ransomware as a Service).

The Colonial Pipeline delivers 45% of the fuel supply used by the eastern coast of the United States. Hackers disrupted it in May 2021 using DarkSide RaaS (Ransomware as a Service).

On May 11, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) published an article describing the DarkSide ransomware attack on the Colonial Pipeline. This pipeline delivers 45% of the fuel supply used by the eastern coast of the United States.

When Colonial learned of the cyber attack, “they proactively disconnected certain OT (operational technology) systems to ensure the systems’ safety” (CISA report). In other words, while only the company’s IT network was hacked, the OT systems were unaffected but still taken offline deliberately by Colonial as a precaution.


What is DarkSide and how did they hack the pipeline?

Social engineering is a common way for attackers to gain access to unauthorized systems.

Social engineering is a common way for attackers to gain access to unauthorized systems.

DarkSide is a hacking group with ties to Russia. They liken themselves to Robin Hood, claiming to steal money from large companies and redistribute it to smaller organizations through charitable donations. “This Robin Hood mentality is more of a PR stunt” according to Jon DiMaggio, chief security strategist for threat intelligence firm Analyst1, interviewed in an article by TechRepublic. "When they made the donations (two donations at $10,000 each), it was reported across cyber news organizations all over the world," DiMaggio said. "It was essentially a $20K marketing cost that got their name out there. All of these guys seem to have big egos, which is why they have press releases and will talk to the media and researchers. So this donation was likely an attempt to increase their visibility."

So how was the attack carried out? “According to open-source reporting, DarkSide actors have previously been observed gaining access through phishing and exploiting remotely accessible accounts and systems and Virtual Desktop Infrastructure (VDI)” (CISA report). A phishing attack is when an attacker pretends to be someone trustworthy and convinces the victim to share login credentials or other vital system information. A VDI is defined as “the hosting of desktop environments on a central server. It is a form of desktop virtualization, as the specific desktop images run within virtual machines (VMs) and are delivered to end clients over a network” (Citrix).

While the exact details of this attack are still under investigation, it is likely that social engineering and unauthorized VDI access were involved at some level.


How to mitigate ransomware attacks

The Colonial Pipeline attack triggered panic, causing long lines and gas shortages across the east coast.

The Colonial Pipeline attack triggered panic, causing long lines and gas shortages across the east coast.

The CISA report lists many steps to take to help prevent ransomware attacks at your organization. Here is an abbreviated version of some of the steps they describe (see the full article for more details):

  • Require multi-factor authentication

  • Enable strong spam filters

  • Implement a user training program

  • Filter network traffic to prohibit malicious IP addresses

  • Update software in a timely manner.

  • Limit access to resources over networks.

  • Set antivirus/antimalware programs to conduct regular scans

  • Implement unauthorized execution prevention by:

    • Disabling macro scripts from Microsoft Office files

    • Implementing application allowlisting

    • Monitor and/or block inbound connections from Tor

    • Deploy signatures to detect and/or block inbound connection from Cobalt Strike servers

  • Implement and ensure robust network segmentation

  • Organize OT assets into logical zones

  • Identify OT and IT network inter-dependencies and develop workarounds or manual controls

  • Regularly test manual controls

  • Implement regular data backup procedures

    • Ensure that backups are regularly tested

    • Store your backups separately

    • Maintain regularly updated “gold images” of critical systems

    • Retain backup hardware

    • Store source code or executables

  • Ensure user and process account access rights are given based on the principles of least privilege and separation of duties.

For more information on how to defend against ransomware attacks, check out this webcast by John Strand, Owner and Security Analyst at Black Hills Information Security. He explains that there are many simple and free/inexpensive measures that companies can take to protect themselves. The content with John starts at the 29:15 mark and is definitely worth investigating.

Thanks for reading!

What is Buffer Overflow?

A buffer overflow can allow hackers to access your system in unexpected ways.  (Photo credit: Lars Kienle)

A buffer overflow can allow hackers to access your system in unexpected ways. (Photo credit: Lars Kienle)

A buffer overflow is an exploit used by a hacker to force a system to perform actions not intended by the programmers. To understand this concept, we first need to understand what a buffer is.

A buffer is a place where data is stored. A common example of this would be a login/password text box on a website. For our purposes, let’s assume that the text box is expecting a password of 12 characters or less. If a malicious hacker can input a formula that the programmer didn’t account for that could result in many more than 12 characters being entered into that text box, those extra characters would spill over into the surrounding memory, causing unintended side effects. This type of exploit can be used by the bad guys to gain access to hidden information on the system which could compromise and even change the operations of that computer/server. Without the proper controls in place, the extra information (overflow) is inserted into the computer memory, causing the computer to blindly run new instructions.

The simplest method for preventing buffer overflows is to use a programming language that does not allow for them. While C allows for buffer overflows, other languages such as Java, Python, and .NET do not require special changes.

Buffer overflows can represent a serious vulnerability to your systems. It is important to check your code for these vulnerabilities and ensure that you are mitigating risk from these types of attacks!

What is Ransomware and Crypto-Malware?

These types of malware could lock you out and cost you big money. (Photo credit: FLY:D)

These types of malware could lock you out and cost you big money. (Photo credit: FLY:D)

Ransomware is a type of malware designed to encrypt a computer, locking the user out of the computer or network completely. The attacker then demands a ransom to restore access to the system. These types of attacks have been carried out against individuals, companies, schools and even hospitals. In 2020, Cybersecurity company BlackFog estimated that “a business is attacked by a cybercriminal every 11 seconds” with a total estimated cost of $20 billion by 2021 (source).

Victims are often required to pay the bad guys in cryptocurrencies such as Bitcoin. “Once they have the Bitcoins, it’s simply a matter of ‘washing’ them via the Dark Web (a process which removes all traces of previous ownership and transactions) and the hackers can then convert the coins to cash” (Eurostaff).

Crypto-malware is similar to ransomware, with the main difference being that crypto-malware locks out the user from personal files but still leaves the operating system functional. The bad guys leave the OS running so that they can present a message to you demanding the ransom payment.

In either case, there are some steps you can take to help prevent these types of attacks:

  • Keep OS, software, and virus protection up to date on the latest version

  • Avoid opening emails or attachments from unknown senders

  • Avoid suspicious websites and links

  • Keep your data backed up routinely on an offline drive

These are just a few ways to keep you safe from ransomware and crypto-malware. It’s up to you to stay informed and stay vigilant!

TryHackMe - What is Splunk?

(Photo credit: Vishnu R Nair)

(Photo credit: Vishnu R Nair)

TryHackMe is a great resource for learning basic hacking concepts and getting hands-on experience! This article will show you around the “Detect Attacks Using Splunk” room from TryHackMe. “Splunk” is a product that captures and organizes data into digestible formats to help find patterns and solve problems for companies.

Begin by creating a TryHackMe account and completing the first few click-throughs, which eventually leads to this link:


Once you’ve entered the Splunk “room,” you will need to start your virtual machine. While the machine loads, you will answer some basic questions about Splunk commands. Google is your friend!

Following your quiz is an opportunity to learn about “BOTS,” which is described as a “blue-team jeopardy-esque (CTF) activity.” Learn more about that here.

Eventually, your virtual machine will load. Open the web browser and navigate to the URL listed in the instructions. This should lead you to the first exercise, with a screen that looks like this:

Splunk2.png

Our first task is to track down P01s0n1vy, who is attacking our company, Wayne Enterprises. Follow the prompts to begin to understand which IP address attacked us, and which software was used to carry out the attack. While all of the answers are more or less given to you, it is best to always click the green button to “Run the Search in a New Tab,” which helps you see exactly how Splunk works with data to find the answers.

Splunk3.png

You will then progress through a series of questions. Don’t be discouraged if you need to google some of the answers. The most important thing to remember is that as long as you are learning something, your time is well spent. Everyone starts somewhere, and TryHackMe is a great way to expose yourself to the world of hacking! Keep going and you will keep learning.

(Photo credit: Kaur Kristjan)

(Photo credit: Kaur Kristjan)

Here is a link that provides many answers if you get stuck.

Good luck, and enjoy!