Team82 Blog
A disruptive ransomware attack reported Saturday against Colonial Pipeline, the East Coast's largest gasoline, diesel, and natural gas distributor, continues today and is already impacting oil and gas delivery, precipitating a rise in fuel prices for consumers.
The FBI today, meanwhile, confirmed that DarkSide, a Russian cybercrime gang that sells ransomware as a service, is responsible for the attack. DarkSide is alleged to be involved in other attacks against U.S. companies since it surfaced last August, but this is the first known attack to impact a U.S.-based critical infrastructure provider and interrupt its services.
Colonial Pipeline published a statement confirming a ransomware attack against its IT systems, and that it "proactively" took its systems offline in order to contain the threat. As of Sunday, Colonial Pipeline said it was working on a restart plan, and lateral lines between terminals and delivery points were operational; all four of its mainlines were still down.
"Colonial Pipeline is taking steps to understand and resolve this issue. At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation. This process is already underway, and we are working diligently to address this matter and to minimize disruption to our customers and those who rely on Colonial Pipeline," the company said in its prepared statement.
Precious few details have been made available by Colonial Pipeline, which at first acknowledged only a cyberattack against its IT systems before updating its statement to confirm a ransomware attack.
Ransomware is a scourge to enterprises worldwide. These attacks are largely opportunistic, but a growing number of them have targeted specific high-value companies across industries. Ransomware recovery costs, meanwhile, are expected to double this year to nearly $2 million on average per incident, according to security company Sophos.
DarkSide, meanwhile, first appeared last summer, carrying out high-value, targeted ransomware attacks. The group's attacks not only encrypt critical systems, but also steal data before locking down servers. It has netted millions through attacks and partnerships with ransomware outfits, according to published reports. Those reports paint DarkSide as a gang that seeks out only victims capable of paying exorbitant ransom demands. The group reportedly does not target healthcare organizations, education, or government agencies. It extorts victims with threats of publishing data stolen in attacks if a ransom demand is not met.
It should be noted that attribution in cyberattacks is often a challenge. Experts attempt to match tactics, techniques, and procedures (TTPs) uncovered during forensic investigations to specific threat actors. Some attackers, however, share malware, exploits, and other artifacts that can be fingerprinted in an investigation, making attribution a less-than-exact science.
This is the most impactful known attack against U.S. critical infrastructure. Other intrusions, such as the attack against the Oldsmar, Fla., water treatment facility, garnered significant headlines and attention within industrial circles, and remain important in terms of awareness to improve defenses against cyberattacks within critical infrastructure. Damage in the Oldsmar attack, however, was quickly contained by operators and disruption was kept to a minimum.
The Colonial Pipeline attack is a different beast. Oil and gas delivery on the East Coast will be impacted the longer the shutdown continues—Colonial Pipeline delivers more than a million gallons daily from Texas to New York. Gasoline and home heating oil prices are expected to rise, putting further stress on the sector. CNBC reports that gasoline futures are up 1.28% and heating oil futures up 0.73%; West Texas Intermediate crude futures, the U.S. oil benchmark, are already up 61 cents, CNBC said. A shutdown of 10 days or longer, for example, would force refineries to slow production and would impact prices and profits industry-wide.
It's unknown how Colonial Pipeline was attacked. Ransomware attacks are increasing in sophistication; some threat actors rely on phishing emails to lure victims to sites hosting a malware download that infects computers or servers with ransomware. Other intrusions may involve a different attack vector, such as the exploitation of vulnerable software or the use of stolen credentials that grant an attacker access to critical systems.
DarkSide has been known to target domain credentials, an effective and dangerous tactic associated with what Microsoft calls human-operated ransomware attacks. Hallmarks of human-operated ransomware attacks include lateral network movement and harvesting of data along the way to compromising domain credentials. An attacker in possession of Active Directory admin or domain credentials would have extensive admin-level privileges across servers and workstations, as well as service accounts.
Such a privileged attacker would have the run of any system on the domain: able to access critical databases and to drop further exploits or malware such as ransomware. Many ransomware attacks have turned into full-blown extortion, with threat actors stealing data and threatening to publicly leak sensitive company documents online if ransom demands are not met. This is also a DarkSide TTP.
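As an added illustration, not code from the Team82 post, here is a small detector for the lateral-movement hallmark described above: one account performing network logons to many distinct hosts within a short window. Windows Security event ID 4624 and LogonType 3 are real Windows values; the CSV log format, account names and host names are constructed.

```python
# Added example (not from the Team82 post): flag an account that performs
# network logons (Windows Security event 4624, LogonType 3) to many distinct
# hosts in a short window, a lateral-movement hallmark described above.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one "timestamp,event_id,logon_type,account,dest_host" per line
SAMPLE_LOG = """\
2021-05-07T02:10:05,4624,3,CORP\\svc-backup,FS01
2021-05-07T02:10:41,4624,3,CORP\\svc-backup,FS02
2021-05-07T02:11:12,4624,3,CORP\\svc-backup,HMI-ENG01
2021-05-07T02:11:50,4624,3,CORP\\svc-backup,DC01
2021-05-07T02:12:30,4624,3,CORP\\svc-backup,SQL01
2021-05-07T08:15:00,4624,2,CORP\\alice,WS-ALICE
2021-05-07T08:16:10,4624,3,CORP\\alice,FS01
2021-05-07T09:00:00,4624,3,CORP\\alice,FS02
"""

def parse_events(text):
    """Parse the constructed CSV lines into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, event_id, logon_type, account, host = parts
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "account": account, "host": host})
    return events

def find_lateral_movement(events, min_hosts=4, window=timedelta(minutes=10)):
    """Return (account, window_start, hosts) for each account whose network
    logons reach >= min_hosts distinct hosts inside a sliding time window."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event_id"] == 4624 and e["logon_type"] == 3:  # network logons only
            by_account[e["account"]].append(e)
    alerts = []
    for account, logons in by_account.items():
        start = 0
        for end in range(len(logons)):
            while logons[end]["ts"] - logons[start]["ts"] > window:
                start += 1  # slide the window forward
            hosts = {l["host"] for l in logons[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append((account, logons[start]["ts"], sorted(hosts)))
                break  # one alert per account is enough
    return alerts
```

In the sample, the service account fans out to five hosts in under three minutes and is flagged, while the interactive user's two ordinary file-server logons are not.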
Within operational technology (OT) environments, such as those in oil and gas and other critical infrastructure, legacy equipment is frequently front-and-center. While these systems are old, they are reliable, and ensure the availability and safety coveted within industrial operations. As more OT networks and industrial control systems (ICS) are converged with IT systems and managed centrally, critical systems that were once air-gapped now have some exposure to the internet. Thus, a vulnerable legacy Windows system overseeing industrial processes would now be accessible from outside the OT network if not configured properly or segmented from the business network.
Further complicating matters is the fact that some of this obsolete technology can't be patched, and all too often it is maintained by staff who are not as cyber-savvy as they need to be to keep attackers at bay. This leads to a situation where cybersecurity risk levels are below acceptable tolerances, and in some cases organizations are blind to the risk.
One additional risk factor of pipelines is that they are highly distributed environments, and the tools used to grant asset operators remote connectivity are optimized for easy access, rather than security. This provides attackers opportunities to sneak through cyber defenses, as we saw in the Oldsmar attack.
Among critical-infrastructure sectors, energy is especially at risk. Our researchers have found that the energy sector is one of the most highly impacted by ICS vulnerabilities, and it experienced a 74% increase in ICS vulnerabilities disclosed during the second half (2H) of 2020 compared to 2H 2018.
The Biden administration, meanwhile, has begun pressing government and critical-infrastructure operators to improve cybersecurity within electricity utilities, recently announcing a 100-day push to begin this process. The incentive-heavy plan has a large focus on locking down the supply chain and shoring up vulnerabilities in critical infrastructure. Given that much of the critical infrastructure in the U.S. is privately owned, these types of public-private partnerships are going to be crucial to closing any security gaps.