Briefing on the Colonial Pipeline Attack

Below is background and known details of how the pipeline attack was executed, as well as some recommended mitigation tactics for organizations looking to cover their bases.

Background

The Colonial Pipeline attack, which shut down the largest fuel pipeline in the United States, has been confirmed and attributed to DarkSide Ransomware by the FBI. Colonial Pipeline proactively shut down its operations when the attack was detected and has begun remediation with the forensics team Mandiant.
Operating as Ransomware-as-a-Service (RaaS), the DarkSide group typically only targets large revenue organizations that are deemed “non-critical.” However, it appears the attack on Colonial was not properly “vetted” by this group and was either a targeting mistake, or perpetrated by someone to whom they sold usage of their ransomware.
DarkSide has since released a statement apologizing for the societal impact of the attack and have added “controls” to ensure critical organizations (such as healthcare or government) are not targeted by their affiliates/partners in the future.

As detailed below, this incident highlights the importance of best practices when it comes to network segmentation and controls for organizations with OT/SCADA in their environments, particularly those providing critical services to the public.

As for their origins, DarkSide has been identified as either a Chinese or Russian APT (advanced persistent threat) group depending on the research source.
It should be further noted that they write their custom ransomware payloads to encrypt Windows and Linux devices.
DarkSide is also among the growing list of threat actor groups leveraging “double extortion” where they will leak all compromised data upon failure to pay the ransom. They have also been observed using DDoS attacks or scare tactics over phone to berate and pressure victims who do not pay the ransom.
DarkSide has been known to target organizations listed on NASDAQ and leak stolen information to those who may use it for trading on material, non-public information.

Details of the attack and techniques

The observed modus operandi for DarkSide and its affiliates is to create customized ransomware payloads for each specific target.
The ransomware executes a PowerShell command that deletes the utility Shadow Volume Copies from the system, then begins terminating various applications in preparation for encryption.
To ensure success, all the data is exfiltrated (and notably, this will include credentials and unencrypted documents found on infected hosts).

Initial access is gained through remotely exploitable accounts, systems, and services such as:
• Compromised contractor accounts
• Unpatched internet-facing systems
• Exposed VDI environments
• A compromised RDP session/account
Darkside then installs and modifies a version of Tor browser to run as a persistent service and establish RDP session over port 443 to look like normal web traffic. They may also leverage internal RDP access for lateral movement once initial access is successful.

The attackers may deploy Cobalt Strike stagers and beacons as a secondary C2 (command and control) via remote WinRM sessions. So far, all C2 agents used by Darkside are beaconing to different C2 servers making network detection difficult. Once the attacker obtains domain credentials, stagers and executables are stored in network shares for easy distribution and to avoid EDR detection prior to organization-wide device encryption.

Prior to encryption, the ransomware will attempt to turn off multiple services or terminate related processes, such as those for databases, backups, mail clients, word processor applications, or antivirus. They notably exclude TeamViewer from the termination list, leading researchers to believe they will use TeamViewer for remote access when available.

It should also be noted that BitDefender previously released a decrypter for this ransomware; however, this decrypter will not work on newer versions of this ransomware.

Mitigation/Detection

With ransomware attacks growing in popularity as a profitable focus of APTs, organizations should become aware of common tactics and ways to mitigate.
The following is a list of mitigating actions that an organization can take to reduce exposure and increase visibility to a potential ransomware attack resembling the DarkSide one.
1. Previous DarkSide attacks were observed using encoded Powershell scripts. Organizations with Powershell Script Block logging, command-line logging, SysMon, or EDR should be able to create rules that look for the following. Note that depending on normal Powershell usage in your environment, these rules may be too noisy to alert on and should be hunted and tuned for persistent detection.

o Execution Policy Bypass via “-ep bypass” command argument
o Powershell execute script-block command argument via “-c”
o Strings in Powershell script block or command-line arguments containing “char”, “byte”, “substring”,” “iex”, or “Invoke-Expression”

2. Look for deletion of Shadow Volume Copies via the following (also used by the ransomware group “REvil”):
o Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}

3. Look for deletion of logs (anti-forensics technique).
4. Look for nodes going silent/offline for AV or backup services.
5. Look for unapproved or unexpected permission changes on network shares.
6. Enforce multi-factor authentication for all remote access, including VPN, RDP, VNC, Citrix, SecureLink, TeamViewer, etc.
7. Look for unexpected usage of common tools such as Advanced IP Scanner or PSExec.
8. Monitor file writes to network shares, or unexpected usage of domain accounts
9. Ensure interactive logins are turned off for service accounts wherever possible
10. Look for usage of “ADRecon.ps1” – results may be stored in a file named “DC.txt” by default, but any unexplained usage of ADRecon should be investigated thoroughly
11. Query for file write or deletion of the files named “ADRecon.ps1” or “DC.txt”
12. Look for file creation of unexpected ZIP or 7Z files indicating stolen data being staged for exfiltration.

DarkSide examples include: “Typed_history.zip”, “Appdata.zip”, “IE_Passwords.zip”, “AD_intel”, “ProcessExplorer.zip” or archives with a naming convention such as “*.7z.[001]-[999]”
13. Create alerting for Mimikatz usage
14. DarkSide has been observed using a script called “invoke-mimikatXz.ps1” to pull creds and store in “dump.txt”. Look for file writes or deletions including either filename or anything similar.
15. Look for the standard “Invoke-Mimikatz.ps1” script which can be easily alerted upon with proper endpoint logging or EDRs
16. Look for binary execution from %AppData%LocalTemp
17. Turn off unused network shares, and heavily restrict write access to these shares to only required accounts

Conclusion:

This ransomware attack, which shutdown a major national resource and caused millions in damages, cost increases, lost wages, and more, was easily preventable by implementing standard best practice. If you have any concerns about your company’s security, contact us via phone or email to schedule a security audit.
https://www.dragontech.us/managed-services

References
• https://www.bleepingcomputer.com/news/security/largest-us-pipeline-shuts-down-operations-after-ransomware-attack/
• https://www.bleepingcomputer.com/news/security/darkside-new-targeted-ransomware-demands-million-dollar-ransoms/
• https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/
• https://www.varonis.com/blog/darkside-ransomware/
• https://www.cnbc.com/2021/05/10/hacking-group-darkside-reportedly-responsible-for-colonial-pipeline-shutdown.html