People always ask me if law enforcement is having any luck in combatting cyber criminals. Let me be clear: it is a very tough job to take down cyber criminals located in other countries or sponsored by foreign nations. Our government is focusing on cyber criminals more than I have ever seen before, and the effort is promising.

Not only did the Department of Justice (DOJ) lead an effort to recoup the ransom paid by Colonial Pipeline, but it also just took down (I love that term), with the help of international law enforcement, an online marketplace, Slilpp, that was selling stolen login credentials for banking and online payment platforms.

An unsealed affidavit for a warrant requested by the DOJ states that victims have reported over $200 million in losses in the U.S. The Slilpp marketplace sold login credentials for more than 1,400 account providers before law enforcement took it down.

According to the DOJ: “[W]ith today’s coordinated disruption of the Slilpp marketplace, the FBI and our international partners sent a clear message to those who, as alleged, would steal and traffic in stolen identities: we will not allow cyber threats to go unchecked…. We applaud the efforts of the FBI and our international partners who contributed to the effort to mitigate this global threat.”

The FBI and DOJ are tirelessly chasing cyber criminals and their efforts are paying off for all of us. They deserve huge credit for their persistence and efforts.

The FBI recently issued a Flash Alert to Fortinet FortiGate users that Advanced Persistent Threat (APT) groups are continuing to exploit devices that have not been patched. Although Fortinet issued patches for these vulnerabilities in 2018, 2019, and 2020, many organizations have not applied the patches.

The exploitations are random, not against specific industries or sectors, and seem to be focused on just targeting unpatched devices. According to a Joint CISA and FBI alert issued in April 2021, the vulnerabilities could be used by threat actors to exfiltrate data, encrypt data, and stage for additional attacks.

Not patching vulnerabilities in software that is actively being used by your organization is giving threat actors easy access to valuable data, akin to not locking your door and allowing a burglar to enter and steal all your valuables. These are not new vulnerabilities nor are they new patches. Check with your IT professionals to confirm that these patches have been applied.

Colonial Pipeline paid hackers a ransom of $4.4 million in bitcoin soon after discovering a cybersecurity hack on its systems that began on May 6.  The company’s acknowledgement comes after days of speculation about whether a ransom was paid to the hackers.  The company’s CEO defended the “difficult” decision to pay the ransom, maintaining he was trying to avoid widespread fuel shortages for the East Coast. Even with the ransom payment, Colonial’s pipeline was shut down for days, resulting in price spikes and shortages at gasoline stations in the Southeastern U.S. In addition to the ransom payment, Colonial also revealed it would be spending tens of millions of dollars over the next several months to restore its systems.

Meanwhile, the hacker, identified by the FBI as Darkside, a group out of Eastern Europe, lost access to its IT infrastructure and cryptocurrency funds.  Many believe that law enforcement seized the group’s assets, given that it occurred on the same day President Biden announced the U.S. would “pursue a measure to disrupt” Darkside.

There are no mandatory federal cybersecurity requirements for U.S. critical infrastructure, including the energy sector. To date, federal government agencies have issued cybersecurity guidelines for the energy sector, but since most operations are privately owned, they are not obligated to follow them.  President Biden is trying to provide funding to harden security systems in U.S. critical infrastructure.  His proposed American Jobs Plan includes $20 billion for cities and towns to strengthen energy cybersecurity and $2 billion in grants for energy grids in high-risk areas. In the interim, Biden’s recently issued Executive Order on Improving the Nation’s Cybersecurity controls how security incidents are managed and how hardware and software is used by federal government agencies. For vendors and developers who want to do business with the federal government, this means focusing on improving product security in order to win new contracts from a very large customer.

Colonial Pipeline, a company that transports more than 100 million gallons of gasoline and other fuel daily across 14 states from Houston to New York Harbor, shut down the pipeline last Friday after discovering ransomware on its computer systems.  The FBI has blamed the attack on a ransomware group called DarkSide.

The hack reportedly began last Thursday when hackers stole about 100 gigabytes of data as part of a double extortion scheme.  After stealing the data, the hackers then locked Colonial’s computers. Darkside threatened to publish the stolen data online and to keep the computers locked unless Colonial paid an unknown ransom amount.

Colonial Pipeline notified the FBI of the attack on Friday morning and is cooperating with the investigation. The FBI also brought into the investigation the Cybersecurity and Infrastructure Security Agency (CISA) and other government agencies that regulate energy and infrastructure.  The FBI and other government agencies are still awaiting access to the company’s security protocols to determine how hackers pulled off the crippling ransomware attack.

U.S. critical infrastructure has been the target of an increasing number of cyberattacks. Earlier this year, an unknown hacker breached the access controls at the Oldsmar, Florida, water treatment plant, in an attempt to poison the city’s water supply with lye. In 2020, an unnamed natural gas compressor facility was shut down for two days due to a cyberattack.  Several natural gas pipeline operators had service interruptions in 2018, when a technology vendor that facilitated electronic communications between the operators was hacked.

Many members of Congress and the Biden Administration agree that making cybersecurity improvements is essential for the nation’s critical infrastructure, including our electric grid, local energy and utility companies, water treatment plants, and wastewater facilities. All of these operators face significant challenges to make such improvements, including sufficient funding, staffing and training.  In addition, even though the federal government adopted cybersecurity requirements for certain infrastructure operators, funding shortages can result in very little oversight and inspection to make sure operators are complying with the requirements. Some states, like Connecticut, have adopted requirements for certain infrastructure as well as provided funding to make sure operators in the state are complying.

In addition, it is recognized that our cybersecurity standards need updating.  The Biden Administration has proposed significant funding for the National Institute of Standards and Technology (NIST) to work with industry, science, and government to evaluate and improve the standards for our critical infrastructure.

Ransomware attacks are so frequent that they seem like old news. There is a new interest in ransomware attacks following the attack against Colonial Pipeline. The Colonial Pipeline attack crippled the gas transporter for five days and could affect gas availability and prices for at least the next two weeks.

The FBI has blamed the incident on DarkSide. Although DarkSide publicly states that it is only interested in money and not in disruption, it certainly has contradicted its public statements. The FBI, in a private advisory, said that it has been following DarkSide since October 2020.  According to reports about the advisory, the FBI stated “Darkside has impacted numerous organizations across various sectors, including manufacturing, legal, insurance, health care, and energy.” In addition, it is reported that DarkSide leases its hacking tools as ransomware as a service, splitting proceeds with other attackers as a financial incentive.

Ransomware continues to be a very significant threat to all industries, and particularly to health, energy, and insurance. Preparing for a ransomware attack and conducting tabletop exercises and incident response preparedness drills are key to identifying vulnerabilities and risk.

The FBI recently issued a Flash Alert warning higher education institutions, K-12 schools, and seminaries about increasing numbers of ransomware attacks affecting the education industry.  According to the warning, “[s]ince March 2020, the FBI has become aware of PYSA ransomware attacks against U.S. and foreign government entities, educational institutions, private companies, and the healthcare sector by unidentified cyber actors.”

The ransomware attacks are initiated by gaining unauthorized access to networks either by exploiting Remote Desktop Protocol (RDP) credentials or phishing.  Then the PYSA ransomware extracts sensitive information and encrypts files with the .pysa extension.  In some circumstances, the attackers sell the extracted information on the dark web.  The FBI reports that some criminals will also remove the malicious files after deployment, thus making it even more difficult for the victims to discover what has happened.

The FBI does not recommend paying any ransom as it emboldens and encourages more criminal conduct.  Acknowledging that many educational institutions might choose to pay after determining few other options exist, the FBI points out that there is no guarantee that paying any ransom will result in the return of the data.

The FBI also suggests schools implement mitigation steps as follows:

  • Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Implement network segmentation.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
  • Install updates/patch operating systems, software, and firmware as soon as they are released.
  • Use multifactor authentication where possible.
  • Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.
  • Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Install and regularly update anti-virus and anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
  • Consider adding an email banner to messages coming from outside your organization.
  • Disable hyperlinks in received emails.
  • Focus on awareness and training. Provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).
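One way to act on the "monitor remote access/RDP logs" item, given that PYSA intrusions start from compromised RDP credentials: the sketch below is an added example, not part of the FBI alert or the original post. It assumes a chronologically sorted CSV export of Windows Security logon events (4625 failed, 4624 successful) in a constructed column layout, and flags a source that succeeds right after a burst of failures.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export (not real data): time, event ID, logon type, source IP, account.
# 4625 = failed logon, 4624 = successful logon. Type 10 = RemoteInteractive (RDP);
# type 3 = network logon, which is how failed RDP attempts appear when NLA is enabled.
# Assumption: the export comes from RDP-exposed hosts and is sorted by time.
SAMPLE_LOG = """\
2021-03-16T02:10:01,4625,3,203.0.113.7,administrator
2021-03-16T02:10:09,4625,3,203.0.113.7,admin
2021-03-16T02:10:15,4625,3,203.0.113.7,jsmith
2021-03-16T02:10:22,4625,3,203.0.113.7,jsmith
2021-03-16T02:10:40,4625,3,203.0.113.7,jsmith
2021-03-16T02:11:05,4624,10,203.0.113.7,jsmith
2021-03-16T08:30:00,4625,10,10.20.1.15,mlee
2021-03-16T08:30:20,4624,10,10.20.1.15,mlee
malformed line that should be skipped
"""

RDP_LOGON_TYPES = {"3", "10"}


def find_rdp_alerts(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag sources that log `threshold` failures inside `window` and then
    log on successfully, the pattern left by guessed or stuffed credentials."""
    failures = defaultdict(deque)  # source IP -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 5 or parts[2] not in RDP_LOGON_TYPES:
            continue  # skip malformed rows and non-RDP logon types
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        event_id, src, account = parts[1], parts[3], parts[4]
        recent = failures[src]
        while recent and when - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the window
        if event_id == "4625":
            recent.append(when)
        elif event_id == "4624" and len(recent) >= threshold:
            alerts.append({"source": src, "account": account,
                           "failures": len(recent), "time": parts[0]})
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_alerts(SAMPLE_LOG):
        print("ALERT: successful RDP logon after repeated failures:", alert)
```

The single mistyped password from 10.20.1.15 stays below the default threshold, so only the burst from 203.0.113.7 is reported.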

State and local governments have been hammered with business email compromise (BEC) attacks over the past few years and the onslaught does not appear to be abating.

Last week, the Federal Bureau of Investigation (FBI) issued a Private Industry Notification to state, local, tribal, and territorial governments that they are being targeted by BEC attackers. The FBI noted that it is seeing an increase in these attacks, which have caused losses ranging between $10,000 and $4 million.

According to the FBI, state and local governments are low hanging fruit that scammers target because they have inadequate resources and cybersecurity controls. The FBI cites two risks as contributing to these attacks: the move to remote working and the failure to provide sufficient training to the workforce.

The FBI urged all members of the workforce to receive security awareness training, to learn how BEC attacks occur, and how to spot phishing and fraudulent emails. The FBI further suggested that additional measures for state and local governments to adopt include multi-factor authentication on email accounts, blocking automatic email forwarding, monitoring email Exchange servers for configuration changes, enabling alerts for suspicious activity (including foreign IP address logins), adding banners to messages from external sources, and using a filtering service (spam filter) as well as internal phishing tests. The FBI Alert is worth a read.
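Two of the measures above, blocking automatic forwarding and alerting on foreign IP address logins, are stronger when checked together. The following is an added example, not taken from the FBI notification: it audits a constructed export of inbox rules and sign-in records, and the domain names, country list and field names are all assumptions.

```python
from datetime import datetime, timedelta
from email.utils import getaddresses

ORG_DOMAINS = {"cityhall.example"}   # assumed organization mail domain
HOME_COUNTRIES = {"US"}              # assumed expected sign-in countries

# Constructed samples (not real data).
INBOX_RULES = [
    {"mailbox": "ap@cityhall.example", "name": "sync",
     "forward_to": "Backup <ap.archive@mail-relay.example>",
     "created": "2021-03-16T02:20:00"},
    {"mailbox": "clerk@cityhall.example", "name": "to-deputy",
     "forward_to": "deputy@finance.cityhall.example",
     "created": "2021-03-10T09:00:00"},
]
SIGN_INS = [
    {"user": "ap@cityhall.example", "country": "RO", "time": "2021-03-16T02:05:00"},
    {"user": "clerk@cityhall.example", "country": "US", "time": "2021-03-10T08:55:00"},
]


def is_internal(address, org_domains=ORG_DOMAINS):
    """True only for the org domain or a real subdomain of it, so a lookalike
    such as cityhall.example.attacker.test is treated as external."""
    domain = address.rsplit("@", 1)[-1].lower()
    return any(domain == d or domain.endswith("." + d) for d in org_domains)


def external_forwards(rules):
    """Return the rules that forward to at least one outside address."""
    findings = []
    for rule in rules:
        targets = [addr for _, addr in getaddresses([rule["forward_to"]]) if addr]
        outside = [t for t in targets if not is_internal(t)]
        if outside:
            findings.append({**rule, "external": outside})
    return findings


def correlate(rules, sign_ins, window=timedelta(hours=24)):
    """Rate an external forward 'high' when the same mailbox signed in from an
    unexpected country during the `window` before the rule was created."""
    results = []
    for f in external_forwards(rules):
        created = datetime.fromisoformat(f["created"])
        foreign = [s for s in sign_ins
                   if s["user"].lower() == f["mailbox"].lower()
                   and s["country"] not in HOME_COUNTRIES
                   and timedelta(0) <= created - datetime.fromisoformat(s["time"]) <= window]
        results.append({"mailbox": f["mailbox"], "rule": f["name"],
                        "external": f["external"],
                        "severity": "high" if foreign else "review"})
    return results


if __name__ == "__main__":
    for finding in correlate(INBOX_RULES, SIGN_INS):
        print(finding)
```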

U.S. intelligence agencies, including the FBI, the Office of the Director of National Intelligence, the National Security Agency and the Cybersecurity and Infrastructure Security Agency, have confirmed that Russia was behind the SolarWinds hack. It is reported that the FBI is investigating whether Russia hacked into project management software JetBrains’ TeamCity DevOps tool to originally plant its malware in SolarWinds Orion, causing a cascade of downstream opportunities for Russia to access numerous governmental agencies’ systems, as well as thousands of private company systems.

In the fall-out, the Department of Justice, which includes the FBI, the Drug Enforcement Agency and the U.S. Marshals Service, announced this week that 3 percent of its employees’ emails were compromised as a result of the SolarWinds hack. This is very concerning and shows the magnitude and seriousness of the incident.

In more disturbing news, Microsoft has confirmed that the hackers behind the SolarWinds incident were able to access its systems and that some of its source code was viewed by the hackers. Notably, Microsoft confirmed that the code was not modified and that the Russians did not access its products or services, including customer information.

Cybersecurity firms are offering free solutions for companies to use to identify the SUNBURST malware variant and whether they have been affected, including Palo Alto Networks and SentinelOne.

We will continue to see significant fall-out from this devastating incident. If your company has not assessed its risk of being affected by the SolarWinds hack, you may wish to consider devoting time and resources to help make that determination now.

Development and Operations (DevOps) teams are often pressured by executives and sales teams to get software products completed and out the door and into the market as quickly as possible so the products can generate income. Often, security is not the highest priority for DevOps, as adding security features may affect the performance of the software or add time to the deployment schedule.

The SolarWinds hack is a crucial reminder to DevOps teams to build security into software products, and to complete due diligence on the security protocols regarding the DevOps teams of vendors that make components used by software manufacturers, such as JetBrains.

JetBrains is a Czech-based company that developed a product called TeamCity, which Reuters reports is “used by tens of thousands of customers to construct other software.” According to other news reports, the FBI is investigating whether the Russians hacked into JetBrains’ TeamCity DevOps tool in order to infect SolarWinds’ Orion software.  If your DevOps team is using TeamCity, it may present another risk associated with the SolarWinds incident that has much broader impact on other software development.

Check with your DevOps team to see what kind of security due diligence they are completing on the vendors that are providing the component parts of the software they are developing, including JetBrains. If no due diligence is being done, this is a perfect time to start.

The Department of Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) this week issued Alert (AA20-301A), titled “North Korean Advanced Persistent Threat Focus: Kimsuky,” warning U.S. businesses, and particularly those in the commercial sector, about tactics used by North Korean advanced persistent threat (APT) group Kimsuky. https://us-cert.cisa.gov/ncas/alerts/aa20-301a

The Alert, co-authored by the Federal Bureau of Investigation (FBI) and the U.S. Cyber Command Cyber National Mission Force, “describes the tactics, techniques and procedures (TTPs) used by North Korean advanced persistent threat (APT) group Kimsuky—against worldwide targets—to gain intelligence on various topics of interest to the North Korean government.”

The key findings of the government on Kimsuky’s activities include:

  • The Kimsuky APT group has most likely been operating since 2012.
  • Kimsuky is most likely tasked by the North Korean regime with a global intelligence gathering mission.
  • Kimsuky employs common social engineering tactics, spearphishing, and watering hole attacks to exfiltrate desired information from victims.
  • Kimsuky is most likely to use spearphishing to gain initial access into victim hosts or networks.
  • Kimsuky conducts its intelligence collection activities against individuals and organizations in South Korea, Japan, and the United States.
  • Kimsuky focuses its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.
  • Kimsuky specifically targets:
    • Individuals identified as experts in various fields,
    • Think tanks, and
    • South Korean government entities.
  • CISA, FBI, and CNMF recommend individuals and organizations within this target profile increase their defenses and adopt a heightened state of awareness. Particularly important mitigations include safeguards against spearphishing, use of multi-factor authentication, and user awareness training.

The methods used by Kimsuky include social engineering and spearphishing, which are outlined in the Alert and are worth reviewing. After obtaining access, Kimsuky uses BabyShark Malware, PowerShell or the Windows Command Shell to execute the malware.

The Alert lists the indicators of compromise, including domains that have been used by Kimsuky, which IT professionals may wish to consult.