Virtualization Technology News and Information
Roundup: Insight from Security Experts on Colonial Pipeline Ransomware Attack


On Monday, the cyber-crime gang DarkSide claimed responsibility for compromising one of the largest U.S. fuel pipelines, operated by The Colonial Pipeline Company. The pipeline remains largely paralyzed today after a ransomware attack over the weekend forced the temporary shutdown of all operations.

The company hopes to restore service by the end of the week, but in the meantime the East Coast faces a major disruption of supply, and consumers will likely see localized fuel outages or price increases. The incident highlights the rising threat of ransomware and the ongoing exposure of the nation's aging critical infrastructure.

A number of industry security experts have chimed in with their thoughts on the matter.

Taree Reardon, Senior Threat Analyst, VMware

"The most important takeaway for organizations on Anti-Ransomware Day is the awareness and prioritization of patch management. Four years ago when WannaCry hit, there was a patch available that would have protected organizations from the attack, yet it wasn't widely implemented. Whether it was lack of resources or awareness, or simply turning a blind eye to a major threat, a lesson was learned that still rings true today: patches need to be applied in a reasonable amount of time. As cyberattacks become more ubiquitous, severe and complex, no business is safe from becoming a victim. Organizations must put the correct security measures into place before it's too late."


Joe Partlow, CTO, ReliaQuest

"This Anti-Ransomware Day, it's important to watch for an upcoming trend in ransomware operations, with more payments going underground than ever before. Ransomware payouts have increased significantly over the past year, as malware authors continue to innovate and cybercriminals outsource tasks to monetize operations more quickly. To compound this, the Treasury Department warned that firms that negotiate with ransomware extortionists could face steep fines from the U.S. federal government if the crooks who profit from the attack are already under economic sanctions. In response, we are seeing ransomware payments go underground -- and can expect more of this in the years to follow. Companies will take whatever measures necessary to regain access to critical systems and data to keep the business running, regardless of government regulations."


Ray Canzanese, Threat Research Director, Netskope

"Recent Netskope research shows that the majority of all malware is now delivered via cloud apps, underscoring how attackers increasingly abuse popular cloud services to evade legacy security defenses, putting enterprise data at risk. Ransomware, specifically, has recently been delivered using malicious Office documents, which we saw increase in volume by 58% in 2020. Malicious Office documents have also been used as Trojans to deliver other malware, including bankers and backdoors. Using cloud app delivery to evade legacy email and web defenses, malicious Office documents represent 27% of all malware downloads. Organizations need to consider a myriad of risks as they move to the cloud. A framework called Secure Access Service Edge (SASE) is emerging as a viable method to apply secure access and thwart attacks, for example, by preventing malicious software from accessing the network. SASE architecture can help guide increasingly dispersed organizations to realize the benefits of remote work and the cloud without compromising security."


Kev Breen, Director of Cyber Threat Research, Immersive Labs

"An alarming trend that organizations must be aware of is double extortion. As businesses become more prepared to face ransomware attacks and have backups and recovery plans in place, ransomware operators have had to find other ways to force them to pay. Their solution: take a copy of the data before encrypting it. With a copy of the data now in the hands of the bad guys, it doesn't matter if you have good backups and can get back to BAU as quickly as possible. It seriously shifts the dynamic of power, because unless the ransom is paid, the attackers can simply make everything public. This can be hugely damaging to both the organization and its users and customers, as it could see the release of highly personal and sensitive information, including medical records, mental health records, and financial data. And ransomware operators don't stay quiet: they run their own leak sites where they publicly name and shame the victims to add even more pressure to pay the ransom. With legislation like GDPR in the EU, even if the ransom is paid, there is still a chance organizations will be hit with large fines by the regulators."


Theresa Lanowitz, director, AT&T Cybersecurity

"When a business is infected with ransomware, a pop-up window alerts the user to locked files, threatening release or deletion of their data if demands are not met, similar to what you see in a movie. This is a reality that plays out in business on a daily basis today, and we're more reminded of the impact such threats have on the fourth anniversary of the ransomware WannaCry.

Cybercriminals use ransomware because they can disguise it in campaigns that play on emotions. The ROI on ransomware makes the attacks worthwhile, because unfortunately, many businesses do pay the ransomware to avoid a complete stoppage of work. With that said, once businesses face a complete stoppage from a ransomware attack, cybersecurity is usually taken more seriously - ransomware is an expensive lesson to learn.

Because ransomware disguises have become more advanced, a business cannot simply resume its analog methods of business. The digital age marches on, even with cybercriminals in our midst. While there are some simple protection methods that will deter an attacker, more businesses need to make these strategies a priority. Examples include email and patch management, the use of anti-malware tools, and using the 3-2-1 for backups: make three copies of data, use two different storage types for copies, and keep one copy offsite. Using these techniques will help make businesses less attractive to cybercriminals."


Julian Zottl, Chief Technology Officer - Cyber Protection Solutions, Raytheon Technologies

"This year marks the 4th anniversary of WannaCry. It was one of the largest ransomware attacks in history, and one that reminds all cybersecurity professionals that we need to remain vigilant every day. Looking back at the recent cyberattacks that have compromised company data and overall safety, we need to detect these attacks faster, and remediate them quicker. The dwell time between attack and remediation has dropped dramatically in the last 10 years, however, it still is not quick enough. For instance, the 2021 hack on a Florida water plant emphasized the importance of improving our security posture for national infrastructure - while identifying where organizations fall behind when protecting sensitive information. This hack was not sophisticated, but it could have had deadly consequences.

The recent SolarWinds and Exchange hacks have enabled ransomware authors to more easily deploy ransomware, such as DoejoCrypt/DearCry, to vulnerable Exchange servers. This will also enable the deployment of web shells on infected machines. As a result, this could have dire consequences, since it allows attackers to execute arbitrary files on the system. Recovery from this type of attack will be difficult and very costly, but could be prevented with the right Computer Network Defense architecture and training.

Organizations need to start viewing cybersecurity as a central and essential service. As businesses and agencies are seeing their budgets cut, one of the places they target is their cyber defense budget. Combine this with more employees working from home because of the current pandemic, and you have a perfect opportunity for adversaries. Cyber defense groups are quickly trying to address these issues, however, with lower budgets, they are finding it difficult to act. Despite these challenges, they still must keep their information and networks protected.

These breaches not only require a complete overview of current security measures, but an expanded outlook on how to train future generations of cybersecurity professionals to prepare, and potentially prevent, a similar attack. United States government agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA) and groups such as the Multi-State Information Sharing and Analysis Center (MS-ISAC), are helping the nation to understand, and manage, cyber and physical risk to our critical infrastructure. Because of these growing threats, it's more crucial than ever to invest in security training that will properly prepare for the new risks that will arise. In response, organizations should consider how they can become involved in a cyber graduate's education from the onset - whether through guest lectures, sponsored events such as the National Collegiate Cyber Defense Competition (NCDDC), and/or internship opportunities that allow students to witness what a career in cybersecurity really requires - a constant vigilance against such data breaches that threaten the livelihood of so many."


Troy Gill, Manager of Security Research at Zix

"The recent attack on the Colonial Pipeline highlights the risk ransomware can pose not only to businesses but to critical national industrial infrastructure. The attack also showcases that the trend of 'ransomware as a service' is prolific in today's world, in addition to the growing trend of more joint involvement from both private companies and government agencies to help halt the impact as quickly as possible. Similar to the FBI stepping in and removing Microsoft Exchange web shells to help safeguard organizations, I believe this involvement by the FBI and other government agencies has become critical to assist and prevent further damage with the Colonial Pipeline attack.

Many believe that this attack was a result of more engineers remotely accessing control systems for the pipeline from home using remote desktop software such as TeamViewer and Microsoft Remote Desktop. The pandemic forced more employees to work from home and, unfortunately, many organizations are still trying to secure their devices, remote access points, and overall networks. There is no excuse for organizations not to enforce and implement two-factor authentication (2FA) or a multi-layered authentication (MFA) protection approach. In addition to requiring 2FA or MFA, this attack is a great reminder for organizations to make sure they are following all their best practices, including:

1. Identify and isolate/mitigate the threat, eliminate it as appropriate and confirm elimination,
2. Deploy regular security audits to identify vulnerabilities and suspicious user behavior, and
3. Ensure business-critical data is being backed up accurately and regularly.

Also of note, this is an important reminder that it is never recommended to pay ransoms, as you have no real guarantee that the attackers will cease the attack, nor is it certain they will provide you with the decryption keys. It is your company's responsibility to have the best proactive and reactive security measures in place so that when faced with a cybersecurity breach, you can reduce the recovery time and restore business quickly."


Dave White, President of Axio

"The event appears to be a ransomware attack on the IT network at Colonial. It's not yet clear whether they shut down the pipeline out of an abundance of caution to stop the spread of the ransomware payload OR they can't operate the pipeline because either OT systems have been impacted or they are dependent on IT systems. All of that said:

  • This points out the critical importance of preparing for ransomware events.
  • This event builds on the insight from recent events in Texas, where natural gas pipeline issues resulted in state-wide power blackouts, operational challenges to the power grid as far away as California, and more than $800m in commodity-price-related economic impact in Minnesota. The US economy is critically dependent on energy pipeline infrastructure. It is important for all energy-critical asset owners and the federal government to undertake risk analysis and economic quantification studies to understand the scale of impact from events like this and support investment in appropriate protections.
  • Recommendations from the Cyberspace Solarium Commission include establishing a Public-Private Partnership on Modeling Cyber Risk and a Bureau of Cyber Statistics charged with collecting and providing statistical data on cybersecurity and the cyber ecosystem to inform policymaking and government programs. This event combined with the recent events in Texas point out our critical dependence on energy pipeline infrastructure and the importance of quick action on these and other recommendations from the Commission.
  • The pipeline industry, in collaboration with API, INGAA, and AGA, has been attempting to get ahead of pipeline cybersecurity issues with the update to the critical API 1164 standard.
  • The recent news about the shortage of truck drivers qualified to drive fuel trucks will compound the US economic impact from this event.
  • This could rapidly accelerate the movement to regulate cybersecurity on pipelines. If it does, API-1164 will become very important very quickly."

Mieng Lim, VP of product management at Digital Defense

"This attack on a vital fuel pipeline, like the recent attack on a Florida water facility, is a harbinger of what's to come if we continue to neglect the cybersecurity of our critical infrastructure. Cyber criminals and nation state actors will continue to probe for and exploit these weaknesses. Spending to secure our critical infrastructure networks is like replacing a home's faulty electrical wiring. It's hard to see the results of the spend, but not spending could be devastating. Our economy and the health and welfare of our population are at risk. It's a simple choice -- increase the cyber security protecting our critical infrastructure or continue to be victims of escalating cyberattacks."


Paul Martini, CEO of cloud cybersecurity company, iboss

"Ransomware attacks have spiked over the course of the pandemic, so while it's not shocking to hear about another high-profile attack, the rapid contrition from the attackers is peculiar. We've seen massive attacks against some of the largest tech giants, yet organized threat actors - previously motivated strictly by financial gain - may now see a need to differentiate themselves from other criminals and nation-state cyber-espionage groups. Despite this 'apology', no organization, from small independent businesses to the Fortune 500, should let their guard down. Prioritizing a strong network security posture is the only defense against constantly evolving threats."


Rich Lilly, Partner and Director of Security at Netrix

"Ransomware has been on the rise, and we're finding that bad actors are not only going after one area of the business, but then launching new attacks within the same business in another area, impacting some customers multiple times. In addition, many enterprises have focused on securing their enterprise IT environments where most of their users live, but an area that is increasingly being attacked is OT (Operational Technology systems such as ICS). We are seeing attackers trying to gain persistence wherever possible, and it doesn't always end with a user, but most of the time it starts with one. Deploy MFA, build a zero-trust strategy, and ensure you have solid platforms in place to detect and respond to your enterprise, IoT and OT environments, in order to reduce your risk."


James Shank, Ransomware Task Force (RTF) committee lead for worst case scenarios and Chief Architect, Community Services for Team Cymru

"One of the areas of focus during the Ransomware Task Force Worst Case Scenario thought experiment included supply chain attacks that impact critical infrastructure or critical services. We discussed this sort of possibility; this is troubling and shows the criticality of ransomware as a great threat to national security.

Targeting pipelines and distribution channels like this attack on the Colonial Pipeline Co. makes sense - ransomware is about extortion and extortion is about pressure. Impacting fuel distribution gets people's attention right away and means there is increased pressure on the responding teams to remediate the impact. Doing so during a time when the pandemic response has created other distribution and supply chain problems, many of which will require timely and efficient distribution of goods, adds to the pressure.

This emphasizes the need for a coordinated effort that bridges public and private sector capabilities to protect our national interests. We cannot think of these attacks as impacting private companies only - this is an attack on our country's infrastructure."


Nik Whitfield, cyber and continuous controls monitoring (CCM) expert and founder of Panaseer

"The only way to prevent an attack such as ransomware from happening is to have the proper cyber controls and safeguards in place. Yet most organizations don't have the tools to measure and understand if the protections they need are in place and functioning at any given moment in time. It's the biggest issue in cyber security. It's why Gartner's Q1 2021 Emerging Risks Report highlights 'cybersecurity control failures' as the top emerging risk for enterprises today. This lack of visibility is particularly concerning in the industrial sector where threats to organizations such as Colonial Pipeline not only impact the bottom line but also disrupt our everyday lives."


Published Tuesday, May 11, 2021 8:07 AM by David Marshall