Alexey Kleymenov (Nozomi Networks Labs) writing on the ISA Automation website showed the internal mechanics of DarkSide’s attack on the Colonial Pipeline. Nozomi Networks Labs has studied the internals of the DarkSide executable is sharing its findings to reveal the techniques used by its machine code in three areas: the selection of victims and files, ensuring anonymity and anti-detection, and preventing data restoration. Read his fascinating analysis here.
A report from MIT outlined how ‘self-promoting cybersecurity firms end up helping ransomware criminals’. In January this year, Bitdefender defender ‘happily announced’ a ‘startling breakthrough’, a flaw in DarkSide’s ransomware. The following day, DarkSide declared that it had repaired the problem, and that ‘new victims have nothing to hope for, special thanks to BitDefender for helping fix our issues, this will make us even better’. DarkSide wasn’t bluffing, it unleashed a new string of attacks including the one that paralyzed Colonial Pipeline. MIT believes that without Bitdefender’s announcement, it’s possible that the crisis might have been contained, and that Colonial might have ‘quietly restored its system with a secret decryption tool’. Read the full story in the MIT Technology Review.
The US Cybersecurity and Infrastructure Security Agency (CISA) has named has named pipeline infrastructure as one of 55 National Critical Functions (NCF) that can cause a ‘debilitating impact on security, national economic security and public safety.’ CISA has published a Joint Cybersecurity Advisory AA21-131A covering the DarkSide heist and outlining best practices to mitigate disruption from ransomware attacks. The advisory includes ‘indicators of compromise’, malicious lines of code that need to be scanned-for in company networks.
Michela Menting, ABI Research’s digital security research director described the Colonial Pipeline incident as ‘exposing a willful ignorance to take cybersecurity seriously!’ ‘Any company (especially one with upwards of $500 million in annual revenues) that is not prepared for such attacks has clearly been purposefully skimping on basic cybersecurity tools, training, and strategy.’ Menting surmised that as the attack shut down both IT and OT, ‘their security posture must have been poor at best’. In the face of continuously increasing threats, even the best cybersecurity solutions will not guarantee protection. Preparation for an attack means ‘architecting infrastructure so that it can continue to operate despite an ongoing attack while simultaneously recognizing and dealing with the threat’. More in ABI Research’s Critical Infrastructure Security market data report.
Reflecting on the Colonial Pipeline hack, Index Engines observes that hackers now routinely include backup infrastructure in their attacks, thereby making recovery impossible. Index Engines supports backup products from vendors such as Dell to ensure backup environments are available to provide clean recoveries. Index Engines Jim McGann commented ‘cyber criminals can now sabotage companies’ recovery processes. Both the REvil and Conti ransomware have can now corrupt or shut off backups.’ More from Index Engines.
Bedrock’s Sam Galpin, commenting the Colonial attack, said, ‘In an ideal world with state-of-the-art defenses, the attack would be detected and defeated before it could inflict any damage. In the real world, the first indication of compromise is likely to be the ransom note. Surviving ransomware is about what happens next’. This means immediate activation of the cyber incident team and response plan. The starting point may well be that an attack has disabled all the Windows workstations on the control network. Under these conditions it is probable that PLCs and other controllers are still running. This is, of course, uncertain. The HMI screens are displaying ransom notes. The operators are blind. To find out what might happen next, read Bedrock’s white paper: Chapter 4 – Securing Industrial Control Systems – Best Practices.
CGG reports a cybersecurity incident on a server hosting Accellion software*. The vulnerability exploited Accellion’s secure file transfer application (FTA), before a corrective patch was found. At CGG, Accellion’s FTA was used on a separate server, isolated from production IT infrastructure. This standalone server had limited use within CGG and was not used to transfer or store personal or commercial sensitive information. There has been no operational or financial impact. CGG is investigating the breach in collaboration with Accellion and external security partners. More from CGG.
* Ironically, Accellion’s Kiteworks flagship is claimed to ‘prevent breaches and compliance violations from risky third party communications’.
Gyrodata reports a data security that may have involved personal information of some current and former Gyrodata employees. On February 21, 2021, Gyrodata discovered that it was the target of a ransomware attack. In response, the company immediately took steps to secure its systems, launched an investigation, and a cybersecurity firm was engaged to assist with its investigation. Gyrodata also notified federal law enforcement of the incident and continues to support their investigation. Individuals whose personal information may have been involved should remain vigilant for incidents of fraud or identity theft by reviewing account statements and free credit reports for any unauthorized activity. As a precaution, Gyrodata is also offering individuals whose Social Security number or driver’s license number may have been involved complementary credit monitoring and identity protection services. More from PR Newswire.
A white paper from Abacode, a managed cybersecurity and compliance provider (MCCP) warns that cyber-insurance is not quite the panacea some companies hope for. Recent legal precedence has seen insurers voiding key coverage by involving the ‘act of war’ clause. The argument gained legal credibility in the trial of the six Russian military members indicted for cybercrimes in connection with the 2016 NotPetya wiper attack. Insurers claimed the NotPetya attack represented a hostile act by a sovereign power and did not pay out. Abacode states that cyber-insurance is not a ‘get-out-of-jail-free’ card, businesses and organizations need to start looking at cyber-related insurance policies as a supplement to their own risk calculations – not as a substitute. Denial of coverage reveals a fatal flaw in many companies’ risk management policies, notably as ‘silent coverage’, where the insurance is not bought specifically for the risk, is now being eliminated from property and business-interruption insurance policies. Companies need to perform a third party security assessment by experts (like Abacode?) to establish a cybersecurity capability baseline and then to focused on their own security controls around critical assets and on mitigating critical, low probability, high-impact cyber-threats like a ransomware attack. More from Abacode.
Special Publication (SP) 1800-25 from the NIST National Cybersecurity Center of Excellence (NCCoE) covers ‘Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events. SP 1800-26, addresses ‘Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events’. These new publications complement SP 1800-11, which addresses recovering from ransomware and other destructive events. See also the NCCoE Data Security program page.
Cynet’s 2021 Survey of CISOs with Small Cyber Security Teams interviewed some 200 chief information security officers in ‘medium-large’ sized organizations with between 500 and 10,000 employees and security budgets mostly in the $500k to $1 million range. Findings are that such small (up to 5 FTEs) are forced to cut corners, 16% of teams are ignoring alerts that have been automatically mitigated, 14% of teams only look at the alerts that are flagged as ‘critical’, and 79% of companies take more than 4 months to get up to speed deploying and becoming proficient in top security tools. The realities of small security teams ‘are opening companies up to serious risk’ and are ‘drowning in duplicate processes, and complex controls’. The top two breach prevention technologies* used by about almost all respondents were EDR/EPP (52%) and NTA/NDR (45%), followed by CASB (29%), NGAV (18%) and XDR (15%). Looking forward companies are planning to acquire NGAV (64%), Deception (56%) and CASB (42%). Deception and UEBA were the top two breach prevention technologies that companies want but cannot afford due to high costs or lack of people to operate. Outsourcing (to Cynet?) is one way to handle risk. Read the Cynet analysis here. Cynet has also announced the creation of a CISO Consortium and the 2021 CISO Challenge for cybersecurity team leaders to test knowledge of compliance and regulation, risk assessment, management KPIs, threat and vulnerability management, sign up here.
* Terminology explained here.
A flyer from ABS Group, ‘Cybersecurity services for the oil, gas and chemical industries’ announces that ‘Cyber criminals worldwide are expanding their attacks from the IT systems that control your business data to the OT and industrial control systems that run your operations’. OT in oil and gas is ‘highly specialized, with network connections that are vulnerable to attack’. ABS cites a 2020 analysis from Lawrence Livermore National Laboratory* that concluded ‘The oil and gas industry is unaware of potentially useful technologies that have been developed for ensuring cyber-security of other infrastructure systems, such as the electric grid. Leveraging these technologies—and the science and engineering behind them—can provide some low hanging fruit that can greatly improve cyber-security in the ONG industry without significant investments in terms of time and money.’ ABS partners with Obrela Security Industries on a managed services package that improves visibility and control of industrial cyber risks. More from ABS Group.
* Dragonstone Strategy – State of Cybersecurity in the Oil & Natural Gas Sector.
aeCyberSolutions, the Industrial Cybersecurity division of aeSolutions, has announced ICS Cybersecurity Risk Screening, a new service to assist industrial organizations in understanding the worst-case risk to operations should their industrial control systems (ICSs) be compromised. Cybersecurity risk screening exposes potential cyber risk to operations and shows how assets can be grouped into zones and conduits, allowing budgets and resources to be applied appropriately. More from aeCyberSolutions.
Bayshore Networks, a specialist in ‘active protection’ for OT/ICS Networks, has added OTfuse Lite to its Modular Industrial Control Cyber Security Platform of products. OTfuse Lite sells for $999 MSRP and provides threat detection, policy learning and enforcement in a solid-state device with a 5-year warranty.
Syed Belal from OT Cybersecurity Consulting Services, blogging on the ISA website, provides advice on the ‘Top 7 OT Patch Management Best Practices’. Unlike the IT environment, patches cannot all be installed on OT assets because of incompatible hardware, lack of vendor approval and the possibility of a patch crashing the asset. Patches may need wait until the next shutdown, leaving the asset vulnerable. Risk can still be mitigated with alternative controls, a.k.a. ‘patching smart’. Read the full best practices here.
The EU Commission has unveiled a new EU Cybersecurity Strategy plan, a ‘key component of shaping Europe’s digital future. The Strategy will ‘bolster Europe’s collective resilience against cyber threats’. Download your copy here (the Darktrace folks are reading it now).
Giesecke+Devrient has launched StarSign Key Fob, a biometric access device that controls employee access to company assets, ‘at the highest security level, in a convenient way’. The key fob supports two-factor authentication, adding fingerprint identification to the coin-sized device. More from Giesecke+Devrient.
Mission Secure has upgraded its OT Cybersecurity Platform with a new ‘OT security score’ that helps users focus resources on activities delivering the biggest impact. Other new features enable faster, more efficient incident investigations and response, and improved bandwidth utilization for low bandwidth cellular and satellite communications systems. More from Mission Secure.
Siemens Energy has rolled-out ‘MDR’, an AI-driven cybersecurity monitor and detection service for the energy industry. MDR is powered by Eos.ii, Siemens security incident event management system. (SIEM). Eos.ii is an ‘interoperable and manufacturer-agnostic’ platform that aggregates IT and OT data from Siemens process security analytics (PSA) threat stream and contextualizes it to pinpoint understand anomalous behavior. In summary – MDR uses the Eos.ii SIEM which embeds PSA (any more acronyms Siemens?) Read the Eos.ii whitepaper here.
© Oil IT Journal - all rights reserved.