At a glance.
- The US Federal response to the ransomware attack on Colonial Pipeline takes shape.
- SVR shifts tactics in response to British-American exposure of TTPs.
US Federal response to a major ransomware attack on Colonial Pipeline.
Reuters reports that Federal agencies are assisting with the response to the Colonial Pipeline attack, and President Biden has been looped in. (Bloomberg notes that the Biden Administration has committed to act on ransomware and critical infrastructure security.) The Department of Energy is keeping tabs on US energy supply, and the Transportation Security Administration and Cybersecurity and Infrastructure Security Agency (CISA) are also involved. Senate Select Committee on Intelligence member Senator Ben Sasse (Republican of Nebraska) called for strengthened national infrastructure security investments, commenting, “This is a play that will be run again, and we're not adequately prepared.”
Transport Topics describes the Federal Motor Carrier Safety Administration’s emergency declaration, which exempts drivers assisting with the crisis from some Federal Motor Carrier Safety Regulations (but not those having to do with vehicle weight, driver’s licenses, or controlled substances).
Ransomware was already a high Federal priority, according to MSSP Alert, with initiatives and clarion calls coming from Congress and the Departments of Justice and Homeland Security. As we’ve seen, Justice is standing up a ransomware task force and conducting a four-month cybersecurity review. Homeland Security is running sixty-day sprints on a variety of cyber issues, including ransomware, and increasing Federal Emergency Management Agency cybersecurity grants. Congress may step up its legislative efforts: the State and Local Cybersecurity Improvement Act, for example, is gaining steam. The Institute for Security and Technology’s ransomware report recommended regulating cryptocurrency and working diplomatic and law enforcement channels.
Wired is skeptical about the ability of measures like these to curb the onslaught, and the New York Times wonders if President Biden’s planned cybersecurity executive order will “be enough,” either. Companies like Colonial Pipeline might not be subject to the order, for one. Among the alternative proposals are command centers that allow CyberCom real time visibility into critical infrastructure incidents, and regulation that sets baseline security standards for key systems. The White House is reportedly engaged in “emergency meetings” about how to defend operators that can’t or won’t defend themselves, despite decades of warnings.
SVR switches gears in response to US, UK exposure of TTPs.
Computer Weekly says the joint advisory out of the UK’s National Cyber Security Centre and the US FBI, NSA, and CISA describing Cozy Bear’s updated tactics, techniques, and procedures “builds on” the countries’ earlier SolarWinds, WellMess, and WellMail work. Following the airing of its old habits, Cozy has apparently turned to new tricks: use of the open-source red team framework Sliver, and exploitation of publicly reported vulnerabilities in Microsoft Exchange, Pulse Secure, Fortinet, Cisco, Citrix, Oracle, and other products. CyberScoop emphasizes the SVR’s Microsoft Exchange efforts as an example of how an unpatched bug can be a boon for diverse adversaries, and BleepingComputer stresses the impact of info-sharing on the intelligence service’s methods.
We heard from some industry experts on the effects of the joint British-American advisory. Matias Katz, CEO of Byos, emailed to comment that no one should expect exploitation of vulnerabilities to end any time soon. “The old saying ‘the only two things certain in life: death and taxes’ should be modified to ‘death, taxes, and vulnerabilities,’” he said, adding, “One viable strategy for managing this inevitability is network micro-segmentation following a zero trust architecture. With this, vulnerable endpoints can be properly isolated from the network to proactively limit any potential damage that can be done if these vulnerabilities are exploited.”
Saryu Nayyar, CEO of Gurucul, is not surprised to see the Russian operators changing their tactics:
“Once again, we see Russian cyber attacks targeting vulnerabilities in popular networking and web server applications including FortiGate, Cisco, Oracle WebLogic, Citrix, VMware and F5. As long as there are still unpatched systems accessible on the open internet, we will see attacks like this. The payloads may change depending on what the threat actor is after, but attackers will continue to leverage vulnerabilities in web servers, routers and virtualization software until there aren't any vulnerable hosts to exploit. This series of attacks is a reminder of how important it is to patch security vulnerabilities, and to make sure the network is protected with an up-to-date security stack.”