By the CyberWire staff
DarkSide ransomware disrupts Colonial Pipeline.
Colonial Pipeline disclosed last Saturday that it had been the victim of a ransomware attack, and had taken some systems offline as a precautionary measure. The attackers accessed business systems from which they stole nearly a hundred gigabytes of data before they locked Colonial computers and demanded ransom.
The US FBI confirmed that the DarkSide ransomware gang was responsible. A FireEye report on DarkSide emphasized the group's ransomware-as-a-service, affiliate model. It's a selective operation but not a monolithic one. FireEye currently tracks five "clusters" of DarkSide threat activity. "Affiliates retain a percentage of the ransom fee from each victim. Based on forum advertisements, this percentage starts at 25 percent for ransom fees less than $500,000 USD and decreases to 10 percent for ransom fees greater than $5M USD."
The attack represents a major disruption of the US energy sector, WIRED noted, and Reuters reported that oil futures indeed rose in anticipation of shortages. The incident is seen, POLITICO said, as a major challenge to the US Administration, which is investigating the attack and has issued an emergency waiver of some trucking safety regulations so that road transportation can make good some of the expected shortfall.
Colonial Pipeline has offered updates on its recovery throughout the week. Some pipelines have operated under manual control since Monday, and have moved existing inventory. As the company prepared to restart deliveries, it took delivery of an additional two million barrels, which it began to pump as service was more fully restored. (The company appeared also to be addressing some concerns about its pipelines' physical security, having "increased aerial patrols of our pipeline right of way and deployed more than 50 personnel to walk and drive ~ 5,000 miles of pipeline each day.") Colonial restarted its pipeline operations Wednesday evening, and late Thursday said it had resumed delivering product through its lines to all the markets it serves. That said, it's expected to be several days until service returns to normal, and some customers may experience intermittent disruption over the course of recovery.
Colonial Pipeline is said to have paid DarkSide almost $5 million in ransom.
Bloomberg reports that Colonial paid DarkSide operators nearly five-million dollars in cryptocurrency within hours of the attack’s discovery. Their sources are two anonymous persons “familiar with the transaction.” A third source, also unnamed, says the US Government is aware of the payment. Other outlets had reported, prematurely, that Colonial Pipeline had decided not to pay the ransom. Since Bloomberg's report, however, other outlets, including the Wall Street Journal, have also run the payment story.
So did paying up pay off? Yes and no. The DarkSide operators did deliver a decryptor to Colonial Pipeline, but sources say that “the tool was so slow that the company continued using its own backups to help restore the system.” So they got the decryptor, but may not have found it particularly useful. That's bad news, at some level, for everyone involved: Colonial is out $5 million, other organizations (the New York Times notes) are chagrined by the fuel the payment poured onto the bandit economy, and (as Joseph Cox tweeted) the hoods themselves will find it difficult to make their case for payment in future attacks. If the decryptors are less than fully successful, then why throw good money after bad?
The payment of ransom is likely to lend further impetus to developing effective laws and regulations governing response to ransomware attacks. There’s a growing movement among insurers announcing their decision not to cover ransom payments, and governments are likely to make it more difficult for victims to pay up. Doing so fuels a bandit economy, and there’s a growing consensus among legislators and regulators, and in industry as well, that only disrupting ransomware’s business model will clap a stopper over this corner of the criminal market.
The US Cybersecurity and Infrastructure Security Agency (CISA) issued an Alert that offers a set of best practices to protect against ransomware-induced business disruptions. The Alert was prompted by the attack against Colonial Pipeline, and it includes in its introductory section the preliminary conclusion that DarkSide ransomware affected Colonial's IT systems only, and had no direct effect on the company's OT networks. The best practices CISA advocates are familiar. The Alert closes with a statement strongly discouraging any victim from paying the ransom their attackers demand: "Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered."
Attribution of the Colonial Pipeline ransomware attack, and suspicion of state involvement.
The Voice of America reported that US Homeland Security Secretary Mayorkas promised Congress a "whole-of-government" response to the incident.
One aspect of that response is likely to be diplomatic. According to a report published in SecurityWeek, when he was asked during a media availability Thursday whether President Putin or his government were aware of the attack, US President Biden said: "I am confident that I read the report of the FBI accurately and they say they were not, he was not, the government was not. We do not believe—I emphasize—that the Russian government was involved in this attack. But we do have strong reason to believe that the criminals who did the attack are living in Russia. That's where it came from." President Biden did say that he thought the issue of Russian control over criminal groups operating from its territory would probably come up during this summer's Russo-American summit talks.
An official disavowal of belief in direct Kremlin involvement may be motivated by the way the incident looks like deniable sabotage. The Russian government has used fronts, cut-outs, and contractors before, and one of the responsibilities of sovereignty is preventing attacks on other nations by people operating from one's territory. And if there were letters of marque and reprisal in cyberspace, the result might well look a lot like a ransomware attack: the government sees its adversaries disrupted, and the cyber privateers get (in this case) about $5 million in alt-coin. CNBC offered an example of this kind of speculation, which, we emphasize, is exactly that: speculation, but plausible speculation.
The criminal ransomware underground may be feeling some stress, too.
The Wall Street Journal wrote Friday, sourcing the story to FireEye (the company Colonial Pipeline brought in to deal with the ransomware attack it sustained), that the DarkSide ransomware-as-a-service gang has told its affiliates that it intends to shutter its operations. The criminals communicated to some affiliates that they'd lost access to their infrastructure, and that they were under pressure from US law enforcement. Flashpoint researchers say the gang complained that it had lost its blog, its payment servers, and its DoS (denial-of-service) servers. It also said that the funds on its payment servers, both its own and its customers', had been withdrawn and sent to parts unknown. So it seemed a good time to call it quits.
How seriously this exit should be taken remains to be seen. Other ransomware gangs have disbanded under pressure before, only to reconstitute themselves later, perhaps under a different name. But for now at least DarkSide affiliates continue to inflict their ransomware on other targets. The Colonial Pipeline incident is merely the highest profile disruptive attack. Kyodo reports that the group has claimed the exfiltration of some seven-hundred-forty gigabytes of sensitive information from Toshiba Tec Corp.'s operation in France. And BleepingComputer has confirmed that DarkSide also claims to have hit Essen-headquartered chemical distributor Brenntag. The gang says Brenntag paid them the equivalent of $4.4 million in cryptocurrency two days ago, an amount negotiated down from DarkSide's original demand of $7.7 million.
Criminal businesses have some of the same needs as legitimate ones, among them marketing, because it pays to advertise. The Record reports that one popular hacking forum, XSS (formerly known as DaMaGeLab), has announced it will no longer accept advertising for ransomware services. The site's admin posted a note yesterday to the effect that "Lockers (ransomware) have accumulated a critical mass of nonsense, [B.S.], hype, noise." As has been the case with other fora in the past, XSS's firm resolution to sin no more may have been prompted by a kind of near-death, or at least near-prosecution, experience. They'll forgo the revenue to avoid the scrutiny.
Flashpoint has taken a closer look at XSS. The forum’s proprietors appear to feel that Moscow was getting ready to hang them out to dry: “Peskov,” that is, Russian President Putin’s press secretary, “is forced to make excuses in front of our overseas ‘friends’ this is a bit too much.” The admin linked to an article in Kommersant, a Russian news site, that ran under the title “Russia has nothing to do with hacking attacks on a pipeline in the United States,” which they apparently read as a menacing disavowal.
Australia, US, warn of Avaddon ransomware threat.
DarkSide isn't the only ransomware gang presenting an active, ongoing threat. The Australian Cyber Security Centre (ACSC) and the US FBI have warned, BleepingComputer reports, that the Avaddon threat group is active against targets worldwide. Like DarkSide, Avaddon operates as an affiliate network. Its ransomware-as-a-service offerings have been active, the ACSC says, against targets in at least twenty countries, across seventeen sectors.
A scorecard for Cozy Bear.
A joint advisory issued Friday by the UK's National Cyber Security Centre (NCSC) and three US agencies (CISA, FBI, and NSA) describes the tactics, techniques, and procedures (TTPs) Russia's SVR foreign intelligence service used in the SolarWinds compromise and elsewhere. The advisory is specific and unambiguous in attributing the attacks to the SVR. Its big point is that the SVR relies on publicly known vulnerabilities and publicly available exploits to scan for and exploit vulnerable systems. A list of the vulnerabilities the SVR is known to have exploited is provided, with the qualification that the list can't be regarded as exhaustive. In its choice of targets the SVR has recently shown a willingness to compromise trusted software supply chains. It has also scanned for vulnerable instances of Microsoft Exchange Server, activity hitherto associated for the most part with Chinese intelligence operations. BleepingComputer notes that a foreseeable reaction to the US and UK advisories has indeed been observed: the SVR is changing both its targeting and its TTPs.
Verizon's DBIR is out.
Verizon's annual Data Breach Investigations Report is out. In brief, ransomware is up, as are social engineering in general and misrepresentation in particular: "Eighty-five percent of breaches involved the human element. Phishing was present in 36% of breaches in our dataset, up from 25% last year. Business Email Compromises (BECs) were the second-most common form of Social Engineering." Compromised clouds were more common than compromised on-premises systems, Verizon found.
And there’s a good news, bad news story here, too. The report says, “The good news? Fourteen percent of simulated breaches had no impact. But don’t count on that for your organization’s security plan. The median for incidents with an impact was $21,659, with 95% of incidents falling between $826 and $653,587.”
Patch news.
May 11th was Patch Tuesday. Microsoft addressed a total of fifty-five vulnerabilities, four of them rated "critical." Adobe fixed problems in several versions of Acrobat and Acrobat Reader. The Zero Day Initiative has a summary of these patches and their implications. Onapsis (which calls this month's Patch Tuesday a "calm" one) has an account of the fourteen fixes SAP released. Siemens issued fourteen advisories for its systems, nine of which, SecurityWeek writes, cover issues in third-party components.
Crime and punishment.
Four gentlemen have taken guilty pleas to US Federal RICO charges, that is, charges under the Racketeer Influenced and Corrupt Organizations Act, involving their operation of a bulletproof hosting service that provided infrastructure for cybercriminal gangs. The malware hosted by their service included Zeus, SpyEye, Citadel, and the Blackhole Exploit Kit. The US Department of Justice says that the four, Russian citizens Aleksandr Grichishkin and Andrei Skvortsov and two of their employees, Lithuanian citizen Aleksandr Skorodumov and Estonian citizen Pavel Stassi, face up to twenty years' imprisonment. They're scheduled for sentencing, respectively, on June 3rd, June 29th, July 8th, and September 16th.
Stars and Stripes reports that US Federal prosecutors have asked for a sentence of seventeen years in the case of Peter Rafael Dzibinski Debbins, a former US Army Special Forces officer. Mr. Debbins took a guilty plea last November to a charge of participating in an espionage conspiracy with Russian agents between December 1996 and January 2011. His attorney has asked for leniency on the grounds that Mr. Debbins suffered from “psychological pathologies.”
Courts and torts.
A leading German data protection regulator, the Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI), is using a GDPR order to stop Facebook from collecting personal data from WhatsApp users for three months, Computing reports. The order is in response to WhatsApp's new terms of service, which users are required to consent to by May 15th. Hamburg's data protection commissioner Johannes Caspar stated, "The order is intended to safeguard the rights and freedoms of the many millions of users throughout Germany who give their consent to the terms of use. My objective is to prevent disadvantages and damages associated with such a black-box procedure." A WhatsApp spokesperson told Reuters, "As the Hamburg DPA's claims are wrong, the order will not impact the continued roll-out of the update. We remain fully committed to delivering secure and private communications for everyone."
Snapchat's parent company Snap has suspended two Snapchat apps, Yolo and LMK, after the company was hit with a lawsuit by the mother of an Oregon teen who took his own life last year, the Los Angeles Times reports. The lawsuit claims that the teen had been bullied for months on the two anonymous messaging apps. A Snap spokesperson stated, "In light of the serious allegations raised by the lawsuit, and out of an abundance of caution for the safety of the Snapchat community, we are suspending both Yolo and LMK’s Snap Kit integrations while we investigate these claims."
Policies, procurements, and agency equities.
President Biden Wednesday evening signed his Administration's long-anticipated Executive Order on Improving the Nation's Cybersecurity. "It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security," and the President says he expects the Federal Government to lead by example. The Order calls for "bold changes" and "significant investments" to protect and secure the Federal Government's computer systems. "The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT))." It formalizes the responsibilities the Cybersecurity and Infrastructure Security Agency (CISA) has for functional oversight of Federal Civilian Executive Branch (FCEB) agencies, but it also prescribes important roles for the FBI and Defense agencies (notably the National Security Agency).