By the CyberWire staff
Colonial Pipeline services restored.
Colonial Pipeline tweeted Saturday that its services had returned to normal.
After a brief disruption on the 18th caused by an IT problem, Colonial Pipeline tweeted that it had quickly resumed full service, and that the brief interruption was not the result of a cyberattack. "Our internal server that runs our nomination system experienced intermittent disruptions this morning due to some of the hardening efforts that are ongoing and part of our restoration process. These issues were not related to the ransomware or any type of reinfection," the company said.
Colonial's CEO Joseph Blount confirmed to the Wall Street Journal that he did authorize payment of $4.1 million in ransom to the company's extortionists. The urgency of restoring service, combined with the company's uncertainty about how extensively its systems had been compromised, drove the decision. He acknowledged that deciding to pay the ransom was difficult, and that he knew the decision would be controversial, but he judged the situation analogous to the challenge of restoring service after a natural disaster, like a Gulf hurricane.
The company's decision to pay ransom to the extortionists has drawn generally adverse comment (ironic, given that paying $5 million to DarkSide, the gang responsible, apparently didn't aid the recovery, which Colonial Pipeline had to do, in the end, from its own resources). Some, like the US National Security Council's Anne Neuberger, expressed sympathy for organizations caught in a tough spot. CNBC quoted her as saying, "We recognize that victims of cyberattacks often face a very difficult situation and they have to just balance often the cost-benefit when they have no choice with regards to paying a ransom. Colonial is a private company and we'll defer information regarding their decision on paying a ransom to them." This is not by any means an endorsement of giving in to extortionists: she pointed to the FBI's unambiguous advice against paying ransom.
And overall the consensus is with CISA, whose advice is summarized by SIGNAL: paying the ransom isn't a good practice. WIRED offers a long summary of the ways in which payment perpetuates a vicious cycle and fuels a bandit economy.
The consensus is also that ransomware attacks against critical infrastructure are likely to be attempted again. An op-ed published by the Australian Broadcasting Corporation frames the incident as a warning that there's worse to come unless the major cyber powers can arrive at some international norms that would produce an effective modus vivendi in cyberspace. The New York Times, in a piece that accepts DarkSide's self-presentation as a group of apolitical criminals, argues that the incident should be assessed in terms of the vulnerabilities it exposed.
Jalopnik's rather sour take on the incident is the observation that the ransomware didn't actually interfere with pipeline operations, just Colonial's ability to bill customers for deliveries, which is why the company shut its systems down. Their piece also quotes some of the communications from DarkSide recounted by Zero Day, like this one: "Before an attack, we carefully analyze your accountancy and determine how much you can pay based on your net income. You can ask all your questions in the chat before paying and our support will answer them." Jalopnik's comment is apt enough: "I can't get over this exchange where the hackers are blasé about the billing breach, and refer Colonial to their customer service as if this were some broadband outage from a [sh**ty] ISP."
Dragos May 27 Webinar: A “Water” Watering Hole Is Discovered
During our investigation into the Oldsmar attack, we discovered a Florida water utility contractor hosting malicious code on their website. Join Dragos’s Sergio Caltagirone and Kent Backman for their take on why intelligence and intrusion analysis aren't always what they seem during this educational webinar co-hosted with The SANS Institute. You’ll learn about approaches to understanding threats and taking action in high-profile and rapidly-changing situations. Register here.
DarkSide may have gone dark, but why?
The DarkSide ransomware gang, which has said (as the Record points out) that it lost control of both its servers and at least some of the money it had extorted from victims, announced late last week that it was going out of business. The Wall Street Journal updated its reporting on DarkSide's going-out-of-business announcement. The Journal notes that cybercriminal gangs have been known to announce their retirement only to reappear after a decent interval, usually under a new name. So it could be, as SecurityWeek puts it, that the DarkSide operators are "running scared." It's also possible, as FireEye tweeted, that the hoods are simply taking advantage of an opportunity to abscond with their criminal affiliates' money in an exit scam. That's happened before, too, but it's a bit early to tell exactly what's going on with them. It would be naive to think that the people behind the scam have retired, gone straight, or moved on to another criminal line.
The gang's statements suggested they were under pressure from American law enforcement and intelligence organizations, but the Washington Post reported that four US officials have quietly denied that any US military, law enforcement, or other agency did anything of the kind. Various DarkSide affiliates have been complaining that the ransomware-as-a-service gang stiffed them of the ransom shares it owed them, which makes it appear likely that DarkSide simply absconded on the plausible pretext that it was being rousted by the Law.
The gang has to this point raked in a fair amount of cash. Elliptic, which identified a Bitcoin wallet used by DarkSide, puts the ransomware gang's take at somewhat more than $90 million. On average, victims paid $1.9 million. Elliptic was able to track payments made from forty-seven wallets. DarkSide has claimed ninety-nine successful attacks, which suggests that about half the organizations hit made some payment.
We are thrilled to welcome another great new podcast to the CyberWire network!
8th Layer Insights, where host Perry Carpenter brings in industry experts to discuss how the complexities of human nature affect security and risk. Topics will include cybersecurity, psychology, behavioral science, communication, leadership, and more. Check out the trailer and subscribe to hear the first episode when it drops on Tuesday, May 25th!
Other ransomware gangs grow quiet (at least briefly).
Reuters reports that two other ransomware gangs, AKO and Everest, also went dark over the weekend. While underground criminal websites do from time to time suffer from instability, Recorded Future thinks that in this case the two gangs made a conscious decision to drop offline. Intel 471 has a useful account of where things stood with various gangs as of Friday: a number of groups seem to have skedaddled.
The stand-down seems not to have lasted. By mid-week Reuters was reporting that rates of ransomware activity had returned to near-normal levels.
Who is DarkSide working for?
Themselves, obviously, but possibly also in alignment with the Russian government. Attribution of cyberattacks to specific criminal groups is the last refuge of metaphysics in security, if only because identity conditions for gangs are notoriously slippery and protean. How do you recognize the same gang when it shows up again? Defense One points this out in the case of DarkSide, the group generally regarded as the one behind the Colonial Pipeline attack. The authors, both from RAND, note that, among other things, it would be unwise to accept "DarkSide's" self-presentation as "apolitical." Cyberspace is no stranger to fronts, false flags, cut-outs, and other forms of misdirection.
KrebsOnSecurity notes some evidence of, at the very least, a desire on the part of DarkSide to avoid getting on the wrong side of the Russian organs: "DarkSide, like a great many other malware strains, has a hard-coded do-not-install list of countries which are the principal members of the Commonwealth of Independent States (CIS) — former Soviet satellites that mostly have favorable relations with the Kremlin." More to the point than friendly relations with Moscow, which a number of the former Soviet republics decidedly do not enjoy (consider the case of Ukraine, geographically and culturally hugger-mugger with Russia, but whose relations with its larger neighbor are unfriendly to the point of lethal skirmishing), is the kind of linguistic slop that could facilitate collateral damage to Russian organizations. Better to avoid anyone using Cyrillic characters. And such damage is something a gang operating at the sufferance of the Kremlin, even if not working under state direction, would in all cases want to avoid.
Cybereason, whose work KrebsOnSecurity cites, and which has published an account of DarkSide's methods, finds DarkSide's claim to follow a high-minded, Robin-Hoodesque code of ethics implausible. The gang's communiqués suggest that they didn't mean to impose any hardship on individuals, the regular Janes and Joes in line at the gas station:
"If they are to be believed, all they saw was another slow-moving, wealthy target. They were pirates, they tell us, not privateers, and certainly not a nation-state navy. And they are honest pirates who follow a code, and thus deserve some sympathy for this huge, but honest mistake.
"Hornigold, and Every before him, DarkSide wouldn’t be the first criminal organization to appeal to the sympathies of their victims by claiming that they follow a strict code of ethics. It remains to be seen if it will work, or if it’s true. Semi-state sanctioned crime may not repeat itself through the ages, but it often rhymes."
Are you interested in space and communications?
If so, take a look at the Cosmic AES Signals & Space. Aerospace meets outer space. This monthly briefing on cyber security as it relates to the space and SIGINT sectors covers technology, policy, market news and more. Our new issue comes out Thursday, April 1, 2021.
Conti ransomware hits Ireland's Health Service Executive.
DarkSide isn't the only ransomware gang to make news. Ireland's Health Service Executive has come under a ransomware attack that's interfered with scheduling care, and that may, the Wall Street Journal reports, end up costing the public healthcare organization tens of millions of euros to remediate. The Irish Times says the country's Department of Health has also come under attack, probably by the same gang. BleepingComputer identifies Conti as responsible.
Computing reports that Prime Minister Martin says the Irish government has no intention of paying.
Double encryption as a ransomware trend.
WIRED describes a further evolution in ransomware: double encryption. The gangs began by simply rendering victims' data unavailable, moved on to data theft and doxing, and now have begun encrypting data twice. In some cases they use one strain on part of a victim's information and a second strain on the rest, which means that a single decryptor will at best restore a fraction of the data. In others the criminals use first one strain, then another, on the entire corpus, so that a second decryptor is necessary to recover anything at all.
A watering hole appears to have been interested in water utilities.
Dragos has an interesting account of a watering hole that appears to have some circumstantial temporal connection to the incident at the Oldsmar, Florida, water utility. Hosted on a water infrastructure construction company's site, the watering hole did not seem to compromise, or deliver malware to, the utility's control systems, instead "collect[ing] legitimate browser data for the purpose of improving the botnet malware’s ability to impersonate legitimate web browser activity."
Announcing our Memorial Day sale.
Next week only, subscribe to get one month free when you sign up for an annual Pro subscription! That’s one month of access to all of our premium content that keeps you ahead of developments in cyber. Be on the lookout on our website starting May 24th!
Android apps with cloud misconfigurations.
Researchers at Check Point say their examination of twenty-three Android applications found thirteen apps that exposed the data of more than a hundred million users. The problem lies in the developers' misconfiguration of such cloud services as Real-Time Database, notification managers, and storage. The report finds that among the more common poor practices was the embedding of push notification and cloud storage keys in the apps themselves.
Trends in phishing.
Palo Alto Networks' Unit 42 has found that the controllers of BazarLoader, malware that backdoors infected Windows hosts, are now using trial-subscription phishbait to direct victims to a call center that walks them through the process of installing the loader. They're calling the operation "BazarCall."
INKY describes an ongoing criminal campaign that uses phishing to induce victims to give up their email credentials. The phishbait is a bogus RFP (request for proposals), and the emails originate from compromised accounts that are generally known to the recipients. The campaign was staged from the cloud-based content-sharing service Adobe Spark.
Proofpoint is also seeing abuse of cloud content-sharing services. In this case the platforms affected are from Microsoft and Google. This approach, the company notes, lends an appearance of legitimacy to criminal phishing attempts.
Patch news.
Microsoft will retire Internet Explorer on June 15th, 2022, the Verge reports.
Crime and punishment.
A 21-year-old London man, Teige Gallagher, has been sentenced to four years and three months in a UK prison for sending scam text messages posing as the country's National Health Service (NHS), Computing reports. The Crown Prosecution Service (CPS) stated, "Gallagher had been sending out bulk text messages to members of the public claiming to be from various commercial organisations such as banks and from the NHS. The victims were asked for personal financial information, including questions relating to their bank accounts and bank cards. In the case of the NHS, Gallagher set up web pages based on the GOV.UK website, which claimed it needed this information to verify who victims were and their entitlement to receive the vaccine. The police found iPhones at Gallagher’s home containing messages purporting to be from the NHS, various banks, and Netflix. On one of the phones more than 2,000 telephone numbers were found, believed to be a list of victims who were sent scam SMS messages."
Amazon has extended its ban on law enforcement use of its facial recognition software indefinitely, the Washington Post reports. The company initially banned police use of the software last June to "give Congress enough time to implement appropriate rules."
Courts and torts.
Reuters reports that Ireland's High Court has allowed the Irish Data Protection Commissioner to go forward with an inquiry into Facebook's data flows from the EU to the US. The court stated, "For the reasons set out in this judgment, I refuse all of the reliefs sought by FBI (Facebook Ireland) and dismiss the claims made by it in the proceedings....FBI has not established any basis for impugning the DPC’s (Data Protection Commissioner’s) decision or the PDD (Preliminary Draft Decision) or the procedures for the inquiry adopted by the DPC."
The UK's Information Commissioner's Office (ICO) has fined a coronavirus contact tracing company £8,000 for using people's data for marketing purposes, Naked Security reports. The company, Tested.me, did technically ask for consent when users signed up, but the ICO found the wording of the consent form to be too broad and ambiguous. The ICO stated, "The company sent nearly 84,000 nuisance emails at the height of the Covid-19 pandemic between September and November last year, when businesses were using private QR code providers to collect personal data to meet the government's contact tracing rules."
Pennsylvania's Attorney General Josh Shapiro has opened an investigation into a breach of COVID-19 contact tracing data that may have affected data belonging to 72,000 people, the Daily News reports.
Policies, procurements, and agency equities.
Now that operations have returned to normal, the DarkSide ransomware assault on Colonial Pipeline has moved into its after-action review stage, as legislators grill the company and third parties seek to extract lessons. BankInfoSecurity says that two bills influenced by the incident, the Pipeline Security Act and the CISA Cyber Exercise Act, are under consideration in the US House of Representatives. The former would sort out responsibility for pipeline security between the Cybersecurity and Infrastructure Security Agency (CISA) and the Transportation Security Administration (TSA); the latter would require CISA to establish a national program in which government and industry could test their infrastructure's resilience against a range of cyberthreats.
Sergei Naryshkin, director of Russia's SVR, told the BBC that, not only was Russia not behind the SolarWinds compromise, but that in fact the American intelligence services were. Probably. And the British services, too. Probably. Mr. Naryshkin is "flattered" by the accusation that the SVR did it, but such charges are not only false, but "pathetic."