Julie Preiss, June 7, 2021
White House Raises Alarm on Ransomware Following Attacks on JBS USA and Colonial Pipeline
On Thurs., June 3, the White House sent an open letter to U.S. businesses urging immediate action to defend against a spike in ransomware attacks characterized as “serious and increasing.” The official memo follows a string of high-profile strikes, including Colonial Pipeline, JBS USA, the largest meat producer in the world, and Steamship Authority of Massachusetts, whose ferry service is in high demand during the summer.
The administration outlined five steps organizations should take now: system backup and offline storage, patching vulnerabilities, testing incident response plans, penetration testing, and network segmentation. These are sound recommendations, to which we add a few comments and suggestions.
The attacks against JBS USA and Colonial Pipeline remind us how essential it is to run backup routines constantly and to check for indicators of compromise. In both incidents, the companies said the attack did not affect their backup servers. While it can take time to restore the entire network and disclose which systems were affected, both companies can likely return to an operational state in a timely manner.
Outdated software with known vulnerabilities enables most cyberattacks, so it’s important to keep third-party software up to date. Currently, the most commonly used vulnerabilities in these attacks include:
- CVE-2019-19781: widely used by ransomware groups like Sodinokibi to exploit outdated Citrix servers
- CVE-2019-11510: used to exploit vulnerable Pulse VPN appliances
- ProxyLogon: a set of Microsoft Exchange vulnerabilities currently used by several malware families, including the new Epsilon Red, to exploit on-premises Exchange servers.
If a company has internet-exposed systems, these vulnerabilities can be used to carry out an attack without having to trick an employee. They also open the gate for other common infection vectors based on the exploitation of weak credentials, which is especially common in attacks carried out over Remote Desktop Protocol (RDP).
In September 2020, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Ransomware Guide detailing practices that companies should adopt to reduce the risk of ransomware attacks. The document is split into two parts, prevention and response. In the response section, they note the need for a comprehensive, step-by-step checklist to follow.
Regular penetration testing is essential to find and fix the vulnerabilities that could be used against any in-house software exposed to the internet. For internet-exposed systems, most attacks still rely on the exploitation of known vulnerabilities, so keeping systems up to date is a must. Routine pen tests on these exposed systems, especially if the company develops the system itself, are also recommended. Attackers probe for these vulnerabilities in order to deploy their malware, so finding them internally before a criminal does is important.
Segmenting the network is the only way to prevent an infected system from being used to compromise others on the same network. Impacted systems must be isolated and possibly taken offline at the switch level if multiple systems or subnets are affected. Even if a system is not exposed to the internet, another compromised system or user can exploit its vulnerabilities by moving laterally across the network. We highly recommend segmenting the network and restricting which systems employees and others can reach. This can limit a breach to only a few servers. Adopting this kind of Zero Trust model reduces the scale of a compromise and helps to speed up recovery.
Although not specifically mentioned in the recent White House advisory, it’s essential to note that people often represent the weakest link in a company’s security. They accidentally click on things and download without understanding potential consequences. We must train them to recognize social engineering attacks, like spam e-mails, directed ads, malicious SMS messages … and more physical techniques like dropping an infected USB stick in a building for an employee to pick up and plug in.
To reduce the likelihood of a successful attack through the “employee” vector, it’s essential that organizations adopt a Zero Trust methodology. Always assume that an employee credential can be compromised! Then validate access with multi-factor authentication, segment the employee network from the systems network, and give an employee access to critical systems only for what is needed to do their job … and nothing more.
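The segmentation and least-access recommendations above, expressed as an added example that is not part of the original post: an nftables ruleset for a Linux router sitting between the employee segment, the server segment and the backup segment. All network ranges and host addresses are constructed placeholders; the bastion is assumed to enforce multi-factor authentication itself.

```nft
#!/usr/sbin/nft -f
# Added example ruleset: employees reach only the services they need,
# administrative protocols reach servers only through an MFA bastion,
# and nothing on the employee or server segments can initiate a
# connection toward the backup segment. Addresses are constructed.
flush ruleset

define EMPLOYEE_NET = 10.10.0.0/16   # constructed: employee workstations
define SERVER_NET   = 10.20.0.0/24   # constructed: critical systems
define BACKUP_NET   = 10.30.0.0/24   # constructed: backup servers
define JUMP_HOST    = 10.20.0.5      # constructed: MFA-protected bastion
define WEB_FRONTEND = 10.20.0.10     # constructed: internal web application

table inet segmentation {
    chain forward {
        # Default deny between segments: anything not listed below is dropped.
        type filter hook forward priority filter; policy drop;

        # Replies to allowed connections; drop packets that match no known flow.
        ct state established,related accept
        ct state invalid drop

        # Employees may use the internal web application over HTTPS only.
        ip saddr $EMPLOYEE_NET ip daddr $WEB_FRONTEND tcp dport 443 accept

        # Administrative access (SSH/RDP) to servers goes through the bastion;
        # workstations can never open RDP or SSH directly to a server.
        ip saddr $EMPLOYEE_NET ip daddr $JUMP_HOST tcp dport 22 accept
        ip saddr $JUMP_HOST ip daddr $SERVER_NET tcp dport { 22, 3389 } accept

        # Backups are pulled: the backup segment initiates toward servers,
        # so a ransomware-infected server has no path to the backup hosts.
        ip saddr $BACKUP_NET ip daddr $SERVER_NET tcp dport 22 accept

        # Log (rate-limited) whatever the default policy drops, so attempted
        # lateral movement between segments becomes visible to the SOC.
        limit rate 10/second log prefix "seg-drop " counter
    }
}
```

Load it with `nft -f <file>` on the router and watch the kernel log for the "seg-drop" prefix: a workstation trying to reach a server on 3389 or the backup segment on any port should appear there rather than succeed.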
The Evolution of Ransomware
Since 2020 we have been covering the evolution of ransomware attacks. Previously, a ransomware attacker would simply encrypt the data on the targeted machine and demand a ransom payment for the secret key, or decryptor, so you could get your files back. Nowadays, with very few exceptions, ransomware attacks are launched only after the attackers have gathered as much data as possible. So even if your backups are up to date, the attackers will try to extort you by threatening to publish the data.
This new cybercrime “business model” has proven to be more profitable. So much so that in the past few days the creators of Babuk ransomware announced on their dark web blog that they will no longer encrypt data in affected networks. Instead, after breaching your systems, they will focus on stealing data and publishing it if the target doesn't pay the ransom. The group also launched a platform, a deep web site named Payload Bin, to publish data from their own attacks and from other groups that decide to “partner” with them. Our team has already obtained access to the Payload Bin website to monitor their leaks. So far, to promote the website, they are hosting the source code of a few CD Projekt Red games, leaked in February of this year.
Ransomware attacks are increasingly disrupting people’s lives and work … and new ransomware families are being discovered all the time. It will take cooperation between the public and private sectors to curtail the efforts of these motivated attackers. The long-term impact on daily life can be significant, as evidenced by the long gas lines following the Colonial Pipeline incident and potential meat shortages resulting from the JBS hack. The message is resoundingly clear: follow best practices to defend against ransomware and stay ever vigilant.