Securing critical infrastructure has been a growing concern for many years as major breaches spanning a wide range of industrial sectors consistently make headlines. The latest being the recent attack on Colonial Pipeline from a cyber-criminal group named Darkside, which came only days after the U.S. Department of Energy (DOE) announced a 100-day Plan to accelerate cybersecurity detection, mitigation and response across the electric utilities subsector and the U.S National Security Agency (NSA) released an advisory on ensuring the security of OT.

While the DarkSide attack only affected Colonial’s IT network, the company made the proactive decision to shut down their OT network so that the ransomware could not move laterally from the IT network to the OT network. Many years ago, OT networks were often air-gapped and didn’t have connectivity to IT systems. This reduced the overall risk of cyber threats impacting operations. Today, the reality is that these two network domains are widely becoming more converged to drive business improvements. This connectivity, while delivering business value, also introduces new risks that threaten the operational resiliency of the OT network that must be addressed.

How did the attack occur?
Perpetrated by DarkSide, of which Brian Krebs provides a closer look at this ransomware gang, first appeared on Russian language forums in August 2020 and provides a “Ransomware as a Service” platform to infect organizations with ransomware. FireEye also shines a light on the operations of DarkSide ransomware. There is a version for both Windows and Linux.

Multiple sources report this ransomware leverages several threat vectors to gain access and install the ransomware on the device.

1. There was exploitation of a bug in SonicWall (CVE-2021-20016) that had been already patched by the vendor
2. There was the use of TeamViewer to maintain connection to the devices and to also find other locations within the network to install the TeamViewer client
3. The group leveraged rclone.exe to move gigabytes of data off the internal network and to an external source
4. The file power_encryptor.exe was then leveraged to encrypt files and leave ransom notes

CISA and FBI have published specific technical recommendations on this in Alert (AA21-131A), “DarkSide Ransomware: Best Practices for Preventing Business Disruptions from Ransomware Attacks.”

As IT and OT networks continue to converge, there are several areas that organizations should focus on to ensure proper integration and security across the entire enterprise. These activities span people, processes, and technology:

People:

• Align business concerns with the current threat environment
• Create a roadmap for how OT and IT teams will work together
• Build a culture of security
• Ensure the different OT and IT responses and actions are aligned to mitigate operational risk

Processes:

• Assess current processes and identify weak links; create a roadmap aligned to risk
• Bring IT and OT together to build data collection processes that monitor and secure high-risk assets

Technology:

• Establish a complete IT, OT, IoT asset inventory and network baseline
• Backup critical assets and test for data integrity regularly
• Ensure proper security hygiene
• Patch management – employ a tool that can identify assets in need of patching in near real-time.
• Understand current state of network communications between IT and OT domains and identify must have network flows for business operations
• Develop a segmentation strategy across IT and OT networks to minimize attack vectors, monitor traffic, manage access, and isolate threats
• Continuously monitor the critical networks with automated, agentless tools using passive, active, or hybrid methods

How Forescout can help to secure your IT/OT/IoT converged infrastructure

• Providing a complete and granular asset inventory of both your IT, OT and IoT assets
• Monitoring the boundaries between IT/OT
• Detecting anomalies & lateral movements in the OT network
• Spotting unforeseen changes in the network communication behaviors, such as unforeseen connections or anomalous network logins
• Helping network segmentation to reduce the “blast radius” and increase confidence in containment
• Through the specific IoCs & alerts (see below for DarkSide)

Indicators of Compromise (IOCs) & Additional Information
Forescout has made available a package of IOCs for the eyeInspect Threat Library which conducts an automated and expansive series of checks to detect weaknesses and threats.

Recently added:

• 29 IP-addresses
• 47 MD5 hashes
• 21 domains
• The C&C is reported to run over Tor; eyeInspect has a large (6700, recently updated) list of Tor exit nodes (IP-addresses)

Several of the existing checks of the eyeInspect Threat Detection Add-Ons can help to cover the above-described scenario when the targets are Windows machines (not inclusive of all possible checks to spot unauthorized access). Updates will be implemented as new information is uncovered.

• Detection of potential reconnaissance attempts based on MSRPC/DRSUAPI (Directory Replication Service protocol) over DCOM/SMB
• Detection of potential reconnaissance and user accounts manipulation attempts based on MSRPC/LSARPC (Local Security Account Remote protocol) over DCOM/SMB
• Detection of potential reconnaissance and user accounts manipulation attempts based on MSRPC/SAMR (Security Account Manager Remote protocol) over DCOM/SMB
• Detection of potential reconnaissance attempts based on MSRPC/SRVSVC (Server Service Remote protocol) over DCOM/SMB
• Detection of potential reconnaissance and lateral movement attempts based on MSRPC/SVCCTL (Service Control Manager Remote protocol) over DCOM/SMB

In today’s interconnected world, bad actors only need to find one vulnerability to exploit an organization’s network and data, whereas cybersecurity pros must focus on securing the entire enterprise (IT, OT, IoT) against a growing number of threats and attack vectors. Forescout is here to help you do that.

Active Defense for the Enterprise of Things.