Pipelines, Ransomware, and The Solution
You’ve probably heard a lot of news about the Colonial Pipeline cyber attack which happened on May 7th. The pipeline was shut down for several days, causing widespread fuel shortages and price hikes. That pipeline delivers almost half of the fuel (gasoline, diesel, heating oil, and jet fuel) to the East coast of the USA, about 100 million gallons of fuel daily. Read on to learn how this could have been prevented, and the steps YOU can take to protect yourself from cyber attacks... |
How Was the Colonial Pipeline Hacked?
Cybersecurity firm FireEye and the FBI have identified the Russian-based DarkSide hacking group as being responsible for the Colonial Pipeline attack. A successful ransomware attack crippled the pipeline operations, and faced with a very difficult and urgent problem, the Colonial CEO agreed to pay a $4.4 million ransom to decrypt the affected systems.
We don’t know the exact attack vector used in this case. It is believed that the hackers gained access to Colonial's computers through the administrative side of the business, rather than the operational side. It could have started with a phishing email, from which an employee was tricked into downloading malware. The attackers may have exploited an unpatched software vulnerability. In the case of the recent SolarWinds hack, it happened via compromised third-party software.
Ironically, this attack may have been facilitated by the “good guys”. As reported in Technology Review, respected computer security vendor BitDefender identified a flaw in the Darkside ransomware code, and released a tool back in January to help affected parties recover from the attack without paying a ransom.
But in doing so, BitDefender publicly tipped off the DarkSide gang to the flaw. The very next day, DarkSide fixed the problem and taunted the world, saying “new companies have nothing to hope for.” If BitDefender had been a bit more circumspect in helping those affected by this particular ransomware, they might have been able to help Colonial quickly mitigate this attack without shutting down the pipeline or paying millions to a criminal hacking operation.
In the wake of the Colonial Pipeline panic, government officials suddenly started making noise about “protecting critical infrastructure” and “national security risks.” New legislation has been proposed, which will undoubtedly have unintended consequences, because that’s what happens when government gets involved with the private sector.
We're From The Goverment And...
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a bulletin
titled “DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks”. It contains some practical advice for both large companies and individuals, to help them stay safe from ransomware and other malware attacks.
In this bulletin, CISA and FBI recommend several actions to reduce the risk of compromise by malware attacks. I’ve condensed that advice, tailored it to home computer users, and provided links to some of my articles that provide more help and information.
- Use multi-factor authentication. Doing so will make you immune to account hijacking, even if your password is exposed. (See [DIGITAL LOCKDOWN] Authenticator Apps Protect Your Accounts.)
- When multi-factor authentication is not available, use strong passwords and a password manager. (See How Hackable is Your Password? and Is Your Terrible, Insecure Password on This List?)
- Learn how to identify phishing and spear-phishing emails, which are getting increasingly clever, and harder to distinguish from legitimate messages. (See Here's Why Phishing is Getting Worse.)
- Learn how to avoid malicious websites. (See [VIGILANCE] Is it Safe to Click That Link?)
- Update software, including operating systems, and user-installed applications. Consider using a patch management system. (See Keep Your Software Up To Date (or else…))
But Wait, There’s More...
The most important item on the CISA/FBI list of security recommendations was “implement application whitelisting, which only allows systems to execute programs that are known to be safe.”
Now THAT one rings a bell.> For a few years now I’ve been recommending PC Matic also does automatic patch management and driver updates to ensure that all software on your computers are kept up to date. Cyber criminals exploit known vulnerabilities in legit software to gain entry into otherwise well-protected systems. That could very well be the means by which the DarkSide hackers snuck into the Colonial Pipeline operation. Or it could have been an employee who clicked a malicious link, and downloaded malware which enabled the ransomware attack.
In either case, PC Matic would have stopped it cold. See my review and further information about PC Matic in my article What’s New in PC Matic 4.0?
Have you had experience with ransomware? Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 28 May 2021
| For Fun: Buy Bob a Snickers. |
 |
Prev Article: Geekly Update - 27 May 2021 |
The Top Twenty |
Next Article: Geekly Update - 02 June 2021 |
 |
Post your Comments, Questions or Suggestions
|
Free Tech Support -- Ask Bob Rankin Subscribe to AskBobRankin Updates: Free Newsletter Copyright © 2005 - Bob Rankin - All Rights Reserved About Us Privacy Policy RSS/XML |
Article information: AskBobRankin -- Pipelines, Ransomware, and The Solution (Posted: 28 May 2021)
Source: https://askbobrankin.com/pipelines_ransomware_and_the_solution.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Pipelines, Ransomware, and The Solution"
Posted by:
brightspark
28 May 2021
Surely a comprehensive backup strategy has to be the best line of defense against ransomware and any serious malware infections?
Posted by:
bb
28 May 2021
and for the follow-up, "Darkside" is now out of business.
It's an interesting story, apparently Darkside got way, way, more attention than they were expecting. They were even "attacked" by parties unknown that knocked them off the Internet. Steve Gibson's Security Now! podcast has the details: https://www.grc.com/sn/sn-819-notes.pdf
Posted by:
Stephe
28 May 2021
Did anybody just click on bb's link above? It's probably perfectly OK, but worth noting that pdf files are one of the commonest vectors of malware.
No offence intended to bb — just a thought...
Posted by:
Brian B
28 May 2021
@Stephe,
Well said. Anybody who was interested in the article would have gone to Steve's site direct, and searched for the referenced article. Alternatively, if SuperShield is installed and active, following the link direct would deny access if it was unsafe.
Posted by:
RandiO
29 May 2021
I am inclined to think that if Colonial Pipeline people only followed AskBob's advice/guidance on how to backup, they may have been $4.3Million ahead of their problems.
Posted by:
Bart
29 May 2021
You object to the gummint regulating the private sector. Isn't that what happens when the private sector doesn't act responsibly? Critical infrastructure lacked adequate security and we all paid the price. Should we allow that to keep happening? If it happens again, won't you ask why nothing was done to prevent it?
Posted by:
Martin J Gouldthorpe
29 May 2021
Thanks again, Bob, for your wise words. The work that my wife and I do in our translation business contains sensitive, personal information. Finally I decided we should go the "extra mile" in protecting our clients information. I made the decision to go with Avast Ultimate plus VPN on all our devices. Also, all of our passwords have been in the protective custody of Last Pass for quite sometime. Yes, the cost may sound expensive but the peace of mind we now have is worth every cent. Our computers function smoothly, speedily and seem to pick up everything of a questionable nature. Following installation, the first time I went to our bank's website an notification window popped up, advising, "Three attempts to track your activity at this site prevented and removed."
Posted by:
Sarah L
29 May 2021
“ New legislation has been proposed, which will undoubtedly have unintended consequences, because that’s what happens when government gets involved with the private sector.”
As opposed to the entirely predictable thefts, burglaries, and kidnapping that occur when the private sector is left to itself.
That was not the best lead in to describing the situation around the oil pipeline being shut down on account of a private sector firm’s error.
Posted by:
Sarah L
29 May 2021
“ New legislation has been proposed, which will undoubtedly have unintended consequences, because that’s what happens when government gets involved with the private sector.”
As opposed to the entirely predictable thefts, burglaries, and kidnapping that occur when the private sector is left to itself.
That was not the best lead in to describing the situation around the oil pipeline being shut down on account of a private sector firm’s error.
Posted by:
Marty
29 May 2021
Thanks Bob. Another great article that is spot on.
I started using PC-matic a few years ago and have been totally pleased. I love the way it blocks anything that isn't white listed.
Posted by:
kevin
29 May 2021
Does PC Matic maintain a global whitelist as part of the decision-making it does for ALL its users? If so, an individual user (or even PC Matic's own screeners) may deem a program "OK" at some point but then a version that only SEEMS to be the same (and actually is corrupted) begins to circulate unimpeded.
Though Bob did not experience much of a burden in handling false positives, many of us won't be confident to dismiss warnings if we are not familiar with all the background processes launched in the normal course of using a computer. The more often you get asked to approve the launch of programs you don't know about, the more likely you are to bypass the interruptions and always say "Yes", which will eventually open the door to problems.
Most people will say OK to a request to run Java and Flash content even though those are now known to be bad risks. In fact, is it possible for even an historically "safe" program that everyone recognizes and which PC Matic allows to run, (such as MS Office or Acrobat Reader) to be launched by malicious script that uses that trusted program to execute its dirty work and remain undetected until it's too late? As an example, all recent Windows versions include an onboard encryption engine that will certainly be on the whitelist. What's to stop an attacker's script from invoking that existing "trusted" engine to encrypt your files and then hide the key from you until you pay up?
Posted by:
Cork
29 May 2021
The fastest way to significantly reduce the number of ransomware attacks is for corporations to replace all Microsoft Windows operating systems with a more secure alternative. The inherent issues with Windows will continue to result in a whack-a-mole game until it is replaced with a modern operating system.
Posted by:
Nat Gildersleeve
29 May 2021
As a longtime reader dating back to the Tourbus days, I have found Bob's advice invaluable. When he recommended PCMatic, I changed and have not had a problem since.
Posted by:
Brad
30 May 2021
I thought this was an excellent article on phishing email and how to spot malicious links. If you're looking for some material on phishing to share with family and friends this is a good one. It also includes a link to Google's Phishing Quiz.
The Most Common Way People Get Hacked & How to Avoid It
https://medium.com/geekculture/the-most-common-way-people-get-hacked-how-to-avoid-it-c62eeedf57d6
Posted by:
Phil
09 Jun 2021
Thanks Brad, handy link. Ideal for a few vulnerable members of my family.
Posted by:
TheOptimist
10 Jun 2021
Interesting but quaint security ideas. The reality is that if you are connected to the internet and you are targeted (because you have deep pockets) then there is no defense.