Last week Colonial Pipeline, one of the largest pipelines in the US, was hit by a ransomware attack from the Dark Side cybercrime group. While many pertinent specifics about the attack are not known, FireEye and US Cybersecurity and Infrastructure Security Agency (CISA) have shed some light on how Dark Side’s malware works.

These two posts point out some common Tactics, Techniques, and Procedures (TTPs) that all organizations should be on the lookout for as indicators of attack:

  • Password spraying against Virtual Private Network (VPN) devices, yielding legitimate user credentials that were then used.
  • Malware exploits against SonicWall VPN to disable Multi-Factor Authentication (the vulnerability has since been patched).
  • Use of phishing emails for initial compromise.
  • Creation of domain accounts for attacker use.
  • Use of Mimikatz for capturing more credentials and escalating privileges.
  • Use of Cobalt Strike, BEACON, BLOODHOUND, TeamViewer, RDP, and F-Secure Labs' C3 (a red teaming tool) for recon, lateral movement, and C2 comms.
  • Use of rclone to exfiltrate data to cloud hosting locations.
  • Deletion of backups and Windows volume shadow copies.
  • Use of ESXi to disable cloud snapshots.
  • Use of PsExec and PowerShell to encrypt victim files.
  • Use of NGROK utility to allow remote access through defenses.
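As an added illustration (not from the advisories or the original post), a small detector for the first TTP above: it flags a source address that fails VPN authentication against many distinct accounts inside a short window, and lists any account that then authenticated successfully from the same source, which is the case that warrants a credential reset and an MFA review. The log format, field names and sample lines are constructed assumptions, not the output of any real VPN product.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-like VPN authentication records (assumed format, not a real device's).
VPN_LOG = """\
2021-05-10T08:00:01 vpn1 auth: user=alice src=203.0.113.7 result=FAIL
2021-05-10T08:00:03 vpn1 auth: user=bob src=203.0.113.7 result=FAIL
2021-05-10T08:00:05 vpn1 auth: user=carol src=203.0.113.7 result=FAIL
2021-05-10T08:00:07 vpn1 auth: user=dave src=203.0.113.7 result=FAIL
2021-05-10T08:00:09 vpn1 auth: user=erin src=203.0.113.7 result=FAIL
2021-05-10T08:00:11 vpn1 auth: user=frank src=203.0.113.7 result=SUCCESS
2021-05-10T08:01:00 vpn1 auth: user=alice src=198.51.100.20 result=FAIL
2021-05-10T08:01:30 vpn1 auth: user=alice src=198.51.100.20 result=SUCCESS
"""


def parse_line(line):
    """Split one record into (timestamp, source IP, username, result)."""
    ts_str, _host, _tag, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_str), kv["src"], kv["user"], kv["result"]


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: (distinct_failed_users, successful_users_after_spray)} for
    every source that failed against at least min_users distinct accounts within
    one sliding window. A normal user mistyping one password hits one account
    repeatedly, so the distinct-account count (not the failure count) is the signal."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))

    alerts = {}
    for src, evs in by_src.items():
        failed = [(ts, user) for ts, user, r in evs if r == "FAIL"]
        for i, (start, _) in enumerate(failed):
            users = {u for ts, u in failed[i:] if ts - start <= window}
            if len(users) >= min_users:
                # Any success from the same source after the spray began is the
                # "legitimate credentials found and used" case from the advisory.
                successes = sorted({u for ts, u, r in evs if r == "SUCCESS" and ts >= start})
                alerts[src] = (len(users), successes)
                break
    return alerts
```

The second source in the sample (one account, two attempts) is deliberately left unflagged to show that the rule keys on distinct accounts, not raw failure volume.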

US CISA and FBI published a Joint Cybersecurity Advisory listing specific MITRE ATT&CK Techniques:

  • Phishing [T1566]
  • Exploit Public-Facing Application [T1190]
  • External Remote Services [T1133]
  • Persistence [TA0003]
  • Data Encrypted for Impact [T1486]
  • The Onion Router (TOR) for Command and Control (C2) [TA0011]

These TTPs map to MITRE ATT&CK techniques, and many security tools on the market today can detect these kinds of malicious activity. It is imperative for enterprises to have robust and up-to-date security infrastructure in place to deter cyber-attacks. Multi-Factor Authentication, Unified Endpoint Management, Vulnerability Management, Endpoint Protection/Detection & Response, Network Detection & Response, email/web security gateways, Privileged Access Management, Security Orchestration Automation & Response, and Cloud Security are some key components that can provide visibility and remediation in case of intrusions.

Our recommendations

All organizations should take the opportunity to review their security architecture to ensure that the principles of defense in depth and least privilege are present, and if not, move to address any gaps in functionality and staffing as soon as possible. If your organization needs assistance with assessing your security posture and/or making security tools choices, please contact our advisors.
