[BreachExchange] Colonial Pipeline attack: Hacking the physical world

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 20 15:06:40 EDT 2021


https://www.welivesecurity.com/2021/05/19/colonial-pipeline-attack-hacking-physical-world/

While detractors have argued that threats against physical infrastructure
are overstated and largely theoretical, the growing list of organizations
that have been successfully attacked suggests otherwise. And now the media
is full of reports of the flow-on effects of the ransomware attack leveled
against Colonial Pipeline by the DarkSide cybercriminal gang. In fact, a
lot has happened since – US President Joe Biden has signed an executive
order aimed at improving the nation’s cyber-defenses and the company has
restarted normal operations, while DarkSide claims to have shut up shop and
there are also reports that Colonial Pipeline paid the gang $5 million in
ransom.

Regardless, while the investigation into the attack is ongoing, detection
of Win32/Filecoder.DarkSide has been in play since October 2020, so
attackers wouldn’t seem to be using some super-sneaky, state-sponsored
zero-day exploit to compromise their targets.

For years we’ve noted would-be attackers quietly probing around critical
infrastructure targets, even launching attacks against specific, high-value
targets such as in the examples listed above. This shows no sign of
slowing. When those attacks occurred, we were asked whether we’d see
similar efforts in the North American market. We said yes. We were right.

It’s interesting that in the case of NotPetya (aka Diskcoder.C), the
specific pieces of the attack by themselves were also not super-crazy zero
days. In the current environment, the reality is that attackers don’t need
to burn zero days; they can get in without them.

When attackers spend significant time understanding a target’s network and
infrastructure, specially crafted attack sequences built largely from
off-the-shelf threats we’ve known about for years are surprisingly
effective.

While there has been significant security effort by critical infrastructure
operators in recent years, they are starting with decades-old equipment,
networking gear, and communications protocols to begin with. This means
they have little more than serial protocols (with no security), Modbus,
which isn’t much better, or one of a handful of others that are similarly
insecure. They forklifted in security gateways and have made strides, but
it’s still relatively easy to find chinks in the security armor. They’re
ramping up secure communication technologies, but the effort still feels
nascent.

Add to this the impact of shutting down some chunk of physical
infrastructure we mostly take for granted, and attackers have low-hanging
fruit ripe for the picking.

Meanwhile, critical infrastructure operators attempt to lure security
specialists away from Silicon Valley to work on some remote mountaintop
securing a critical facility with its ageing technology. This can be
unalluring and, therefore, a hard sell if the other option is a hot startup
in a large city.

But when the lights, water, fuel, or communication networks suddenly stop,
expect renewed focus on critical infrastructure security.

And while there are serious groups of technology pundits ramping up
specific initiatives to thwart ransomware, it’s unnerving knowing that
attackers can still be effective using years-old threats we thought we were
all protected against and had solved.
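The article's point about Modbus having little more security than a raw serial
link is easy to see on the wire. The following Python is an added example,
written for this list post and not taken from the ESET article or from Colonial
Pipeline: it encodes and decodes classic Modbus/TCP frames (MBAP header of
transaction id, protocol id, length and unit id, followed by the function code
and data, as in the public Modbus/TCP specification), and shows that no field in
the frame carries authentication or integrity. Because the protocol cannot tell
an engineering workstation from an intruder, the block also includes the kind of
network-side compensating check an operator can run: flag write function codes
from any host not on an allowlist. The IP addresses, register address and
setpoint values are constructed for the example.

```python
"""Classic Modbus/TCP framing plus an allowlist check for write requests.

Added example, not code from the ESET article. Frame layout follows the public
Modbus/TCP specification: MBAP header (transaction id, protocol id, length,
unit id) followed by the PDU (function code + data). Note that no field in
either part authenticates the sender or protects integrity, so any host that
can reach TCP/502 can issue a write. All sample hosts and values are constructed.
"""
import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502
PROTOCOL_ID = 0  # always 0 for Modbus/TCP

# Function codes that change process state. Reads (0x01-0x04) are left out on
# purpose: the check below is about who is allowed to write, not to poll.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def build_write_single_register(transaction_id: int, unit_id: int,
                                address: int, value: int) -> bytes:
    """Encode a Write Single Register (FC 0x06) request.

    PDU = function code (1) + register address (2) + value (2).
    The MBAP length field counts the unit id byte plus the PDU.
    """
    pdu = struct.pack(">BHH", 0x06, address, value)
    mbap = struct.pack(">HHHB", transaction_id, PROTOCOL_ID, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_frame(raw: bytes) -> ModbusFrame:
    """Decode MBAP header + PDU; raise ValueError on malformed input."""
    if len(raw) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", raw[:7])
    if pid != PROTOCOL_ID:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(raw) - 6:
        raise ValueError(f"length field {length} does not match payload {len(raw) - 6}")
    # Everything after the MBAP header: function code, then data. No auth field.
    return ModbusFrame(tid, unit, raw[7], raw[8:])


def flag_unauthorized_writes(events, allowed_writers):
    """Return alert strings for write requests from hosts not on the allowlist.

    events: iterable of (src_ip, raw_frame) pairs, e.g. from a span port or PCAP.
    This is a network-layer compensating control; the protocol itself offers none.
    """
    alerts = []
    for src_ip, raw in events:
        frame = parse_frame(raw)
        name = WRITE_FUNCTION_CODES.get(frame.function_code)
        if name and src_ip not in allowed_writers:
            alerts.append(
                f"{src_ip} -> unit {frame.unit_id}: {name} "
                f"(fc 0x{frame.function_code:02x}) tid={frame.transaction_id}"
            )
    return alerts


# Constructed traffic: a hypothetical engineering workstation (10.0.10.5) and an
# unknown host (10.0.99.77) both talk to unit 1. The unknown host writes a
# setpoint of 0 to register address 0 and then reads 10 holding registers.
ALLOWED_WRITERS = {"10.0.10.5"}
READ_HOLDING_REGS_FRAME = bytes.fromhex("00030000000601030000000a")  # FC 0x03, start 0, qty 10
SAMPLE_EVENTS = [
    ("10.0.10.5", build_write_single_register(1, 1, 0, 1200)),
    ("10.0.99.77", build_write_single_register(2, 1, 0, 0)),
    ("10.0.99.77", READ_HOLDING_REGS_FRAME),
]


def sample_alerts():
    """Run the allowlist check over the constructed traffic."""
    return flag_unauthorized_writes(SAMPLE_EVENTS, ALLOWED_WRITERS)


if __name__ == "__main__":
    for line in sample_alerts():
        print("ALERT", line)
```

The write from the unknown host is the only alert; the read from the same host is
not flagged, which is a deliberate choice that an operator may want to revisit.
The broader lesson matches the article: nothing in the twelve bytes of a write
request distinguishes a legitimate operator from an attacker, so segmentation,
allowlisting at the gateway, and monitoring of write function codes have to
supply the control the protocol lacks.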