
Symantec Security Summary - May 2021

Ransomware, a new Executive Order and Solar Winds fallout

Ransomware on a roll. Ransomware once again dominated the global stage after a cyber crime gang orchestrated a recent attack against a U.S. pipeline company, shutting down operations and reigniting concerns about the vulnerability of major infrastructure.

Colonial Pipeline, which transports gasoline and jet fuel from Texas to New York, said it shut down 5,500 miles of pipeline in order to contain the breach, in which hackers stole nearly 100 GB of data. While company officials said the hackers broke into its business systems, not the systems that control the physical pipeline infrastructure, they shut down the networks and the pipeline as a precaution. The attack was felt immediately at the gas pumps, and industry experts raised concerns about what it might portend given the vulnerabilities of critical infrastructure. The Department of Transportation put out an emergency declaration aimed at ramping up alternative transportation routes for oil and gas.


The FBI has confirmed that the genesis of the attack was a strain of ransomware called DarkSide, which is believed to be connected to a Russian cyber crime gang. The hacking group countered with a notice on the dark web contending they were looking for opportunities to make money, not to carry out an attack on behalf of a foreign government. In the interim, a contingent of private-sector companies, with help from U.S. agencies, disrupted the ongoing attacks and helped Colonial recover some stolen data, according to sources for a Bloomberg article.

Government ramps up response. With this latest entity in the crosshairs, U.S. Justice Department officials are warning about the growing threat of ransomware attacks and have formed a new task force to root out and respond to it. According to a memo obtained by CNN, 2020 was the worst year on record for ransomware attacks, including those targeting the DC police department, hospitals treating COVID-19 patients, and a growing roster of manufacturers.

The Biden administration is also rolling out a 100-day plan to bolster cyber security for the nation’s electric grid. Among the plan’s goals are to encourage owners and operators of power plants to enhance security incident detection, mitigation, and response; to deploy technologies that provide real-time situational awareness within industrial control systems (ICS) and operational networks; and to reinforce the IT networks and infrastructure used within facilities. The Biden administration also issued an Executive Order (EO) that lays out a series of new cyber security requirements for companies doing business with the government, in the hope of forcing changes and improvements that trickle down to private industry.

SolarWinds campaign bigger than we thought. Speaking of Russian hacking, it looks like the 2020 SolarWinds breach, orchestrated by the state-backed Russian hacking group known as APT29 (aka Fritillary, Cozy Bear), is even more widespread than initially expected. New analysis of the supply chain attack has uncovered 18 additional command and control (C&C) servers used in the campaign, making for an estimated 18,000 companies exposed through receipt of the SolarWinds malicious update. Researchers from RiskIQ said the newly discovered servers represent a “56% increase in the size of the adversary’s known command-and-control footprint,” and will likely lead to newly identifiable targets.


In other SolarWinds-related news, the China-based Spiral advanced persistent threat (APT) group is believed to be behind a year-long attack that planted the Supernova backdoor on the SolarWinds Orion server in order to carry out reconnaissance, domain mapping, and data theft.

On the heels of all these high-profile incidents, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the FBI and NSA, along with the UK National Cyber Security Centre, recently put out a joint advisory warning organizations about new techniques being used by Russian hackers as part of their escalating cyber security campaigns. The advisory cites new tactics, such as exploiting Microsoft Exchange zero-day vulnerabilities and leveraging the Sliver open source tool, as part of the evolving Russian playbook for infiltrating networks as companies shore up their defenses in response to heightened awareness.

And then there’s China. It’s not just Russia amplifying information warfare. Hackers with suspected ties to China have exploited the Pulse Secure VPN to gain access to dozens of organizations, including government agencies, defense companies, and financial institutions. Pulse Secure’s zero-day vulnerability was exploited in the wild by multiple threat actors to install malware on targeted organizations’ networks. Research published by Mandiant has uncovered 12 malware families associated with the Pulse Secure VPN exploit. A patch for the vulnerability will be released this month; until then, Pulse Secure has released mitigations to guard against exploit attempts.

Even high-tech royalty isn’t being spared. There are reports that the REvil ransomware gang tried to extort Apple to “buy back” stolen product blueprints to avoid having them leak prior to the company’s big spring event earlier this month. The criminals demanded that Apple pay $50 million in the Monero cryptocurrency by May 1st to prevent confidential data stolen from its Taiwanese partner Quanta Computer from being leaked. Some of the documents were leaked online, but the group eventually pulled all references to the attempted extortion off its dark web blog, and Apple isn’t commenting.

Banks caught in the crosshairs. No surprises here: more evidence to confirm that the shift to remote work has contributed to a significant spike in cyber attacks against banks and insurance firms. The COVID Crime Index 2021 report found that nearly three quarters (74%) of banks and insurers have seen a rise in criminal activity, including increases in botnet attacks (35%), ransomware (35%), phishing (35%), mobile malware (32%), and COVID-related malware (30%). Insider threats remain an issue for 29% of respondents.

The bottom line: It appears organizations are less secure and customers more at risk of cyber crime and fraud. It’s time to get to work, people.


About the Author

Beth Stackpole

Journalist

Beth is a veteran journalist covering the intersection of business & technology for more than 20 years. She's written for most of the leading IT industry publications and web sites as well as produced custom content for a range of leading technology providers.
