Although the high profile ransomware incident impacting the US oil pipeline system Colonial Pipeline has attracted significant attention, the subsequent discussion has lacked a network-centric view of the general behaviours and detection possibilities associated with ransomware deployment.
Gigamon executive Joe Slowik presents an overview of the event, the behaviours linked to similar ransomware operations, the importance of network visibility, and possibilities for network detection and monitoring to meet these adversaries and related malicious activities head-on.
Colonial Pipeline suffered a ransomware incident on May 7. While all available information indicates that ransomware impacted only enterprise IT systems for Colonial, the company pre-emptively shut down linked industrial control systems (ICS) out of an abundance of caution.
Subsequently the intrusion and resulting disruption were linked to a ransomware variant known as DarkSide. Active since at least August 2020, DarkSide operates under a ‘Ransomware as a Service’ or ‘affiliate’ model where the group provides double-extortion ransomware services to other entities that execute the actual network breach and capability deployment.
DarkSide then manages negotiations and payment to both decrypt a victim’s information and to stop the selective leaking of data exfiltrated from the target network.
While DarkSide-related activity has continued in a relatively steady state since its initial discovery in 2020, the Colonial Pipeline incident is notable given its disruptive impact. While neither the first notable cyber intrusion in pipeline systems, nor the first ransomware event on pipeline infrastructure, Colonial’s pre-emptive shutdown of critical systems triggered a halt in their operations.
The disruption induced reactions from panic buying of gasoline through statements from the White House. Although Colonial was able to begin restoring operations as early as May 12, 2021, the shock and short-term impacts of the event were felt across both policymaker and information security circles.
Ransomware entity intrusion tradecraft
DarkSide ransomware impacted multiple victims since discovery in 2020. Yet while this ultimate payload inducing network disruption (and data theft for extortion) is concerning, defenders should focus on the preliminary steps enabling ransomware execution rather than the ransomware family itself.
In this respect, given the ‘affiliate model’ through which adversaries deploy DarkSide, the ransomware variant can be linked to multiple behavioural profiles.
Multiple vendors provide insight into initial access, entrenchment, and subsequent lateral movement activity linked to DarkSide deployment. Among the most notable examples are the following:
- Initial reporting from Digital Shadows in September 2020
- Cyberreason Nocturnus’ overview of activity in April 2021
- Varonis reporting, subsequently updated after the Colonial incident
- An overview of recent DarkSide behaviours from FireEye, also after the Colonial incident
- Observations from incident response engagements from Sophos
- Further analysis from Palo Alto Unit 42
These are all valuable contributions to the discussion concerning DarkSide’s deployment, and my company highly recommends that defenders review these items for awareness and to become familiar with this threat.
Yet all these items largely focus on host-based actions and observations, which is unsurprising, as most of the entities in question are involved in host-based security solutions. In addition to these observations, defenders possess a multitude of options for tracking behaviours over the network related to DarkSide deployment, as well as other ransomware operations.
Initial access mechanisms
Adversary deployment of DarkSide ransomware is linked to a variety of initial access mechanisms, as one would expect given that multiple entities relate to its use. Based on a review of available literature and analysis, my company identifies the following as primary Darkside affiliate mechanisms to initially breach victim networks:
- Phishing activity leveraging malicious attachments
- Credential replay attacks against external-facing services, such as Remote Desktop Protocol (RDP)
- Use of publicly disclosed exploits against external-facing services, such as vulnerabilities in externally accessible VPN appliances (including CVE-2021-20016).
While these represent known vectors linked to DarkSide affiliate operations, the specific mechanism used to infiltrate Colonial Pipeline is not known at present. Nonetheless, these initial intrusion mechanisms align well with common tradecraft associated with not only criminal operations (such as ransomware), but also advanced persistent threat (APT) or state-directed intrusions.
While one specific VPN exploit is called out in research from FireEye, my company assesses that other publicly disclosed exploits have likely been used as part of intrusions leading to ultimate ransomware deployment more generally.
Given the significant increase in disclosure and subsequent use of exploits targeting external-facing appliances such as VPN concentrators, network defenders should anticipate rapid moves by a variety of adversaries, whether related to DarkSide or not, to take advantage of such potential ingress points.
Lateral movement and command and control activity
Once inside victim networks, DarkSide-related intrusions leverage a combination of built-in system tools (such as ‘LoLBins’) and publicly or commercially available tools for varying levels of network communication and functionality. Such items are deployed to both spread throughout the victim network, as well as to maintain command and control (C2) over any implants or tools. Examples include:
- The Sysinternals remote command execution utility PSExec
- Commercially available remote access tools such as TeamViewer
- The PuTTY-related application Plink
- The commercially available (but frequently pirated or cracked) Cobalt Strike
- The publicly available Custom Command and Control (C3) framework
- Network enumeration tools such as ADRecon and BloodHound for mapping victim Active Directory instances
- Tunneling C2 traffic, including RDP, via The Onion Router (TOR) to mask activity
Additionally, adversaries leverage built-in tools such as RDP and server message block (SMB) connections to enable tool or capability deployment and lateral movement in victim environments, combined with continuous credential harvesting via tools such as Mimikatz.
At this stage, endpoint-related visibility becomes valuable in assessing an intrusion in many cases. However, even the best endpoint visibility on its own is insufficient to track, detect, and monitor elusive adversaries.
This is especially the case for internal network movement. By pairing network monitoring and visibility with robust network security monitoring, defenders can ensure that all possible avenues for intruder operation are accounted for.
Like the initial access vectors, the lateral movement and C2 mechanisms identified here are hardly unique to DarkSide deployment. Instead, these techniques encompass behaviours also deployed by entities ranging from APTs to other, criminal actors.
By establishing monitoring for either external communication linked to the tools or techniques listed above, or examining internal communication flows for lateral movement activity, defenders can identify malicious behaviours even when endpoint and similar visibility can be evaded.
One other component to DarkSide-related operations, along with some other ransomware families, is the use of ‘double extortion’ to prompt payment. In addition to encrypting data, victim information is stolen with threat of publication unless payment is made.
Identifying large-scale data exfiltration in progress can be an indicator of imminent disruptive actions, and if caught in time may allow for defenders to respond quickly to prevent further harm. Based on reporting from researchers at Red Canary on general trends in this space, as well as specific observations on DarkSide, the following tools and techniques appear associated with ‘double extortion’ operations:
- Use of cross-platform, free tools such as Rclone or WinSCP
- io-focused tools such as MEGAcmd or MEGAsync
Although not conclusively proven, media reporting indicates at least in the Colonial incident that criminals leveraged cloud hosting infrastructure, specifically from Digital Ocean, as an intermediary for data exfiltration as part of this process.
The above behaviours provide a variety of potential detection possibilities. Examples include simple tracking of large, anomalous traffic flows indicative of large-scale data exfiltration to use of specific service and destination combinations (such as WinSCP to an Autonomous System Number (ASN) associated with a cloud provider).
Network visibility and monitoring
The mechanisms identified above are not distinct to DarkSide deployment; this provides a substantial benefit to defenders in that identifying general techniques associated with such intrusions will enable defensive coverage over a wide number of potential adversaries.
Moreover, given the efforts by DarkSide-related entities (as well as numerous other threats) to evade endpoint detection and response (EDR) solutions as part of fundamental tradecraft, bolstering host-centric visibility with robust network monitoring can enable organisations to detect such operations at multiple phases of the cyber kill chain.
Establishing network visibility and monitoring not only at the network edge but also for internal network traffic can enable powerful defensive responses covering a variety of threats. Looking at the behaviours identified in the previous sections, various defence and alerting mechanisms emerge from initial access through lateral movement and code execution.
Monitoring external scanning or authentication brute force activity can be difficult given the sheer volume of activity from multiple services, malicious actors, and other entities. Yet being able to differentiate security-significant ‘signal’ from background “noise” is critical in articulating meaningful, sustainable network defence.
For example, identifying exploit scanning activity, such as for the VPN vulnerability linked to DarkSide deployment above, may rapidly result in numerous alarms for various commercial or academic scanners attempting to identify vulnerable instances. Instead of attempting to chase every single potential vulnerability scan, defenders should seek higher-quality, lower-volume detections to ensure focused and efficient operations.
By viewing network security events not as atomic, discrete objects but as interrelated items linked through time and execution, powerful possibilities emerge for detection and analysis.
For example, identifying linked activity such as a vulnerability scan of an external-facing service (or an explicit attempt to exploit that service) followed by scanning or authentication activity from that victim host to other, internal hosts within the network can flag likely initial intrusion actions and adversary attempts to expand access.
By linking the discrete observations into a complex, high-confidence analytic of malicious behaviour, defenders can not only ensure response to only high-severity, high-confidence events, but also alert on tradecraft linked to numerous threat actors.
Similar methodologies apply to credential stuffing, brute force, or guessing activity. Again, a variety of scanners and other items will likely be engaged in such activity on a daily basis.
But identifying instances of dedicated scanning or brute forcing from a single source, or such activity followed by anomalous network traffic from the recipient of such activity, can narrow observations to likely compromise scenarios. Defenders can then vector resources and efforts appropriately to these events to initiate incident response operations, minimising time to detection and time to recovery.
Other possibilities exist related to specific services and protocols. For example, in DarkSide operations deploying parties tunnel RDP via TOR in order to mask operations. While evading attempts to identify external RDP connections, this still requires communication to TOR nodes.
Tracking and identifying TOR nodes and related traffic can serve as a potentially powerful way to either enable more robust monitoring or, if blocked, reduce network attack surface.
Similarly, by identifying combinations of activity such as network traffic flows indicative of large-scale data movement or exfiltration to untrusted or unfamiliar network infrastructure or ASNs, key portions of the “double extortion” model can be flagged prior to completion.
Internal network communication
Network monitoring and defence does not end at the perimeter; to deal with current threats (whether criminal actors or APTs) such visibility and response must extend to internal network communications.
By leveraging a visibility fabric or deploying dedicated sensors inside the perimeter to track host-to-host traffic and similar flows, defenders can gain valuable visibility into adversary behaviour that can identify intrusions in progress that boundary monitoring or EDR solutions otherwise miss.
For example, DarkSide deployment, along with multiple other actor behaviours, frequently uses credential theft followed by mapping a share over SMB for file transfer, then execution, via a tool such as PSExec.
Identifying the concrete behaviours behind this activity and establishing alerts when these events are identified in sequence (authentication to host, SMB share mapped to another host, followed by file transfer of an executable or scripting object to the newly mapped host) can reveal instances of lateral movement.
While it is possible such actions could identify legitimate system administrator activity, in well-orchestrated environments such instances can be rapidly dispositioned, while the existence of an analytic identifying these linked network-specific events can flag actions related to a variety of threat actors.
Additional opportunities include monitoring of traffic flows and authentication activity, such as when an adversary deploys legitimate tools such as RDP. In these cases, identifying a number of attempted or successful authentication attempts from a single host to multiple hosts inside the network can indicate an adversary attempting to break out of an initial network foothold.
Further visibility, including being able to track precisely what credentials or user accounts are used, can reveal compromised accounts and other valuable response information.
Overall, the goal is to establish a combination of visibility into internal network traffic flows and combine this with an understanding of adversary tradecraft and operations to produce high-confidence alerting on observed activity.
When paired with external network monitoring and endpoint defence, network defenders can severely impede adversary operations, ensuring multiple potential detection points throughout the attacker’s lifecycle.