A ransomware attack last week was successful in closing down the Colonial Pipeline and cutting off one of our nation’s most precious resources to millions of Americans. People in the Mid-Atlantic and elsewhere were unable to get gasoline after the pipeline was taken offline, being forced to either wait in massive fuel lines or remain stuck at home.
The attack was perpetrated by the DarkSide ransomware group and reportedly took nearly 100 gigabytes of data out of the Colonial Pipeline network in just two hours. It was part of a double-extortion scheme that is one of the group’s hallmarks.
DarkSide has very likely perpetrated attacks like this before, so it wasn’t necessarily novel. They also do not get involved in geo-politics. DarkSide says it has a code of ethics and states the hackers will never attack hospitals, schools, universities, non-profit organizations, and government agencies. The hacking group runs a quasi-professional operation, with its website having a press room, mailing list and a hotline for their victims to call.
After gaining access to its targets, DarkSide actors deploy ransomware to encrypt and steal sensitive data. The actors then threaten to publicly release the data if the ransom is not paid. The DarkSide ransomware uses Salsa20 and RSA encryption. While the DarkSide organization is profiting through attacks such as these, those of us in the cybersecurity industry are trying to fully understand precisely how they originate and unfold. We also want to make sure we are educating the wider community.
We are particularly interested in the Colonial Pipeline attack because FireEye in their report pointed to the possible use of a collaboration app, Slack, as the mechanism for communication to the C2 server.
Now typically, ransomware originates in email. In this particular instance, it appears DarkSide delivered a malicious payload through an email containing a link to Google Drive. This is the novel part of their technique. According to FireEye Research, which through Mandiant tracks five clusters of threat activity that have involved the deployment of DarkSide, one of the uncharacterized groups, UNC2628, has previously deployed relays configured to proxy C2 communications through the Slack API.
It is important to point out this is not solely a tactic that could unfold through Slack. This could be executed using Twitter, Telegram, WhatsApp, or any number of encrypted apps that can avoid detection by traditional EDR and network traffic analysis. SafeGuard Cyber provides security, including malware detection, for over 50 digital encrypted channels precisely because every encrypted channel is a candidate to communicate with ransomware. We have seen this with other ransomware attacks that have taken place.
Another key aspect of the Colonial attack is that social engineering was very likely involved during the initial compromise stage, baiting somebody into clicking on that Google link to download a malicious file or files. One of the uncharacterized groups identified by FireEye in its Shining a Light on DarkSide Ransomware Operations report, UNC2465, has used this method in the past.
Now if it turns out that DarkSide used a digital communication channel as the entry point for the attack, such as WhatsApp, Slack, or social media, SafeGuard Cyber would have been successful in stopping the attack from the onset. In the case of Colonial Pipeline, an organization with a very small security team, it’s plausible that they could have benefitted from a technology that provides visibility and alerts for threats that arise on digital channel endpoints outside of the network security perimeter.
Sophisticated malware also needs to be controlled remotely. Attackers used to rely on IRC or other port-based methods for this, but that becomes harder as vulnerability scans become more frequent. So the tactic of ransomware using encrypted communication that’s hard to detect is becoming more and more of a reality.
Hackers can communicate through the Slack API out to the C2 server, which holds the encryption key for the communications with the malware. Once the malware is established, they need to tell it what to do next; they need to communicate with it; and then the malware communicates back to the control server. The malware also uses this method to exfiltrate data. The cybercrime group takes advantage of the Slack.com API and its easy-to-use API approach; that makes it a prime candidate for a covert, encrypted C2 channel. Since companies whitelist Slack for normal web browsing, it is difficult to detect the traffic. SafeGuard Cyber protects customers' Slack.com instances holistically and can detect such traffic to disrupt the ransomware. SafeGuard Cyber might have been able to disrupt the process at the Colonial Pipeline.
A takeaway to consider here while the investigation unfolds is that endpoint DLP solutions do not work for cloud-based communications because they were designed for devices. They do not see traffic inside HTTPS or encrypted chat.
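The two points above (a whitelisted collaboration API reused as a covert C2 and exfiltration channel, and endpoint DLP not seeing inside that traffic) suggest where a defender can still look: the web proxy or TLS-inspection point that sees the HTTP host, path, user agent and bytes sent. The following is an added example, not SafeGuard Cyber's product code nor anything from the FireEye report; the log format, hostnames, client names and thresholds are assumptions, and the log lines are constructed. It flags a client that polls api.slack.com at a machine-regular interval, from a non-browser user agent, and pushes a large volume of data through the file-upload endpoint, while leaving a normal desktop client alone.

```python
"""Detect beacon-like polling and bulk uploads to a whitelisted collaboration
API (here api.slack.com) in web-proxy logs.  Added example; the log format,
thresholds and sample lines are constructed, not taken from any real product."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumptions: hosts the organization has whitelisted, and how the genuine
# desktop/web client identifies itself.  Tune these to your own environment.
MONITORED_HOSTS = {"api.slack.com", "slack.com", "files.slack.com"}
EXPECTED_UA_PREFIXES = ("Mozilla/",)
MIN_BEACON_REQUESTS = 5           # need enough samples before calling it a beacon
MAX_BEACON_JITTER = 0.2           # pstdev/mean of inter-request gaps; humans are far noisier
UPLOAD_BYTES_THRESHOLD = 10 * 1024 * 1024   # 10 MiB sent via the upload endpoint
UPLOAD_PATHS = ("/api/files.upload",)

# Constructed proxy log: timestamp client host path bytes_sent user_agent
SAMPLE_LOG = """\
2021-05-07T09:00:00 ws-17 api.slack.com /api/conversations.history 412 python-requests/2.25.1
2021-05-07T09:00:30 ws-17 api.slack.com /api/conversations.history 412 python-requests/2.25.1
2021-05-07T09:01:00 ws-17 api.slack.com /api/conversations.history 412 python-requests/2.25.1
2021-05-07T09:01:30 ws-17 api.slack.com /api/conversations.history 412 python-requests/2.25.1
2021-05-07T09:02:00 ws-17 api.slack.com /api/conversations.history 412 python-requests/2.25.1
2021-05-07T09:02:30 ws-17 api.slack.com /api/files.upload 52428800 python-requests/2.25.1
2021-05-07T09:03:00 ws-17 api.slack.com /api/files.upload 52428800 python-requests/2.25.1
2021-05-07T09:00:05 ws-04 api.slack.com /api/chat.postMessage 310 Mozilla/5.0 (Windows NT 10.0) Slack/4.15
2021-05-07T09:07:41 ws-04 api.slack.com /api/conversations.history 510 Mozilla/5.0 (Windows NT 10.0) Slack/4.15
2021-05-07T09:22:13 ws-04 api.slack.com /api/files.upload 204800 Mozilla/5.0 (Windows NT 10.0) Slack/4.15
2021-05-07T09:40:02 ws-04 api.slack.com /api/chat.postMessage 298 Mozilla/5.0 (Windows NT 10.0) Slack/4.15
"""


def parse_log(text):
    """Split each line into fields; the user agent is the space-containing tail."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path, nbytes, ua = line.split(" ", 5)
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "host": host, "path": path, "bytes": int(nbytes), "ua": ua})
    return records


def interval_jitter(timestamps):
    """Relative spread of the gaps between requests; ~0 means clockwork polling."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def analyze(records):
    """Return {client: [reasons]} for clients whose API use looks automated."""
    per_client = defaultdict(list)
    for r in records:
        if r["host"] in MONITORED_HOSTS:
            per_client[r["client"]].append(r)

    findings = {}
    for client, recs in per_client.items():
        reasons = []
        # 1. The real client is a browser/Electron app; scripts usually are not.
        odd_uas = sorted({r["ua"] for r in recs if not r["ua"].startswith(EXPECTED_UA_PREFIXES)})
        if odd_uas:
            reasons.append("non-browser user agent: " + ", ".join(odd_uas))
        # 2. Fixed-interval polling is the classic C2 check-in pattern.
        if len(recs) >= MIN_BEACON_REQUESTS:
            jitter = interval_jitter([r["ts"] for r in recs])
            if jitter is not None and jitter <= MAX_BEACON_JITTER:
                reasons.append(f"regular polling interval (jitter {jitter:.2f})")
        # 3. Large outbound volume through the upload endpoint hints at exfiltration.
        uploaded = sum(r["bytes"] for r in recs if r["path"] in UPLOAD_PATHS)
        if uploaded > UPLOAD_BYTES_THRESHOLD:
            reasons.append(f"bulk upload via API: {uploaded} bytes")
        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in analyze(parse_log(SAMPLE_LOG)).items():
        print(client)
        for reason in reasons:
            print("  -", reason)
```

The heuristics are deliberately simple and each would produce false positives on its own (a legitimate integration bot also has a non-browser user agent and a fixed schedule); the value is in combining them per client and feeding the result to whoever owns the Slack workspace, who can confirm whether that host and that token are expected. Per-client bytes-sent accounting is also the one signal here that an endpoint DLP agent cannot give you once the content is inside TLS.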