Cookie Consent by Free Privacy Policy Generator ๐Ÿ“Œ AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks

๐Ÿ  Team IT Security News

TSecurity.de ist eine Online-Plattform, die sich auf die Bereitstellung von Informationen,alle 15 Minuten neuste Nachrichten, Bildungsressourcen und Dienstleistungen rund um das Thema IT-Sicherheit spezialisiert hat.
Ob es sich um aktuelle Nachrichten, Fachartikel, Blogbeitrรคge, Webinare, Tutorials, oder Tipps & Tricks handelt, TSecurity.de bietet seinen Nutzern einen umfassenden รœberblick รผber die wichtigsten Aspekte der IT-Sicherheit in einer sich stรคndig verรคndernden digitalen Welt.

16.12.2023 - TIP: Wer den Cookie Consent Banner akzeptiert, kann z.B. von Englisch nach Deutsch รผbersetzen, erst Englisch auswรคhlen dann wieder Deutsch!

Google Android Playstore Download Button fรผr Team IT Security



๐Ÿ“š AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks


๐Ÿ’ก Newskategorie: Sicherheitslรผcken
๐Ÿ”— Quelle: us-cert.cisa.gov

Original release date: May 11, 2021

Summary

This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CKยฎ) framework, Version 9. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

The Cybersecurity and Infrastructureย Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are aware of a ransomware attack affecting a critical infrastructure (CI) entityโ€”a pipeline companyโ€”in the United States. Malicious cyber actors deployed DarkSide ransomware against the pipeline companyโ€™s information technology (IT) network.[1] At this time, there is no indication that the entityโ€™s operational technology (OT) networks have been directly affected by the ransomware.

CISA and FBI urge CI asset owners and operators to adopt a heightened state of awareness and implement the recommendations listed in the Mitigations section of this Joint Cybersecurity Advisory, including implementing robust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections. These mitigations will help CI owners and operators improve their entity's functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware.

Click here for a PDF version of this report.

Technical Details

Note: the analysis in this Joint Cybersecurity Advisory is ongoing, and the information provided should not be considered comprehensive. CISA and FBI will update this advisory as new information is available.

After gaining initial access to the pipeline companyโ€™s network, DarkSide actors deployed DarkSide ransomware against the companyโ€™s IT network. In response to the cyberattack, the company has reported that theyย proactively disconnected certain OT systems to ensure theย systemsโ€™ย safety.[2] At this time, there are no indications that the threat actor moved laterally to OT systems.

DarkSide is ransomware-as-a-service (RaaS)โ€”the developers of the ransomware receive a share of the proceeds from the cybercriminal actors who deploy it, known as โ€œaffiliates.โ€ย According to open-source reporting, since August 2020, DarkSide actors have been targeting multiple large, high-revenue organizations, resulting in the encryption and theft of sensitive data. The DarkSide group has publicly stated that they prefer to target organizations that can afford to pay large ransoms instead of hospitals, schools, non-profits, and governments.[3],[4]

According to open-source reporting, DarkSide actors have previously been observed gaining initial access through phishing and exploiting remotely accessible accounts and systems and Virtual Desktop Infrastructure (VDI) (Phishing [T1566], Exploit Public-Facing Application [T1190], External Remote Services [T1133]).[5],[6] DarkSide actors have also been observed using Remote Desktop Protocol (RDP) to maintain Persistence [TA0003].[7]

After gaining access, DarkSide actors deploy DarkSide ransomware to encrypt and steal sensitive data (Data Encrypted for Impact [T1486]). The actors then threaten to publicly release the data if the ransom is not paid.[8],[9] The DarkSide ransomware uses Salsa20 and RSA encryption.[10]

DarkSide actors primarily use The Onion Router (TOR) for Command and Control (C2) [TA0011] (Proxy: Multi-hop Proxy [1090.003]).[11],[12] The actors have also been observed using Cobalt Strike for C2.[13]

Mitigations

CISA and FBI urge CI owners and operators to apply the following mitigations to reduce the risk of compromise by ransomware attacks.

  • Require multi-factor authentication for remote access to OT and IT networks.
  • Enable strong spam filters to prevent phishing emails from reaching end users. Filter emails containing executable files from reaching end users.
  • Implement a user training program and simulated attacks for spearphishing to discourage users from visiting malicious websites or opening malicious attachments and re-enforce the appropriate user responses to spearphishing emails.
  • Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL blocklists and/or allowlists.
  • Update software, including operating systems, applications, and firmware on IT network assets, in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program.
  • Limit access to resources over networks, especially by restricting RDP. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.
  • Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.
  • Implement unauthorized execution prevention by:ย 
    • Disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
    • Implementing application allowlisting, which only allows systems to execute programs known and permitted by security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.
    • Monitor and/or block inbound connections from Tor exit nodes and other anonymization services to IP addresses and ports for which external connections are not expected (i.e., other than VPN gateways, mail ports, web ports). For more guidance, refer to Joint Cybersecurity Advisory AA20-183A: Defending Against Malicious Cyber Activity Originating from Tor.
    • Deploy signatures to detect and/or block inbound connection from Cobalt Strike servers and other post exploitation tools.

CISA and FBI urge CI owners and operators to apply the following mitigations now to reduce the risk of severe business or functional degradation should their CI entity fall victim to a ransomware attack in the future.

  • Implement and ensure robust network segmentation between IT and OT networks to limit the ability of adversaries to pivot to the OT network even if the IT network is compromised. Define a demilitarized zone that eliminates unregulated communication between the IT and OT networks.
  • Organize OT assets into logical zones by taking into account criticality, consequence, and operational necessity. Define acceptable communication conduits between the zones and deploy security controls to filter network traffic and monitor communications between zones. Prohibit industrial control system (ICS) protocols from traversing the IT network.
  • Identify OT and IT network inter-dependencies and develop workarounds or manual controls to ensure ICS networks can be isolated if the connections create risk to the safe and reliable operation of OT processes. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.ย Ensure that the OT network can operate at necessary capacity even if the IT network is compromised.ย 
  • Regularly test manual controls so that critical functions can be kept running if ICS or OT networks need to be taken offline.
  • Implement regular data backup procedures on both the IT and OT networks. Backup procedures should be conducted on a frequent, regular basis. The data backup procedures should also address the following best practices:
    • Ensure that backups are regularly tested.
    • Store your backups separately. Backups should be isolated from network connections that could enable the spread of ransomware. It is important that backups be maintained offline as many ransomware variants attempt to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems to its previous state. Best practice is to store your backups on a separate device that cannot be accessed from a network, such as on an external hard drive. (See the Software Engineering Instituteโ€™s page on ransomware).
    • Maintain regularly updated โ€œgold imagesโ€ of critical systems in the event they need to be rebuilt. This entails maintaining image โ€œtemplatesโ€ that include a preconfigured operating system (OS) and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or server.
    • Retain backup hardware to rebuild systems in the event rebuilding the primary system is not preferred. Hardware that is newer or older than the primary system can present installation or compatibility hurdles when rebuilding from images.
    • Store source code or executables. It is more efficient to rebuild from system images, but some images will not install on different hardware or platforms correctly; having separate access to needed software will help in these cases.
  • Ensure user and process accounts are limited through account use policies, user account control, and privileged account management. Organize access rights based on the principles of least privilege and separation of duties.

If your organization is impacted by a ransomware incident, CISA and FBI recommend the following actions:

  • Isolate the infected system. Remove the infected system from all networks, and disable the computerโ€™s wireless, Bluetooth, and any other potential networking capabilities. Ensure all shared and networked drives are disconnected, whether wired or wireless. ย 
  • Turn off other computers and devices. Power-off and segregate (i.e., remove from the network) the infected computer(s). Power-off and segregate any other computers or devices that shared a network with the infected computer(s) that have not been fully encrypted by ransomware. If possible, collect and secure all infected and potentially infected computers and devices in a central location, making sure to clearly label any computers that have been encrypted. Powering-off and segregating infected computers and computers that have not been fully encrypted may allow for the recovery of partially encrypted files by specialists. (See Before You Connect a New Computer to the Internet for tips on how to make a computer more secure before you reconnect it to a network.)
  • Secure your backups. Ensure that your backup data is offline and secure. If possible, scan your backup data with an antivirus program to check that it is free of malware.
  • Refer to Joint Cybersecurity Advisory: AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity for more best practices on incident response.

Note: CISA and the FBI do not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victimโ€™s files will be recovered.ย CISA and FBI urge you to report ransomware incidents to your local FBI field office.

CISA offers a range of no-cost cyber hygiene services to help CI organizations assess, identify and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.

Resources

Contact Information

Victims of ransomware should report it immediately to CISA at https://us-cert.cisa.gov/report, a local FBI Field Office, or U.S. Secret Service Field Office. To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBIโ€™s 24/7 Cyber Watch (CyWatch) atย (855) 292-3937 or by e-mail at [email protected]. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [email protected].

References

Revisions

  • May 11, 2021: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

...



๐Ÿ“Œ AA21-116A: Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders


๐Ÿ“ˆ 41.08 Punkte

๐Ÿ“Œ Preventing DDoS Attacks on Web-Based Systems: Strategies and Best Practices


๐Ÿ“ˆ 35.24 Punkte

๐Ÿ“Œ DarkSide Wanted Money, Not Disruption from Colonial Pipeline Attack


๐Ÿ“ˆ 32.8 Punkte

๐Ÿ“Œ Industry Disruption: Preventing Product Irrelevance?


๐Ÿ“ˆ 31.34 Punkte

๐Ÿ“Œ Preventing Outages in your SaaS application: Strategies and Best Practices


๐Ÿ“ˆ 29.69 Punkte

๐Ÿ“Œ AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments


๐Ÿ“ˆ 26.97 Punkte

๐Ÿ“Œ AA21-042A: Compromise of U.S. Water Treatment Facility


๐Ÿ“ˆ 26.97 Punkte

๐Ÿ“Œ AA21-048A: AppleJeus: Analysis of North Koreaโ€™s Cryptocurrency Malware


๐Ÿ“ˆ 26.97 Punkte

๐Ÿ“Œ AA21-055A: Exploitation of Accellion File Transfer Appliance


๐Ÿ“ˆ 26.97 Punkte

๐Ÿ“Œ AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities


๐Ÿ“ˆ 26.97 Punkte

๐Ÿ“Œ AA21-076A: TrickBot Malware


๐Ÿ“ˆ 26.97 Punkte

๐Ÿ“Œ AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool


๐Ÿ“ˆ 26.97 Punkte

๐Ÿ“Œ AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities


๐Ÿ“ˆ 26.97 Punkte

๐Ÿ“Œ AA21-148A: Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs


๐Ÿ“ˆ 26.97 Punkte

๐Ÿ“Œ DarkSide and other gangs exploit companies that aren't prepared for ransomware attacks


๐Ÿ“ˆ 25.86 Punkte

๐Ÿ“Œ Toshiba Business Reportedly Hit by DarkSide Ransomware


๐Ÿ“ˆ 25.82 Punkte

๐Ÿ“Œ DarkSide Ransomware gang targets Toshiba Business


๐Ÿ“ˆ 25.82 Punkte

๐Ÿ“Œ Growth of Ransomware Attacks: Strategies for Preventing & Isolating Them in Your Organization


๐Ÿ“ˆ 24.4 Punkte

๐Ÿ“Œ Preventing Ransomware Attacks on Industrial Networks


๐Ÿ“ˆ 24.4 Punkte

๐Ÿ“Œ Guide To Preventing & Minimising The Impact Of Ransomware Attacks


๐Ÿ“ˆ 24.4 Punkte

๐Ÿ“Œ 6 minimum security practices to implement before working on best practices


๐Ÿ“ˆ 23.52 Punkte

๐Ÿ“Œ 25 Best CDN Providers 2019 (sorted by best ent, best small biz, best budget and best free CDNs)


๐Ÿ“ˆ 23.5 Punkte

๐Ÿ“Œ How to Prevent Ransomware Attacks: Top 10 Best Practices in 2022 | UpGuard


๐Ÿ“ˆ 22.93 Punkte

๐Ÿ“Œ Ransomware attacks can be blocked with these firewall best practices


๐Ÿ“ˆ 22.93 Punkte

๐Ÿ“Œ Best practices for IT teams to prevent ransomware attacks


๐Ÿ“ˆ 22.93 Punkte

๐Ÿ“Œ DarkSide "Court", TrendMicro, & Lessons Learned From Supply Chain Attacks - SWN #123


๐Ÿ“ˆ 22.59 Punkte

๐Ÿ“Œ A Toshiba Business Unit Says It Has Been Attacked By Hacking Group DarkSide


๐Ÿ“ˆ 22.55 Punkte

๐Ÿ“Œ DDoS Attacks on the Gaming Giant Blizzard Causing Worldwide Service Disruption


๐Ÿ“ˆ 21.31 Punkte

๐Ÿ“Œ Automatic disruption of human-operated attacks through containment of compromised user accounts


๐Ÿ“ˆ 21.31 Punkte

๐Ÿ“Œ Technological disruption vs digital transformation vs innovation: What does your business really need in 2021?


๐Ÿ“ˆ 21.27 Punkte

๐Ÿ“Œ Unknown unknowns: CIOs prep for the next major business disruption


๐Ÿ“ˆ 21.27 Punkte

๐Ÿ“Œ 'Sextortion,' Business Disruption, and a Massive Attack: What Could Be in Store for 2023


๐Ÿ“ˆ 21.27 Punkte











matomo