Pipeline ransomware attack: US invokes emergency transport rules to keep fuel flowing

The US Department of Transportation (USDOT) invoked emergency measures after Colonial Pipeline Company fell victim to a ransomware attack last week. The measures allow fuel to be moved more easily by road while the pipeline is down. Colonial carries roughly 45% of the East Coast's fuel supply, including gasoline, diesel, jet fuel, and fuel used by the US military. The company took systems offline after learning of the attack, temporarily halting pipeline operations. USDOT's Federal Motor Carrier Safety Administration (FMCSA) has issued a Regional Emergency Declaration that temporarily relaxes certain rules on the road transport of fuel. The exemptions apply to vehicles carrying gasoline, diesel, jet fuel and other refined petroleum products to Alabama, Arkansas, the District of Columbia, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas, and Virginia.

Analyst Notes

On May 10th, the FBI confirmed that the Darkside ransomware group is behind the attack. Darkside runs a ransomware-as-a-service (RaaS) business, in which affiliates carry out the intrusions and the operators supply the malware and take a share of the ransom. The group emerged in mid-2020, and although a free decryptor for its malware was released in January 2021, it quickly rebounded with Darkside 2.0.

To combat ransomware, organizations must ensure employees are trained in security best practices. Multi-Factor Authentication (MFA) is necessary to protect any account, and especially the email accounts of employees with access to sensitive information: attackers target email because control of a victim's mailbox lets them reset passwords on many other online systems. Passwords alone are not enough, especially when employees reuse the same or similar passwords across sites. Criminals and government-backed hackers alike take passwords leaked from other websites and try them against email and remote-access accounts (credential stuffing). The Binary Defense Counterintelligence service monitors for leaked information, including passwords, associated with clients' brand names and domain names.

If a threat actor uses an employee's password to reach the corporate network through a VPN or other remote-access facility, the intrusion can be hard to detect, because the attacker's activity is difficult to distinguish from that of the employee whose account was compromised. Defending against such attacks requires monitoring user account activity for patterns of behavior and alerting when an account runs unusual programs, attempts to use administrator accounts, or moves laterally to systems it does not normally access. Binary Defense's Security Operations Task Force monitors clients' workstations and servers 24/7 to detect attacks based on possible attacker behaviors and stops intrusions in their early stages, before companies suffer major damage.
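As an added example (not Binary Defense code and not part of the original flash), the Python script below applies the behavioral checks described above to a handful of constructed log lines: a burst of failed VPN logins against many accounts from one source address (password spraying with leaked credentials), followed by a successful login and by activity from that account that falls outside its baseline. The pipe-delimited log format, the per-user baseline, the list of privileged accounts, and the spray threshold are all assumptions made up for this illustration; a real deployment would derive the baseline from weeks of telemetry and tune the threshold.

```python
"""Behavioral anomaly detection over constructed auth and endpoint events.

Added example, not Binary Defense code. Log format, field names, baseline and
thresholds are assumptions made for illustration only.
"""
from collections import defaultdict

# Assumed per-user baseline, as if built from prior weeks of telemetry:
# the programs each user normally runs and the hosts they normally log on to.
BASELINE = {
    "jdoe": {"images": {"outlook.exe", "excel.exe", "chrome.exe"},
             "hosts": {"WS-0142", "FS-01"}},
    "alice": {"images": {"outlook.exe", "chrome.exe"},
              "hosts": {"WS-0201"}},
}

# Assumed set of privileged accounts whose use by a regular user is always notable.
PRIVILEGED_ACCOUNTS = {"administrator", "adm-backup", "domain-admin"}

# Distinct accounts failing from one source IP before we call it spraying.
SPRAY_THRESHOLD = 5

# Constructed sample events (not real telemetry). One event per line:
#   auth|<OK|FAIL>|<user>|<src_ip>|<service>   remote-access authentication
#   proc|<user>|<host>|<image>                  process started on a host
#   logon|<user>|<host>                         logon to a host (lateral movement)
#   runas|<user>|<target_account>               attempt to use another account
SAMPLE_LOG = """\
auth|FAIL|alice|203.0.113.7|vpn
auth|FAIL|bob|203.0.113.7|vpn
auth|FAIL|carol|203.0.113.7|vpn
auth|FAIL|dave|203.0.113.7|vpn
auth|FAIL|erin|203.0.113.7|vpn
auth|OK|jdoe|203.0.113.7|vpn
proc|jdoe|WS-0142|outlook.exe
proc|jdoe|WS-0142|whoami.exe
logon|jdoe|FS-01
logon|jdoe|DC-01
runas|jdoe|administrator
proc|alice|WS-0201|chrome.exe
"""


def detect(log_text, baseline=BASELINE):
    """Return a list of (rule, subject, detail) alerts for the given log text."""
    alerts = []
    failed_users_by_ip = defaultdict(set)  # src_ip -> accounts that failed from it

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split("|")
        kind = fields[0]

        if kind == "auth":
            _, result, user, src_ip, service = fields
            if result == "FAIL":
                failed_users_by_ip[src_ip].add(user)
            elif result == "OK":
                # A success from an IP that has already failed against many
                # accounts is the credential-stuffing "hit" we most want to see.
                failed = len(failed_users_by_ip.get(src_ip, ()))
                if failed >= SPRAY_THRESHOLD:
                    alerts.append(("spray_success", user,
                                   f"{service} login from {src_ip} after "
                                   f"failures against {failed} accounts"))

        elif kind == "proc":
            _, user, host, image = fields
            if image not in baseline.get(user, {}).get("images", set()):
                alerts.append(("unusual_program", user, f"{image} on {host}"))

        elif kind == "logon":
            _, user, host = fields
            if host not in baseline.get(user, {}).get("hosts", set()):
                alerts.append(("unusual_host", user, host))

        elif kind == "runas":
            _, user, target = fields
            if target in PRIVILEGED_ACCOUNTS:
                alerts.append(("privileged_account_use", user, target))

    # Spray rule is emitted after the pass, once the per-IP counts are final.
    for src_ip, users in failed_users_by_ip.items():
        if len(users) >= SPRAY_THRESHOLD:
            alerts.append(("password_spray", src_ip,
                           f"{len(users)} distinct accounts failed"))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_LOG):
        print(f"[{rule}] {subject}: {detail}")
```

Each rule on its own is noisy (a user legitimately runs a new program now and then), which is why the output is best read as a chain: a spray hit, then an unfamiliar program, a logon to a domain controller the user never touches, and an attempt to use a privileged account, all from one session. Correlating those events by account and time window, rather than alerting on any single one, is what lets a SOC separate a compromised account from a normal employee.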