Colonial Attackers Used Compromised VPN CredentialsAccessed VPN Account No Longer Used; Lacked Multifactor Authentication
Investigators have uncovered that ransomware operators gained access to Colonial Pipeline Co. via a VPN account that was no longer regularly used and didn't have two-step verification enabled.
The credentials for the VPN account turned up in another data breach, but it's not clear what service was breached, says Charles Carmakal, senior vice president and chief technology officer of FireEye’s Mandiant division, which investigated the Colonial Pipeline attack. It's unknown, however, exactly how the attackers sourced the credentials but it doesn’t appear to have been a phishing attack, he says.
Colonial Pipeline Co. was hit by ransomware on May 7. The ransomware affected some of its business systems but as a precaution, it voluntarily shut down its 5,500-mile pipeline. The pipeline supplies petroleum products throughout large portions of the eastern U.S. The outage, which lasted around six days, resulted in more than 10,000 gas stations running out of fuel.
Experts say the cause of the breach, first reported by Bloomberg, demonstrates the need for organizations to practice basic IT security hygiene, including turning on two-step verification and disabling accounts that are no longer used.
Matthew Gribben, cybersecurity expert and former GCHQ cybersecurity consultant, says that the attack could have easily been prevented with two-step verification and good auditing of user accounts.
"Colonial Pipeline has said the account in question was no longer active at the time of the attack but could still be used for VPN access, which raises the question: Why was a deactivated account still enabled for the VPN?," Gribben notes. "We see time and time again that the major point of weakness in businesses' cyber defense is user identity rather than systems, and this can be prevented with really easy-to-implement security measures like two-factor authentication and continuous access evaluation and conditional access policies."
Javvad Malik, security awareness advocate at KnowBe4, says the majority of cases of ransomware or other intrusions within organizations occur as the result of a handful of root causes - social engineering, such as phishing, or unpatched software or weak credentials.
"So, these are the areas organizations should address as a priority. While these may seem like basic security controls, they are the underpinnings of an organization's overall security posture, and neglecting them can lead to catastrophic breaches even if other controls are in place."
Ransom Partly Recovered
The investigation into the Colonial Pipeline attack continues, and Congress will hold hearings on both Tuesday and Wednesday (see: Colonial Pipeline CEO to Testify at Congressional Hearing).
Lawmakers are expected to ask Colonial Pipeline CEO Joseph Blount about why the firm paid 75 bitcoins, worth $4.4 million in early May, to the DarkSide criminal gang to obtain a decryption. The tool turned out to work too slowly, according to Bloomberg, and Colonial Pipeline began restoring systems from its own backups (see: Colonial Pipeline CEO Confirms $4.4 Million Ransom Payment).
In a surprising twist on Monday, the Justice Department announced that it had recovered 63.7 of the 75 bitcoins that Colonial Pipeline paid to the attackers. Due to fluctuations in bitcoin's price since the ransom was paid, the 63.7 bitcoins now represent only $2.3 million.
But the development marks a remarkable sign of the government's capability to trace ransom payments, and the possibility that interdiction into cryptocurrency payments could be a key strategy to fight ransomware gangs (see: $2.3 Million of Colonial Pipeline Ransom Payment Recovered).
The recovery was possible because Colonial Pipeline contacted law enforcement officials soon after it was attacked, according to Deputy Attorney General Lisa Monaco and FBI Deputy Director Paul Abbate.
Executive Editor Jeremy Kirk contributed to this report.