Colonial Pipeline’s $4.4m USD ransomware attack was caused by a simple password breach

An investigative consultant has revealed that last month’s historic ransomware attack against Colonial Pipeline was carried out through a simple password breach.

The attack – which led to a five-day service outage and a $4.4 million USD ransom payment – was initiated by the ransomware group DarkSide through an inactive account that had neither been disabled nor secured with two-factor authentication.

The account was a Virtual Private Network (VPN) account. Because the VPN accepted a valid username and password with no second factor, the leaked credentials alone gave DarkSide a direct tunnel into Colonial Pipeline’s corporate network; no software vulnerability had to be exploited.

From there, the hackers went unnoticed while they set up and deployed the devastating ransomware attack.

When you take a step back and examine the wider economic impacts of this attack, it can be surprising to hear that a simple password breach is the root cause of it all.

The shutdown of Colonial Pipeline’s system left roughly 10,000 gas stations in the Eastern United States without a fuel supply, and ultimately resulted in price hikes that tipped the national average over $3 for the first time in 6 years.

Furthermore, the attack and Colonial Pipeline’s response to it have raised questions about what due diligence looks like in the current cybersecurity landscape.

Namely, as the operator of a pipeline that carries nearly half of the East Coast’s fuel supply, could Colonial Pipeline be considered negligent for not requiring two-factor authentication, or for failing to close the inactive account?

A putative class-action lawsuit has been filed against Colonial Pipeline making exactly that argument. Colonial Pipeline’s decision to pay the $4.4 million USD ransom has also been called into question as potentially unethical, with many industry experts concerned that it could encourage further attacks of this kind.

At the end of the day, a few basic security controls could have significantly reduced the risk of ransomware and potentially prevented this attack. Regardless of the size of your business, here are a few changes you can make that substantially improve your security posture:

  • Enforce a password policy: The password for the compromised VPN account has since been found on the dark web in a batch of leaked credentials, which indicates that it was lost in a separate breach and then reused for the VPN account.

    A password policy exists to close exactly this hole. Screen new and existing passwords against lists of known-breached credentials and reject any match, require a sensible minimum length, and don’t allow staff to reuse a password across services. Forced periodic rotation on its own would not have helped here, and current guidance (NIST SP 800-63B) recommends against arbitrary rotation because it pushes users toward predictable, reused variants; instead, rotate a password as soon as there is evidence it has been exposed.
  • Require multi-factor authentication on remote access: The compromised account had no second factor, so a single leaked password was enough to open a tunnel into the corporate network. Enforce MFA on every VPN and other remote-access account, with no exceptions for dormant, contractor or service accounts.
  • Deactivate unused accounts: One thing we’re often guilty of is leaving unused accounts open. Whether we forget or simply put off closing work accounts, it can lead to a devastating compromise. Create a formalised procedure for cataloguing and routinely reviewing work accounts, record when each was last used, and terminate any that are no longer needed.
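The checks above can be automated. The following Python script is an added example, not code from the original article or from Colonial Pipeline: it reviews a constructed VPN account export for dormant and MFA-less accounts, and screens passwords against a breached-password corpus using the k-anonymity range scheme of the Have I Been Pwned "Pwned Passwords" service, with the HTTP lookup replaced by an in-memory table so it runs offline. The account field names, usernames, sample passwords and breach counts are all constructed for the example.

```python
"""Added example: two checks an access review can automate.

1. Flag VPN accounts that are dormant (no login in N days) or lack MFA.
2. Screen a password against a breached-password corpus the way the
   Have I Been Pwned "Pwned Passwords" range API does: SHA-1 the
   password, look up only the first 5 hex characters, and compare the
   returned hash suffixes locally (k-anonymity), so the password itself
   never leaves the host.

The account export and the breach corpus below are constructed for the
example; the range lookup is simulated with an in-memory table instead
of the real HTTP call (GET https://api.pwnedpasswords.com/range/<prefix>).
"""
import hashlib
from datetime import datetime, timedelta, timezone

# Date of the review in the example (the day the Colonial outage began).
ATTACK_DATE = datetime(2021, 5, 7, tzinfo=timezone.utc)

# Constructed sample of a VPN account export (field names are assumptions).
VPN_ACCOUNTS = [
    {"user": "jdoe",        "last_login": "2021-04-30T08:12:00Z", "mfa": True},
    {"user": "contractor7", "last_login": "2020-11-02T17:45:00Z", "mfa": False},
    {"user": "svc-backup",  "last_login": None,                   "mfa": False},
    {"user": "asmith",      "last_login": "2021-05-06T22:03:00Z", "mfa": False},
]


def review_accounts(accounts, now, max_idle_days=90):
    """Return (stale, no_mfa): usernames idle longer than max_idle_days
    (or never used at all) and usernames without a second factor."""
    cutoff = now - timedelta(days=max_idle_days)
    stale, no_mfa = [], []
    for acct in accounts:
        last = acct["last_login"]
        if last is None:
            stale.append(acct["user"])          # never used: disable or justify
        else:
            when = datetime.strptime(last, "%Y-%m-%dT%H:%M:%SZ")
            if when.replace(tzinfo=timezone.utc) < cutoff:
                stale.append(acct["user"])      # dormant: disable
        if not acct["mfa"]:
            no_mfa.append(acct["user"])         # a password alone opens the tunnel
    return stale, no_mfa


def sha1_hex(password):
    """Upper-case hex SHA-1, the form the Pwned Passwords corpus uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus keyed by 5-char SHA-1 prefix, each entry in the
# "SUFFIX:COUNT" form the real range endpoint returns. Counts are made up.
BREACH_RANGES = {}


def _seed_breach(password, count):
    digest = sha1_hex(password)
    BREACH_RANGES.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")


for _pw, _count in [("password1", 2401), ("Summer2020!", 1337), ("letmein", 300)]:
    _seed_breach(_pw, _count)


def breach_count(password, ranges=BREACH_RANGES):
    """How many times the password appears in the corpus (0 if it does not).
    Only the 5-char prefix goes to the lookup; the suffix match happens here."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in ranges.get(prefix, []):
        found, count = line.split(":")
        if found == suffix:
            return int(count)
    return 0


def password_acceptable(password, min_len=12):
    """Policy check: long enough and never seen in a breach."""
    return len(password) >= min_len and breach_count(password) == 0


if __name__ == "__main__":
    stale, no_mfa = review_accounts(VPN_ACCOUNTS, ATTACK_DATE)
    print("disable (dormant):", stale)
    print("enforce MFA:", no_mfa)
    for pw in ["Summer2020!", "correct horse battery staple"]:
        print(f"{pw!r}: seen {breach_count(pw)} times, acceptable={password_acceptable(pw)}")
```

In production, replace the in-memory table with the real range request (only the 5-character prefix ever goes over the wire) and run the account review against the login audit export from your VPN appliance or identity provider. Anything in the stale list should be disabled, and anything in the no-MFA list should be blocked from remote access until a second factor is enrolled.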