Breached Colonial VPN password was complex, but reused

[Image: security key (image credit: Pixabay)]

The compromised VPN password that allowed DarkSide operators to get into Colonial Pipeline’s network had been used on multiple websites, according to new insights into the attack.

The revelation was made by Charles Carmakal, senior vice president and CTO at Mandiant, the incident response division of cybersecurity firm FireEye, which has been brought in to assist with the investigation into Colonial’s ransomware attack.

Carmakal further shared that the password was “relatively complex… in terms of length, special characters and case set” as he addressed a House Committee on Homeland Security hearing on the cyberattack, together with Colonial Pipeline’s CEO, Joseph Blount.

Mandiant had earlier shared that, equipped with the password, the Colonial attackers would not have faced much resistance logging into the network, as the VPN account did not use multi-factor authentication (MFA).

Password hygiene

Security experts have reiterated that a password on its own no longer counts as an effective strategy for preventing break-ins; passwords are close to useless without additional layers of security, such as those provided by MFA.

“Even the strongest, most complex passwords can be found living on the dark web, and without MFA these attacks will continue to occur,” Patrick Tiquet, VP of Security at Keeper Security tells TechRadar Pro.

He further adds that liability, either in the form of a duplicated password or a former employee maintaining account access after departing the company, is around every corner, and that “proper password hygiene is paramount in eliminating occurrences of attacks” like Colonial’s.
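The point Carmakal and Tiquet make is that complexity rules say nothing about whether a password has already leaked: a long, mixed-character password that appears in a breach dump is as weak as “password123”. The following is an added example (not code from the article, Mandiant or Keeper Security) of how a defender can screen new VPN or directory passwords against a breached-password corpus before accepting them. It uses the k-anonymity scheme popularised by Have I Been Pwned, where only the first five hex characters of the SHA-1 hash would leave the client and the suffix match happens locally; here the corpus is a small constructed list embedded in the script so it runs offline, and the passwords in it are invented, not real breach data.

```python
import hashlib
import re

# Constructed sample corpus standing in for a breached-password list.
# These strings are invented for the example; they are NOT real breach data.
CONSTRUCTED_BREACH_CORPUS = [
    "password123",
    "Summer2021!",
    "Gr@nite-Harbor-2021",   # invented: passes complexity rules but is "breached"
    "letmein",
]


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, as range-query services use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Index breached hashes by their 5-hex-char SHA-1 prefix.

    This is the k-anonymity partitioning: a client asks for one prefix bucket
    and compares the remaining 35 characters locally, so the service never
    learns the full hash of the password being screened.
    """
    index = {}
    for pw in corpus:
        h = sha1_upper(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


def is_breached(password: str, index) -> bool:
    """True if the password's SHA-1 suffix is present in its prefix bucket."""
    h = sha1_upper(password)
    return h[5:] in index.get(h[:5], set())


def looks_complex(password: str, min_len: int = 12) -> bool:
    """Classic complexity rule: length plus lower, upper, digit and symbol."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(password) >= min_len and all(re.search(c, password) for c in classes)


def screen(password: str, index) -> dict:
    """Combine both checks; a breached password is rejected however complex it is."""
    complex_enough = looks_complex(password)
    breached = is_breached(password, index)
    return {
        "complex": complex_enough,
        "breached": breached,
        "accept": complex_enough and not breached,
    }


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    for candidate in ["Gr@nite-Harbor-2021", "letmein", "zq7!Lm#2wRp9vT"]:
        print(candidate, screen(candidate, idx))
```

In a real deployment the corpus would be a local copy of a breached-password list or a query to a range API, and the screen would run at password-set time in the identity provider; the verdict structure is deliberately separate from the two checks so that a policy can require MFA regardless of the outcome, which is the article's central point.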

From a wider perspective, Tiquet believes that while the new ransomware guidance of the Cybersecurity and Infrastructure Security Agency (CISA) helps businesses respond to a ransomware attack, their focus should still be on proactive protection.

“Additional effective preventative measures include disabling unnecessary access, isolating networks, keeping current on patches, enforcing least-privileges, and maintaining offline backups of important data,” says Tiquet, listing some of the best practices that businesses should adopt to shield themselves from such attacks.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.