Colonial Pipeline attack made possible by compromised VPN password


The investigation into the recent cyberattack on Colonial Pipeline’s computers has revealed that the threat actors made their way into the network via a compromised VPN password.

The development comes as the US government claims to have recovered most of the Bitcoin ransom (worth about $4.4 million when it was paid) that Colonial handed over to regain control of its network.

The DarkSide ransomware gang attacked Colonial Pipeline in early May and, besides encrypting the computers, also made off with 100GB of data in the double-extortion ploy that virtually all ransomware operators now use.

Insecure access

Based on input from cybersecurity firm Mandiant, Bloomberg reports that the threat actors were able to compromise the VPN account because it didn’t use multi-factor authentication (MFA), which would’ve added another layer of security on top of the password.

Last month, Stefan Schachinger, Product Manager, Network Security, IoT, OT, ICS at Barracuda, told TechRadar Pro that he believed Colonial had been breached through insecure remote access, and that such access points need to be properly secured.

“Remote accesses are not insecure per definition but require proper security measures such as encryption and multifactor authentication. Organizations should also implement a layered defence strategy, with multiple technical hurdles that keep attackers and malicious software out,” he told us.
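The gap Mandiant describes above, a VPN account that authenticates with a password alone, is something a defender can look for in their own authentication logs before an attacker does. The script below is an added example, not code from the article, Mandiant, Barracuda or Colonial Pipeline: it walks a constructed set of VPN authentication events in an assumed key=value log format (the field names `event`, `user`, `src`, `result` and `mfa` are illustrative assumptions, as are the usernames and addresses) and reports every successful login that did not complete a second factor, treating a missing `mfa` field as "no MFA" rather than silently ignoring it.

```python
"""Audit VPN authentication logs for successful logins that did not complete MFA.

Added example; not from the article or from any of the organisations it names.
The key=value log format, field names, usernames and addresses are assumptions
chosen for illustration.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real data). One account, "legacy-svc",
# never presents a second factor; "bob" logs in twice with MFA disabled.
SAMPLE_LOG = """\
2021-04-29T08:12:03Z event=vpn_auth user=alice src=203.0.113.10 result=success mfa=true method=totp
2021-04-29T08:15:44Z event=vpn_auth user=bob src=198.51.100.7 result=success mfa=false
2021-04-29T08:16:02Z event=vpn_auth user=carol src=192.0.2.55 result=failure mfa=false
2021-04-29T08:20:19Z event=vpn_auth user=legacy-svc src=198.51.100.7 result=success
2021-04-29T08:21:00Z event=vpn_disconnect user=alice src=203.0.113.10
this line is malformed and should be skipped
2021-04-29T09:02:47Z event=vpn_auth user=bob src=198.51.100.7 result=success mfa=false
"""

# Matches key=value pairs; values may be bare tokens or double-quoted strings.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse '<timestamp> k=v k=v ...' into a dict.

    Returns None for lines that lack an ISO-style timestamp or an event field,
    so a malformed line is skipped rather than crashing the audit.
    """
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    ts, rest = parts
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    if "event" not in fields or not ts.endswith("Z"):
        return None
    fields["ts"] = ts
    return fields


def find_password_only_logins(log_text):
    """Return successful VPN authentications that did not complete MFA.

    A missing mfa field is treated the same as mfa=false: an account that
    never presents a second factor is exactly the weakness described above,
    and a log that does not record MFA at all should not pass the audit.
    """
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.get("event") != "vpn_auth" or ev.get("result") != "success":
            continue
        if ev.get("mfa", "false").lower() != "true":
            findings.append({"ts": ev["ts"], "user": ev["user"], "src": ev.get("src", "?")})
    return findings


def summarize_by_user(findings):
    """Count password-only successes per account, worst offenders first."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["user"]] += 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    hits = find_password_only_logins(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['user']} from {h['src']}: VPN login without MFA")
    print("per-account totals:", summarize_by_user(hits))
```

Run against the constructed sample, the audit flags three logins (two for `bob`, one for `legacy-svc`), ignores the MFA-backed login, the failed attempt, the disconnect event and the malformed line. On a real VPN concentrator the same idea applies: export successful authentications, join against whichever field records the second factor, and treat every account that shows up with none as a finding to close, either by enrolling it in MFA or by disabling it.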

Is cryptocurrency an enabler?

In light of the recent spate of ransomware attacks, the US government has taken a number of steps to rein in the growing threat. In addition to setting up a dedicated ransomware task force, the US Department of Justice (DoJ) has declared that it will treat ransomware attacks with the same priority as terrorism cases.

Following the toughened US stance comes news of the government recovering 63.7 Bitcoin ($2.3 million) that were reportedly paid by Colonial, based on reports of a warrant filed in the US District Court in California. The warrant appears to point to a little-used cryptocurrency wallet with only one incoming transaction, making its identification easier.

John Hammond, senior security researcher at Huntress, tells us that he believes the recovery was possible only because the threat actors made a mistake. Hammond thinks cryptocurrency is the single most enabling factor in modern cybercrime, and that its inherent design makes it “a perfect getaway car.”

“It is great to see the thorough investigation and detective work could help recover money for Colonial Pipeline, but unless something is done about cryptocurrencies, we might not be as fortunate again. Whether it is abolishing cryptocurrencies, adding oversight or other safeguards, something has to be changed so at the very least we aren't relying on a mere hope that the criminals made a mistake,” believes Hammond.

Via The Verge

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.