Colonial Pipeline attack made possible by compromised VPN password


The investigation into the recent cyberattack on Colonial Pipeline’s computers has revealed that the threat actors made their way into the network via a compromised VPN password. 

The development comes as the US government claims to have recovered the bulk of the Bitcoin that Colonial paid as a $4.4 million ransom to regain control over its network.

The DarkSide ransomware gang attacked Colonial Pipeline in early May and, besides encrypting its computers, also exfiltrated 100GB of data in the double-extortion ploy that is now standard practice among ransomware operators.

Insecure access

Citing cybersecurity firm Mandiant, Bloomberg reports that the threat actors were able to compromise the VPN account because it did not use multi-factor authentication (MFA), which would have required a second factor on top of the password. 

Last month, Stefan Schachinger, Product Manager for Network Security, IoT, OT and ICS at Barracuda, told TechRadar Pro that he believed Colonial was attacked through insecure remote access, and that such access needs to be properly secured.

“Remote access is not insecure by definition but requires proper security measures such as encryption and multi-factor authentication. Organizations should also implement a layered defence strategy, with multiple technical hurdles that keep attackers and malicious software out,” he told us.

Is cryptocurrency an enabler?

In light of the recent spate of ransomware attacks, the US government has taken a number of steps to rein in the growing threat. In addition to setting up a dedicated ransomware task force, the US Department of Justice (DoJ) has said it will give ransomware investigations a priority similar to that of terrorism cases.

Following the toughened US stance comes news that the government has recovered 63.7 Bitcoin ($2.3 million) reportedly paid by Colonial, according to reports of a warrant filed in the US District Court in California. The warrant appears to point to a little-used cryptocurrency wallet with only one incoming transaction, which made it easier to identify.

John Hammond, senior security researcher at Huntress, tells us he believes the recovery was possible only because the threat actors made a mistake. Hammond thinks cryptocurrencies are the single most enabling factor in modern cybercrime, and that their inherent design makes them “a perfect getaway car.”

“It is great to see the thorough investigation and detective work could help recover money for Colonial Pipeline, but unless something is done about cryptocurrencies, we might not be as fortunate again. Whether it is abolishing cryptocurrencies, adding oversight or other safeguards, something has to be changed so at the very least we aren't relying on a mere hope that the criminals made a mistake,” believes Hammond.

Via The Verge

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.