Last month, attackers infiltrated Colonial Pipeline's computer network, which led to the shutdown of its entire pipeline.
The pipeline carries nearly half of the fuel supply for the Southeastern United States. Colonial Pipeline elected to pay a ransom of nearly $4 million the same day. The pipeline was down for six days, which caused a run on fuel stations throughout the Southeast.
Ahead of upcoming Congressional committee hearings, Colonial Pipeline made CEO Joseph Blount and Mandiant senior vice president Charles Carmakal available to speak publicly about the causes of the breach.
On Friday, Bloomberg reported that a compromised password for an inactive account was used to breach Colonial Pipeline's network. The account belonged to a user who no longer worked for Colonial Pipeline, yet it had never been deactivated and still had VPN access. The user had most likely reused the password on non-corporate accounts; when one of those sites was breached, the password ended up in credential dumps circulating on the dark web. It isn't known how the attackers obtained the username, but usernames are easy to obtain by other means: most organizations use a predictable format that often matches the e-mail address, and some exposed services reveal whether a given username exists. As an example only (there is no evidence this was used against Colonial Pipeline), Exchange Server's Outlook Web Access returns error responses that differ for valid and invalid usernames, which lets an attacker confirm account names one by one.
The VPN through which the attackers entered was not protected by multifactor authentication (MFA), at least not for the account used in the attack. A VPN (virtual private network) is how many companies provide remote access to users, so without MFA a single valid username and password was all it took to get inside.
In our assessments, more than 80 percent of the time we find externally exposed systems (including cloud applications) without MFA, and more than 90 percent of the time we find poor password and user-account hygiene.
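The three hygiene failures described above (a departed user whose account was never disabled, a remote-access account nobody has used in months, and VPN access without MFA) are all things a directory export can surface in minutes. The script below is an added example, not Colonial Pipeline's, Mandiant's or Bloomberg's code. It assumes a CSV export with the columns `sam,enabled,last_logon,groups,mfa_enrolled`, a group named `VPN-Users` that grants remote access, and an HR-supplied list of leavers; the account records and the leaver list are constructed sample data, and the clock is pinned so the output is reproducible.

```python
"""Joiner/mover/leaver and MFA hygiene checks over a directory export.

Added example (not code from Colonial Pipeline or Mandiant). Assumes a CSV
export with the columns below and a remote-access group named VPN-Users.
All records and the HR leaver list are constructed sample data.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export: one row per directory account.
# last_logon is ISO-8601 UTC, or empty when the account has never logged on.
DIRECTORY_EXPORT = """\
sam,enabled,last_logon,groups,mfa_enrolled
jdoe,true,2021-05-06T14:02:00Z,VPN-Users;Staff,true
rsmith,true,2020-11-19T08:30:00Z,VPN-Users;Finance,false
svc-legacy,true,,VPN-Users,false
kwong,false,2021-01-04T09:00:00Z,VPN-Users,false
mgarcia,true,2021-05-05T22:10:00Z,VPN-Users;Staff,false
tlee,true,2021-05-06T07:45:00Z,Staff,false
"""

# Constructed HR leaver list: account names of people who have left the company.
HR_LEAVERS = {"rsmith", "kwong"}

# Assumed group name that grants remote access through the VPN.
REMOTE_ACCESS_GROUPS = {"VPN-Users"}

# Fixed "now" so the checks below are reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2021, 5, 7, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)


def load_accounts(text):
    """Parse the CSV export into dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        row["enabled"] = row["enabled"].lower() == "true"
        row["mfa_enrolled"] = row["mfa_enrolled"].lower() == "true"
        row["groups"] = set(g for g in row["groups"].split(";") if g)
        row["last_logon"] = (
            datetime.fromisoformat(row["last_logon"].replace("Z", "+00:00"))
            if row["last_logon"] else None
        )
        accounts.append(row)
    return accounts


def has_remote_access(acct):
    return bool(acct["groups"] & REMOTE_ACCESS_GROUPS)


def is_stale(acct, now=NOW, max_age=STALE_AFTER):
    """An account with no recorded logon is treated as stale: nobody can vouch for it."""
    return acct["last_logon"] is None or now - acct["last_logon"] > max_age


def leaver_accounts_still_enabled(accounts, leavers=HR_LEAVERS):
    """People HR says have left, but whose login still works (the Colonial Pipeline pattern)."""
    return sorted(a["sam"] for a in accounts if a["enabled"] and a["sam"] in leavers)


def stale_remote_access_accounts(accounts, now=NOW):
    """Enabled accounts that can reach the VPN but have not been used within the window."""
    return sorted(a["sam"] for a in accounts
                  if a["enabled"] and has_remote_access(a) and is_stale(a, now))


def remote_access_without_mfa(accounts):
    """Enabled accounts that can reach the VPN with only a password."""
    return sorted(a["sam"] for a in accounts
                  if a["enabled"] and has_remote_access(a) and not a["mfa_enrolled"])


def run_checks(text=DIRECTORY_EXPORT):
    accounts = load_accounts(text)
    return {
        "leaver_still_enabled": leaver_accounts_still_enabled(accounts),
        "stale_remote_access": stale_remote_access_accounts(accounts),
        "remote_access_no_mfa": remote_access_without_mfa(accounts),
    }


if __name__ == "__main__":
    for check, hits in run_checks().items():
        print(f"{check}: {', '.join(hits) if hits else 'none'}")
```

Against the sample data, `rsmith` trips all three checks: a leaver whose account is still enabled, unused for months, reachable over the VPN with a password alone. The never-used `svc-legacy` account is caught by the staleness and MFA checks even though it appears on no leaver list, and `mgarcia` shows up only in the MFA gap. The point of running the leaver reconciliation separately from the staleness check is that a departed user's account can be "fresh" if the credentials are already being used by someone else.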
Defense is always less expensive than recovery; our hand is extended for either. Please compute safely.