Attackers accessed a VPN account that was no longer in use to freeze the company’s network in a ransomware attack whose repercussions are still being felt.
It took only one dusty, no-longer-used password for the DarkSide cybercriminals to breach the network of Colonial Pipeline Co. last month, resulting in a ransomware attack that caused significant disruption and remains under investigation by the U.S. government and cybersecurity experts.
Attackers used the password to a VPN account that was no longer in use but still allowed them to remotely access Colonial Pipeline’s network, Charles Carmakal, senior vice president at FireEye’s cybersecurity consulting firm Mandiant, told Bloomberg in an interview, according to a published report on the news outlet’s website.
The news once again highlights the importance of password security, as it comes on the heels of a separate report that hackers leaked the largest password collection to date – a 100 gigabyte file called “RockYou2021” containing 8.4 billion passwords – on a popular hacker forum earlier this week.
Indeed, the password used for the Colonial attack also was discovered inside a batch of leaked passwords on the dark web, according to Bloomberg, and company officials and investigators are still unclear about how hackers obtained the password in the first place.
“We don’t see any evidence of phishing for the employee whose credentials were used,” Carmakal told Bloomberg. “We have not seen any other evidence of attacker activity before April 29.”
He speculated that the password may have gotten into the wrong hands when a Colonial employee reused it on another account that was previously compromised, according to the report.
The incident also underscores the inherent weakness of relying on a password alone, which is still the most common way employees are allowed onto corporate networks, even though organizations have numerous multi-factor authentication and identity-management options for protecting remote access and sensitive data.
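Two checks that would have surfaced the conditions the article describes, a VPN account that is still enabled but no longer used, and a password that already sits in a public leak, written here as an added example rather than code from the article, Mandiant or Colonial Pipeline. The first part flags enabled accounts with no recent successful login, accounts whose latest login follows a long gap (a dormant account suddenly revived), and accounts that have no second factor. The second part checks a password against a breached-password corpus using the SHA-1-prefix (k-anonymity) lookup that the Have I Been Pwned Pwned Passwords service uses, but against an in-memory index so it runs offline. The account inventory, log lines and leaked-password list are constructed for illustration.

```python
"""Added example: dormant-account and breached-password checks.

Everything below (accounts, log lines, leaked passwords) is constructed
sample data; the breach lookup imitates the HIBP range-query scheme
(send the first 5 hex chars of the uppercase SHA-1, match the suffix
locally) against an in-memory index instead of the real service.
"""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed VPN account inventory: enabled flag and MFA enrolment.
ACCOUNTS = {
    "jdoe": {"enabled": True, "mfa": True},
    "legacy-contractor": {"enabled": True, "mfa": False},  # dormant, password-only
    "ops-bot": {"enabled": False, "mfa": False},           # already disabled
    "msmith": {"enabled": True, "mfa": False},
}

# Constructed VPN authentication log: "<timestamp> <user> <result>".
VPN_LOG = """\
2021-04-10T08:12:03Z jdoe success
2021-04-11T09:01:44Z msmith success
2020-11-02T17:30:00Z legacy-contractor success
2021-04-12T07:55:10Z msmith failure
2021-04-28T13:05:22Z jdoe success
2021-04-29T02:14:51Z legacy-contractor success
"""

# Constructed leaked-password list standing in for a breach corpus.
LEAKED_PASSWORDS = ["123456", "password", "Summer2020!", "Welcome2019"]


def parse_log(text):
    """Return {user: sorted list of successful-login times (UTC)}."""
    logins = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        if result == "success":
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            logins[user].append(when.replace(tzinfo=timezone.utc))
    return {u: sorted(t) for u, t in logins.items()}


def dormant_accounts(accounts, logins, as_of, max_idle_days=90):
    """Enabled accounts with no successful login in the window before as_of."""
    cutoff = as_of - timedelta(days=max_idle_days)
    flagged = []
    for user, attrs in accounts.items():
        if not attrs["enabled"]:
            continue
        past = [t for t in logins.get(user, []) if t <= as_of]
        if not past or past[-1] < cutoff:
            flagged.append(user)
    return sorted(flagged)


def revived_accounts(logins, min_gap_days=90):
    """Accounts whose latest login follows a gap longer than min_gap_days."""
    gap = timedelta(days=min_gap_days)
    return sorted(u for u, t in logins.items()
                  if len(t) >= 2 and t[-1] - t[-2] > gap)


def password_only_accounts(accounts):
    """Enabled accounts that can log in with nothing but a password."""
    return sorted(u for u, a in accounts.items()
                  if a["enabled"] and not a["mfa"])


def build_range_index(passwords):
    """Index breached passwords by SHA-1 prefix, as a range-query server would."""
    index = defaultdict(dict)
    for pw in passwords:
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        prefix, suffix = digest[:5], digest[5:]
        index[prefix][suffix] = index[prefix].get(suffix, 0) + 1
    return index


def pwned_count(password, index):
    """How many times a password appears in the corpus, revealing only its prefix."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # Only `prefix` leaves the client; the server returns every suffix under
    # it and the comparison happens locally, so the full hash is never sent.
    return index.get(prefix, {}).get(suffix, 0)


def run_checks():
    """Run all checks over the constructed data and return the findings."""
    logins = parse_log(VPN_LOG)
    index = build_range_index(LEAKED_PASSWORDS)
    return {
        # Audit as of the day before the attacker's April 29 login.
        "dormant": dormant_accounts(
            ACCOUNTS, logins, datetime(2021, 4, 28, 12, tzinfo=timezone.utc)),
        "revived": revived_accounts(logins),
        "password_only": password_only_accounts(ACCOUNTS),
        "reused_leaked": pwned_count("Summer2020!", index),
        "unique": pwned_count("a long unique passphrase 7f3k", index),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

Run periodically, the dormant-account check is the one that retires the "no longer in use" VPN account before it can be abused; the revival check is the detection to keep for the case where it was not retired in time. In production the `build_range_index` side is replaced by a real range-query service, but the client logic (hash, send the prefix, match the suffix locally) is the same.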
It also shows how easy it is for anyone with nefarious intent to gain access to someone’s password and use it for financial gain or disruption, with large caches of passwords lifted from cyberattacks constantly being dumped online by hackers, observed one security expert.
“The bar is now ridiculously low for attackers to come into contact with such large sums of data, virtually undetected,” Mike Puglia, chief strategy officer at unified IT management software firm Kaseya, said in an email to Threatpost. “It requires minimal technical ability, and the financial cost to carry attacks out is negligible.”
Buying credential lists and attack kits can be done by “anyone” and yields 0.2 percent to 0.5 percent success rates on targets that comprise “a small number of environments that everyone uses,” he said.
“As long as the success rates remain high and the cost and effort remains low, these attacks will continue to increase,” Puglia said.
Colonial Pipeline, which serves the eastern U.S., first reported that it was the victim of a ransomware attack on May 7. The attack shut down a pipeline that runs along the entire eastern seaboard, from the southern states as far north as New York, and caused major disruption, including fuel shortages across the region, a sharp rise in gas prices and airlines scrambling for fuel.
The attack’s effects were so dire that President Joe Biden declared a state of emergency, and Colonial Pipeline ended up paying the ransom – about $4.4 million in Bitcoin – to the DarkSide ransomware gang for a decryption tool so it could restore systems disabled in the attack.
Indeed, financial gain was always the motivation for the attack, with DarkSide publicly stating in the days following the incident that the disruption it caused was mere collateral damage and not the group’s original intent.
The FBI and Department of Justice managed to track Colonial Pipeline’s ransom payment through a number of cryptocurrency wallets controlled by DarkSide and have now clawed back approximately $2.3 million worth of bitcoin from the ransomware-as-a-service (RaaS) gang’s digital wallet, they said earlier this week.