Archive for June 6, 2021

#Fail: American Pipeline Company Got Pwned Because Of A Compromised Password

Posted in Commentary with tags on June 6, 2021 by itnerd

Remember the ransomware attack on Colonial Pipeline, which took down a major pipeline along the east coast of the US and in the process severely constrained the fuel supply for millions of Americans? Well, we now know how the hackers got in. And it’s an illustration of why password hygiene is important:

The hack that took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast was the result of a single compromised password, according to a cybersecurity consultant who responded to the attack. Hackers gained entry into the networks of Colonial Pipeline Co. on April 29 through a virtual private network account, which allowed employees to remotely access the company’s computer network, said Charles Carmakal, senior vice president at cybersecurity firm Mandiant, part of FireEye Inc., in an interview. The account was no longer in use at the time of the attack but could still be used to access Colonial’s network, he said.

The account’s password has since been discovered inside a batch of leaked passwords on the dark web. That means a Colonial employee may have used the same password on another account that was previously hacked, he said. However, Carmakal said he isn’t certain that’s how hackers obtained the password, and he said investigators may never know for certain how the credential was obtained. The VPN account, which has since been deactivated, didn’t use multifactor authentication, a basic cybersecurity tool, allowing the hackers to breach Colonial’s network using just a compromised username and password. It’s not known how the hackers obtained the correct username or if they were able to determine it on their own. “We did a pretty exhaustive search of the environment to try and determine how they actually got those credentials,” Carmakal said. “We don’t see any evidence of phishing for the employee whose credentials were used. We have not seen any other evidence of attacker activity before April 29.” 

A little more than one week later, on May 7, an employee in Colonial’s control room saw a ransom note demanding cryptocurrency appear on a computer just before 5 a.m. The employee notified an operations supervisor who immediately began to start the process of shutting down the pipeline, Colonial Chief Executive Officer Joseph Blount said in an interview. By 6:10 a.m., the entire pipeline had been shut down, Blount said. It was the first time Colonial had shut down the entirety of its gasoline pipeline system in its 57-year history, Blount said. “We had no choice at that point,” he said. “It was absolutely the right thing to do. At that time, we had no idea who was attacking us or what their motives were.”

So, what would have stopped this hack from happening? Multi-factor authentication would have gone a long way: with MFA on the VPN, a username and password alone would not have been enough, and the attackers, who had neither a token nor any other second factor, would have been kept out. Colonial needs to up its game on that front. But Colonial also should have done a better job with account hygiene. An account that was no longer in use should have been disabled or removed, and a credential that had already turned up in a leaked password dump should have been caught and reset before anyone else could use it. The fact that a dormant account was still live, with a password that was sitting in a dump on the dark web, is a problem, and Colonial needs to do something about that too.
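Those three failures (a dormant account left enabled, no MFA on it, and a password that already appeared in a leak) are all things you can check for in your own account inventory. The script below is an added example for this post, not Colonial’s or Mandiant’s tooling; the account records, the leaked-hash corpus, the 90-day dormancy threshold and the reference date are all constructed for illustration. The leak check mirrors the prefix/suffix (k-anonymity) lookup used by Have I Been Pwned’s Pwned Passwords service, but runs against a local set of SHA-1 hashes so it works offline.

```python
"""Audit remote-access (e.g. VPN) accounts for the weaknesses described above:
dormant-but-enabled accounts, missing MFA, and passwords present in a leak corpus.

Added example for this post; all data below is constructed, not real inventory.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Account:
    username: str
    enabled: bool
    mfa_enrolled: bool
    last_login: Optional[datetime]  # None means the account has never logged in
    created: datetime
    password_sha1: str  # uppercase hex SHA-1, the format Pwned Passwords uses


def sha1_hex(password: str) -> str:
    """SHA-1 of a password as uppercase hex (how leak corpora commonly store them)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed leak corpus: hashes of a few plaintexts of the kind that show up in
# public credential dumps. A real corpus holds hundreds of millions of entries.
LEAKED_SHA1 = {sha1_hex(p) for p in ["Password123", "Summer2020!", "qwerty", "Welcome1"]}


def in_leaked_corpus(password_sha1: str, corpus: set[str] = LEAKED_SHA1) -> bool:
    """k-anonymity style lookup: select corpus entries by the 5-char hash prefix,
    then compare the remaining suffix locally. Against the real Pwned Passwords
    API the 'candidates' set would be the range response for that prefix."""
    prefix, suffix = password_sha1[:5], password_sha1[5:]
    candidates = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in candidates


def audit_account(acct: Account, now: datetime, max_idle_days: int = 90,
                  corpus: set[str] = LEAKED_SHA1) -> list[str]:
    """Return the list of findings for one account (empty list means clean)."""
    findings: list[str] = []
    if not acct.enabled:
        return findings  # a disabled account cannot be used to log in
    # Never-used accounts are measured from creation, so they are not skipped.
    last_activity = acct.last_login or acct.created
    if now - last_activity > timedelta(days=max_idle_days):
        findings.append("dormant-but-enabled")
    if not acct.mfa_enrolled:
        findings.append("no-mfa")
    if in_leaked_corpus(acct.password_sha1, corpus):
        findings.append("password-in-leak-corpus")
    return findings


def audit(accounts: list[Account], now: datetime, **kwargs) -> dict[str, list[str]]:
    """Audit every account; only accounts with at least one finding are returned."""
    report: dict[str, list[str]] = {}
    for acct in accounts:
        findings = audit_account(acct, now, **kwargs)
        if findings:
            report[acct.username] = findings
    return report


UTC = timezone.utc
NOW = datetime(2021, 4, 29, tzinfo=UTC)  # constructed reference date for the audit

# Constructed sample inventory (usernames and passwords are invented).
SAMPLE_ACCOUNTS = [
    # Enabled, unused for months, no MFA, password from a leak: the worst case.
    Account("contractor01", True, False, datetime(2020, 9, 1, tzinfo=UTC),
            datetime(2019, 1, 15, tzinfo=UTC), sha1_hex("Summer2020!")),
    # Active, MFA enrolled, unique password: clean.
    Account("ops.jane", True, True, datetime(2021, 4, 28, tzinfo=UTC),
            datetime(2018, 6, 1, tzinfo=UTC), sha1_hex("c0rrect-h0rse-b4ttery")),
    # Created long ago, never logged in, but MFA enrolled: dormant only.
    Account("vpn.legacy", True, True, None,
            datetime(2018, 3, 1, tzinfo=UTC), sha1_hex("Tr0ub4dor&3")),
    # Already disabled: weak password, but it cannot be used, so no finding.
    Account("svc.backup", False, False, None,
            datetime(2017, 1, 1, tzinfo=UTC), sha1_hex("Welcome1")),
]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{user}: {', '.join(findings)}")
```

Run it against an export of your VPN or directory accounts and treat anything flagged "dormant-but-enabled" as a candidate for immediate disablement; the MFA and leak-corpus findings are what the other two controls would have caught.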

My advice to every business out there, of any size: use this as a case study to make your IT environment more secure. After all, you don’t want to be the next one who gets pwned.