Colonial Pipeline hackers gained access via unprotected VPN account: password leaked, no MFA

1 password leaked; 1 pipeline down...

Wondered how the Colonial Pipeline hack happened? Now we know: the DarkTrace cybercrime affiliates who shut down the US's largest energy pipeline last month gained access to Colonial Pipeline's network via a neglected VPN account that had been set up with no multi-factor authentication (MFA).

A single password leak, in short, was enough to halt operations on a pipeline that moves some 2.5 million barrels per day of gasoline, diesel, and jet fuel from Houston to New York.

That's according to an interview with Mandiant CTO Charles Carmakal published by Bloomberg June 4, which points to some rudimentary cyber hygiene failures at the pipeline company, which did not have a Chief Information Security Officer. Mandiant was involved in the incident response and Carmakal was given approval to speak ahead of testimony by Colonial Pipeline's CEO Michael Blount’s to Congress next week.

A password for the account -- which was not in use but had not been shut down -- has since been discovered inside a batch of leaked passwords on the dark web. It was not immediately clear when it leaked or how. The employee/contractor whose password it was may have recycled it; the attackers then somehow matched it with a correct username.

“We did a pretty exhaustive search of the environment to try and determine how they actually got those credentials,” Carmakal said. “We don’t see any evidence of phishing for the employee whose credentials were used. We have not seen any other evidence of attacker activity before April 29.”

See also: From C2 to C3: Hackers are getting esoteric when covering footprints, calling home.

The news validates the perennial urge by both public and private sector security organisations to "get the basics" right. (Stolen credentials were the number one vector for data breaches in 2019, according to this Verizon Data Breach report.) The attackers did not manage to pivot from the IT to the Operational Technology (OT) network, Carmakal affirmed to Bloomberg's William Turton and Kartikay Mehrotra. Colonial Pipeline paid the cybercrime group a $4.4 million ransom shortly after the hack.

Haveibeenpwned.com -- a free site that lets people assess if they may have been put at risk due to an online account of theirs having been compromised -- lists over 613 million real world passwords that have previously exposed in data breaches, and over 11 billion accounts.

Companies and boards aghast at the seeming ease with which cybercriminals are gaining access to organisations and overwhelmed by the seeming scale of the effort needed to shore up their security can use the National Cyber Security Centre (NCSC)'s "10 steps to cybersecurity" guide.

This spans risk management, engagement and training, asset management, architecture and configuration, vulnerability management, identity and access management, data security, logging and monitoring, incident management, and supply chain security and can be worked through methodically by those with the resource to do so. (Don't have it? Now may be the time to ask for it...)

Find The Stack on LinkedIn