Lessons from the Colonial Pipeline Breach

One of the largest, most economically devastating ransomware attacks occurred less than a month ago, and details of the attack are starting to become clearer. So what was the catalyst for this attack? It was as simple as a compromised password.

As initially reported by Bloomberg, DarkSide was able to breach Colonial Pipeline and deploy ransomware on its IT systems; Colonial shut down pipeline operations in response, causing a fuel shortage on the East Coast. Mandiant’s Charles Carmakal noted that, as they have gone through their incident response with Colonial, they have not seen “any evidence of phishing for the employee whose credentials were used.” This means that DarkSide was able to obtain and use a valid password without standard e-mail phishing or other social engineering techniques. How was DarkSide able to do this?

How Did DarkSide Get the Credentials?

Since the attack, the password used in this breach has been found in a batch of leaked credentials circulating on the Dark Web. It had likely been circulating long before the Colonial breach occurred.

Threat actors like DarkSide use a combination of sources to build a password list, from easy-to-guess passwords found in cracking dictionaries to real passwords from earlier data breaches sold or dumped on the Dark Web. Once the threat actor has a list, the attack can take a few forms: a noisy brute-force attack (many guesses against one account), a password spray (one or two common passwords tried against many accounts, staying under lockout thresholds), or the slow and methodical technique of credential stuffing, matching leaked username and password pairs to the corresponding users within Active Directory.

In this case, the account that was abused was a user account no longer in active use, tied to a legacy VPN profile that had not been removed and did not require multi-factor authentication. Dormant accounts like this make a prime target for threat actors who go after the low-hanging fruit: nobody is watching them, their passwords are rarely rotated, and they are often left out of the controls applied to active users. A truly disabled Active Directory account cannot log on, so the practical lesson is that stale accounts and VPN profiles must actually be disabled or deleted, not merely forgotten.
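The attack patterns described above (password spray, brute force, and a dormant account suddenly being used) are visible in authentication logs if you look for the right shape. The following is an added example, not code from the original post or from Colonial's or Mandiant's incident response; the log lines are constructed, the pipe-delimited field layout is an assumption, and the thresholds are illustrative and would be tuned to your own lockout policy and traffic volume.

```python
"""Detect password-spray, brute-force and dormant-account activity in VPN/AD auth logs.

Added example with constructed data; the log format below is assumed
(timestamp | result | username | source IP | reason).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one spray across six users from 203.0.113.7, then a
# successful login to a dormant VPN account from the same source; one brute
# force against jsmith from 198.51.100.4; one ordinary mistyped password.
SAMPLE_LOG = """\
2021-04-29T03:10:01|FAIL|jsmith|203.0.113.7|bad_password
2021-04-29T03:10:04|FAIL|mjones|203.0.113.7|bad_password
2021-04-29T03:10:09|FAIL|akhan|203.0.113.7|bad_password
2021-04-29T03:10:15|FAIL|lwang|203.0.113.7|bad_password
2021-04-29T03:10:22|FAIL|rgarcia|203.0.113.7|bad_password
2021-04-29T03:10:30|FAIL|dpatel|203.0.113.7|bad_password
2021-04-29T03:11:02|OK|vpn_legacy01|203.0.113.7|-
2021-04-29T03:12:10|FAIL|jsmith|198.51.100.4|bad_password
2021-04-29T03:12:11|FAIL|jsmith|198.51.100.4|bad_password
2021-04-29T03:12:12|FAIL|jsmith|198.51.100.4|bad_password
2021-04-29T03:12:13|FAIL|jsmith|198.51.100.4|bad_password
2021-04-29T03:12:14|FAIL|jsmith|198.51.100.4|bad_password
2021-04-29T03:12:15|FAIL|jsmith|198.51.100.4|bad_password
2021-04-29T03:12:16|FAIL|jsmith|198.51.100.4|bad_password
2021-04-29T03:12:17|FAIL|jsmith|198.51.100.4|bad_password
2021-04-29T03:12:18|FAIL|jsmith|198.51.100.4|bad_password
2021-04-29T03:12:19|FAIL|jsmith|198.51.100.4|bad_password
2021-04-29T09:00:00|FAIL|mjones|192.0.2.55|bad_password
2021-04-29T09:00:20|OK|mjones|192.0.2.55|-
"""

# Accounts that should never authenticate (constructed; in practice exported
# from AD, e.g. stale lastLogonTimestamp or accounts flagged as disabled).
DORMANT_ACCOUNTS = {"vpn_legacy01"}

WINDOW = timedelta(minutes=10)
SPRAY_MIN_USERS = 5       # distinct users hit from one source within WINDOW
SPRAY_MAX_PER_USER = 2    # sprays stay below per-account lockout thresholds
BRUTE_MIN_FAILS = 10      # many failures against a single user from one source


def parse(log_text):
    """Parse the assumed pipe-delimited format into event dicts."""
    events = []
    for line in log_text.strip().splitlines():
        ts, result, user, src, reason = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "ok": result == "OK",
                       "user": user, "src": src, "reason": reason})
    return events


def _windows(fails):
    """Yield per-user failure counts for every WINDOW starting at a failure."""
    for i, start in enumerate(fails):
        counts = defaultdict(int)
        for f in fails[i:]:
            if f["ts"] - start["ts"] > WINDOW:
                break
            counts[f["user"]] += 1
        yield start["ts"], counts


def detect(events, dormant=DORMANT_ACCOUNTS):
    """Return findings for spray, brute force and dormant-account use."""
    findings = []
    by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_src[e["src"]].append(e)
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        sprayed, bruted = False, set()
        for start, counts in _windows(fails):
            # Spray: wide and shallow. Also note a success from the same
            # source inside the window, the tell-tale of a working guess.
            if (not sprayed and len(counts) >= SPRAY_MIN_USERS
                    and max(counts.values()) <= SPRAY_MAX_PER_USER):
                success = any(e["ok"] and e["src"] == src
                              and start <= e["ts"] <= start + WINDOW for e in events)
                findings.append({"type": "password_spray", "src": src,
                                 "users": sorted(counts), "followed_by_success": success})
                sprayed = True
            # Brute force: narrow and deep.
            for user, n in counts.items():
                if n >= BRUTE_MIN_FAILS and user not in bruted:
                    findings.append({"type": "brute_force", "src": src,
                                     "user": user, "fails": n})
                    bruted.add(user)
    # Any activity at all on a dormant account is worth an alert, success or not.
    for e in events:
        if e["user"] in dormant:
            findings.append({"type": "dormant_account_use", "src": e["src"],
                             "user": e["user"], "success": e["ok"]})
    return findings


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

The spray rule deliberately keys on few failures per user across many users, which is exactly the shape that per-account lockout policies miss; the dormant-account rule fires even on a successful login, since a valid credential for an account nobody should be using is the Colonial scenario.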

Security Starts with Passwords

One of the most basic ways to immediately increase the security of any organization begins at the password level. While there has been a push to move towards passwordless authentication, passwords will be here for a long time to come. Every organization should be following password best practices, which include having users set long passphrases, screening new passwords against known-compromised lists, and continuing to scan existing passwords for compromise. It is clear from the Colonial attack that many organizations are not addressing these critical components as part of their security planning.

NIST changed its password recommendations four years ago in SP 800-63B (2017), encouraging organizations to drop forced periodic resets and composition rules, to check new passwords against lists of previously breached values at creation, and to keep monitoring for future compromise because of how widespread password reuse is. However, a large number of organizations still rely heavily on the outdated 90-day reset and complexity requirements.
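What a creation-time check against SP 800-63B looks like in practice, as an added example that is not from the original post or from any vendor's product: the breach corpus is a handful of constructed plaintexts, the range index mimics the k-anonymity lookup used by public breach APIs (only the first five hex characters of a SHA-1 leave the client), and the `service` name and the `COMMON_WORDS` list are illustrative assumptions. SHA-1 here is a lookup key for the breach index only, not a way to store passwords; the `monitor_existing` helper takes whatever hash your directory holds and a matching-format breach feed (against Active Directory that would be NT hashes rather than the SHA-1 stand-in used here).

```python
"""NIST SP 800-63B style password screening with a k-anonymity breach lookup.

Added example with constructed data. The breach corpus, the common-word list
and the service name are illustrative assumptions.
"""
import hashlib
import re

# Constructed stand-in for a breach corpus. Real feeds hold hundreds of
# millions of entries; these five are made up for the example.
_BREACHED_PLAINTEXT = ["password", "Password1", "Summer2021!", "colonial123", "letmein"]


def sha1_hex(value):
    """Upper-case hex SHA-1, the key format used by range-style breach lookups."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


# Range index: 5-char hash prefix -> set of 35-char suffixes. A client sends
# only the prefix and checks the returned suffixes locally (k-anonymity).
BREACH_INDEX = {}
for _pw in _BREACHED_PLAINTEXT:
    _h = sha1_hex(_pw)
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def is_compromised(password, index=BREACH_INDEX):
    """True if the password's SHA-1 appears in the breach index."""
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


# Small illustrative dictionary; a real deployment uses a large wordlist.
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "admin"}
SEQUENCES = ("0123", "1234", "2345", "3456", "4567", "5678", "6789", "abcd", "qwer")


def check_new_password(password, username, service="vpn"):
    """Apply 800-63B blocklist checks; return (accepted, reasons).

    Deliberately absent: composition rules (upper/lower/digit/symbol) and
    any expiry, which 800-63B advises against.
    """
    reasons = []
    low = password.lower()
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if len(password) > 64:
        reasons.append("longer than 64 characters")
    if username.lower() in low or service.lower() in low:
        reasons.append("contains username or service name")
    if re.search(r"(.)\1{3,}", password):
        reasons.append("repeated characters")
    if any(seq in low for seq in SEQUENCES):
        reasons.append("sequential characters")
    if any(word in low for word in COMMON_WORDS):
        reasons.append("contains a dictionary word")
    if is_compromised(password):
        reasons.append("found in breach corpus")
    return (not reasons, reasons)


def monitor_existing(stored_hashes, new_breach_plaintexts, hash_fn=sha1_hex):
    """Continuous monitoring: which users' stored hashes match a newly
    published breach batch. `hash_fn` must produce the directory's own
    hash format (SHA-1 is the stand-in here)."""
    newly_seen = {hash_fn(p) for p in new_breach_plaintexts}
    return sorted(user for user, h in stored_hashes.items() if h in newly_seen)


if __name__ == "__main__":
    for candidate in ["Summer2021!", "mjones-vpn-2021", "orchard lantern quietly 7 rivers"]:
        print(candidate, check_new_password(candidate, "mjones"))
```

Note that the strong candidate above passes with no uppercase letters, digits or symbols required; length and absence from the blocklist are what 800-63B actually asks for, and the breach-corpus check is the part that would have caught a reused password like the one behind the Colonial intrusion.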

Verizon’s Data Breach Investigations Report finds that over 80% of hacking-related breaches involve brute force or the use of lost or stolen credentials. The push needs to be made to adopt the current NIST standards and to have a tool like Enzoic in place that automatically monitors for compromised credentials and helps get them removed from the Active Directory environment before they become a risk to the organization. Being proactive about password security in this manner is one of the quickest and most effective ways to increase the security of an organization.