Back in May, the Colonial Pipeline's operations came to a halt following a ransomware attack. In just a few weeks, a cybersecurity executive order was put in place, ransom was paid, and the FBI even managed to recover most of it.
But now that the attack vector has been revealed, the details show that ransomware isn't the only issue enterprises should worry about; passwords are as well.
Led by cybercriminal gang DarkSide, a cyberattack against the Colonial Pipeline forced the organization to stop all operations on May 7, 2021, in order to deal with the incident.
The gang asked for a ransom payment in exchange for decrypting the company's data. Colonial alerted the FBI immediately and paid up, in the form of a $4.4 million ransom payment. However, the FBI later revealed that most of that payment has been recovered.
Following this, Colonial CEO Joseph Blount confirmed in recent testimony to the US Senate Committee on Homeland Security and Governmental Affairs that the attack, disappointingly, happened thanks to the compromise of a single password.
The DarkSide gang was able to acquire the password to a VPN account that was no longer in use yet remained active. The single-factor authentication method granted the attackers access to Colonial's IT network and, in turn, its sensitive data.
The incident highlights several mistakes that enterprises must avoid if they are not to fall victim to similar attacks — one being the lack of multi- or two-factor authentication.
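The failure described above is an account-hygiene problem: an account nobody used any more was still enabled, and the remote-access path it unlocked did not require a second factor. The following audit is an added example (not from the article or from Colonial) that runs over a constructed account export and flags exactly those two conditions; the field names and the 90-day dormancy threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records, shaped like a VPN/SSO user export.
# Names, dates and flags are invented for this example.
NOW = datetime(2021, 5, 7, tzinfo=timezone.utc)
ACCOUNTS = [
    {"user": "j.doe", "enabled": True, "mfa": True, "remote": True, "last_login": "2021-05-06T08:12:00Z"},
    {"user": "svc-legacy", "enabled": True, "mfa": False, "remote": True, "last_login": "2020-11-02T17:40:00Z"},
    {"user": "a.smith", "enabled": True, "mfa": False, "remote": True, "last_login": "2021-05-05T09:00:00Z"},
    {"user": "former.emp", "enabled": False, "mfa": False, "remote": True, "last_login": "2019-03-14T12:00:00Z"},
    {"user": "m.lee", "enabled": True, "mfa": False, "remote": False, "last_login": None},
]


def audit_accounts(accounts, now=NOW, dormant_days=90):
    """Return {user: (issues, recommendation)} for every enabled account
    that is dormant, never used, or reachable remotely without MFA."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account cannot be used to log in
        issues = []
        if acct["last_login"] is None:
            issues.append("never-used")
        else:
            # Tolerate the trailing 'Z' that many exports use for UTC.
            last = datetime.fromisoformat(acct["last_login"].replace("Z", "+00:00"))
            if now - last > timedelta(days=dormant_days):
                issues.append("dormant")
        if acct["remote"] and not acct["mfa"]:
            issues.append("remote-access-without-mfa")
        if not issues:
            continue
        # Unused accounts should be disabled outright; live accounts on a
        # remote path need a second factor before anything else.
        if "dormant" in issues or "never-used" in issues:
            action = "disable"
        else:
            action = "enforce-mfa"
        findings[acct["user"]] = (issues, action)
    return findings


if __name__ == "__main__":
    for user, (issues, action) in audit_accounts(ACCOUNTS).items():
        print(f"{user:12s} {action:12s} {', '.join(issues)}")
```

Run against a real export, the "disable" list is the set of accounts in the same state as the one DarkSide used, and the "enforce-mfa" list is every other remote login that is one stolen password away from the same outcome.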
The breach is a clear example of how an IT-driven compromise can shut down OT environments. For organizations, especially those operating critical national infrastructure, the likelihood of a ransomware attack must be taken into account.
Following a huge spike in enterprise ransomware incidents in 2020, the growing risk underscores the need for every enterprise to assess its risk posture and address its security gaps, with a remediation policy in place. This needs to happen now.
There's also the need for organizations to seriously consider increasing their investments in cybersecurity in order to ensure good security "hygiene."
Although Omdia's ICT Enterprise Insights 2021 survey revealed that 60% of manufacturing companies are planning to increase investment in cybersecurity, which is promising, that still leaves the other 40%. This group, although the minority, is maintaining or potentially reducing investment. With high-profile attacks like the Colonial Pipeline highlighting the significant risks, companies must do more to be prepared. Proper security hygiene requires a layered approach, and part of that is updating and maintaining passwords.
The CEO highlighted that the compromised password wasn't something easily guessable like "Colonial123," but that's beside the point when access was granted simply by stealing it. Credentials are a huge risk factor when it comes to compromise. The 2021 "Data Breach Investigations Report" (DBIR) by Verizon found that a majority (61%) of breaches involved leveraged credentials.
The Colonial Pipeline attack clearly highlights the importance of a multilayered approach to cybersecurity and specifically ransomware prevention; no stone must be left unturned, no matter how basic it may seem. Just one forgotten user account can provide all the opportunity an attacker needs.