Colonial Pipeline's $4.4m USD ransomware attack was caused by a simple password breach
An investigative consultant has revealed that last month's historic ransomware attack against Colonial Pipeline was carried out through a simple password breach.
The attack - which led to a five-day service outage and a $4.4 million USD payout - was initiated by the ransomware group DarkSide through an inactive account that had neither been disabled nor secured with two-factor authentication.
The account was a Virtual Private Network (VPN) account, meaning that once it was compromised it gave DarkSide a direct tunnel into Colonial Pipeline's corporate network.
From there, the attackers went unnoticed while they staged and deployed the devastating ransomware attack.
When you step back and examine the wider economic impact of this attack, it is surprising to learn that a simple password breach was the root cause of it all.
The shutdown of Colonial Pipeline's system left roughly 10,000 gas stations in the Eastern United States without a fuel supply, and ultimately resulted in price hikes that tipped the national average over $3 for the first time in 6 years.
Furthermore, this controversial attack has raised questions about what due diligence looks like in the current cybersecurity landscape.
Namely, as a vendor that carries nearly half of the fuel supply for the east coast of the USA, could Colonial Pipeline be considered negligent for its lack of two-factor authentication, or for its failure to close the inactive account?
A putative class-action lawsuit has been lodged against Colonial Pipeline arguing the above case.
Furthermore, Colonial Pipeline's decision to pay the $4.4 million USD ransom has been brought into question as potentially unethical, with many industry experts concerned that it could incite further attacks of this nature in the future.
At the end of the day, a few simple security steps could have significantly reduced the risk of ransomware and potentially prevented this attack. Regardless of the size of your business, here are a few changes you can make to substantially improve your cybersecurity:
Enforce a password policy: The password for the compromised VPN account has since been found on the dark web in a batch of leaked passwords. This indicates that the password was probably exposed in a separate breach and then re-used for the VPN account.
A strong password policy exists to patch these kinds of holes. Enforce rolling password changes at least once every six months, and don't allow the same password to be re-used by your staff.
Enable two-factor authentication: Two-factor authentication exists so that in the event of a stolen or cracked password, a second method of authentication is required. Microsoft is quoted as saying 99.9% of attacks can be blocked by two-factor, and it's as easy as a few clicks to set up.
Deactivate unused accounts: One thing we are often guilty of is leaving unused accounts open. Whether we simply forget or put off closing work accounts, it can lead to a devastating compromise. Create a formalised procedure for cataloguing and routinely reviewing work accounts, and include steps to terminate them when they are no longer needed.
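The three recommendations above are the kind of check an access review can run mechanically. The following script is an added example, not code from the original article or from Colonial Pipeline: it walks a constructed account inventory and flags enabled accounts that are inactive, lack two-factor authentication, have a password older than the six-month limit stated above, or use a password that appears in a (constructed, local) leaked-password set. The field names, thresholds and the local leaked-hash corpus are assumptions for illustration; the prefix lookup mirrors the k-anonymity style used by public breached-password services, but nothing here calls an external service.

```python
"""Access-review helper for the three controls discussed above.

Added example, not the article's or Colonial Pipeline's own tooling.
The account inventory, thresholds and leaked-password corpus below are
constructed sample data; the field names are assumptions.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Policy thresholds (assumed values; tune them to your own policy).
INACTIVITY_DAYS = 90          # an enabled account unused this long should be disabled
PASSWORD_MAX_AGE_DAYS = 180   # the article's "at least once every six months"


@dataclass
class Account:
    username: str
    enabled: bool
    mfa_enabled: bool
    last_login: Optional[datetime]   # None means the account has never logged in
    password_set: datetime           # when the current password was set
    password_sha1: str               # SHA-1 of the password as exported from the IdP (assumed)


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of a password, the form breached-password corpora use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus, indexed by the first
# five hex characters of the hash so lookups never need the full hash.
_LEAKED_PASSWORDS = {"password123", "Summer2020!", "letmein"}
LEAKED_BY_PREFIX: Dict[str, Set[str]] = {}
for _pw in _LEAKED_PASSWORDS:
    _h = sha1_hex(_pw)
    LEAKED_BY_PREFIX.setdefault(_h[:5], set()).add(_h[5:])


def password_is_leaked(sha1_hex_digest: str) -> bool:
    """Look up the 5-char prefix, then compare the remaining suffix locally."""
    digest = sha1_hex_digest.upper()
    return digest[5:] in LEAKED_BY_PREFIX.get(digest[:5], set())


def review(accounts: List[Account], now: datetime) -> Dict[str, List[str]]:
    """Return {username: [findings]} for every enabled account that breaks a control."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # already deactivated; nothing to flag
        issues = []
        if acct.last_login is None or now - acct.last_login > timedelta(days=INACTIVITY_DAYS):
            issues.append("INACTIVE: disable the account")
        if not acct.mfa_enabled:
            issues.append("NO_MFA: enforce two-factor authentication")
        if now - acct.password_set > timedelta(days=PASSWORD_MAX_AGE_DAYS):
            issues.append("STALE_PASSWORD: force a reset")
        if password_is_leaked(acct.password_sha1):
            issues.append("LEAKED_PASSWORD: force a reset and review recent logins")
        if issues:
            findings[acct.username] = issues
    return findings


# Constructed sample inventory; the review date is fixed so results are stable.
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    # Forgotten VPN account: unused, no MFA, old and leaked password.
    Account("vpn-contractor", True, False, datetime(2020, 11, 1, tzinfo=timezone.utc),
            datetime(2020, 10, 1, tzinfo=timezone.utc), sha1_hex("password123")),
    # Healthy account.
    Account("alice", True, True, datetime(2021, 5, 30, tzinfo=timezone.utc),
            datetime(2021, 4, 1, tzinfo=timezone.utc), sha1_hex("c0rrect-h0rse-!")),
    # Properly deactivated account; skipped by the review.
    Account("bob-old", False, False, None,
            datetime(2019, 1, 1, tzinfo=timezone.utc), sha1_hex("letmein")),
    # Active, MFA on, but re-using a password seen in a breach.
    Account("carol", True, True, datetime(2021, 5, 28, tzinfo=timezone.utc),
            datetime(2021, 5, 1, tzinfo=timezone.utc), sha1_hex("Summer2020!")),
]

if __name__ == "__main__":
    for user, issues in review(SAMPLE_ACCOUNTS, NOW).items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

Run against a real inventory, the same loop feeds a ticketing or IdP API instead of printing; the point is that every one of the article's three controls reduces to a question the directory can already answer, so the review can run on a schedule rather than relying on someone remembering to close an account.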
Not sure about the next steps to take for your cybersecurity? Visit cyberaware.com for key safety tips and takeaways.
Comment from a Security Specialist @ Google Cloud Security | Mandiant | Board Member (3 years ago):
Jonathan Horne goes to show passwords are still a problem and how important password visibility across the whole company is.