The Reality Behind the Colonial Pipeline Attack
An authentication and identity management nightmare…?
It’s been all over the news in the last twenty-four hours: An increasing number of gas stations on the East Coast are without fuel! About 15 percent of gas stations in North Carolina, 9 percent in Virginia and 8 percent in Georgia do not have gasoline, and those numbers are rising dramatically. Nervous drivers are forming sometimes mile-long lines at gas stations in the hope of filling up their tanks, maybe to gain some precious time before this gasoline-shortage rapture finishes us all. Now, how did we go from energy independence to such a nightmare overnight? The answer sounds quite disconcerting: It all started with the theft of a password.
The Colonial Pipeline hack timeline.
So, let’s start from the beginning. The Colonial Pipeline, which delivers about 45 percent of the fuel used on the East Coast, shut down Friday, May 7, after a ransomware attack by a gang of criminal hackers called DarkSide occurred the day before. DarkSide is one of dozens of ransomware gangs that specialize in double extortion: The cybercriminals steal an organization’s data (in the case of Colonial Pipeline, 100 gigabytes of data) before encrypting it. They then threaten to dump that data online if the victim doesn’t pay up, creating a second disincentive to recovering without paying. As a result of the hack, Colonial Pipeline stopped all pipeline operations over the weekend, hence the current shortage of gasoline.
The Ransomware process: 3 common scenarios.
In general, how does the ransomware process start? In the great majority of cases, ransomware gets in through a business email. For example, an employee receives an email that appears to come from HR, prompting him to click on a link and enter his current credentials before changing his password "for security reasons." This is called a phishing email. Once the credentials are submitted, the cybercriminals are in. In other cases, ransomware gets in by compromising hardware (security cameras or IoT devices, for example) with very poor security practices, such as default passwords. On a side note, as a Houstonian who worked on projects associated with blockchain for IoT, our oil refineries are filled with highly vulnerable IoT devices…
A third scenario is an employee being hacked while accessing his employer’s systems remotely. Actually, does an employer know whether an employee takes all known and necessary precautions to log into the company’s systems? Does this employee use a VPN? None of that really matters, because if the employee needs to enter a username and a password for VPN authentication, the company is at risk of a cyber-attack. And, if user data is stored in a centralized repository, then the cybercriminal truly feels like a kid in a candy store. Remember Colonial Pipeline’s 100 gigabytes of data stolen just like that?
Colonial Pipeline hack: Compromised VPN authentication.
Guess what? Per FireEye, the cybersecurity company involved in the detection and prevention of major cyber-attacks, DarkSide’s modus operandi for ransomware operations begins with authentication attempts against corporate VPN infrastructure immediately prior to the start of interactive intrusion operations. The authentication patterns are consistent with a type of brute-force attack known as password spraying. More precisely, password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords. So, the cybercriminal tries a single password against all targeted user accounts before moving on to a second password, and so on. Because each account sees only one or two failed attempts per round, this technique lets the attacker stay below account-lockout thresholds and remain undetected. And early evidence in the Colonial Pipeline hack shows that DarkSide obtained initial access through corporate VPN infrastructure using legitimate credentials. And the use of legitimate credentials implies that an employee’s identity was compromised…
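The pattern described above (many accounts, few attempts each, from one source, then a successful login) is also what makes spraying detectable on the defender's side. The following is an added example, not code from the original post, from FireEye, or from Colonial Pipeline: a small Python detector that parses constructed VPN authentication log lines, flags a source whose failures within a time window spread across many distinct usernames with at most a couple of attempts per user, notes whether the same source later authenticated successfully, and, for contrast, flags the classic single-account brute force that lockout policies already catch. The log format, field names and thresholds are assumptions to adapt to your own VPN appliance.

```python
"""Password-spray and brute-force detection over VPN authentication logs.

Added example (not from the original post). The log line format, the field
names and the thresholds below are assumptions; adjust them to the VPN
product you actually run.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source tries one password across six accounts
# and then logs in as "grace" (spray followed by success), one source hammers
# a single "admin" account (classic brute force), and one legitimate user
# mistypes a password once before logging in.
SAMPLE_LOG = """\
2021-05-06T02:00:01Z vpn auth-fail user=alice src=203.0.113.7
2021-05-06T02:00:04Z vpn auth-fail user=bob src=203.0.113.7
2021-05-06T02:00:07Z vpn auth-fail user=carol src=203.0.113.7
2021-05-06T02:00:10Z vpn auth-fail user=dave src=203.0.113.7
2021-05-06T02:00:13Z vpn auth-fail user=erin src=203.0.113.7
2021-05-06T02:00:16Z vpn auth-fail user=frank src=203.0.113.7
2021-05-06T02:00:19Z vpn auth-ok user=grace src=203.0.113.7
2021-05-06T02:05:00Z vpn auth-fail user=admin src=198.51.100.9
2021-05-06T02:05:01Z vpn auth-fail user=admin src=198.51.100.9
2021-05-06T02:05:02Z vpn auth-fail user=admin src=198.51.100.9
2021-05-06T02:05:03Z vpn auth-fail user=admin src=198.51.100.9
2021-05-06T02:05:04Z vpn auth-fail user=admin src=198.51.100.9
2021-05-06T02:05:05Z vpn auth-fail user=admin src=198.51.100.9
2021-05-06T02:10:00Z vpn auth-fail user=hank src=192.0.2.44
2021-05-06T02:10:30Z vpn auth-ok user=hank src=192.0.2.44
"""

# Assumed log format: "<ISO timestamp> vpn <auth-fail|auth-ok> user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn (?P<result>auth-fail|auth-ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return an event dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def parse_log(text):
    """Parse all lines and return the events sorted by timestamp."""
    events = (parse_line(line) for line in text.splitlines())
    return sorted((e for e in events if e), key=lambda e: e["ts"])


def detect_spraying(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources whose failures inside `window` touch at least `min_users`
    distinct accounts with no more than `max_per_user` tries each: that is the
    low-and-slow shape that stays under per-account lockout thresholds."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "auth-fail":
            fails[e["src"]].append(e)
    findings = []
    for src, evs in fails.items():
        j = 0
        for i in range(len(evs)):
            # slide j forward so evs[i:j] covers at most `window` of time
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            per_user = Counter(e["user"] for e in evs[i:j])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # a later success from the same source is the strongest signal
                # that one of the sprayed passwords worked
                later_ok = sorted({e["user"] for e in events
                                   if e["src"] == src and e["result"] == "auth-ok"
                                   and e["ts"] >= evs[i]["ts"]})
                findings.append({"src": src, "distinct_users": len(per_user),
                                 "first_seen": evs[i]["ts"], "later_success": later_ok})
                break  # one alert per source is enough
    return findings


def detect_brute_force(events, min_attempts=5):
    """The opposite shape: many failures against one account from one source.
    Returns sorted (src, user, count) tuples."""
    per = Counter((e["src"], e["user"]) for e in events if e["result"] == "auth-fail")
    return sorted((src, user, n) for (src, user), n in per.items() if n >= min_attempts)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for f in detect_spraying(evts):
        print("SPRAY", f)
    for src, user, n in detect_brute_force(evts):
        print("BRUTE", src, user, n)
```

On the sample data the spray detector fires only for 203.0.113.7 (six distinct accounts, one attempt each, followed by a successful login as grace), while the admin hammering from 198.51.100.9 is caught by the brute-force rule and never by the spray rule. That split is the point: a lockout policy stops the second pattern but not the first, so the first needs its own alert, keyed on source and distinct-user count rather than on per-account failure counts.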
To conclude: Password authentication is inherently flawed.
What needs to happen so that decision-makers finally undergo a paradigm shift in the way they authenticate to company systems and enterprise applications? The notion of password management is a myth, simply because passwords are the source of 80 percent of attacks leading to identity compromise and consequently to data breaches. Passwords cannot be managed. They must be eliminated and replaced by passwordless solutions that indisputably verify the identity of the user who needs to authenticate.