The VPN login was unused but active at the time of the attack, the report said. Additionally, the password has since been discovered inside a batch of leaked passwords on the dark web, suggesting that an employee of the company may have reused the same password on another account that was previously breached.The Hacker News
The pull quote from this article on the Hacker News is a timely example of what I discussed in Episode 6 of the ConsulPod podcast. Reusing passwords because it is convenient is also dangerous and costly. In this case, so dangerous that the bad actors found a password on the dark web and used a credential stuffing attack on Colonial Pipeline’s VPN infrastructure. Using an administrator’s password, they got direct access into the pipeline’s network and were able to settle down, investigate, learn, prowl and set roots for their attack. No firewall, no intrusion detection system was going to stop this from happening because the password was known. It also cost Colonial $4.4 million in ransom costs and because they paid, more bad actors will be emboldened to commit these attacks on other companies.
The pipeline was shut down for a week. Although there was no long term damage to the oil and gas market, it did create a scare. It’s another example of a relatively critical supply chain organization getting hit by hackers and potentially creating severe and permanent damage. It also did a great job of spotlighting exactly how vulnerable our infrastructure is overall. This is one example, but we can only assume that Colonial is not the only company like it that has severe vulnerabilities.
In the podcast, I state multiple times that everyone needs to be using a password manager to create and securely store long passwords for every account you use. They should be as long as the service allows and unique to every account you have. Once you get into using a password manager, you will wonder how you ever functioned without it. There are free solutions available that are quite sophisticated too. Listen to the episode for more detail or read the transcript. The more of us that get on board with using a password manager, the more difficult it will be for bad actors to get into our systems.