The investigation into the recent cyberattack on Colonial Pipeline’s computers has revealed that the threat actors made their way into the network via a compromised VPN password.
The DarkSide ransomware gang attacked Colonial Pipeline in early May and, besides encrypting the computers, also made off with 100GB of data in the typical double-extortion ploy used by virtually all ransomware operators these days.
The threat actors were able to compromise the VPN account because it didn’t use multi-factor authentication (MFA), which would’ve added another layer of security on top of the password.
Remote access is not insecure by definition, but it requires proper security measures such as encryption and multi-factor authentication. Organizations should also implement a layered defence strategy, with multiple technical hurdles that keep attackers and malicious software out.
The US government took a number of steps to rein in the growing threat. In addition to setting up a dedicated ransomware task force, the US Department of Justice (DoJ) has also declared that it will treat ransomware attacks as acts of terrorism.
Following the toughened US stance comes news of the government recovering 63.7 Bitcoin ($2.3 million) that were reportedly paid by Colonial, based on reports of a warrant filed in the US District Court in California. The warrant appears to point to a little-used cryptocurrency wallet with only one incoming transaction, making its identification easier.