In June, the CEO of Colonial Pipeline revealed that the ransomware attack that disrupted the company’s operations and sparked fuel shortages around the United States began as many attacks do — with stolen credentials.
In this case, those credentials belonged to a legacy VPN account that was not protected by multifactor authentication (MFA). It is a nightmare scenario for security teams — a security blind spot that led to the disruption of business operations. With so many employees working remotely, securing VPN systems is a critical part of enterprise security.
When the COVID-19 pandemic forced businesses to close down their offices, the amount of VPN usage spiked. As it increased, so too did the pressure on organizations to ensure the VPN system was patched, secure and available. This same pressure has continued to exert its force a year later, as recent research revealed a significant jump in attacks against VPN vulnerabilities during the first quarter of 2021.
Some of these attacks have been linked to state-sponsored threat actors, like those the National Security Agency (NSA) warned about in April that targeted known vulnerabilities in the Pulse Secure Connect and FortiGate VPN products. Other attacks take the form of phishing attempts designed to trick victims into giving up their VPN credentials. To complete this ruse successfully, threat actors can craft an email that resembles a message from the IT staff that prompts the recipient to reset their VPN password.
The focus on compromising digital identities is a staple of modern data breaches and a reminder to organizations to practice basic security hygiene. As a critical system, VPNs should be protected via strong passwords. During the U.S. Senate committee hearing in June when he discussed the attack, Colonial Pipeline CEO Joseph Blount Jr. said the password for the compromised account was “complicated” and not a “Colonial123-type password.” However, given that the purpose of a VPN solution is to provide secure access, there should be more than one layer of protection to safeguard the system.
One of the principal mechanisms for implementing identity-first security is enabling multifactor authentication (MFA). MFA can utilize SMS tokens, user biometrics or other approaches. When properly implemented, it significantly reduces the probability of a successful attack involving a stolen credential. Nothing is foolproof, but the goal of security is to raise the bar that threat actors have to clear in an attack. For organizations considering adopting a zero trust architecture, MFA represents a basic step toward providing stronger identity assurance.
In a world of remote workforces and cloud computing, such assurance has to be the focus of security efforts. Identity management is now being recognized as a core function of security and of IT operations more generally. One of the challenges facing businesses today is to bring these groups, together with other stakeholders such as Human Resources, to the table to establish, review and maintain the provisioning and deprovisioning of identities in the business. This process is often complicated, not just because of the sheer number of identities, but also because decisions about access rights can be a source of friction within organizations.
Still, the importance of effectively managing the full identity lifecycle does not vary based on office politics. As it turns out, the compromised account at the center of the Colonial Pipeline breach was orphaned. Accounts without active owners are a danger for any organization. Left unmonitored, these accounts allow attackers to take advantage of the account to potentially do everything from sending phishing emails to accessing sensitive data.
Orphaned accounts can appear for several reasons. One of the biggest culprits behind their creation is a failure to delete users who have left their organization. According to research from the Identity Defined Security Alliance, only 34% of organizations revoke system access when an employee leaves, posing a significant risk. Orphaned accounts can also appear due to promotions, demotions or even the change of an email address. To prevent this situation, organizations should rely on as much automation as possible. The more manual the processes of provisioning and deprovisioning users are, the more likely it is there will be errors and security gaps introduced into the organization.
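As an added illustration of the automated reconciliation the paragraph recommends (example code written for this page, not from the article or from Colonial Pipeline): it compares a constructed VPN account export against a constructed HR roster and flags orphaned accounts, accounts that can be used with a password alone, and accounts nobody has logged into recently. All names, field layouts and dates are assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): an HR roster keyed by email
# and a VPN account export, the two sources a deprovisioning job reconciles.
HR_ROSTER = {
    "alice@example.test": {"status": "active"},
    "bob@example.test": {"status": "terminated"},
    "carol@example.test": {"status": "active"},
}

VPN_ACCOUNTS = [
    {"user": "alice", "owner": "alice@example.test", "mfa": True, "last_login": "2021-05-28"},
    {"user": "bob", "owner": "bob@example.test", "mfa": True, "last_login": "2021-01-10"},
    {"user": "carol", "owner": "carol@example.test", "mfa": False, "last_login": "2021-05-30"},
    {"user": "svc-legacy", "owner": None, "mfa": False, "last_login": "2020-11-02"},
]


def audit_vpn_accounts(accounts, roster, today_iso, stale_days=90):
    """Return {username: [reasons]} for accounts a deprovisioning job should act on.

    orphaned     - no owner recorded, or the owner is no longer active in HR
    mfa_disabled - the account can be used with a password alone
    stale        - no login within stale_days, often a sign nobody needs it
    """
    today = date.fromisoformat(today_iso)
    findings = {}
    for acct in accounts:
        reasons = []
        owner = acct.get("owner")
        hr_record = roster.get(owner) if owner else None
        if hr_record is None or hr_record["status"] != "active":
            reasons.append("orphaned")
        if not acct.get("mfa"):
            reasons.append("mfa_disabled")
        last_login = date.fromisoformat(acct["last_login"])
        if today - last_login > timedelta(days=stale_days):
            reasons.append("stale")
        if reasons:
            findings[acct["user"]] = reasons
    return findings


def deprovision_candidates(findings):
    """Orphaned accounts are disabled outright; the rest go to a review queue."""
    return sorted(user for user, reasons in findings.items() if "orphaned" in reasons)


if __name__ == "__main__":
    for user, reasons in audit_vpn_accounts(VPN_ACCOUNTS, HR_ROSTER, "2021-06-01").items():
        print(f"{user}: {', '.join(reasons)}")
```

Run against a real identity provider export, the same three checks surface the combination the article describes: an account with no active owner and no MFA.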
The fact that the VPN password was found on the Dark Web adds another wrinkle to the story. The Dark Web is not updated in real time, meaning that usernames and passwords found there may have been circulating for a significant amount of time. Making matters worse, it is not uncommon for users to reuse the same credentials across multiple sites. For example, in one instance, credentials obtained from a password dump containing LinkedIn credentials were used to access enterprise applications. One leaked password can cause damage that extends well beyond the application the credentials were created for. When a password is obtained in this manner, its complexity is irrelevant. This strengthens the case for requiring MFA and moving away from passwords wherever possible.
While the attackers used ransomware in the case of Colonial Pipeline, stolen credentials and orphaned accounts can be abused to perform all manner of malicious activity. IT teams should let the incident serve as a reminder. For organizations today, strong identity governance is part and parcel of strong security — and the price for a single mistake can be steep.