Ep 34 Colonial Pipeline ransomware attack
34. Colonial Pipeline ransomware attack or Backup, Shmackup...
A Closer Look at the DarkSide Ransomware Gang - https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/#more-55529
Colonial Pipeline attack: Everything you need to know - https://www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/
Colonial Pipeline ransomware attack linked to a single VPN login
https://www.engadget.com/pipeline-ransomware-010631984.html
Hackers Breached Colonial Pipeline Using Compromised Password
Hello and welcome back to USB our Guest Cyber Security tips. I’m Theo, here to help you demystify cyber security topics and hacks. Today’s episode is about the ransomware attack that occurred on May 7th and forced Colonial Pipeline to shut down its operations.
Alright, there are a few moving parts.
From ZDNet - the victim. Colonial Pipeline provides 45% of the East Coast's fuel, including gasoline, diesel, home heating oil and jet fuel, and transports fuel to almost all East Coast states.
From Krebs on Security - the ransomware gang, DarkSide. If you didn’t know any better, you would think their advertisement aimed at affiliates to use their ransomware was a legit posting off of LinkedIn. The advertisement bills DarkSide as a Ransomware-as-a-Service platform. What does that mean? Much like how I described in the RATs episode - you, me, anyone can go on any “Dark-mart” website and download a ransomware service. You’d select your ransomware, add it to the cart and pay with crypto... or would it be gift card codes…. Anyway, my point is, anyone can do this and run the Ransomware-as-a-Service like they run any other program on their computer.
From Bloomberg - the compromise. Mandiant, part of FireEye, was brought in to respond to the attack. They told Bloomberg that compromised VPN login credentials were used to access Colonial’s system. I have not been able to find what level of employee’s credentials were used. The compromised account’s password has since been discovered in a batch of leaked passwords on the dark web. What does that mean? I’m speculating and speaking generally here, because the details have not been made public, but that password could have been included in a brute force or dictionary attack to attempt to access Colonial’s systems.
The repercussions - when Colonial took its systems down to mitigate the damage done by DarkSide, East Coast gas prices shot up midday and sent droves of people to gas stations to stockpile fuel. Some gas stations were reporting outages. On May 13th, Colonial reported that operations were up and running again.
The case for not reusing passwords - password reuse is how the bad guys found an attack vector. If a data breach occurs, the passwords end up on a new list on the dark web, waiting to be bought and used in another attack. The best advice here is: stop reusing passwords. What’s the best way to avoid reusing passwords? Use a password manager. The easiest one to use is the one in your browser. In my opinion, if you don’t have any way to keep track of your ‘different’ passwords, this is a good place to start. Then listen to my episode on passwords. I’ll include it in the show notes, or scroll up or down to get to it.
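As an added illustration that is not part of the episode: the compromise described above (a leaked password used against a VPN, possibly after brute force or dictionary guessing) leaves a trail in authentication logs. This small Python detector, written for this page and not from any vendor, flags two such patterns in constructed sample log lines: a burst of failed logins on one account followed by a success, and one source address failing against many accounts (password spraying). The log format, hostname, usernames and addresses are all made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample VPN authentication log (hypothetical format, not from the incident).
# jdoe: failures then a success (guessing on one account); 198.51.100.99: one failure
# each against several accounts (spraying); asmith: one typo then success, no alert.
SAMPLE_LOG = """\
2021-04-29T02:10:01Z vpn01 auth user=jdoe src=203.0.113.7 result=FAIL
2021-04-29T02:10:03Z vpn01 auth user=jdoe src=203.0.113.7 result=FAIL
2021-04-29T02:10:04Z vpn01 auth user=jdoe src=203.0.113.7 result=FAIL
2021-04-29T02:10:09Z vpn01 auth user=jdoe src=203.0.113.7 result=SUCCESS
2021-04-29T03:00:00Z vpn01 auth user=asmith src=198.51.100.99 result=FAIL
2021-04-29T03:00:02Z vpn01 auth user=bkim src=198.51.100.99 result=FAIL
2021-04-29T03:00:04Z vpn01 auth user=clee src=198.51.100.99 result=FAIL
2021-04-29T03:00:06Z vpn01 auth user=dpatel src=198.51.100.99 result=FAIL
2021-04-29T08:45:00Z vpn01 auth user=asmith src=198.51.100.20 result=FAIL
2021-04-29T08:45:10Z vpn01 auth user=asmith src=198.51.100.20 result=SUCCESS
"""
LINE_RE = re.compile(r"^(\S+) \S+ auth user=(\S+) src=(\S+) result=(FAIL|SUCCESS)$")
def parse(text):
    """Yield (timestamp, user, source, result) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3), m.group(4)

def detect(text, fail_threshold=3, spray_threshold=4, window=timedelta(minutes=5)):
    """'burst_then_success': an account succeeds right after >= fail_threshold failures
    inside the window; 'spray': one source fails against >= spray_threshold accounts."""
    fails_by_user = defaultdict(deque)   # user -> timestamps of recent failures
    fails_by_src = defaultdict(deque)    # src  -> (timestamp, user) of recent failures
    alerted_srcs, alerts = set(), []
    for ts, user, src, result in parse(text):
        uq, sq = fails_by_user[user], fails_by_src[src]
        while uq and ts - uq[0] > window:        # slide the per-account window
            uq.popleft()
        while sq and ts - sq[0][0] > window:     # slide the per-source window
            sq.popleft()
        if result == "FAIL":
            uq.append(ts)
            sq.append((ts, user))
            accounts = {u for _, u in sq}
            if src not in alerted_srcs and len(accounts) >= spray_threshold:
                alerted_srcs.add(src)
                alerts.append({"type": "spray", "src": src, "accounts": len(accounts)})
        elif len(uq) >= fail_threshold:
            alerts.append({"type": "burst_then_success", "user": user, "src": src, "prior_failures": len(uq)})
            uq.clear()
    return alerts
```

Running `detect(SAMPLE_LOG)` yields one burst alert for jdoe and one spray alert for 198.51.100.99, while asmith's single typo is correctly ignored; the thresholds and window are tuning knobs, not magic numbers.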
The case for having backups - backing up your system is the easiest way to mitigate a ransomware attack. If you were infected by ransomware, you could restore from backup. By backing up your systems regularly, you can give ransomware the middle finger.
That's all for today's episode. If you have a topic you would like me to cover drop me a line at anchor.fm/usbog or email me at usbourguest@gmail.com. If I've helped you in any way please consider telling friends or family about the podcast. Or rate and review the podcast on whatever platform you use to listen. Thank you for listening and have a great day.