Colonial Pipeline Attack: $5 Million Ransom Wasted, and a Vulnerable Exchange Server in Use

The dust is slowly settling around the successful ransomware attack on the US pipeline operator Colonial Pipeline. In the meantime, it has become known that the company probably "wasted" a ransom of 5 million US dollars: it received a decryption key, but restoring from backups turned out to be faster. In addition, an earlier audit had revealed serious security flaws in the company's IT, and the company was running a Microsoft Exchange server with unpatched security vulnerabilities. Here is a summary of the latest findings in this case.

Ransomware Attack on Colonial Pipeline

I had reported in the article Ransomware attack on US pipeline operator (May 2021) about the successful attack on the largest U.S. pipeline company supplying fuel to the U.S. East Coast. Only its IT systems were affected by the attack, but pipeline operations were also shut down as a precaution. The consequences were regional fuel shortages and rising fuel prices, and a state of emergency was declared for the affected areas (see Ransomware attack on the US pipeline – the house is burning). In the meantime, the operator has announced that it will resume pipeline operations.

US$ 5 million ransom wasted

In the last few days it became known via US media that Colonial Pipeline paid 5 million US dollars to the extortionists of the DarkSide group. The extortionists then provided the key and the tools for decryption. However, these tools are said to have been so slow at decrypting that restoring from the existing backups was quicker. It also emerges that the shutdown of the pipeline would probably not have been necessary, and there is speculation that the shutdown was instead related to billing systems being unavailable. Alternatively, it is suspected that the payment was made to prevent the disclosure of the exfiltrated documents.

Exchange server not fully patched

Even more explosive, however, is the information on how the attackers were able to penetrate the company's IT network. In this tweet, Nicole Perlroth of the New York Times reports that the company was running an Exchange server with unpatched vulnerabilities.

However, Microsoft and FireEye, the company commissioned with the investigation, do not yet consider the Exchange server to be the initial point of entry. In this context, it is interesting to note the statement in this article that half of the security incidents in government IT systems are due to missing security updates.

Serious IT security deficiencies in audit

A security audit conducted at the operator three years ago revealed "atrocious" information management practices and "a patchwork of poorly connected and secured systems." This was reported to the Associated Press by an insider, and the AP laid out the details in this article. U.S. President Joe Biden has taken the recent string of major incidents (SolarWinds, the Exchange/Hafnium attacks, etc.) as an occasion to issue an executive order intended to improve cybersecurity in the U.S. (see this article).
