Ransomware attacks in 2021 have increased to record levels and no industry sector is immune. Cyber threat actors have become bolder and have conducted an increasing number of attacks on healthcare organizations, where the lack of access to systems and data has put patient safety at risk, while attacks on critical infrastructure have threatened food production and fuel availability.
The escalation of attacks in the United States has forced the U.S. government to step up efforts to counter ransomware attacks, which are now considered a national security issue akin to acts of terrorism. The threat is being dealt with on several levels: pursuing the leaders of ransomware operations, the affiliates who conduct the attacks, and the initial access brokers that give the gangs the foothold in the networks they need to deploy ransomware, as well as hitting the gangs financially by disrupting their attempts to launder the proceeds and cash out.
One of the most important measures being taken is raising awareness of the threat of ransomware and encouraging businesses to improve their defenses. Encouraging businesses to implement cybersecurity solutions that block the main attack vectors is important, but oftentimes attacks succeed because of relatively minor security failures.
This week, the U.S. House of Representatives Committee on Oversight and Reform issued a memo to staff that provided information on an investigation into the ransomware attacks conducted on Colonial Pipeline, JBS Foods, and CNA Financial Corporation. These high-profile attacks all resulted in ransoms being paid to the attackers for the keys to decrypt files and prevent the release of stolen data.
CNA Financial Corporation is one of the largest insurance companies in the United States. In March 2021, it was attacked by a ransomware group known as Phoenix and paid a ransom of $40 million. In May 2021, Colonial Pipeline, which operates a fuel pipeline serving the U.S. East Coast, was attacked using DarkSide ransomware and paid a ransom of $4.4 million. JBS Foods, a company that processes one-fifth of the U.S. meat supply, was attacked by the REvil (Sodinokibi) ransomware gang and paid a ransom of $11 million.
All three of these attacks were made possible because of relatively minor security failures. The attack on CNA Financial Corporation occurred as a result of a phishing attack, where an employee was tricked into accepting a fake web browser update from a commercial website; the update installed malware that gave the attackers access to the network.
The attack on Colonial Pipeline saw the attacker use a single stolen password for a legacy VPN profile. The attack on JBS Foods was the result of a single weak password on an old network administrator account that had not been disabled. These three attacks could have been prevented, not with expensive cybersecurity solutions, but by following cybersecurity best practices.
It is not possible to prevent all phishing emails from reaching user inboxes, so it is vital for security awareness training to be provided to the workforce. Employees need to develop the skills to allow them to recognize malicious messages, and training needs to be ongoing to keep security fresh in the mind.
Simple security measures could have prevented the Colonial Pipeline attack. Credential theft must be expected, so it is vital for 2-factor authentication to be implemented on email accounts and remote access systems. The legacy VPN profile at Colonial Pipeline had not been configured to require a one-time passcode before access was granted. The legacy profile should have been disabled; failing that, 2-factor authentication should have been enforced on it, so that a single stolen password was not enough to get in.
The attack on JBS Foods exploited one of the most common security flaws: weak passwords. The old administrator account should have been disabled, but it should also never have been possible to set a weak password on an account with admin privileges. Password policies should have been enforced, and a simple tool such as a password manager could have been used. Password managers have secure password generators that suggest unique, complex passwords for accounts and make setting complex passwords simple. That single weak password cost the company $11 million for the ransom payment alone.
Ransomware threat actors may conduct highly sophisticated attacks but all too often they occur as a result of relatively minor security lapses. As the Committee on Oversight and Reform explained, “Even large organizations with seemingly robust security systems fell victim to simple initial attacks, highlighting the need to increase security education and take other security measures prior to an attack.” Those measures should include regular security awareness training, audits of accounts, robust password policies, and 2-factor authentication.
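The account audit, MFA check and password policy enforcement recommended above, as an added example that is not code from the article or the committee memo. It runs the three checks behind the Colonial Pipeline and JBS Foods findings (a dormant account that was never disabled, a remote-access or privileged account without MFA, and a password that violates policy) over a constructed set of account records; the thresholds (90-day dormancy, 14-character minimum, a tiny common-password list) and the account names are assumptions chosen for illustration.

```python
"""Account hygiene audit (added example; constructed data, not real accounts).

Flags the failure modes the committee memo describes: enabled accounts nobody
has used in months, privileged or remote-access accounts without MFA, and
passwords that would fail a basic policy. A real audit would pull these
fields from the directory/IdP and check passwords at set time against a
breach list rather than keeping plaintext around."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)      # assumed dormancy threshold
MIN_PASSWORD_LENGTH = 14              # assumed policy minimum
COMMON_PASSWORDS = {"password", "password1", "welcome1", "admin", "123456", "qwerty"}
REFERENCE_DATE = date(2021, 11, 19)   # fixed "today" so the example is deterministic


@dataclass
class Account:
    name: str
    privileged: bool        # holds admin rights
    remote_access: bool     # e.g. a VPN profile
    mfa_enabled: bool
    enabled: bool
    last_login: date
    password: str = ""      # plaintext only because this is a constructed example


def password_policy_violations(pw: str) -> list[str]:
    """Return the policy rules a password breaks (empty list means it passes)."""
    problems = []
    if len(pw) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("in common-password list")
    return problems


def audit(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Map each account name to the list of findings against it.

    Disabled accounts are skipped: they cannot be used, which is exactly the
    state the legacy VPN profile and the old admin account should have been in."""
    findings: dict[str, list[str]] = {}
    for a in accounts:
        if not a.enabled:
            continue
        issues = []
        if today - a.last_login > STALE_AFTER:
            issues.append("dormant but still enabled; disable it")
        if (a.privileged or a.remote_access) and not a.mfa_enabled:
            issues.append("privileged/remote access without MFA")
        issues += [f"weak password: {p}" for p in password_policy_violations(a.password)]
        if issues:
            findings[a.name] = issues
    return findings


# Constructed sample records modelled on the memo's findings, not real data.
SAMPLE_ACCOUNTS = [
    # legacy VPN profile, unused for months, no one-time passcode required
    Account("vpn-legacy", False, True, False, True, date(2021, 3, 1), "Tr0ub4dor&3xample!"),
    # old admin account that was never disabled and carries a weak password
    Account("old-admin", True, False, True, True, date(2020, 6, 30), "Password1"),
    # current admin with MFA and a policy-compliant password
    Account("alice", True, True, True, True, date(2021, 11, 16), "correct-Horse-battery-9"),
    # former contractor, properly disabled, so it generates no findings
    Account("bob-contractor", False, True, False, False, date(2020, 1, 15), "qwerty"),
]


def audit_sample() -> dict[str, list[str]]:
    return audit(SAMPLE_ACCOUNTS, REFERENCE_DATE)


if __name__ == "__main__":
    for name, issues in audit_sample().items():
        print(name)
        for issue in issues:
            print(f"  - {issue}")
```

Run stand-alone it reports `vpn-legacy` (dormant, no MFA) and `old-admin` (dormant, weak password) and nothing for the active admin or the disabled contractor. Scheduling a check like this against the real directory is the "audit of accounts" the memo calls for; the point is that the accounts abused in both intrusions would have shown up in the first run.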