Ransomware gangs often work with Initial Access Brokers (IABs), who provide access to organizations’ networks. IABs specialize in breaching organizations’ defenses, then sell that access to ransomware gangs, who specialize in the next phase of the attack. To gain an initial foothold in networks, IABs use a variety of tactics, including exploiting known vulnerabilities that have not been patched, brute force attacks on Remote Desktop Protocol (RDP) to guess weak passwords, phishing attacks to obtain credentials, credential stuffing, in which username/password combinations from previous breaches are tried against the accounts of their targets, and password spraying, in which a small number of common passwords are tried against many accounts so that no single account trips a lockout.
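These tactics leave different fingerprints in authentication logs, and telling them apart is the first step in responding. The following is an added example, not code from the article or from Texas RE: it parses constructed sample log lines in a simplified `<timestamp> <user> <source-ip> <OK|FAIL>` format and classifies each source address as brute force (many failures against one account), password spraying (one or two failures against many accounts) or below threshold, and also records accounts that logged in successfully from an address that had just been failing. The log format, addresses and thresholds are assumptions chosen for illustration; credential stuffing looks like spraying in these logs because the password tried is not recorded.

```python
"""Classify failed-login patterns in authentication logs.

Added example (not from the article): log format, addresses and thresholds
are assumptions chosen for illustration.
"""
import re
from collections import defaultdict

# Constructed sample log lines, not real traffic: "<timestamp> <user> <src_ip> <OK|FAIL>".
SAMPLE_LOG = """\
2022-02-20T10:00:01 alice 203.0.113.10 FAIL
2022-02-20T10:00:02 alice 203.0.113.10 FAIL
2022-02-20T10:00:03 alice 203.0.113.10 FAIL
2022-02-20T10:00:04 alice 203.0.113.10 FAIL
2022-02-20T10:00:05 alice 203.0.113.10 FAIL
2022-02-20T10:00:06 alice 203.0.113.10 FAIL
2022-02-20T10:00:07 alice 203.0.113.10 OK
2022-02-20T10:05:01 bob 198.51.100.7 FAIL
2022-02-20T10:05:02 carol 198.51.100.7 FAIL
2022-02-20T10:05:03 dave 198.51.100.7 FAIL
2022-02-20T10:05:04 erin 198.51.100.7 FAIL
2022-02-20T10:05:05 frank 198.51.100.7 FAIL
2022-02-20T10:05:06 grace 198.51.100.7 FAIL
2022-02-20T10:05:07 heidi 198.51.100.7 OK
2022-02-20T10:10:00 alice 192.0.2.44 FAIL
2022-02-20T10:10:30 alice 192.0.2.44 OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

# Thresholds are assumptions; tune them to the lockout policy and user population.
BRUTE_FORCE_MIN_FAILURES = 5   # failures against one account from one source
SPRAY_MIN_ACCOUNTS = 5         # distinct accounts failed from one source
SPRAY_MAX_PER_ACCOUNT = 2      # sprayers stay under the lockout threshold per account


def parse(log_text):
    """Return a list of (timestamp, user, src_ip, success) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, ip, result = m.groups()
            events.append((ts, user, ip, result == "OK"))
    return events


def classify(events):
    """Return one finding per source address that produced at least one failure."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failure count
    success_after_fail = defaultdict(set)             # ip -> users that later logged in OK
    for _ts, user, ip, ok in events:                  # events must be in time order
        if ok:
            if ip in failures:
                success_after_fail[ip].add(user)
        else:
            failures[ip][user] += 1

    findings = {}
    for ip, per_user in failures.items():
        max_per_account = max(per_user.values())
        distinct_accounts = len(per_user)
        if distinct_accounts >= SPRAY_MIN_ACCOUNTS and max_per_account <= SPRAY_MAX_PER_ACCOUNT:
            pattern = "password_spraying"   # one or two guesses each against many accounts
        elif max_per_account >= BRUTE_FORCE_MIN_FAILURES:
            pattern = "brute_force"         # many guesses against the same account
        else:
            pattern = "below_threshold"
        findings[ip] = {
            "pattern": pattern,
            "failed_attempts": sum(per_user.values()),
            "distinct_accounts": distinct_accounts,
            # A success from a source that was just guessing is the event to escalate:
            # it means a guess landed, not that the attack stopped.
            "success_after_failures": sorted(success_after_fail[ip]),
        }
    return findings


def analyze(log_text):
    return classify(parse(log_text))


if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(ip, finding)
```

The per-source grouping is deliberate: a sprayer spreads one password across many accounts, so per-account failure counts never reach the lockout threshold and a per-account alert would stay silent. In production the same logic runs over VPN, RDP and identity-provider logs, and the "success after failures" field is what turns a noisy statistic into an incident.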
Many of these techniques exploit a common weakness – poor password practices: Default passwords are not changed and those passwords are easy to find online; weak passwords are set that are highly susceptible to brute force attacks; passwords are reused across multiple platforms, so when there is a data breach at one entity, that password can be used to gain access to many other accounts. Organizations can implement many advanced cybersecurity solutions, from next-generation firewalls to enterprise-class antivirus solutions, spam filters, and web filters, but these defenses can all be undone by poor password practices.
With tensions rising due to the potential invasion of Ukraine by Russia, warnings have been issued to all critical infrastructure entities in the United States about the risk of cyberattacks. Ukraine has been targeted, and there are fears that as the conflict escalates, those attacks will be extended to countries that assist Ukraine, and cyberattacks on critical infrastructure could well be conducted.
The Texas Reliability Entity (Texas RE), a non-profit corporation with a mission to ensure the effective and efficient reduction of risks to the reliability and security of the bulk power system in the state, has urged all utilities in the state to take action to address password weaknesses. While cyberattacks can be highly sophisticated, it is far more common for systemic weaknesses to be targeted, and passwords are one of the most common weaknesses that can be easily exploited.
Referencing the ransomware attack on Colonial Pipeline by the DarkSide ransomware gang, which disrupted fuel supplies to the Eastern Seaboard of the United States for nearly a week, William Sanders, a cybersecurity principal at Texas RE, said the reuse of passwords from one system to another and other careless password practices are often the way that networks are breached, and could have been the way the DarkSide gang gained access to Colonial Pipeline’s network.
“Studies have shown that over half of respondents are reusing passwords,” said Sanders. “Of those, 44% admitted to reusing passwords between personal and work accounts. So, this can be very problematic.” Reuse of personal passwords for work accounts opens the door to credential stuffing: a password leaked from a personal account can be tried directly against the employee’s work account.
Sanders explained the Colonial Pipeline attack involved a compromised password that had been obtained by the threat actors. The password was discovered in a dark web data leak and was publicly available. “It’s possible that the Colonial Pipeline employee had reused a password between work and personal accounts, and the Colonial account was no longer in use, but it had not been disabled; it was still enabled and had access to their VPN,” said Sanders. The VPN did not have multifactor authentication enabled – another security failure. The attackers were not able to access the operational technology but were able to compromise computers used for other systems, including billing.
To reduce the risk of these attacks, multifactor authentication should be enabled, and all organizations should ensure they have good password practices. Passwords should still be changed when there is evidence they have been compromised, but forcing frequent routine changes, once one of the NIST password recommendations, is no longer considered good practice (NIST SP 800-63B dropped the periodic-change requirement), as it encourages employees to recycle passwords, including those from personal accounts.
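The Colonial Pipeline account described above combined several conditions that are each checkable from a directory export: it was dormant but still enabled, it had VPN access, it had no MFA, and its password was sitting in a public leak. The following is an added example, not the article’s code or any vendor’s: it audits a constructed account inventory (hypothetical users, dates and group names) for those conditions and checks password hashes against a small constructed breach corpus using the k-anonymity range-lookup pattern, in which only the first five characters of a SHA-1 hash leave the organization and the suffix comparison happens locally. The 90-day dormancy threshold, the group names and the use of SHA-1 are assumptions for illustration.

```python
"""Audit an account inventory for the Colonial Pipeline pattern.

Added example (not from the article): account data, breach corpus, group
names and the 90-day dormancy threshold are constructed assumptions.
"""
import hashlib
from datetime import date


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: SHA-1 hashes of passwords "seen in leaks", indexed
# by 5-character prefix to mirror the k-anonymity range lookup of public
# breached-password services. Real deployments would compare the directory's
# stored hashes (e.g. NT hashes) against a full breach list.
_LEAKED = ("Password123", "Summer2021!", "Welcome1", "qwerty123")
BREACH_INDEX = {}
for _h in map(sha1_hex, _LEAKED):
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def range_lookup(prefix):
    """Stand-in for the range API: caller sends only the 5-char prefix and
    receives every suffix sharing it, so the full hash never leaves the host."""
    return BREACH_INDEX.get(prefix, set())


def password_is_breached(sha1):
    return sha1[5:] in range_lookup(sha1[:5])


REPORT_DATE = date(2022, 2, 20)      # assumed "today" for the audit
DORMANT_DAYS = 90                    # assumed dormancy threshold
REMOTE_ACCESS_GROUPS = {"vpn-users"}  # assumed group granting remote access

# Constructed account inventory (hypothetical, not from Colonial or any real org).
ACCOUNTS = [
    {"user": "jsmith", "enabled": True, "last_logon": date(2022, 2, 18),
     "groups": {"vpn-users"}, "mfa": True, "pw_sha1": sha1_hex("c0rrect-h0rse-battery")},
    {"user": "contractor7", "enabled": True, "last_logon": date(2021, 6, 1),
     "groups": {"vpn-users"}, "mfa": False, "pw_sha1": sha1_hex("Summer2021!")},
    {"user": "billing-svc", "enabled": True, "last_logon": date(2022, 2, 19),
     "groups": {"billing"}, "mfa": False, "pw_sha1": sha1_hex("Welcome1")},
    {"user": "oldadmin", "enabled": False, "last_logon": date(2020, 1, 1),
     "groups": {"vpn-users", "domain-admins"}, "mfa": False, "pw_sha1": sha1_hex("Password123")},
]


def severity(issues):
    # A remotely reachable account with no MFA and a leaked password is the
    # combination described for the Colonial Pipeline VPN account.
    if "remote_access_without_mfa" in issues and "password_in_breach_corpus" in issues:
        return "critical"
    if "remote_access_without_mfa" in issues or "password_in_breach_corpus" in issues:
        return "high"
    return "medium"


def audit(accounts, today=REPORT_DATE, dormant_days=DORMANT_DAYS):
    """Return {user: {"issues": [...], "severity": ...}} for enabled accounts with problems."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled is the state we want dormant accounts to reach
        issues = []
        if (today - acct["last_logon"]).days > dormant_days:
            issues.append("dormant_but_enabled")
        if acct["groups"] & REMOTE_ACCESS_GROUPS and not acct["mfa"]:
            issues.append("remote_access_without_mfa")
        if password_is_breached(acct["pw_sha1"]):
            issues.append("password_in_breach_corpus")
        if issues:
            findings[acct["user"]] = {"issues": issues, "severity": severity(issues)}
    return findings


if __name__ == "__main__":
    for user, finding in audit(ACCOUNTS).items():
        print(user, finding["severity"], ", ".join(finding["issues"]))
```

Run on a real directory export, the dormant-plus-remote-access findings are the accounts to disable first; the breached-hash findings are the ones to force a reset on and, per NIST SP 800-63B, the same check belongs at password-set time so a leaked password is never accepted in the first place.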
One approach that has been shown to improve password security is a password manager. Password managers include secure password generators that can suggest passwords resistant to brute force attacks. Bitwarden, as an example, allows administrators to set complexity requirements for generated passwords, such as a minimum of 12 characters with at least one upper-case letter, one lower-case letter, one digit and one symbol. Passwords do not need to be remembered, as they are stored in an encrypted password vault. Employees only need to create one long passphrase to access their vault. Password managers reduce the risk of password reuse and of weak passwords being set, and can greatly improve security, especially when coupled with multifactor authentication.
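To make the generator requirements concrete, the following added example (not Bitwarden’s code or the article’s) implements a generator for the 12-character, upper/lower/digit/symbol policy quoted above using Python’s `secrets` module, a validator for that policy, an entropy estimate with a brute-force cost figure, and a diceware-style passphrase of the kind an employee would use for the vault itself. The symbol set, the word list and the assumed guess rate are assumptions.

```python
"""Policy-compliant password generation with Python's secrets module.

Added example, not Bitwarden's or the article's code. The policy mirrors the
one quoted in the text; symbol set, word list and guess rate are assumptions.
"""
import math
import secrets
import string

POLICY = {"length": 12, "upper": 1, "lower": 1, "digit": 1, "symbol": 1}
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"   # assumed symbol set
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": SYMBOLS,
}
ALPHABET = "".join(CLASSES.values())


def meets_policy(password, policy=POLICY):
    """True if the password satisfies the length and per-class minimums."""
    if len(password) < policy["length"]:
        return False
    return all(sum(ch in chars for ch in password) >= policy[name]
               for name, chars in CLASSES.items())


def generate(policy=POLICY):
    """Draw uniformly from the full alphabet and reject until the policy holds.

    Rejection sampling keeps every accepted password equally likely. The common
    shortcut of picking one character per class and then filling the rest
    skews the distribution and gives an attacker structure to exploit.
    """
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(policy["length"]))
        if meets_policy(candidate, policy):
            return candidate


def entropy_bits(policy=POLICY):
    """Upper bound: length * log2(alphabet size). Rejected candidates remove a
    little, but for this policy the loss is well under one bit."""
    return policy["length"] * math.log2(len(ALPHABET))


def brute_force_years(bits, guesses_per_second=1e10):
    """Expected time to hit the password at an assumed offline guess rate."""
    return 2 ** bits / 2 / guesses_per_second / (365 * 24 * 3600)


# Assumed tiny word list; a real diceware list has several thousand entries.
WORDS = ("correct", "horse", "battery", "staple", "lantern", "river", "copper", "meadow")


def passphrase(words=WORDS, count=5, sep=" "):
    """Diceware-style vault passphrase; entropy is count * log2(len(words))."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    pw = generate()
    print(pw, meets_policy(pw), round(entropy_bits(), 1), "bits")
    print("expected brute-force time:", f"{brute_force_years(entropy_bits()):.3g}", "years")
    print("vault passphrase:", passphrase())
```

Two details matter for security rather than convenience: `secrets` draws from the operating system’s CSPRNG, whereas `random` is seeded predictably and must never generate credentials; and the alphabet-wide rejection loop, not a "one of each class then pad" construction, is what makes the entropy figure honest.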
Sanders recommended that utilities apply NERC’s Critical Infrastructure Protection (CIP) reliability standards to low-impact systems, including billing systems, as the Colonial Pipeline attack demonstrated that major disruption can be caused even if OT is not involved. Currently, most CIP requirements apply only to high- and medium-impact bulk electric system (BES) cyber systems.