BHI Energy, a services and staffing firm for industrial, oil & gas, and power generation markets, says a ransomware attack in late June 2023 started with the May 30 use by attackers of credentials belonging to a “previously compromised user account of a third-party contractor.”
An incident report for the textbook low-hanging-fruit-type ransomware attack shows that cybercriminals used the credentials to reach the company’s internal network through a VPN connection not set up with MFA, poked about undisturbed for a month, exfiltrated 767,035 files including “a copy of BHI’s Active Directory database” and then finally detonated the Akira ransomware a month later on June 29.
BHI Energy reported the incident to its customers four months later on October 17, sharing more details in a letter to the Office of the Attorney General of Iowa, as first published by Bleeping Computer.
BHI has since “extended its deployment of EDR and antivirus software within the environment; performed an Enterprise Password Reset; decommissioned legacy and unused systems; and implemented multi-factor authentication on its remote access VPN,” it said.
Either the use of credentials for a VPN or (a moderate step up the skills ladder by attackers) abusing unpatched vulnerabilities in VPN software, remain a hugely common source of cybersecurity pain for businesses.
The ransomware attack on Colonial Pipeline in 2021 that halted operations on a pipeline moving 2.5 million barrels per day of gasoline, diesel, and jet fuel from Houston to the East Coast also started with use by attackers of a VPN account that had been set up with no MFA. i.e. One user name/password combination was all it took to start the attack.
Organisations successful in having moved most applications to the cloud should seriously consider building out more of a "zero trust" approach which often involve doing away with traditional VPNs altogether, or entails taking a hard look at how and why you are using your VPNs (on-premise file shares hold many smaller organisations back.)
As the Department of Defense has put it bluntly: "VPNs pose a threat to enterprise security. They create a path in the network perimeter and provide access to network resources after authentication. The conventional approach cannot provide a method to intelligently confirm the identities of users and entities attempting to access the network or provide adaptive policy enforcement based on authentication.”
Network defenders can also review Implementing Phishing-Resistant MFA.