Colonial Pipeline and VPN Vulnerabilities

Author Avatar


Posted on July 14, 2021

Want to interview Gerry?


The May 2021 Colonial Pipeline cyberattack was one of the largest and most damaging cyberattacks to date on American infrastructure. It halted the fuel pipeline’s operations, disrupted East Coast gasoline supplies for days, and sent gasoline prices to over $3/gallon for the first time since 2014.

According to a Bloomberg report, the Colonial Pipeline cyberattack can be traced to Colonial’s insufficient diligence in following a number of IT security best practices. The hackers managed to gain access to a legacy virtual private network (VPN), a system not routinely used by employees, using a compromised password that was found in a batch of leaked passwords on the dark web. This particular legacy VPN was also relatively unused – and therefore should have been removed– but multiple employees had access to the account (another risky practice), although it had not been used for some time. The password was still functional, indicating that Colonial Pipeline did not require periodic password changes. It was this series of failures, together with a breach in which a user’s data was exposed, that enabled the hackers to access the Colonial Pipeline network.

After breaching the Colonial Pipeline network, the hackers stole over 100 gigabytes of data and left a ransom note. Within just a few hours, the Chief Executive Officer of Colonial paid the ransom of nearly 75 bitcoins ($4.4 billion), in order to regain access and restore the pipeline’s service. Over half of the ransom has since been recovered by federal authorities.

VPN Vulnerabilities

Last year, as COVID-related closures drove masses of employees to work remotely, the trade press was full of stories about VPN vulnerabilities. With millions of people suddenly accessing networks remotely via vulnerable VPNs and RDPs, cyber criminals saw a big opportunity. Cyberattacks on RDP ports, typically used by remote workers, skyrocketed, along with attacks on VPNs.

As the Colonial Pipeline example shows, vulnerable VPNs remain a big security headache despite all the warnings. There are several ways they can contribute to cyber exposure:

  • The larger number of people working remotely means there are more VPN user accounts that can be compromised, as in the Colonial Pipeline cyberattack.
  • A larger number of accounts also exposes companies to more accounts that can be hacked via brute force attack since, inevitably, some employees choose simple passwords. Neglecting basic password security, people reuse passwords that may have been compromised elsewhere, making it easy for hackers to steal credentials.
  • Many VPNs have vulnerabilities that cybercriminals have been able to exploit. Companies that are slow to install security patches may be exposed for an extended time. Legacy VPNs that aren’t regularly used but are still technically active can be an especially vulnerable weak spot.

Securing VPNs

Some of the things that can help secure VPNs are very basic. Uninstall unused VPNs and cancel obsolete user accounts. Keep software up-to-date, promptly install any security patches. Basic good practices could prevent many attacks, but even the best cyber hygiene is no longer enough.

That’s a primary reason that cybersecurity today is moving toward Zero Trust security. In the wake of several very high profile and damaging cyberattacks, and just a few days after the Colonial Pipeline attack, US President Joe Biden issued an executive order that mandated, among other things, that the Federal government advance toward a Zero Trust architecture, to prevent future attacks.

Zero Trust is not any single technology or piece of software. It is a philosophy, an approach to network security, that treats every user and all network traffic as potentially dangerous. There are many different elements that are required to support a Zero Trust approach, including Identity and Access Management (IAM), Remote Browser Isolation (RBI), microsegmentation, and more.

ZTEdge, a new secure access service edge (SASE) platform, was designed to provide small and medium size enterprises with a comprehensive and cost-effective path to Zero Trust. Several elements of the platform can help secure VPNs to ward off the kind of attacks that hit Colonial Pipeline or even better, replace them with more inherently secure remote access solutions.

One of the key capabilities for enabling Zero Trust – and something that could have prevented the Colonial Pipeline debacle – is a more robust Identity and Access Management (IAM) solution. One of the best ways to prevent data breaches via stolen credentials is to require Multifactor Authentication (MFA). Combining Multifactor Authentication with Single Sign On (SSO), as ZTEdge’s IAM does, enables substantially improved security without putting an excessive burden on users.

But even with solid IAM, there’s still a chance that a cybercriminal could penetrate your network; so it’s essential to minimize any damage that a malicious user could do. ZTEdge includes Zero Trust Network Access, with patent-pending Automated Policy Builder. This microsegmentation-based approach makes it possible to bring least privilege access down to the individual user level, with granular access control, to simplify the process of establishing secure 1:1 person-to-application access. No network level access is permitted, and the risks of an attacker moving laterally within the network are minimized.

Today’s networks are very complex, with users that may be on the internal network or working remotely using resources that may be on the network or in the cloud. With so many different potential paths of attack, Zero Trust’s “assume breach” is a prudent approach. As such, ZTEdge includes an Intrusion Protection System (IPS) that can quickly identify threats on the network and remediate them.


Avoiding becoming a cybercrime victim is getting ever tougher; powerful players, including “cybergangs” and nation-states, engage in cybercrime for huge profits. Ransomware-as-a-service is making it possible for technically unsophisticated criminals to get in on cybercrime, too. ZTEdge was designed as an affordable comprehensive platform that allows small and medium size enterprises to protect their valuable digital assets and ability to work by implementing the strong security that the Zero Trust approach enables.

Share this on:

Author Avatar

About Gerry Grealish

Gerry Grealish, ZTEdge CMO, is a security industry veteran, bringing over 20 years of marketing and product experience in cybersecurity, cloud, analytics, and related technologies. Responsible for marketing and business development, Gerry previously was at Symantec, where he led the product marketing and go-to-market activities for the company’s broad Network Security portfolio. Prior to Symantec, Gerry was at Blue Coat, which he joined as part of Blue Coat’s acquisition of venture-backed Cloud Access Security Broker (CASB) innovator, Perspecsys, where he was Chief Marketing Officer.

Recent Posts

“Operation Duck Hunt” Shuts Down QakBot Botnet

The FBI-led takedown of Qakbot was an operation that involved seven countries. Malware was removed from 700,000 computers. But don’t think all that makes you safe.

How GenAI is Supercharging Zero-Day Cyberattacks

Generative AI empowers its users to work fast, better and more efficiently. Alas, this includes cybercriminals, who are using malicious GenAI platforms to accelerate zero-day exploit creation.

Cybercriminals Disdain the Law, But Find Law Firms Attractive

Cybercriminals love the multiplier effect they get from attacking law firms: Hack in, and they get firm data PLUS juicy confidential client info.