Colonial Pipeline ransomware attack linked to Microsoft Exchange vulnerabilities [Updated]
A new day, a new Microsoft Exchange situation.

What you need to know
- Colonial Pipeline suffered a massive ransomware cyberattack that forced it to halt business.
- Fuel prices spiked while pipeline operations were paused.
- Microsoft Exchange seems to be linked to the root of the cyberattack.
Update May 13, 2021 at 9:15 a.m. ET: Microsoft has provided the following statement: "We have not seen any evidence to support the speculation that this ransomware attack is related to Exchange vulnerabilities. Such a tactic is not consistent with the known behaviors of these attackers."
After months of drama over the Microsoft Exchange Server hacks carried out by multiple groups, including the state-sponsored Chinese group Hafnium, the product is back at the center of controversy. This time it is being linked to the Colonial Pipeline ransomware attack and the subsequent halt of fuel supplies to the Eastern U.S.
As highlighted by The New York Times' cybersecurity reporter Nicole Perlroth, an external security assessment of Colonial Pipeline by Coalition noted several exposures that could have led to the breach, naming vulnerable Microsoft Exchange services as the "most likely culprit."
Interesting forensic finding on Colonial Pipeline: They were STILL using a vulnerable version of Microsoft Exchange (the same systems exploited by Chinese hackers that was revealed in March), among other notable lapses. Per Coalition. pic.twitter.com/TvsEN8S3Ew — Nicole Perlr🌻th (@nicoleperlroth) May 11, 2021
That is to say, it is not established that Microsoft Exchange is to blame for Colonial Pipeline's current problems. The assessment describes an overall lack of security maturity, with unpatched Exchange as one exposure among several (the same report also flagged internet-exposed SNMP, NTP and DNS services). Exchange may have played a role if its vulnerabilities were indeed what left Colonial Pipeline open to the ransomware attack, but as the update above notes, Microsoft says it has seen no evidence of that.
There are many takeaways from the news, one being that no major organization should keep running unpatched versions of products that have already been exploited in large, widely publicized intrusions. What happens from here is anyone's guess, but it stands to reason that organizations of every kind, pipeline operators or otherwise, will be reassessing their security posture to avoid becoming the next national center of attention.
Robert Carnevale is the News Editor for Windows Central. He's a big fan of Kinect (it lives on in his heart), Sonic the Hedgehog, and the legendary intersection of those two titans, Sonic Free Riders. He is the author of Cold War 2395. Have a useful tip? Send it to robert.carnevale@futurenet.com.
-
From reading the Twitter link in the article there were more possible "culprits" than outdated MS software. "... 'Coalition evaluated Colonial Pipeline and found..... The most likely culprit is vulnerable Microsoft Exchange services, but the organization also exposed SNMP, NTP, and DNS services, which indicates an overall lack of cybersecurity sophistication, unfortunately. Other possibilities include the numerous network protocols exposed on the internet publicly, as well as targeted virtualization software or SSL VPN access with names that imply ICS network access--also with an invalid certificate--could be culpable vulnerability points......." -
And they were all probably used, or at least identified/evaluated. One vulnerability is a foothold and they'll recon for multiple attack vectors.
-
Underscores why lazy IT is so dangerous. There's a reason companies like Microsoft, Apple, etc., issue security updates. They don't do it just because it's a "fun" thing for them to do.
-
If somebody leaves their purse in an unlocked Honda Accord, is that Honda's fault? The issue is lack of leadership, budget, training, and internal processes. Clearly cybersecurity wasn't a priority.
-
Don't give anyone any ideas. I can see someone actually trying to sue a car manufacturer for something like that. :p
-
Typical irresponsible New York Times reporting. That cub reporter needs to be taught a lesson in getting the facts before going to press. My Lawd!