nGuard
Vulnerabilities & Exploits

Florida Water Treatment Plant Hack

Summary
Earlier this month, hackers successfully carried out an attack against a water treatment facility in Oldsmar, Florida, coming awfully close to poisoning the water supply. The attackers remotely accessed the plant’s Supervisory Control and Data Acquisition (SCADA) systems and increased the level of sodium hydroxide added to the water from 100 parts per million to 11,100 parts per million. In small doses this chemical is safe to consume. Fortunately, an employee noticed the change immediately and reversed it before the sodium hydroxide level in the water was actually altered.

How did they do it?
The water treatment plant’s computers run the Windows 7 operating system, which is outdated, unsupported, and had not received any updates in over a year. Because these outdated systems are affected by multiple known vulnerabilities, attackers were able to compromise them and gain unauthorized access. The computers were also administered with TeamViewer, a remote access application used to manage the machines as needed and respond to alerts. Every computer on the network running TeamViewer shared the same password, and the software was reachable by anyone on the internet. A breach database leaked in 2017 contained passwords matching the domain ci.oldsmar.fl.us, and it is believed the attackers used these passwords to gain access via TeamViewer. Once inside through the outdated operating system, the attackers used TeamViewer to control the desktop remotely and modify the sodium hydroxide levels.

What to do?
If your organization is hosting critical infrastructure, like SCADA or Cardholder Data Environments (CDE) for PCI, it’s crucial to:

  • Properly segment these systems from non-critical networks.
  • Ensure all operating systems in use, across all networks, are supported by the vendor and receiving and applying regular security patches.
  • Regularly test segmentation to validate that the access controls in place are sufficient to limit access to critical infrastructure.
  • Limit the types of software allowed on your systems.
  • Eliminate all local administrator accounts to enforce the principle of least privilege.
  • Have a strong password policy that is strictly enforced for all types of accounts.

nGuard has broad experience helping to secure all types of critical infrastructure organizations, including energy. By leveraging penetration testing, managed security solutions and Cyber Security Incident Response, we can help your organization become secure and meet your compliance goals.

Filed Under: Advisory, Breach, Events, General, Vulnerabilities & Exploits

February SolarWinds Update

As security researchers continue to delve into the issues surrounding the SolarWinds breach, additional implications and vulnerabilities are coming to light.

Last week researchers disclosed three additional SolarWinds vulnerabilities that, at worst, allow an attacker to achieve remote code execution with elevated privileges.

  1. CVE-2021-25274 affects the SolarWinds Orion platform through Microsoft Message Queuing (MSMQ). The Collector Service does not set permissions on its private queues, which may allow an attacker to send specially crafted packets to the service and gain remote code execution.
  2. CVE-2021-25275 also affects the Orion platform and may allow an attacker to gain unauthorized access to the back-end database. This would likely give an attacker administrator privileges for the application, which can cause a world of trouble.
  3. CVE-2021-25276 affects the SolarWinds Serv-U FTP server. A directory containing users’ password hashes is accessible to any Windows user with access to the server’s filesystem. A malicious user could quickly add a user profile that would give them persistent access to the FTP server.

SolarWinds has since addressed these issues, which were responsibly disclosed to them. While these vulnerabilities have not been found to be exploited in the wild and appear to be unrelated to the supply chain attack we have been following so closely, it is highly recommended that users of the platform install the latest versions. Users of the SolarWinds Orion platform can find information related to the recent update here. Additionally, organizations using the Serv-U FTP functionality can find a hotfix here (ServU-FTP 15.2.2 Hotfix 1). This is a direct .zip download. nGuard has been responding to many requests for services related to this massive SolarWinds breach. From incident response to preventative penetration testing assessments, nGuard is helping our clients secure their data and protect their customers.

Filed Under: Advisory, General, Vulnerabilities & Exploits

Tesla Targeted in Ransomware Attack

In the last week of August 2020, the FBI successfully detained and arrested a Russian citizen that was attempting to bribe a Tesla employee into carrying out an internal ransomware attack. The 27-year-old Russian citizen, Egor Igorevich Kriuchkov, was arrested by the FBI in Los Angeles while attempting to leave the United States.

The Tesla employee met with Kriuchkov, who offered the employee $1 million to help deliver and introduce the malware into Tesla’s network. The malware was designed to first exfiltrate data from the network and then encrypt data within it. Kriuchkov would use the exfiltrated and encrypted data to demand a ransom payment from Tesla. Fortunately for Tesla, the employee immediately notified the company, which then involved the FBI. The FBI, with the assistance of the Tesla employee, carried out a sting operation to arrest Kriuchkov.

Kriuchkov told the employee they would distract Tesla from the malware attack by simultaneously conducting a denial-of-service (DoS) attack. He described to the employee that he had successfully conducted this attack against another company and that neither he nor the assisting employee had been caught. Kriuchkov told the FBI he had successfully negotiated a $4 million payment from another company using the same tactics.

This attack comes as no surprise, with ransomware continuing to prove a valuable attack vector for adversaries. Recent ransomware attacks against Garmin and Carnival are just the tip of the iceberg as attackers continue cashing in big paydays. It is being reported that Garmin paid $10 million to attackers for the keys to decrypt their files. These attacks do not only cost organizations money if they decide to pay; should companies not pay and not have proper backups, they can spend an extensive amount of time reconfiguring networks in an attempt to return them to a normal state. The City of Atlanta chose not to pay a $52,000 ransom, but ultimately spent $2.6 million and took months to recover from the attack.

With the continuing rise of these attacks, it’s important to take the necessary steps to secure your networks by conducting proper testing, seeking out consulting, and training your workforce on the latest security best practices. These actionable items will help prevent these types of attacks from occurring via a multitude of attack vectors. nGuard is staffed with certified Security Assessors who are ready to work with you and your organization to help prevent this style of attack. Additionally, nGuard provides detailed Incident Response services should your organization be the unfortunate victim of an attack.

Filed Under: General, Vulnerabilities & Exploits

Ripple20 nGuard Security Advisory

Recently, a set of vulnerabilities was identified which affects millions of Internet-of-Things (IoT) devices using software developed by a company called Treck. The research firm that discovered them has named the whole set Ripple20. At-risk devices include assets such as power supply systems, programmable logic controllers (PLCs), and medical equipment. These vulnerabilities range in severity, with the most severe leading to remote code execution, exposure of sensitive information, and out-of-bounds writes. Below are two of the vulnerabilities rated 10 out of 10, the most severe rating:

  • CVE-2020-11896: The Treck TCP/IP stack before 6.0.1.66 allows Remote Code Execution, related to IPv4 tunneling.
  • CVE-2020-11897: The Treck TCP/IP stack before 5.0.1.35 has an Out-of-Bounds Write via multiple malformed IPv6 packets.

Many affected vendors have already been notified by the research firm that discovered these vulnerabilities and are currently working on fixing and patching the issues. However, a very common trend with IoT devices is the lack of software and firmware updates. Although there are no working proofs of concept (POCs) for these vulnerabilities in the wild, it is not uncommon for Advanced Persistent Threat groups (APTs) and nation-state actors to have the ability, time, and resources to reverse engineer security patches and quickly develop a working exploit. Because of this, nGuard recommends the remediation strategies below.


Take Inventory of Current IoT Devices

Taking an inventory of what is currently in your environment that may have this vulnerable software and removing any device that is not necessary for business related functions helps ensure a reduced attack surface.


Ensure Frequent Software and Firmware Updates

In addition to updating firmware and software of devices, consider reading the patch notes to understand what is being fixed. More often than not, software updates are pushed out to patch a security related flaw.


Conduct Penetration Tests

Include potential high-risk devices in scope for internal penetration tests to gain a better understanding of what an attacker could do.


Conduct Strategic Security Assessments

Initiate strategic security assessments to identify any critical gaps in your security program to protect against and mitigate threats like Ripple20.


Implement Proper Network Segmentation

By segmenting your network and keeping high-value target devices off of regular business networks, you reduce the risk of an attacker being able to exploit them.

For more information regarding Treck’s response to these vulnerabilities, please visit https://treck.com/vulnerability-response-information.

Filed Under: General, Vulnerabilities & Exploits

Critical ZeroLogon Vulnerability: A Must Fix!

Vulnerability Overview

ZeroLogon (CVE-2020-1472) is an immensely critical privilege escalation vulnerability affecting all versions of Windows Server. A defect in the NetLogon Remote Protocol’s use of the AES-CFB8 cipher mode allows unauthenticated adversaries to compromise Domain Controllers in an Active Directory environment. By filling fields of NetLogon messages with zeroes, an attacker can achieve the following:

  • Change the system password of the domain controller.
  • Obtain valid domain administrator credentials.
  • Obtain the password hash of any Active Directory user.
  • Create Golden Tickets.
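To show why the cipher mode itself is the defect, here is an added example (not code from nGuard or Microsoft) that models CFB8 with a stand-in keyed block function in place of AES, an assumption made so it runs with no extra libraries, and measures how often an all-zero IV with all-zero plaintext yields an all-zero ciphertext; the same key with a non-zero IV shows why an unpredictable per-message IV is the design-level fix.

```python
import hashlib
from typing import Optional

BLOCK = 16  # block size in bytes, the same as AES-128

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES-128 (assumption): a deterministic keyed PRF built from
    # SHA-256 and truncated to one block. The CFB8 argument below relies only
    # on the block function being a fixed keyed mapping, not on AES itself.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CFB8: each plaintext byte is XORed with the first byte of E(key, register),
    # then the resulting ciphertext byte is shifted into the register.
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)

def zero_iv_zero_plaintext_is_zero(key: bytes, length: int = 8) -> bool:
    # With an all-zero IV and all-zero plaintext the register can only change
    # when a ciphertext byte is non-zero. If E(key, 0^16)[0] happens to be 0,
    # the first ciphertext byte is 0, the register stays all-zero, and every
    # remaining byte is 0 too: an output nobody should be able to hit
    # without knowing the key.
    return cfb8_encrypt(key, bytes(BLOCK), bytes(length)) == bytes(length)

def find_zero_producing_key(start: int = 0, limit: int = 4096) -> Optional[bytes]:
    # Constructed keys: walk a counter to show such keys are not rare.
    for i in range(start, start + limit):
        key = i.to_bytes(BLOCK, "big")
        if zero_iv_zero_plaintext_is_zero(key):
            return key
    return None

def fraction_of_keys_producing_zero(n: int = 4096) -> float:
    # For a good block cipher E(key, 0^16)[0] == 0 for about 1 key in 256,
    # so a fixed zero IV lets a guesser reach the all-zero output in ~256 tries.
    hits = sum(zero_iv_zero_plaintext_is_zero(i.to_bytes(BLOCK, "big")) for i in range(n))
    return hits / n

if __name__ == "__main__":
    key = find_zero_producing_key()
    print("fraction of keys giving all-zero output with IV = 0:", fraction_of_keys_producing_zero())
    if key:
        # With a non-zero (in practice random, per-message) IV the same key no longer yields zeros.
        print("non-zero IV, same key:", cfb8_encrypt(key, b"\x01" + bytes(BLOCK - 1), bytes(8)).hex())
```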

Want to know more about the technical details behind this major Windows Server vulnerability? Check out the Microsoft Report regarding ZeroLogon.

Want to see just how easy it is for an attacker on the internal network to exploit this vulnerability? Check out the video below!

Skip to 4:12 to see the exploit in action.

Remediation

As you can see from the video above, it takes very little effort for an internal threat actor to fully compromise the Domain Controller. So, what can your organization do in order to ultimately remediate this critical vulnerability?

Fortunately, the solution is straightforward. The August 2020 Security Patch from Microsoft addresses this vulnerability for all affected versions of Windows. In many organizations Domain Controllers tend to fall behind on patches due to the impact updating a Domain Controller can have on many services and applications in the environment. Don’t lag behind on this update!

As security research becomes more prominent, critical vulnerabilities like ZeroLogon are on the rise. nGuard’s team of certified penetration testers are ready to cater to your needs by providing security assessments that bring attention to the weaknesses in your environment. Ready to learn more about nGuard’s Internal Penetration Testing assessment and its positive effects on the overall security landscape of the ever-growing internal network?

nGuard’s Internal Penetration Testing

Filed Under: General, Vulnerabilities & Exploits

Outbreak News Alert – NotPetya

On June 27, 2017, an ongoing cyberattack was discovered that utilized a variant of a prior, widespread, ransomware exploit known as Petya.  This new attack, dubbed NotPetya by Kaspersky Labs, appeared to originate in Ukraine, but it quickly spread across Europe and the United States.  NotPetya makes use of some components of the NSA hacking tools revealed earlier this year from the Vault7 dump by the Shadow Brokers.  Researchers have discovered that the creators of the malware did not appear to do it for monetary purposes, noting that many red flags existed to show that this attack was designed to be a “wiper,” simply destroying all infected systems.

Ransomware and other similar malware variants have been extremely detrimental to many organizations already this year.  Beginning with WannaCry, and now NotPetya, these vicious pieces of software have exploited security weaknesses that many companies struggle with on an ongoing basis, specifically, deficiencies in patching processes, internal system misconfigurations, and lack of secure practices in general.  The cost to organizations can be significant, including consumption of IT personnel, system downtime, and outright data loss.  “Essentially, organizations can prevent these types of attacks by maintaining good security hygiene,” states JR Johnson, Senior Vulnerability Researcher with nGuard.  “Starting with patch management, good back-up processes and infrastructure, and regular security audits by third-parties.  With good security best practices, organizations can almost completely prevent these types of attacks from significantly affecting them.”

Regardless of an organization’s security program maturity, nGuard recommends that organizations take the time to evaluate their resiliency to these types of attacks.  Whether it is a strategic assessment of your organization’s security posture or tactical penetration testing to determine the effectiveness of your current security controls, nGuard can help your company be prepared for the next malware outbreak.

About nGuard Corporation

nGuard is a leading provider of expert security assessments, managed security services, security incident response, and other advanced security services to organizations across North America and around the world. nGuard’s relentless focus on securing clients, as well as its unmatched security expertise, has helped it become one of the most sought-after security firms in North America.

For more information, please visit: www.nGuard.com

Filed Under: General, Vulnerabilities & Exploits

3540 Toringdon Way
Suite 200
Charlotte, NC 28277-4650

info@nGuard.com
© 2021 nGuard. All rights reserved.