nGuard

Florida Water Treatment Plant Hack

Summary
Earlier this month, attackers gained remote access to the Supervisory Control and Data Acquisition (SCADA) system of a water treatment facility in Oldsmar, Florida and came awfully close to poisoning the water supply. They raised the setpoint for sodium hydroxide (lye, which the plant adds to control the water’s pH) from 100 parts per million to 11,100 parts per million. At the normal dose the chemical is safe to consume; at the level the attackers set it is caustic. Fortunately, an operator noticed the change immediately and reverted it before the new setpoint had any effect on the treated water.

How did they do it?
The plant’s computers were running Windows 7, which reached end of support in January 2020 and so had gone more than a year without security updates; that left the machines exposed to multiple publicly known vulnerabilities. The same computers ran TeamViewer so that staff could administer them and respond to alerts remotely. Every TeamViewer-enabled computer on the network used the same password, and the software was reachable by anyone on the internet. A credential compilation leaked in 2017 contained passwords for accounts under the ci.oldsmar.fl.us domain, and it is believed the attackers reused those credentials to log in through TeamViewer. Once inside a remote desktop session they used the plant’s own SCADA software to change the sodium hydroxide setpoint. The unsupported operating system is a serious weakness in its own right, but the initial access is attributed to the reused, shared credentials and the internet-exposed remote access tool rather than to an exploit against Windows 7.

What to do?
If your organization hosts critical infrastructure, such as SCADA systems or a PCI Cardholder Data Environment (CDE), it’s crucial to:

  • Properly segment these systems from non-critical networks, and never expose remote access tools for them directly to the internet; remote administration should go through a VPN with multi-factor authentication.
  • Ensure every operating system in use, across all networks, is still supported by its vendor and is receiving and applying security patches regularly.
  • Test segmentation regularly to validate that the access controls in place actually limit reachability of the critical systems from everywhere else.
  • Restrict the software allowed on these systems, so that unapproved remote access tools cannot be installed on them.
  • Eliminate shared and standing local administrator accounts, enforcing the principle of least privilege.
  • Enforce a strong password policy for every type of account, with a unique credential per system rather than one password shared across machines.

nGuard has broad experience helping to secure all types of critical infrastructure organizations, including energy. By leveraging penetration testing, managed security solutions and Cyber Security Incident Response, we can help your organization become secure and meet your compliance goals.

Filed Under: Advisory, Breach, Events, General, Vulnerabilities & Exploits

February SolarWinds Update

As security researchers continue to delve into the issues surrounding the SolarWinds breach, additional implications and vulnerabilities are coming to light.

Last week researchers disclosed three additional SolarWinds vulnerabilities, the worst of which allows an attacker to achieve remote code execution with elevated privileges.

  1. CVE-2021-25274 affects the SolarWinds Orion Platform through its use of Microsoft Message Queuing (MSMQ). The Collector Service does not set permissions on the private queues it creates, so anyone who can reach the host can post specially crafted messages to them, and the service processes those messages unsafely, which can lead to remote code execution.
  2. CVE-2021-25275 also affects the Orion Platform and allows a local user to recover the credentials for the back-end database, giving unauthorized access to it. From the database an attacker can tamper with Orion’s own account data and effectively gain administrator privileges in the application, which opens up a world of trouble.
  3. CVE-2021-25276 affects the SolarWinds Serv-U FTP server on Windows. The directory holding user profiles, including password hashes, is accessible to any local Windows user who can log in to the server, so a low-privileged user can copy the hashes and drop in a new profile that gives them persistent access to the FTP service.

SolarWinds has since addressed all three issues, which were responsibly disclosed to it. None has been observed being exploited in the wild, and none appears to have been part of the supply chain attack we have been following so closely, but users of the platform should still install the latest versions. SolarWinds’ release notes describe the Orion Platform update; organizations using Serv-U can apply Serv-U 15.2.2 Hotfix 1, which SolarWinds distributes as a direct .zip download. nGuard has been responding to many requests for services related to this massive SolarWinds breach. From incident response to preventative penetration testing assessments, nGuard is helping our clients secure their data and protect their customers.

Filed Under: Advisory, General, Vulnerabilities & Exploits

GDPR Fines On The Rise

Since the European Union’s General Data Protection Regulation (GDPR) took effect in May 2018, regulators have handed out $330.5 million in fines, $192 million of it in the past year alone. As the regulation matures, regulators are growing tougher with their fines. Breach notifications are also on the rise, up 19 percent over the past 12 months. Germany leads with 66,527 breach notifications, while Italy has had the fewest with 3,460. Germany, France, and Italy are the top three countries by fines imposed, with a combined $234 million since GDPR was enacted.

Because of the economic impact of COVID-19, some organizations have been fortunate to see proposed fines cut substantially in exchange for commitments to improve their security posture. Marriott’s fine was reduced to $25 million from the original $123 million, for a breach that went on for over four years and exposed the records of 339 million guests. British Airways’ fine was reduced to $27 million from the original $230 million, for the theft of personal data from over 400 thousand customers when their website redirected visitors to a fraudulent site that collected their details; this went undetected for over two months. The pandemic has provided temporary relief on some fines, but it isn’t permanent. Organizations need to ensure they are following GDPR requirements or it is going to cost them in large-scale fines.

The four potential sources of privacy protection are markets, technology, self- or co-regulation, and law. GDPR takes the traditional approach of using law to enforce privacy and data protection. That fines keep rising even as enforcement tightens shows that a law by itself does not guarantee better privacy or security in practice. The best advice for organizations subject to GDPR is to err on the side of caution, as fines and cumulative damage claims are only going to rise. As GDPR matures and evolves, new and stricter regulations may follow.

Filed Under: Advisory, Compliance, Financial, General

Weak Passwords Lead to Routine Compromises

nGuard continues to observe weak passwords in widespread use across its customer-base, regardless of industry or size.  “It’s a major weakness that we continue to identify in a large percentage of our assessments,” states Evan Rowell, National Manager of Security Consulting.  “In situations where we are able to obtain access to the encrypted credentials, we’re able to crack large percentages of passwords in seconds, minutes, or hours.  We know from experience that standard corporate password policies are typically around eight characters, with some complexity.  Most users will choose a familiar word, capitalize the first letter, and add some digits or symbols to the end.  Even longer passwords are routinely cracked, so it’s not only a matter of length.  Advances in technology make this a huge risk, and many of our new customers are unaware of how easy it is to exploit.”

Most governance, risk, and compliance (GRC) standards require some minimum password length and complexity, as well as Multi-Factor Authentication (MFA), to address this issue. “There are several techniques that can help strengthen password weaknesses, but the basic premise is to use longer passwords with random character strings. It can be difficult to convince management to train, require, and implement strong password policies, but our team has worked with numerous businesses over the years to do just that.” While MFA helps immensely, and should be required for remote access to internal networks and for administering critical systems, Mr. Rowell indicates “it’s not a silver bullet and often can’t stop a determined hacker. That’s why nGuard works to help businesses understand that a layered security approach is the most effective way to defend against attackers. Better password policies, Multi-Factor Authentication, regular assessments, and remediation are all equally important.”
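
The shape Mr. Rowell describes (a familiar word, first letter capitalized, digits or a symbol on the end) is exactly what a rule-based cracker enumerates. The Python script below is an added example, not nGuard’s tooling or anything from the post: it builds that candidate set from a tiny constructed word list, runs it against a handful of constructed hashes, and compares the size of the resulting search space with that of a genuinely random 8-character password. Real attacks run the same candidate shapes through hashcat against NTLM (MD4 over the UTF-16LE password) or Net-NTLMv2; MD4 is missing from many OpenSSL builds, so SHA-256 stands in here and the candidate-generation logic is the point.

```python
"""Why "8 characters with complexity" falls quickly: a rule-based guesser.

Added example, not from the nGuard post. The word list and target hashes are
constructed for the demo. SHA-256 stands in for NTLM (MD4 over UTF-16LE), which
is absent from many OpenSSL builds; only the candidate generation matters here.
"""
import hashlib
import math
from typing import Dict, Iterable, Iterator


def digest(password: str) -> str:
    """Stand-in for the real hash function; the rules do not depend on it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Substitutions users think make a word unguessable.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
# "" keeps the bare word; the rest are the usual one-symbol tails.
SYMBOLS = ["", "!", "@", "#", "$"]
# Bare word, one or two digits, or a plausible year.
SUFFIXES = [""] + [str(n) for n in range(100)] + [str(y) for y in range(1990, 2031)]


def candidates(words: Iterable[str]) -> Iterator[str]:
    """Guesses in the shape people actually pick: word, Capitalised, leet-speak,
    then digits or a year, then maybe one trailing symbol."""
    for word in words:
        for base in (word, word.capitalize(), word.capitalize().translate(LEET)):
            for suffix in SUFFIXES:
                for sym in SYMBOLS:
                    yield f"{base}{suffix}{sym}"


def rule_keyspace_per_word() -> int:
    """How many guesses the rules above produce from a single dictionary word."""
    return 3 * len(SUFFIXES) * len(SYMBOLS)


def crack(targets: Iterable[str], words: Iterable[str]) -> Dict[str, str]:
    """Return {hash: plaintext} for every target hit by the rules."""
    wanted = set(targets)
    found: Dict[str, str] = {}
    for guess in candidates(words):
        d = digest(guess)
        if d in wanted:
            found[d] = guess
            if len(found) == len(wanted):
                break
    return found


def meets_policy(password: str, min_len: int = 8) -> bool:
    """Typical corporate policy: at least 8 characters and three of the four classes."""
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= min_len and sum(classes) >= 3


def bits(keyspace: int) -> float:
    """Search space expressed as bits, for comparing attack effort."""
    return math.log2(keyspace)


if __name__ == "__main__":
    words = ["summer", "welcome", "charlotte", "football"]          # constructed mini word list
    plaintexts = ["Summer2021!", "welcome1", "Ch@rl0tt3", "correct horse battery staple"]
    targets = [digest(p) for p in plaintexts]                        # constructed "dump"
    hits = crack(targets, words)
    for p, t in zip(plaintexts, targets):
        print(f"{t[:12]}...  policy ok: {meets_policy(p)!s:5}  {hits.get(t, '<not cracked>')}")
    per_word = rule_keyspace_per_word()
    print(f"{per_word} guesses per dictionary word; with 1,000,000 words that is "
          f"about {bits(per_word * 1_000_000):.1f} bits of work")
    print(f"random 8-character password from 95 printable ASCII: {bits(95 ** 8):.1f} bits")
```

"Summer2021!" passes the usual complexity check and is still found in a couple of thousand guesses per word, which is why Mr. Rowell’s point is about the shape of the password rather than its length; the same rules applied to a million-word dictionary give roughly 31 bits of work, against about 53 bits for a truly random 8-character string. Add the year-and-symbol rules, leet substitutions and a larger word list and you have the standard hashcat rule sets that crack the bulk of a domain’s hashes in minutes.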

For more information, review nGuard’s Password Database Testing service, or contact us directly.

About nGuard Corporation

nGuard is a leading provider of expert security assessments, managed security services, security incident response, and other advanced security services to organizations across North America and around the world. nGuard’s relentless focus on securing clients, together with its unmatched security expertise, has made it one of the most sought-after security firms in North America.

For more information, please visit:  www.nGuard.com

Filed Under: Advisory, General

3540 Toringdon Way
Suite 200
Charlotte, NC 28277-4650

info@nGuard.com

© 2021 nGuard. All rights reserved.