By Lior Hammer | Mar 12, 2020

Recent reporting on Lemon Duck, a new malware campaign targeting global manufacturers, is among the latest reminders of an enduring facet of the industrial cyber threat landscape: attacks on Windows machines with unpatched vulnerabilities in the Server Message Block (SMB) protocol stack. SMB security flaws continue to emerge, as evidenced by Microsoft accidentally releasing an advisory for a new “wormable” vulnerability in SMBv3 (CVE-2020-0796) on March 10.

Indeed, systems using SMB protocols have long been appealing targets for threat actors due to the prevalence of SMB vulnerabilities that, if exploited, can enable malware to self-spread laterally through connected systems. This is exactly what we’ve seen with Lemon Duck, as well as myriad previous attacks that have impacted the operational technology (OT) networks on which industrial enterprises and critical infrastructure rely.

One of the earliest examples of such an attack was in 2008 when the now-infamous Conficker Worm spread globally, infecting millions of Windows machines by exploiting SMB vulnerability MS08-067. It’s been more than a decade since the initial infection, but Conficker continues to be detected in the wild today.

Another well-known example impacting industrial targets is the LockerGoga attack, which leveraged stolen credentials or brute-forcing to gain access to Windows-based networks and subsequently spreading via SMB protocols. LockerGoga severely disrupted numerous industrial firms in early 2019, forcing several plants to shift to manual operations.

Another notable example is NotPetya, the ransomware attack that wreaked widespread havoc in 2017. Although NotPetya did not specifically target industrial environments, its self-spreading capabilities—which, similar to Conficker and Lemon_Duck PowerShell, were enabled by an SMB vulnerability—caused the ransomware to unintentionally infect and damage OT networks around the world. NotPetya has since been widely recognized as the costliest and most destructive cyber attack in history.

These three examples comprise just a portion of those in which SMB protocols proved to be a major infection vector.

Moreover, it’s crucial to recognize the significant threat such attacks pose to OT networks, which typically leverage SMB protocols to support the core functionalities of OT assets such as human-machine interfaces (HMIs), engineering stations, and historians, among others. Attacks that interfere with the operations of these assets can have a tremendous impact on process integrity, hindering the ability to control and monitor critical processes.

Our team at Claroty is intimately familiar with this threat and committed to helping our customers understand and mitigate it. To that end, we’ve spent years developing the following detection engines that can identify and help neutralize such attacks before they impact key assets:

  • Signature-based behavior detects known threats based on publicly known and indigenous signatures for malicious network traffic. This capability is enhanced with Claroty threat intelligence feeds, enabling an up-to-date database of threats that can be detected automatically.
  • Custom rule-based detection allows users to define and set alerts for potentially malicious network traffic patterns, supporting rapid investigations and the ability to prohibit specific types of traffic, such as SMB connections.
  • Anomaly-based detection leverages Claroty’s deep packet inspection (DPI) capabilities to automatically segment your OT network into virtual zones where communication patterns between zones are clearly defined. Pattern deviations indicating potential threats result in a real-time, fully contextualized alert.
  • Security behavior detects known techniques and behavior patterns that have been used by attackers and alerts the network security team for further investigation
  • Operational behavior identifies OT operations occurring in your network across proprietary and open-source protocols, including configuration downloads and uploads, mode changes, key state changes, and firmware updates.

Together, these detection engines can quickly identify threats present within your OT network. Once a threat has been detected, Claroty assesses the validity and urgency of the alert to facilitate rapid action before key network components are impacted.

Deep visibility, continuous monitoring, and rapid detection are essential for defending your OT network, but preventative measures are also key. Many OT cyber threats can be prevented by consistent, well-informed vulnerability management practices. Claroty supports this best practice by keeping track of vulnerabilities within OT networks, such as outdated protocols, weak passwords, and common vulnerabilities and exposures (CVEs) relevant to the specific software versions on which your systems are running.