The hallmarks of the Feb. 5 cyberattack against the Oldsmar, Fla., water treatment facility likely paint a picture typical of industrial control system environments, where under-resourced staff, pressured by mandates for availability and safety, rely on legacy software and inadequate remote access solutions to run an entity responsible for a vital public utility.
Operators inside the Oldsmar facility detected two intrusions from outside the plant on that day, the second of which involved a remote attacker, connected via TeamViewer desktop-sharing software, changing levels of sodium hydroxide in residential and commercial drinking water from 100 parts-per-million to 11,100 parts-per-million. Sodium hydroxide, or lye, is caustic; it is added to water to control acidity and remove certain metals.
The operators' quick action to cut off the attacker's access, supported by safeguards innate to water-treatment systems, kept the contaminated water from ever reaching the public. But underlying their heroism are systemic problems across critical infrastructure that are going to be compounded as more companies bring operational technology (OT) under IT and connect more of these critical systems online.
On Thursday, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) published an alert about the Oldsmar compromise, calling out some of these systemic issues, starting with the facility's use of TeamViewer—and the same shared password to access the application—as well as outdated and unsupported versions of Windows 7 to remotely manage water treatment. The Water ISAC also published an advisory.
In an environment where downtime is hardly tolerated, it's not unusual to see legacy Windows 7 machines and other outdated, unsupported software running in production. This is problematic because, in the case of Windows 7, for example, Microsoft ended support for the operating system in January 2020. Such systems no longer receive security or feature updates unless they are enrolled in the expensive Extended Security Update plan, which is priced per device and gets costlier the longer the customer subscribes.
"Cyber actors continue to find entry points into legacy Windows operating systems and leverage Remote Desktop Protocol (RDP) exploits," CISA warned in its alert. Microsoft in 2019, for example, made an emergency patch available for a critical RDP flaw that was being exploited in the wild. "Cyber actors often use misconfigured or improperly secured RDP access controls to conduct cyberattacks," CISA added.
The use of free versions of TeamViewer and other remote desktop-sharing and support applications is also not uncommon inside these environments. The COVID-19 pandemic has only heightened the risk posed by these applications as workforces become increasingly remote and access to key processes from outside the facility becomes a necessity.
TeamViewer provides administrators and operators with easy, inexpensive access to facilities, but these applications must be configured with security in mind. Even then, they're not adequate for OT networks. Unlike purpose-built secure access solutions, these applications do not adequately log user activities, provide auditing capabilities, or allow admins to monitor—and disconnect if necessary—remote sessions in real time. They also often do not let admins set different permission levels for different users based on role. Once an attacker has access to the application, as in the case of Oldsmar, they can gain remote control over the control system it's connected to.
Because of how TeamViewer is configured, it allows remote connections that bypass Network Address Translation (NAT) and firewalls: endpoints that sit on two different networks can still connect, so anyone with the right password can reach a machine running TeamViewer. This is in contrast to Microsoft's Remote Desktop Protocol (RDP), for example, which requires both computers to be on the same network; in these cases, usability may trump security.
CISA's alert includes a lengthy list of mitigations, including a recommendation that industrial enterprises operate on current versions of Windows, use multi-factor authentication, and strong passwords to secure remote connections. Auditing of network configurations is also recommended, as is segmenting systems that cannot be updated.
CISA also cautioned that the use of TeamViewer and other similar applications can be abused not only for remote access to critical processes, but to move laterally across a network, inject malicious code such as remote access Trojans (RATs), and to obfuscate other malicious activity.
"TeamViewer's legitimate use, however, makes anomalous activity less suspicious to end users and system administrators compared to RATs," the alert said.
In addition, organizations should deploy secure access solutions that are designed for ICS environments, ones that allow only authorized users to create sessions, and administrators to monitor and disconnect those sessions in the event of malicious activity. It's also important to have network detection software in place that provides visibility into assets running on an OT network, including out-of-date OSes and software, and also any CVEs associated with those products, allowing administrators to take action.
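As an added example of the process-aware monitoring the paragraphs above call for (this is not code from the article, from CISA, or from the Oldsmar facility), the following script runs a constructed historian log of setpoint writes through three simple rules: is the new value outside the safe operating window, did it jump by more than a fixed ratio in a single write, and did the write come from a remote session. The log format, the tag name NaOH_SETPOINT_PPM, the safe range of 50 to 200 ppm and the ratio threshold are all assumptions made for the demo; a real plant would take its limits from its process engineers.

```python
"""Process-aware monitor for setpoint writes in a water-treatment historian feed.

Added example for this article; not code from the page, CISA, or the Oldsmar
plant. Log format, tag name, safe range and ratio threshold are assumptions.
"""
import re
from dataclasses import dataclass, field

# Assumed safe operating window per monitored tag, in ppm. In a real plant the
# process engineers own these numbers and the PLC/safety layer enforces them too.
SAFE_RANGE_PPM = {"NaOH_SETPOINT_PPM": (50.0, 200.0)}
# Any single write that multiplies or divides the value by more than this is abrupt.
MAX_RATIO = 5.0

# Constructed historian lines (not real plant data): one setpoint write per line.
SAMPLE_LOG = """\
2021-02-05T08:00:00 src=local user=op1 tag=NaOH_SETPOINT_PPM old=100 new=105
2021-02-05T13:00:00 src=remote user=op1 tag=NaOH_SETPOINT_PPM old=105 new=100
2021-02-05T13:05:00 src=remote user=op1 tag=NaOH_SETPOINT_PPM old=100 new=11100
2021-02-05T13:06:00 src=local user=op1 tag=NaOH_SETPOINT_PPM old=11100 new=100
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"tag=(?P<tag>\S+) old=(?P<old>[\d.]+) new=(?P<new>[\d.]+)$"
)


@dataclass
class Alert:
    ts: str
    tag: str
    old: float
    new: float
    src: str
    user: str
    reasons: list = field(default_factory=list)
    severity: str = "info"


def parse_line(line):
    """Parse one historian line into a dict, or None if it is not a setpoint write."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["old"], ev["new"] = float(ev["old"]), float(ev["new"])
    return ev


def check_write(ev):
    """Return the names of the rules a single setpoint write violates."""
    reasons = []
    lo, hi = SAFE_RANGE_PPM.get(ev["tag"], (None, None))
    if lo is not None and not lo <= ev["new"] <= hi:
        reasons.append("out_of_safe_range")
    old, new = ev["old"], ev["new"]
    if old == new:
        ratio = 1.0
    elif min(old, new) <= 0:
        ratio = float("inf")  # a jump to or from zero is always abrupt
    else:
        ratio = max(new / old, old / new)
    if ratio > MAX_RATIO:
        reasons.append("abrupt_change")
    if ev["src"] == "remote":
        reasons.append("remote_write")  # every remote-session write is recorded
    return reasons


def severity(reasons):
    if "out_of_safe_range" in reasons:
        return "critical"
    if "abrupt_change" in reasons:
        return "high"
    return "info"


def scan(log_text):
    """Run every monitored setpoint write through the rules; return the alerts."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["tag"] not in SAFE_RANGE_PPM:
            continue
        reasons = check_write(ev)
        if reasons:
            alerts.append(Alert(ev["ts"], ev["tag"], ev["old"], ev["new"],
                                ev["src"], ev["user"], reasons, severity(reasons)))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.severity:8} {a.tag} {a.old:g}->{a.new:g} "
              f"via {a.src} by {a.user}: {', '.join(a.reasons)}")
```

Note that the operator's corrective write back to 100 ppm also trips the ratio rule. That is deliberate: the alert carries the old and new values, the source and the user so a reviewer can triage it, rather than having the monitor act on its own. The monitor is an independent check on top of limits enforced in the PLC or safety layer, not a replacement for them.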
CWE-345: INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY
In 2N Access Commander versions 3.1.1.2 and prior, a local attacker can escalate their privileges in the system, which could allow for arbitrary code execution with root permissions.
Update to Access Commander version 3.2.
CVSS v3: 4.7
CWE-345: INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY
In 2N Access Commander versions 3.1.1.2 and prior, an Insufficient Verification of Data Authenticity vulnerability could allow an attacker to escalate their privileges and gain root access to the system.
Update to Access Commander version 3.2.
CVSS v3: 6.3
CWE-22: IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL')
In 2N Access Commander versions 3.1.1.2 and prior, a Path Traversal vulnerability could allow an attacker to write files on the filesystem to achieve arbitrary remote code execution.
Update to Access Commander version 3.2.
CVSS v3: 7.2
CWE-290: AUTHENTICATION BYPASS BY SPOOFING
Snap One OVRC cloud uses the MAC address as an identifier to provide information when requested. An attacker can impersonate other devices by supplying enumerated MAC addresses and receive sensitive information about the device.
Read more: "The Problem with IoT Cloud Connectivity and How it Exposed All OvrC Devices to Hijacking"
CVSS v3: 7.5
CWE-306: MISSING AUTHENTICATION FOR CRITICAL FUNCTION
A vulnerability exists in Snap One OVRC cloud where an attacker can impersonate a Hub device and send requests to claim and unclaim devices. The attacker only needs to provide the MAC address of the targeted device, and can request that it be unclaimed from its original connection and then claim it.
OvrC Pro: All versions prior to 7.3 are affected.
Read more: "The Problem with IoT Cloud Connectivity and How it Exposed All OvrC Devices to Hijacking"
CVSS v3: 9.1
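The two OvrC findings above (a MAC address used as the identifier that unlocks device information, and hub impersonation that claims and unclaims devices by MAC alone) share one root cause: a public, enumerable identifier is being treated as a credential. The following is an added example, not Snap One's or OvrC's code and not a description of how their cloud is built, that contrasts a registry keyed only by MAC with one that requires a challenge-response proof of a per-device or per-hub secret before returning details or changing ownership. The registry contents, the keys, the hub names and the message format are constructed for the demo.

```python
"""Device identity in an IoT management cloud: identifier versus proof of possession.

Added example; not code from Snap One, OvrC or the advisory. All data below is
constructed: a demo MAC address, demo per-device and per-hub keys, demo hub names.
"""
import hashlib
import hmac
import secrets

MAC = "00:11:22:33:44:55"                                   # constructed device identifier
DEVICE_KEYS = {MAC: bytes.fromhex("a1" * 32)}               # per-device secret provisioned at manufacture
HUB_KEYS = {"hub-A": bytes.fromhex("b2" * 32),               # per-hub secrets issued at enrolment
            "hub-B": bytes.fromhex("c3" * 32)}


def make_registry():
    """Fresh copy of the cloud's device table, keyed by MAC address."""
    return {MAC: {"model": "demo-switch", "fw": "1.0.0", "owner_hub": "hub-A"}}


# --- Weak design: the MAC address is both the identifier and the credential ----------

def weak_device_info(registry, mac):
    """Anyone who can guess or enumerate a MAC gets the device record."""
    rec = registry.get(mac)
    return dict(rec) if rec else None


def weak_unclaim(registry, mac):
    """Any caller can detach a device from its hub by naming its MAC."""
    rec = registry.get(mac)
    if rec is None:
        return False
    rec["owner_hub"] = None
    return True


def weak_claim(registry, mac, hub):
    """Any caller can then bind the detached device to a hub of their choosing."""
    rec = registry.get(mac)
    if rec is None or rec["owner_hub"] is not None:
        return False
    rec["owner_hub"] = hub
    return True


# --- Hardened design: every request proves possession of a principal's secret -----

class Cloud:
    def __init__(self, registry):
        self.registry = registry
        self._pending = {}  # nonce -> principal it was issued to (single use)

    def challenge(self, principal):
        """Issue a fresh nonce bound to the principal (device MAC or hub id)."""
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = principal
        return nonce

    @staticmethod
    def sign(key, nonce, principal, *fields):
        """Client side: HMAC over the nonce, the principal and every request field."""
        msg = nonce + b"|" + "|".join((principal, *fields)).encode()
        return hmac.new(key, msg, hashlib.sha256).digest()

    def _verify(self, keyring, principal, nonce, tag, *fields):
        if self._pending.pop(nonce, None) != principal:
            return False  # unknown, replayed or mis-bound nonce
        key = keyring.get(principal)
        if key is None:
            return False
        return hmac.compare_digest(tag, self.sign(key, nonce, principal, *fields))

    def device_info(self, mac, nonce, tag):
        """Only the device itself (holder of its key) can read its own record."""
        if not self._verify(DEVICE_KEYS, mac, nonce, tag, "info"):
            return None
        rec = self.registry.get(mac)
        return dict(rec) if rec else None

    def unclaim(self, hub, mac, nonce, tag):
        """Only the authenticated current owner hub may release a device."""
        if not self._verify(HUB_KEYS, hub, nonce, tag, "unclaim", mac):
            return False
        rec = self.registry.get(mac)
        if rec is None or rec["owner_hub"] != hub:
            return False
        rec["owner_hub"] = None
        return True

    def claim(self, hub, mac, nonce, tag):
        """Binding requires the device's key, i.e. whoever holds the hardware, not its MAC."""
        if not self._verify(DEVICE_KEYS, mac, nonce, tag, "claim", hub):
            return False
        rec = self.registry.get(mac)
        if rec is None or rec["owner_hub"] is not None:
            return False
        rec["owner_hub"] = hub
        return True
```

The weak functions show why the advisories rate the two issues as they do: once the MAC is the only input, enumeration turns into information disclosure and, combined with unclaim followed by claim, into a change of ownership. In the hardened version the MAC is still the lookup key, but it buys nothing on its own: reading a record needs the device key, releasing a device needs the current owner hub's key plus an ownership check, and binding a device needs the device key, so an impersonated hub with only a MAC address cannot do any of the three. The nonce is single-use and bound to the principal it was issued to, and comparison uses hmac.compare_digest to avoid timing side channels.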