Israel appears to have thwarted a large-scale attempt at a critical-infrastructure cyber attack against its national water supply. An internal report from Israel's Water Authority indicates that the incident occurred between Friday, April 24 and Saturday, April 25.
According to a statement from Israel's National Cyber Directorate, the attempted attack targeted the command and control systems of Water Authority's wastewater treatment plants, pumping stations, and sewage infrastructure. A follow-up statement from the Water Authority and National Cyber Directorate reported the incident appeared to be coordinated, but no damage had occurred.
Organizations affected by the attempted attack were ordered to immediately reset the passwords for all of the facility's operational technology (OT) systems—especially those related to chlorine control—and ensure all control software was updated. If it's not possible to change the passwords for certain systems, personnel were advised to disconnect these systems from the internet entirely.
This attempted attack highlights that while water infrastructure often eludes the public's attention as a major source of cyber risk, it remains susceptible to both targeted and non-targeted threats. A combination of legacy systems, growing connectivity, and federated management—most water utilities are owned and operated at a local level—warrants a high prioritization of cybersecurity for the water and wastewater sectors on a global level.
As with most OT systems, our water infrastructure demands a granular level of visibility to detect not only latent threats on the network, but also anomalies that might be indicative of a threat or could subject the network to even novice hackers. Misconfigurations and known vulnerabilities effectively lower the barriers to entry for threat actors and increase the risk of exploitation. Furthermore, as information technology (IT) networks converge with OT networks, owners and operators of water infrastructure should be ever-vigilant against account compromises that might grant an attack direct access to industrial control systems. This includes employees and third-party vendors that are accessing the infrastructure remotely.
The security and reliability of critical infrastructure—such as water, power, and telecommunications—is more essential than ever amid the current global pandemic. For more insight into securing critical infrastructure in our current global environment, check out our recent, three-part blog series from Admiral (Ret.) Michael S. Rogers, Chairman of Claroty's Customer Advisory Board: (part 1), (part 2), (part 3).
CWE-191 INTEGER UNDERFLOW (WRAP OR WRAPAROUND):
The affected product is vulnerable to an integer underflow. An unauthenticated attacker could send a malformed HTTP Requesty, which could allow the attacker to crash the program.
Planet Technology recommends users upgrade to version 1.305b241111 or later.
CVSS v3: 5.3
CWE-78 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION'):
The affected product is vulnerable to a command injection. An unauthenticated attacker could send commands through a malicious HTTP request which could result in remote code execution.
Planet Technology recommends users upgrade to version 1.305b241111 or later.
CVSS v3: 9.8
CWE-121 STACK-BASED BUFFER OVERFLOW:
The affected product is vulnerable to a stack-based buffer overflow. An unauthenticated attacker could send a malicious HTTP request that the webserver fails to properly check input size before copying data to the stack, potentially allowing remote code execution.
Planet Technology recommends users upgrade to version 1.305b241111 or later.
CVSS v3: 9.8
CWE-359 Exposure of Private Personal Information to an Unauthorized Actor:
Ruijie Reyee OS versions prior to 2.260.0.1329 contains a a feature that could enable sub accounts
or attackers attackers to view and exfiltrate sensitive information from all cloud accounts registered to Ruijie's services.
CVSS v3: 6.5
CWE-1391 Use of Weak Credentials:
Ruijie Reyee OS versions prior to 2.260.0.1329 uses weak credential mechanism that could allow
an attacker to easily calculate MQTT credentials.
Ruijie reports that the issues have been fixed on the cloud and no action is needed by end users.
CVSS v3: 7.5