Team82 Blog / 4 min read
The hallmarks of the Feb. 5 cyberattack against the Oldsmar, Fla., water treatment facility likely paint a picture typical of industrial control system environments, where under-resourced staff, pressured by mandates for availability and safety, rely on legacy software and inadequate remote access solutions to run an entity responsible for a vital public utility.
Operators inside the Oldsmar facility detected two intrusions from outside the plant on that day, the second of which involved a remote attacker, connected via TeamViewer desktop-sharing software, changing levels of sodium hydroxide in residential and commercial drinking water from 100 parts-per-million to 11,100 parts-per-million. Sodium hydroxide, or lye, is caustic; it is added to water to control acidity and remove certain metals.
The operators' quick action to cut off the attacker's access, supported by safeguards innate to water-treatment systems, kept the contaminated water from ever reaching the public. But underlying their heroism are systemic problems across critical infrastructure that are going to be compounded as more companies bring operational technology (OT) under IT and connect more of these critical systems online.
On Thursday, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) published an alert about the Oldsmar compromise, calling out some of these systemic issues, starting with the facility's use of TeamViewer—and the same shared password to access the application—as well as outdated and unsupported versions of Windows 7 to remotely manage water treatment. The Water ISAC also published an advisory.
In an environment where downtime is hardly tolerated, it's not unusual to see legacy Windows 7 machines and other outdated, unsupported software running in production. This is problematic because, in the case of Windows 7, for example, Microsoft ended support for the operating system in January 2020. Such systems no longer receive security or feature updates unless they are enrolled in an expensive Extended Security Update plan, which is priced per device and gets costlier the longer the customer subscribes.
"Cyber actors continue to find entry points into legacy Windows operating systems and leverage Remote Desktop Protocol (RDP) exploits," CISA warned in its alert. Microsoft in 2019, for example, made an emergency patch available for a critical RDP flaw that was being exploited in the wild. "Cyber actors often use misconfigured or improperly secured RDP access controls to conduct cyberattacks," CISA added.
The use of free versions of TeamViewer and other remote desktop-sharing and support applications is also not uncommon inside these environments. The COVID-19 pandemic has only heightened the risk posed by these applications as workforces become increasingly remote and access to key processes from outside the facility becomes a necessity.
TeamViewer provides administrators and operators with easy, inexpensive access to facilities, but these applications must be configured with security in mind. Even then, they're not adequate for OT networks. Unlike purpose-built secure remote access solutions, these applications do not adequately log user activities, provide auditing capabilities, or allow for admins to monitor—and disconnect if necessary—remote sessions in real time. They often also do not enable admins to set different user-permission levels, based on roles, for example. Once an attacker has access to the application, as in the case of Oldsmar, they can gain remote control over the control system it's connected to.
Because of how TeamViewer is configured, it allows remote connections to networks that bypass Network Address Translation (NAT) and firewalls. Endpoints that sit on two different networks can still connect, and anyone with the right password can connect to a machine running TeamViewer. This is in contrast to Microsoft's Remote Desktop Protocol (RDP), for example, which requires both computers to be on the same network; in these cases, usability may trump security.
CISA's alert includes a lengthy list of mitigations, including a recommendation that industrial enterprises operate on current versions of Windows and use multi-factor authentication and strong passwords to secure remote connections. Auditing of network configurations is also recommended, as is segmenting systems that cannot be updated.
CISA also cautioned that TeamViewer and other similar applications can be abused not only for remote access to critical processes, but also to move laterally across a network, inject malicious code such as remote access Trojans (RATs), and obfuscate other malicious activity.
"TeamViewer's legitimate use, however, makes anomalous activity less suspicious to end users and system administrators compared to RATs," the alert said.
In addition, organizations should deploy secure remote access solutions that are designed for ICS environments, ones that allow only authorized users to create sessions, and administrators to monitor and disconnect those sessions in the event of malicious activity. It's also important to have network detection software in place that provides visibility into assets running on an OT network, including out-of-date OSes and software, and also any CVEs associated with those products, allowing administrators to take action.
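The gaps called out above are the absence of session logging and of process-level sanity checks around a remote setpoint change. The following is an added example, not Team82's or any vendor's code, that runs a few detection rules over constructed HMI audit records (the pipe-delimited format, tag names, limits and shift window are all assumptions for illustration), flagging changes that are out of bounds, implausibly large, made over a remote-access tool, or made outside staffed hours:

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

# Constructed plausibility bounds per HMI tag. A hard ceiling on the dosing
# setpoint rejects a 100 -> 11,100 ppm change no matter who requests it.
TAG_LIMITS = {"NaOH_setpoint_ppm": (0.0, 500.0)}
MAX_STEP_RATIO = 5.0        # a single write that multiplies the value >5x
SHIFT_HOURS = range(6, 20)  # constructed staffed window, 06:00-19:59 local

@dataclass
class Event:
    ts: datetime
    user: str
    source: str   # "console" or "remote:<tool>" (constructed convention)
    tag: str
    old: float
    new: float

def parse_line(line: str) -> Event:
    # Constructed audit record format: ts|user|source|tag|old|new
    ts, user, source, tag, old, new = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), user, source, tag, float(old), float(new))

def analyze(ev: Event) -> list[str]:
    # Return the rules this write trips; an empty list means nothing notable.
    findings = []
    lo, hi = TAG_LIMITS.get(ev.tag, (float("-inf"), float("inf")))
    if not lo <= ev.new <= hi:
        findings.append("out_of_bounds")   # process-level sanity check
    if ev.old > 0 and ev.new / ev.old > MAX_STEP_RATIO:
        findings.append("large_step")      # implausible one-shot jump
    if ev.source.startswith("remote:"):
        findings.append("remote_session")  # made over a remote-access tool
    if ev.ts.hour not in SHIFT_HOURS:
        findings.append("off_hours")       # nobody scheduled to be operating
    return findings

def triage(lines: list[str]) -> list[list[str]]:
    # Findings for every record, aligned with the input order.
    return [analyze(parse_line(line)) for line in lines]

# Constructed sample records; the second mimics the Oldsmar setpoint change.
SAMPLE_LOG = [
    "2021-02-05T08:05:00|operator1|console|NaOH_setpoint_ppm|100|110",
    "2021-02-05T13:30:00|shared_admin|remote:teamviewer|NaOH_setpoint_ppm|100|11100",
    "2021-02-05T23:10:00|shared_admin|remote:teamviewer|pH_setpoint|7.2|7.3",
]
```

The out-of-bounds and large-step rules are the kind of check that belongs in the control layer itself, independent of who is authenticated; the remote-session and off-hours rules only work if the remote access solution actually emits per-session audit records.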
CWE-284: Improper Access Control
The entire parent directory, C:\ScadaPro, along with its subdirectories and files, is configured by default to allow users, including unprivileged users, to write or overwrite files.
Measuresoft recommends that users manually reconfigure the vulnerable directories so that they are not writable by everyone.
CVSS v3: 5.5
CWE-256: Plaintext Storage of a Password
In Automation-Direct C-MORE EA9 HMI, credentials used by the platform are stored as plain text on the device.
AutomationDirect recommends that users update C-MORE EA9 HMI to V6.78.
Affected versions:
CVSS v3: 6.5
CWE-121: Stack-based Buffer Overflow
In Automation-Direct C-MORE EA9 HMI, a program copies a buffer whose size is controlled by the user into a fixed-size buffer on the stack. The resulting stack-based buffer overflow leads to a denial-of-service condition.
AutomationDirect recommends that users update C-MORE EA9 HMI to V6.78.
Affected versions:
CVSS v3: 4.3
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
A function in Automation-Direct C-MORE EA9 HMI accepts a relative path in the URL without properly sanitizing its content, allowing an attacker to traverse outside the intended directory.
AutomationDirect recommends that users update C-MORE EA9 HMI to V6.78.
Affected versions:
CVSS v3: 7.5
CWE-319: Cleartext Transmission of Sensitive Information
The affected product is vulnerable to cleartext transmission of sensitive information, which may allow an attacker who captures packets to craft their own requests.
Softing edgeConnector: Version 3.60 and Softing edgeAggregator: Version 3.60 are affected. Update Softing edgeConnector and edgeAggregator to v3.70 or greater.
CVSS v3: 8.0