Search This Blog

Showing posts with label SCADA Hacking. Show all posts

UK Water Provider Targeted by Clop Group Ransomware

The UK water supplier, South Staffordshire Water fell prey to a CLOP Ransomware attack. Following the attack, the company released a statement mentioning that the exploit had no effect on the systems that distribute water safely. 

South Staffordshire Water plc, also known as South Staffs Water, is a UK water supply firm that supplies water to a small portion of the West Midlands, Staffordshire, and other nearby counties in England.

Over 1,500 square kilometers in the West Midlands, South Staffordshire, South Derbyshire, North Warwickshire, and North Worcestershire, South Staffordshire provides drinking water to about 1.3 million individuals and 35,000 commercial clients.

The company was able to offer Cambridge Water and South Staffs Water customers safe water because of the security measures in place. Additionally, South Staffordshire Water reassures its clients that all service teams are working normally, negating any possibility of prolonged disruptions as a result of the incident.

Alongside carefully collaborating with the relevant governmental and regulatory agencies, the company is looking into the issue. The supplier's identity was published to the Clop ransomware gang's Tor leak site along with a claim of responsibility for the attack.

The wrong firm extorted by hackers

The Clop ransomware gang's Tor leak site through a release on their onion website today stated that Thames Water was their target. They claimed to have gained access to SCADA systems that they could control to affect 15 million users.

The hackers contend that they acted appropriately by not encrypting their data and only stealing 5TB from the hacked systems. Further claims have it that they warned Thames Water of its network security flaws. However, after allegedly failing to reach an agreement on the ransom payment, the actors released the first sample of stolen information, which included passport images, screenshots from SCADA systems used for water treatment, driver's license images, etc.

In a statement released today, Thames Water formally refuted these assertions, further asserting that any accusations of Clop breaching its network were "cyber-hoaxes" and that its services were already at capacity. One significant aspect of the lawsuit is that, among the public material, Clop offers a table of usernames and passwords that includes the email addresses of South Staffordshire and South Staff Water.

This incident occurs as eight locations in the UK are enforcing water rationing rules and hosepipe bans because of extreme drought. Due to the extreme pressure that could be placed on water suppliers to pay the demanded ransom, cybercriminals don't choose their victims at random.

However, for this to happen, Clop must target its threats on the appropriate party. However, given the amount of attention the situation has received, it's likely too late for that at this point.

Cyble: Over 9,000 VNC Sessions Without a Password Found

Virtual network computing (VNC) endpoints that can view and utilize credentials were reported to be vulnerable on at least 9,000 occasions, giving hackers simple access to the data. 

The platform-independent system referred to as Network Computing (VNC) enables users to remotely control other computers, most of which have limited monitoring and adjusting capabilities. Therefore, anyone who compromises VNCs will eventually have access to the underlying systems.

The endpoints can act as access points for unauthorized access, including hackers with malevolent intentions if they are not fully secured with a password, which is frequently the result of neglect, error, or a decision made out of convenience.

As per researchers, the risk of each exposed VNC relies on the kind of underlying system it is in charge of. Some people are discovered to be in charge of a municipality's water control systems, which is quite serious.

Research Analysis 

Over 9,000 vulnerable servers were found when Cyble's security researchers searched the web for internet-facing VNC instances without passwords. China and Sweden are home to the majority of exposed instances, while the United States, Spain, and Brazil round out the top 5 with sizable numbers of unprotected VNCs.

The fact that some of these open VNC instances were for industrial control systems, that should never be accessible to the Internet, only made the situation worse, according to Cyble. Under one of the examined cases, the unencrypted VNC access connected to an HMI for controlling pumps on a remote SCADA system in a nameless manufacturing facility.

Cyble employed its cyber-intelligence systems to keep a watch out for attacks on port 5900, the standard port for VNC, to assess how frequently attackers target these servers. In a single month, Cyble counted more than six million requests. The Netherlands, Russia, and the United States were the major countries from which to access VNC servers.

On hacker forums, there is a large market for accessing vital networks via exposed or compromised VNCs because this kind of access can be utilized for more in-depth network espionage. In other circumstances, security experts provide guidance on how users might actively scan for and find these vulnerable instances.

A long list of exposed VNC instances with very weak or no passwords is presented in a post on a darknet forum that Bleeping Computer has seen.

In this sense, it's crucial to keep in mind that many VNC systems do not accept passwords longer than eight characters, making it essentially unsafe even when both the sessions and the passwords are encrypted.

Servers should never be exposed to the Internet directly, and if they must be accessed remotely, they should at least be hidden behind a VPN to protect access to the servers.

Analysis of Industrial Control System Security

We are presently experiencing IT/OT convergence, which will reveal new hurdles for both IT and OT divisions to overcome. Site engineers have traditionally overseen operational technology with an emphasis on reliability and stability. However, as OT systems become more integrated, these two worlds must start functioning as a single entity. The panorama of industrial cyber risks changed in 2010. Since Stuxnet targeted crucial supervisory control and data acquisition (SCADA) systems, which immediately gained attention on a global scale. 

Humans can operate and manage an industrial facility utilizing computer systems employing OT, which consists of programmable logic controllers (PLCs), intelligent electronic devices (IEDs), human-machine interfaces (HMIs), and remote terminal units (RTUs). These systems are linked to sensors and devices on the site, which could be a factory or a power plant. 

Industrial control systems are a common name for this set of process control equipment (ICSs). These technologies allow hackers to act based on what they see on the screen, in addition to providing information to them. Operational technologies have always been created with safety and availability in mind, but with relatively minimal care for cyber security. This is a significant contrast between OT and IT. 

Stuxnet: What is it? 

As per reports, Stuxnet influenced countless rotators at Iran's Natanz uranium advancement office to wear out. Afterward, different gatherings modified the infection to explicitly target foundations like gas lines, power stations, and water treatment offices. It is assessed that the US and Israel cooperated to make the malware. 

Industrial facilities have possibly "air-gapped," demonstrating that there is no connection between the organization inside the office and the organizations outside. This postures one of the obstructions in arriving at these regulators. A portion of the world's richer countries has figured out how to get around this countermeasure, regardless. 

 Iran benefited from the assault 

"The attack by Stuxnet opened the world's eyes to the idea that you can now design cyber weapons that can harm real-life target" said Mohammad Al Kayed, director of cyber defense at Black Mountain Cybersecurity. You could gain access to a nation's whole infrastructure and, for instance, turn off the electricity. In just this manner, Russia has twice attacked Ukraine.

Iran gained from the hack that the appropriate tool stash can likely be utilized to target ICS. It likewise noticed the power of those assaults. Somewhere in the range of 2012 and 2018, specialists saw an ascent in cyberattacks against Saudi Arabian modern offices as well as those of different nations nearby. 

"A virus program called Shamoon was one example. Three distinct waves of the virus have struck Saudi Arabian industrial facilities. The original version affected a few other businesses and Saudi Aramco. In a few years, two new variants were released. All of them exploited Saudi Arabian petrochemical firms and the oil and gas sector" stated Al Kayed. Saudi Arabia was a target since it has numerous manufacturing plants and sizable oil production operations. It is Iran's rival in the area and a political superpower. 

Connecting OT and IT invites vulnerability

When ICS is connected to an IT network, hacks on those systems are even simpler. By exploiting the IT network first, malicious actors can remotely attack OT assets. All they need to do is send an expert or employee who isn't paying attention to a phishing email. When industrial control systems are connected to an IT network, attacks on those systems are even easier. 

Al Kayed proceeds, "Anybody can bounce into designing workstations and other PC frameworks inside a modern site. Now that they understand how one can remotely put the malware on such modern control frameworks. Although they don't at first need to think twice about designing workstations at the office, there is a method for doing so because it is connected to the corporate organization, which is in this manner connected to the web. You can move between gadgets until you show up at the ideal design workstation in the petrochemical complicated or the power plant. "

Saudi government takes measures 

The targeted nation can acquire the necessary skills, possibly repair the weapon used against it, and then go after another target. Saudi Arabia, which has numerous manufacturing plants, is the nation in the area with the main threat on its front. Therefore it makes sense that the Iranians exploited what they had learned to strike its strongest rival in the region. 

However, the Saudi government is acting to stop similar attacks from occurring again. The National Cyber Security Authority (NCA) created a collection of legislation known as the Essential Cybersecurity Controls (ECC), which are required cyber security controls, to stop the attack type mentioned above. One of the only nations in the area having a security program that goes beyond IT systems is Saudi Arabia right now. It has also taken into account the dangers to OT infrastructure. 

Guidelines for ICS security 

The protection of industrial control systems is currently a global priority. A thorough set of recommendations for defending industrial technology against cyber security risks was released in 2015 by the US National Institute for Standards and Technology (NIST). Four important lessons can be learned from the attack on Iran and the ensuing attacks on Saudi Arabia:

  • The first step is to separate OT from IT networks. 
  • Utilize an industrial intrusion detection and prevention system and anti-malware software. 
  • The main targets of attacks on OT networks are HMIs and PLCs. Use specialized technologies, such as data diodes, which accomplish what a network firewall accomplishes logically but in a physical way.
  • Monitoring is a crucial step: "Security monitoring" is a frequent IT practice. But not many OT facilities do that currently.

Vulnerability in Siemens Switches allows hackers to gain admin access

A Security researcher has discovered two potential vulnerabilities in Siemens Ethernet switches allows a remote attacker to perform administrative operations.

The vulnerabilities were discovered by Eireann Leverett, Senior security consultant for IOActive and have been reported to Siemens.

The first vulnerability(CVE-2013-5944) could allow hackers to perform administrative operation over the network without authentication.

The Second vulnerability (CVE-2013-5709) could allow hackers to hijack web sessions over the network without authentication. This is due to insufficient entropy in its random number generator.

Siemens produced a patch within 3 months.  Customers of Siemens are advised to apply the SCALANCE X-200 firmware update.

Eireann is scheduled to demonstrate the vulnerabilities and release proof-of-concept code for organizations to check their own devices, at next week's S4 SCADA security conference in Miami.

Vulnerability lets Hacker to access Building Control System of Google's Australian office

Earlier this year, Security Researchers Billy Rios and Terry McCorkle from Cylance demonstrated a newly discovered zero-day attack on the Industrial control system at the Kaspersky Threatpost Security Analyst Summit.

The Industrial control system is a computer-based system used to control electronic door locks, lighting systems, elevators, video surveillance camera, electricity and boiler system via the internet - used by the military, hospitals and others

The researcher noted the security flaw in the Tridium Niagara AX Framework allows a hacker to access the sensitive file of the system, "config.bog" file which contains username and password for all devices.

Their research reveals the Internet giant Google using Tridium Niagara for various Building Management Systems in their Google Wharf 7 building is also affected by this zero-day vulnerability.

Although Tridium has released a patch for the system, Google's fails to patch the vulnerability which allowed the researchers to access the config.bog file of Tridium device used by the Google.

The credentials stored in the config.bog file allowed them to get into the admin panel of the device.  The panel gave access to a variety of Building Management features including "Active Alamrs", "Active overrides", "Alarm console".

Researchers reported this issue to the Google Vulnerability Rewards Program (VRP).

The researchers stated more than 25,000 of building using the Tridium Niagara AX system that haven't patched the security hole are vulnerable to hack.

"If Google can fall victim to an ICS attack, anyone can." Researcher noted.

Hackers breached Industrial heating system using backdoor

Earlier this year, Hackers breached the Industrial Control System (ICS) network of a New Jersey air conditioning company by exploiting a backdoor vulnerability in the system, according to an FBI memo(

The hackers first breached the company’s ICS network by exploiting the vulnerabilities in Tridium Niagara ICS system , that allowed access to the main control mechanism for the company's internal heating, ventilation, and air conditioning (HVAC) units.

According to the memo, the security breach occurred in February and March 2012 , few weeks after @ntisec posted a tweet indicating that hackers were targeting SCADA, and something had to be done to address SCADA vulnerabilities.

The company used the Niagara system not only for its own HVAC system, but also installed it for customers, which included banking institutions and other commercial entities.

Although the controller for the system was password protected in general, the backdoor through the IP address apparently required no password and allowed direct access to the control system. The link posted by the hacktivist provided the same level of access to the company's control system as the password-protected administrator login.

The logs from controller showed hackers has gained access to the system from multiple unauthorized international and US-based IP addresses.

Hackers hack into the Control System of US water utility and Destroyed pump

 Hackers hack into the Control System of US city water utility and destroyed a pump. According to the Joe Weiss, a managing partner for Applied Control Solutions report , hackers hacked into the maker of the Supervisory Control and Data Acquisition(SCDA) software used by the utility and stole customers user id and Passwords. The Intruders launched the attack using Russian based IP address.

The hackers were discovered on Nov. 8 when a water district employee noticed problems in the city’s Supervisory Control and Data Acquisition System (SCADA). The system kept turning on and off, resulting in the burnout of a water pump.

Forensic evidence indicates that the hackers may have been in the system as early as September, according to the “Public Water District Cyber Intrusion” report, released by the Illinois Statewide Terrorism and Intelligence Center on November 10.

The theft of credentials raises the possibility that other customers using the vendor’s SCADA system may be targeted as well.

Hackers can exploit Vulnerability in ICS and open the Prison door

Computerized  U.S prisons has critical vulnerability, a hacker can successfully break the system and remotely open cell doors.

Also hacker can shutdown all internal communication system through the prison intercom system and crash the facility’s closed-circuit television system, blanking out all the monitors.

"You could open every cell door, and the system would be telling the control room they are all closed,” said John J. Strauchs, a former CIA operations officer who helped develop a cyber-attack on a simulated prison computer system and described it at a hackers’ convention in Miami recently.

The security systems in most American prisons are run by special computer equipment called industrial control systems, or ICS. They are also used to control power plants, water treatment facilities and other critical national infrastructure. ICS has increasingly been targeted by hackers because an attack on one such system successfully sabotaged Iran’s nuclear program in 2009.

A hacker could exploit this vulnerability by overloading the electrical system that controls the prison doors, locking them permanently open.

We validated the researchers’ initial assertion … that they could remotely reprogram and manipulate” the special software controllers that run the systems,Sean P McGurk, a former Department of Homeland Security cybersecurity director, told Washingtontimes.

Teague Newman, another member of their team, said ICS systems are not supposed to be connected to the Internet.

“But in our experience, there were often connections” to other networks or devices, which were in turn connected to the Internet, making them potentially accessible to hackers, he said.

They turn on the Internet for remote maintenance of the kit could be carried out without the need for contractors to visit the jail. In some cases ,networks used to enable prison staff to access the net were poorly segmented from SCADA control systems.

Using the USB drive,An attacker can infect the system with Malware such as Stuxnet,Duqu . A targeted malware-infected email might also be used to introduce a SCADA worm into a prison environment.