Categories
Security

Don’t drink the water — it’s been hacked

That’s a scary title, isn’t it? It could have been the headline in newspapers this week had it not been for the watchful eye of a water treatment plant operator in Oldsmar, Florida.

Last week, a hacker (or group of hackers) attempted to poison a Florida city’s water supply by accessing a dormant remote access software platform. If it hadn’t been caught in time, at least 15,000 people could have been affected.

Law enforcement, including the FBI, the Secret Service, and the Pinellas County Sheriff’s Office are currently investigating how the threat actor got in and who would want to do this. What we know so far is that a plant operator at the Oldsmar water treatment facility noticed someone remotely accessing the computer system he was monitoring — once at about 8:00am and again at 1:30pm — to open the function that controls the amount of sodium hydroxide (lye) in the water.

Lye is used to treat acidity in water by raising its pH levels and removing heavy metals. Too much lye in the water could cause skin burns and rashes — and the hacker changed the lye ration from about 100 parts per million to 11,100 parts per million. This is obviously a significant and potentially dangerous increase. After the attacker left the system, the operator quickly reduced the lye concentration level back to normal, so there was no adverse effect on the water. Importantly, the water treatment plant had redundancies in place, so if the operator had missed the hacker’s intrusion, the system would have caught the change in time.

So, what was this? A test by nation-state actors? An attempt to severely harm the townspeople of Oldsmar? As of this writing, there are no indications that this was targeted attack. The Pinellas County Sheriff’s office doesn’t have a suspect but is following leads — none of which point to terrorism. It may simply have been an act of vandalism. Vulnerable Internet-connected Industrial Control Systems (ICS) are not difficult to find.

In the case of the Oldsmar water treatment facility, the attack was neither successful nor sophisticated. A remote access software tool was either exposed to the open Internet or accessed via brute force/password. (Although law enforcement say they don’t know how hackers got onto the system, a CNN source counters that a password was required to operate the software remotely.) Unfortunately, a sophisticated attack isn’t required to render a dangerous result, and what happened at Oldsmar simply highlights how many critical infrastructure systems are vulnerable.

IT and security professionals charged with securing vital infrastructure needn’t panic — the first priority here isn’t shielding against complex zero-days or advanced persistent threats. Instead, it’s the kind of grunt work facing all in cybersecurity today, such as patching, air-gapping, and enforcing two-factor authentication. My advice for anyone in infrastructure or others using remote access software:

  • Be careful with how much remote access software you deploy on your network. You should never leave this software unused for long periods, especially if it’s left open to the Internet.
  • Ensure that the remote access software you do have is configured properly. Open it only to staff that require remote access, and require they access it using a strong password and 2FA.
  • Remote Desktop Protocol (RDP) should be kept closed or used with protection, such as our Brute Force Protection module in Malwarebytes Nebula.

To learn more about the hack of the Florida city water facility, read our blog on Malwarebytes Labs:
https://blog.malwarebytes.com/hacking-2/2021/02/hackers-try-to-poison-florida-citys-drinking-water/

Categories
Security

Brute force attacks increasing on open RDP ports

Ever watch a procedural cop show where the lead detective is some kind of password savant? Then you know this scene: The detective walks into a suspect’s apartment, finds a locked computer, and, after his partner complains they’ll need NSA hackers to get in, cracks the tricky password in a single try. While I love a good Hollywood cybersecurity gaffe, the truth is Detective Special Skills actually would have a decent chance at getting into that computer if he knew the suspect’s name and attempted using a few of the most popular default passwords today. (I’m looking at you, 1-2-3-4-5.)

But let’s say this suspect is a little more tech savvy and has a stronger, unique password in place. That’s game over, right? No getting in? Unfortunately for us good guys trying to protect our personal or business data, the answer is no. By using brute force attacks that automate trial and error, cybercriminals are able to run thousands or even millions of username and password combinations until they crack the code for credentials.

COVID-19’s grip on the global workforce has remained tight for nearly three quarters, keeping the majority of corporate employees — including technicians, security, and IT staff — confined to their homes. The repercussions of ongoing work-from-home conditions continue to be felt, especially a generally weaker security posture for all organizations, the natural result of having a distributed workforce. One such repercussion is a massive increase in open RDP ports, from 3 million in January 2020 (pre-Covid) to 4.5 million in March (post-Covid).

Cybercriminals of course pounced immediately, and to our detriment, they keep throwing everything they’ve got at us. COVID-19 misinformation, scams, social engineering laced with malware, Emotet and more of its friends, digital card skimmers, targeted ransomware attacks, and now brute force attacks, which themselves are methods of endless, everything-but-the-kitchen-sink attack.

Brute force attacks are typically automated or conducted via application, which allows threat actors to “set it and forget it,” coming back to their target once the app notifies them of a successful crack of the desired credentials. And lately, they’ve been cracking open a lot of RDP ports, exposed to the Internet so that remote workers can access company resources from home or IT staff can troubleshoot employee devices remotely.

Once cybercriminals have brute forced their way into an open RDP port, they can launch ransomware attacks, install keyloggers or other spyware on target organizations, or conduct espionage or extortion — pretty much a nightmare scenario. To protect against brute force attacks and shield RDP ports, I recommend:

  • Limiting the number of open ports
  • Restricting access to RDP ports to only those that need it
  • Enhancing security of the port and the protocol (with security software that blocks malicious IPs from compromised servers, for example)
  • For remaining RDP port users, disabling legacy usernames, rotating passwords, and enabling 2FA

At Malwarebytes, we’re now exploring new protective features to combat rising brute force attacks on open RDP ports. Stay tuned for some news on that soon!

To learn more about brute force attacks on the rise and how to protect open RDP ports, read our blog on Malwarebytes Labs: https://blog.malwarebytes.com/exploits-and-vulnerabilities/2020/10/brute-force-attacks-increasing/

For advice on how to protect RDP access from ransomware attacks: https://blog.malwarebytes.com/security-world/business-security-world/2018/08/protect-rdp-access-ransomware-attacks/

And for a refresher on best security practices for all work-from-home employees: https://blog.malwarebytes.com/how-tos-2/2020/03/security-tips-for-working-from-home-wfh/