Microsoft Alerts about Increase in Cyber Attacks Targeting Internet-Exposed OT Solutions

Microsoft has stressed the importance of securing internet-exposed operational technology (OT) solutions after a series of cyber attacks aimed at such environments since late 2023.


“The repeated assaults on OT solutions underscore the essential requirement to enhance the security stance of OT systems and thwart critical systems from being vulnerable targets,” the Microsoft Threat Intelligence team stated.

The corporation pointed out that a cyber breach on an OT system could enable malevolent individuals to manipulate crucial parameters utilized in industrial operations, either programmatically via the programmable logic controller (PLC) or through the graphical controls of the human-machine interface (HMI), leading to malfunctions and operational disruptions.

Additionally, it highlighted that OT systems frequently lack sufficient security measures, leaving them open to adversaries who can conduct attacks that are “comparatively simple to carry out,” a situation exacerbated by the additional risks brought about by directly linking OT solutions to the internet.

This not only renders the solutions detectable by attackers through internet scanning utilities but also allows them to be weaponized for initial access by exploiting feeble login credentials or outdated software with recognized vulnerabilities.


Just a week ago, Rockwell Automation released a precautionary notice advising its clients to disconnect all industrial control systems (ICSs) not intended to be linked to the publicly available internet due to “escalated geopolitical tensions and adversarial cyber operations worldwide.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also issued its own notification highlighting pro-Russia hacktivists targeting susceptible industrial control systems in North America and Europe.

“Specifically, pro-Russia hacktivists manipulated HMIs, causing water pumps and blower equipment to exceed their normal operating parameters,” the agency stated. “In each instance, the hacktivists maximized set points, altered other configurations, disabled alarm mechanisms, and revised administrative passwords to block the WWS operators.”

Microsoft also reported that the beginning of the Israel-Hamas conflict in October 2023 resulted in a surge of cyber assaults against internet-exposed, inadequately protected OT assets developed by Israeli corporations, with many of these carried out by factions like Cyber Av3ngers, Soldiers of Solomon, and Abnaa Al-Saada associated with Iran.

The assaults, as per Redmond, targeted OT equipment deployed across various industries in Israel that were produced by international suppliers as well as those sourced from Israel but implemented in other nations.

These OT solutions are “chiefly internet-exposed OT systems with weak security stance, potentially accompanied by fragile passwords and recognized vulnerabilities,” the tech giant added.

To counter the perils posed by such threats, organizations are advised to adopt security best practices for their OT systems, specifically by reducing the attack surface and applying zero trust principles to stop attackers from moving laterally within a breached network.

The disclosure comes as OT security firm Claroty analyzed a malicious software called Fuxnet that the Blackjack hacker group, suspected to be sponsored by Ukraine, allegedly employed against Moscollector, a Russian enterprise managing a vast system of sensors for monitoring Moscow’s subterranean water and sewage infrastructure for emergency detection and response.

Blackjack, which shared insights regarding the incident at the beginning of last month, described Fuxnet as “Stuxnet on steroids,” with Claroty indicating that the malware was likely transmitted remotely to the target sensor gateways using protocols such as SSH or the sensor protocol (SBK) over port 4321.

Fuxnet possesses the ability to irreversibly damage the file system, obstruct access to the device, and physically destroy the NAND memory chips on the device by continually writing and rewriting the memory to render it inoperable.


Moreover, it is designed to rewrite the UBI volume to prevent the sensor from rebooting, and ultimately corrupt the sensors themselves by sending an overflow of inauthentic Meter-Bus (M-Bus) messages.

“The perpetrators devised and deployed malware targeting the gateways and erased file systems, directories, deactivated remote access services, routing services for each device, rewrote flash memory, destroyed NAND memory chips, UBI volumes, and undertook other actions that further disrupted the operation of these gateways,” Claroty remarked.
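A defender-side check for the exposure described above, written here as an added example (not code from Microsoft, Claroty or the article): it scans constructed firewall accept logs for connections from outside the plant's own address ranges to the gateway remote-access ports the article names, SSH and the SBK sensor protocol on port 4321. The log line format, the internal network ranges and port 22 for SSH are assumptions for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Ports the article names as remote paths into the sensor gateways.
# Port 4321 for SBK is from the article; 22 for SSH is the standard port (assumption).
GATEWAY_PORTS = {22: "ssh", 4321: "sbk"}

# Address ranges the operator considers internal (constructed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.20.30.0/24"), ipaddress.ip_network("10.20.31.0/24")]

# Constructed sample firewall log (assumed format), not real captured traffic.
SAMPLE_LOG = """\
2024-05-30T10:01:12Z fw01 ACCEPT src=203.0.113.45 dst=10.20.30.5 proto=tcp dport=22
2024-05-30T10:01:15Z fw01 ACCEPT src=10.20.30.8 dst=10.20.30.5 proto=tcp dport=22
2024-05-30T10:02:01Z fw01 ACCEPT src=198.51.100.7 dst=10.20.30.5 proto=tcp dport=4321
2024-05-30T10:02:09Z fw01 ACCEPT src=198.51.100.7 dst=10.20.30.6 proto=tcp dport=443
2024-05-30T10:03:44Z fw01 DROP src=192.0.2.9 dst=10.20.30.5 proto=tcp dport=4321
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)

@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    service: str

def find_exposed_gateway_access(log_text: str) -> list[Finding]:
    """Return accepted connections from outside INTERNAL_NETS to a gateway
    remote-access port; each hit means the gateway is reachable from the internet."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "ACCEPT":
            continue  # unparsable lines and blocked traffic are not exposure
        dport = int(m["dport"])
        if dport not in GATEWAY_PORTS:
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in INTERNAL_NETS):
            continue  # traffic from the plant's own ranges is expected
        findings.append(Finding(m["ts"], m["src"], m["dst"], dport, GATEWAY_PORTS[dport]))
    return findings

if __name__ == "__main__":
    for f in find_exposed_gateway_access(SAMPLE_LOG):
        print(f"{f.ts} external source {f.src} reached {f.dst}:{f.dport} ({f.service})")
```

A hit is a sign that the gateway should be moved behind a VPN or jump host and its exposed port closed, not merely alerted on.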

According to statistics shared by Russian cybersecurity firm Kaspersky earlier this week, the internet, email platforms, and removable storage devices emerged as the foremost origins of threats to computers in an organization’s OT infrastructure in the initial quarter of 2024.

“Malicious actors utilize scripts for various purposes: gathering information, monitoring, redirecting the browser to a malevolent site, and uploading different categories of malware (spyware and/or clandestine crypto mining tools) to the user’s system or browser,” it expressed. “These propagate through the internet and email.”
