Microsoft warns of increasing attacks on internet-exposed OT devices, urges enhanced security measures

Microsoft details a rise in attacks targeting internet-exposed, inadequately secured OT (operational technology) devices since late 2023. Multiple attacks have targeted internet-exposed OT equipment in the U.S.’s water and wastewater systems (WWS) in recent months, carried out by various nation-backed actors. These include attacks by the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC)-affiliated ‘CyberAv3ngers’ in November 2023 and pro-Russian hacktivists in early 2024. These ongoing attacks underscore the urgent need to enhance OT devices’ security to safeguard critical systems from being vulnerable targets.

“Microsoft’s analysis of multiple attacks by these actors revealed a common attack methodology: focusing on internet-exposed, poorly secured OT devices,” Microsoft Threat Intelligence wrote in its latest blog post. “This report will illustrate this attack methodology using the high-profile case of the November 2023 attack against Aliquippa water plant, for which CISA released an advisory in December 2023. CISA attributed the attack to the Islamic Revolutionary Guard Corps (IRGC)-affiliated actor ‘CyberAv3ngers,’ tracked by Microsoft as Storm-0784. Microsoft assesses that the same methodology has been utilized by other OT-focused threat actors in multiple other attacks as well.”

The post added that the attacks conducted by OT-focused actors were not limited to public sector facilities but also affected private companies in various countries. “While the public sector has been implored to implement proper risk management and protection of OT systems, the diversity of target profiles illustrates that ensuring OT security in the private sector is equally crucial. Recommendations for organizations to protect against similar attacks and improve the security posture of their OT systems can be found at the end of this report.”

The researchers identified that shortly after the outbreak of the Israel-Hamas war, Microsoft saw a rise in reports of attacker activity against OT systems with Israeli affiliation. This included activity by existing groups such as the IRGC-affiliated ‘CyberAv3ngers,’ and the emergence of new groups such as the ‘CyberAv3ngers’-associated ‘Soldiers of Solomon,’ and ‘Abnaa Al-Saada,’ a cyber persona presenting itself as Yemeni. Microsoft tracks both ‘CyberAv3ngers’ and its associated group ‘Soldiers of Solomon’ as Storm-0784.

The systems targeted by these groups included OT equipment deployed across different sectors in Israel, including PLCs (programmable logic controllers) and HMIs (human-machine interface) manufactured by large international vendors, as well as Israeli-sourced OT equipment deployed in other countries. The actors made the attacks public using their Telegram channels, on which they also posted images of the target systems to enhance purported credibility and present evidence for the attack.

Researching the threat actors in question, Microsoft identified a typical target profile: the attackers appeared to focus on internet-exposed OT systems with a poor security posture, often accompanied by weak passwords and known vulnerabilities.

Microsoft analyzed the publicly available data on the Aliquippa incident to find the victim system and assess how it was compromised. Leveraging researchers’ intimate OT knowledge to interpret the limited details known to the public has enabled the identification of a specific machine that Microsoft believes to be the victim.

According to publicly accessible sources, the targeted system was exposed to the internet, and it suffered both defacement and the shutdown of the pump it controlled. Dedicated engines that map internet-connected devices and their associated services allowed Microsoft researchers to compile a list of internet-exposed Unitronics devices of the relevant model that also had a dedicated control port open. This configuration could potentially allow the device to be reprogrammed, leading to the observed defacement and shutdown.

The analysis of contextual data narrowed the device profile list, identifying a specific system that could be the victim. This system was geographically situated near the Aliquippa station, with its PLC Name field set to ‘Raccoon Primary PLC,’ consistent with the Aliquippa water station serving Potter and Raccoon townships, and also aligning with a photograph disseminated by the media, depicting a sign that reads ‘PRIMARY PLC’ on the targeted system.

The data gathered throughout the research of the Aliquippa attack case highlights a trend: a common target profile of internet-exposed OT systems with a weak security posture that mirrors other attack cases.

Microsoft detailed that screenshots of affected systems showing the same red screen and message have been posted by users on the Unitronics forum claiming their equipment was attacked, with similar reports also appearing on the social media platform X. “Following the incidents, a vulnerability was assigned for the Unitronics default password configuration (CVE-2023-6448), and a patch was issued by Unitronics to require users to fix the issue,” it added.

“The common target profile for the attack cases analyzed reflects what attackers do to pick an easily accessible and appealing target in the first place,” the researchers noted. “Attackers can, and do, obtain visibility on OT devices that are open to the internet using search engines, identify vulnerable models and open communication ports, and then use the contextual metadata to identify devices that are of special interest, such as ICS systems in water plants or other critical facilities. At that point, a weak password or an outdated system with an exploitable vulnerability is all that stands between them and remote access to the system.”

The growing attention from attackers towards OT systems, observed across various sectors, is particularly concerning due to inadequate security practices on these systems.

The Microsoft Digital Defense Report 2023 highlights that 78 percent of industrial network devices on customer networks monitored by Microsoft Defender for IoT have known vulnerabilities. Among these, 46 percent utilize deprecated firmware, for which patches are no longer available, while the remaining 32 percent operate outdated systems with unpatched vulnerabilities. For devices that are patched, many still use default passwords or have no passwords at all.

Microsoft collects statistics on the prevalence of username and password pairs seen used in Microsoft’s sensor network, as was shared in the Microsoft Digital Defense Report 2022. The researchers added that ‘such outdated and vulnerable systems present attractive targets for future attacks, particularly when coupled with internet connectivity and default passwords. In the next sections, we share recommendations for improving the security posture of OT systems to help prevent attacks.’

The analysis of the attack claims in question reveals diverse target profiles. It is therefore vital for organizations of all different sectors to ensure security hygiene for their OT systems to prevent similar threats. Microsoft prescribes adopting a comprehensive IoT and OT security solution to allow visibility and monitoring of all IoT and OT devices, threat detection and response, and integration with SIEM/SOAR and XDR platforms. It also calls for enabling vulnerability assessments to identify unpatched devices in the organizational network and set workflows for initiating appropriate patch processes.

Additionally, Microsoft calls upon organizations to reduce the attack surface by eliminating unnecessary internet connections to IoT devices and OT control systems. Organizations should verify that no OT system is directly connected to the internet, including indirectly through IoT routers or cellular bridges (LTE or 3G), close unnecessary open ports and services on their equipment, eliminate remote access entirely when possible, and restrict access behind a firewall or VPN when full elimination cannot be achieved.

The post also recommends implementing zero trust practices by applying network segmentation to prevent an attacker from moving laterally and compromising assets after an intrusion. OT devices and networks should be isolated from IT with firewalls, and vulnerability and exposure control should extend beyond the firewall. It also suggests turning on attack surface reduction rules to prevent common attack techniques such as those used by ransomware groups.
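The hardening points above (no direct or bridged internet connection, no control or remote-access services reachable from outside, no default or empty passwords, no unpatched or deprecated firmware) lend themselves to a repeatable check over an asset inventory. The following is an added example, not Microsoft's or any vendor's tooling: it scores each device against those points and ranks the inventory so the most exposed devices are remediated first. The record format, the service names in `CONTROL_SERVICES` and the sample devices are all constructed for this example; in practice they would be mapped to the vendor's real protocols and ports.

```python
"""Exposure audit of an OT asset inventory (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Services that should never be reachable from the internet on an OT device.
# Illustrative names only; map them to real vendor protocols/ports in practice.
CONTROL_SERVICES = {"plc-programming", "hmi-web", "vnc", "telnet", "modbus"}

# Weight used to rank devices; a finding string starts with its severity label.
SEVERITY = {"CRITICAL": 3, "HIGH": 2, "MEDIUM": 1}


@dataclass
class OtDevice:
    name: str
    # How the device reaches the internet: "direct", "iot-router", "cellular", or None.
    exposure_path: Optional[str] = None
    open_services: Set[str] = field(default_factory=set)
    default_password: bool = False      # vendor default still set, or no password at all
    firmware_status: str = "patched"    # "patched" | "outdated" | "deprecated"


def audit_device(dev: OtDevice) -> List[str]:
    """Return findings as 'SEVERITY: description' strings, most severe first."""
    findings = []
    if dev.exposure_path is not None:
        findings.append(
            f"CRITICAL: reachable from the internet via {dev.exposure_path}; "
            "remove the connection or restrict access behind a firewall/VPN")
        exposed = sorted(dev.open_services & CONTROL_SERVICES)
        if exposed:
            findings.append(
                f"HIGH: control/remote-access services exposed: {exposed}; close them")
    if dev.default_password:
        findings.append("HIGH: default or empty password; set a unique strong credential")
    if dev.firmware_status == "deprecated":
        findings.append("MEDIUM: deprecated firmware with no patch; isolate and plan replacement")
    elif dev.firmware_status == "outdated":
        findings.append("MEDIUM: outdated firmware; schedule patching")
    return findings


def risk_score(findings: List[str]) -> int:
    """Sum the severity weights of a device's findings."""
    return sum(SEVERITY[f.split(":", 1)[0]] for f in findings)


def audit_inventory(inventory: List[OtDevice]) -> List[Tuple[str, int, List[str]]]:
    """Return (name, score, findings) for every device, highest risk first."""
    results = []
    for dev in inventory:
        findings = audit_device(dev)
        results.append((dev.name, risk_score(findings), findings))
    return sorted(results, key=lambda r: r[1], reverse=True)


# Constructed sample inventory; none of these are real devices.
SAMPLE_INVENTORY = [
    OtDevice("pump-plc-01", "direct", {"plc-programming", "http"}, True, "outdated"),
    OtDevice("plc-04", "cellular", {"modbus"}, False, "patched"),
    OtDevice("hmi-02", None, {"hmi-web"}, False, "deprecated"),
    OtDevice("rtu-03", None, set(), False, "patched"),
]

if __name__ == "__main__":
    for name, score, findings in audit_inventory(SAMPLE_INVENTORY):
        print(f"{name}: risk {score}")
        for f in findings:
            print("  -", f)
```

A device with no internet path still gets firmware and credential findings, but only an exposed device is marked critical, which matches the article's emphasis: the internet connection is what turns a weak password or old firmware into a remotely reachable target.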
