July 28, 2010

SCADA Hard-Coded Admin Credentials Win The Information Security Candy of the Summer Award

The winner of the InfoSec Candy of The Summer Award has been announced. The 2010 award goes to "The Hard-Coded Admin Credential Issue in Various SCADA Systems".

There has been a looot of talk about supervisory control and data acquisition (SCADA) system security and compliance during the past few years, no? I am sure you have stumbled across it and possibly also wondered about the lack of concrete details and depth regarding the vulnerabilities in and attacks against SCADA systems. You know...the "ok, I agree, we need SCADA compliance, but what does that really mean?" feeling many articles about the issue leave you with. What can we do to harden these obviously vulnerable systems?

Mr. James Arlen seems to feel the same way, as he has invited the community at BlackHat USA 2010 to sit down, discuss openly and have a little "fireside chat" this afternoon (Las Vegas time) to define the baseline in SCADA security. I feel like this really is needed.

We now have one concrete SCADA compliance issue at hand. Various SCADA systems apparently lack reliable database access control. These systems really have to be run in isolated environments accessible only via well protected and properly authenticating hopping stations.

The database admin credentials for Simatic WinCC SCADA systems are hard coded, should not be changed according to the vendor, and are now very publicly known and maliciously used in the wild. The password was, curiously, first leaked to the public in April 2008, but by now even your grandmother knows it. Yep. She is just not telling it to you.

A very serious issue indeed, but still maybe not The Candy without checking out how it was re-disclosed publicly this summer. Quite ironically, we were led to the WinCC default configuration flaw by a very curious Windows LNK file 0-day detected this summer in the wild by the Belarus security company VirusBlokAda.

See their initial advisory here.

They discovered a worm now commonly known as Stuxnet. It exploited a previously unknown vulnerability in the Windows Shell affecting all Windows versions. A malware analyst named Frank Boldewin soon released the results of his initial decrypting/unpacking of the code and showed that at the nth attack stage the Stuxnet sample with MD5 hash 016169ebebf1cec2aad6c7f0d0ee9026 used the hard coded database admin credentials of the Simatic WinCC SCADA systems to run SQL on the databases. His "original advisory" is still cached by Google here.
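The two defensive points above, that a hard-coded database account cannot be rotated away and that the database must therefore only be reachable from an isolated segment and authenticated hopping stations, can be turned into a compensating detection. The following is an added example, not code from the original post or from Siemens or VirusBlokAda: it reviews database login audit records and flags every session opened with the hard-coded account from a host that is not one of the approved sources. The log line format, the network ranges and the account name are all constructed assumptions (the real WinCC login name is not given on this page, so a placeholder stands in for it).

```python
"""Flag use of a hard-coded SCADA database account from non-authorised hosts.

Added example. The log format, addresses and account name below are
constructed for illustration and are not from the article or the vendor.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Placeholder for the hard-coded WinCC database login (assumption, not the real name).
HARDCODED_DB_ACCOUNT = "WINCC_DEFAULT_ADMIN_ACCOUNT"

# Constructed allow-list: the WinCC server segment and the single hardened
# hopping station are the only hosts expected to open sessions with that account.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.10.5.0/28"),   # constructed: WinCC application servers
    ipaddress.ip_network("10.10.9.2/32"),   # constructed: the jump/hopping station
]

# Constructed audit line shape:
#   <timestamp> login=<name> src=<ip> db=<database> status=<OK|FAIL>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login=(?P<login>\S+) src=(?P<src>\S+) "
    r"db=(?P<db>\S+) status=(?P<status>OK|FAIL)$"
)


@dataclass
class Finding:
    ts: str
    login: str
    src: str
    status: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one audit line, or None if it does not match the shape."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def source_allowed(src: str) -> bool:
    """True only when src parses as an IP address inside an approved range."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False          # unparseable source is never trusted
    return any(addr in net for net in ALLOWED_SOURCES)


def review_logins(lines: Iterable[str]) -> List[Finding]:
    """Flag each attempt (successful or not) to use the hard-coded account
    from a host outside the approved sources. Malformed lines are skipped."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["login"] != HARDCODED_DB_ACCOUNT:
            continue
        if not source_allowed(rec["src"]):
            findings.append(Finding(
                ts=rec["ts"], login=rec["login"], src=rec["src"],
                status=rec["status"],
                reason="hard-coded DB account used from non-authorised host",
            ))
    return findings


# Constructed sample audit records (not real logs).
SAMPLE_LOG = """\
2010-07-20T10:15:02Z login=WINCC_DEFAULT_ADMIN_ACCOUNT src=10.10.5.3 db=CC_Project status=OK
2010-07-20T10:15:40Z login=operator1 src=10.10.9.2 db=CC_Project status=OK
2010-07-20T11:02:11Z login=WINCC_DEFAULT_ADMIN_ACCOUNT src=10.10.7.44 db=CC_Project status=OK
2010-07-20T11:02:13Z login=WINCC_DEFAULT_ADMIN_ACCOUNT src=192.168.1.20 db=master status=FAIL
this line is not an audit record
"""

if __name__ == "__main__":
    for f in review_logins(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.login} from {f.src} ({f.status}): {f.reason}")
```

Because the account itself cannot be changed, the allow-list of sources is the control that actually matters; a successful session from an unexpected workstation is the signal to act on, and failed attempts from outside the segment are flagged too since they show the credential is being tried.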

In my opinion it is "the next Operation Aurora": the next incident in the long lineage of targeted attacks, or Advanced Persistent Threats (APT) as the latest term goes. Siemens initially reported that only one customer had been attacked, and later studies show that a notable majority of the USB key distributed malware is detected in the Middle East. Now that the automated attack, in the form of a worm, is out in the wild, there will undoubtedly be more attacks to follow.

For further reading, enjoy the KrebsOnSecurity.com article about the discovery of the malware and the Windows Shell vulnerability. The vulnerability remains unpatched, but Microsoft has released Security Advisory KB2286198 to address the issue, and CVE-2010-2568 has been assigned to it.

There is also an interesting Microsoft Threat Research & Response blog post about Stuxnet and Wired.com has a good Threat Level blog post about the Simatic WinCC hard coded credentials issue.
