Exploit

Ransomware effects spilling over into the real world.

A press release from Colonial Pipeline:  “On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack. We have since determined that this incident involves ransomware…  In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems”

NSA issued Advisory:   Guidance to Stop Malicious Cyber Activity Against Connected Operational Technology

“While there are very real needs for connectivity and automating processes, operational technologies and control systems are inherently at risk when connected to enterprise IT systems”

In essence, recommendation are as follows:

1.  Manage, encrypt and authenticate all remote access connections
2. Add sensors and actively monitor all remote connections.  Disconnect remote access until this is in place!
3. Create an OT map, validate unknown assets  and create baseline configurations
4. Create a known OT communication baseline 
5. Create short, medium and long term improvement plans
6. Maintain offline “gold copy” baselines for OT networks and devices to enable recovery from a known good source.

PDF available here.

OpENer is an EtherNet/IP stack for I/O adapter devices, frequently embedded into control systems.

Various Denial of Service and Remote Code Execution vulnerabilities have been disclosed for this ENIP implementation.

Patches are available which can be incorporated into internally developed systems, however vendors may take some time to cover components relying on this stack.

US CISA recommends the following mitigations:

• Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Splice provides all above mitigations as well as vulnerability shielding and behavioural profiling.

US CISA released an advisory for easy to exploit, remote authentication bypass (with a CVSS score of 10) for multiple Rockwell Logix controllers. No patches seem to be forthcoming. Rockwell recommends mitigations in the form of configuration hardening and isolation. 

Posted on 13 February, 2021 by Editor
Two major Brazilian utility providers operations were affected by ransomware attack.

Weak identities, vulnerable code and insecure remote connection  allowed hackers to take control of the facility.

Ultrasound and imaging systems with   hardcoded passwords

First targeted in April  , authorities raised alert   following latest attacks.

Ripple20, a series of vulnerbilities in the widely deployed   Treck TCP/IP stack  will have far reaching implications.

Ransomware attack causes shut down of some of Honda’s production lines. Could this be collateral damage  collateral damage  or a targeted attack?