Microsoft has stressed the importance of securing internet-exposed operational technology (OT) devices in light of recent cyber attacks targeting such environments since late 2023.
“The repeated attacks on OT devices underline the critical necessity to enhance the security of OT devices and prevent essential systems from being vulnerable,” the Microsoft Threat Intelligence team said.
The company pointed out that a cyber attack on an OT system could enable malicious actors to manipulate critical parameters used in industrial processes, either through the programmable logic controller (PLC) programmatically or via the graphical controls of the human-machine interface (HMI), leading to malfunctions and system downtime.
It also highlighted that OT systems often lack sufficient security measures, making them an easy target for exploitation by adversaries to carry out attacks that are “fairly simple to execute,” a situation exacerbated by the additional risks introduced by directly connecting OT devices to the internet.
This not only exposes the devices to attackers through internet scanning tools but also enables them to be used to gain initial access by exploiting weak login passwords or outdated software with known vulnerabilities.
Just last week, Rockwell Automation issued an advisory advising its customers to disconnect all industrial control systems (ICSs) not intended to be connected to the public internet due to “increased geopolitical tensions and adversarial cyber activities worldwide.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also issued a bulletin warning about pro-Russia hacktivists targeting vulnerable industrial control systems in North America and Europe.
“Specifically, pro-Russia hacktivists manipulated HMIs, causing water pumps and blower equipment to exceed their normal operating parameters,” the agency stated. “In each instance, the hacktivists maximized set points, altered other settings, disabled alarm mechanisms, and changed administrative passwords to lock out the WWS operators.”
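The manipulation pattern the bulletin describes (set points pushed past their operating limits, alarm mechanisms disabled, administrative passwords changed to lock operators out) leaves a recognisable trail in HMI audit logs, and an OT monitoring team can alert on it. The script below is an added example written for this article, not code from Microsoft, CISA or any HMI vendor. The log line format, tag names, operating limits and trusted address range are all constructed assumptions; a real deployment would map them to the vendor's actual audit format and the plant's engineering limits.

```python
"""Flag HMI audit-log events matching the CISA-described manipulation pattern:
set points outside the safe envelope, alarm disables, password changes that
lock out other users, and any such change arriving from an untrusted source."""
import re
from dataclasses import dataclass

# Constructed sample audit-log lines in a hypothetical key=value format
# (not the output of any real HMI product).
SAMPLE_LOG = """\
2024-05-20T02:14:07Z user=operator1 src=10.20.0.15 action=SETPOINT tag=PUMP1_SPEED old=1200 new=1250
2024-05-20T02:15:31Z user=hmiadmin src=203.0.113.45 action=SETPOINT tag=PUMP1_SPEED old=1250 new=3600
2024-05-20T02:15:40Z user=hmiadmin src=203.0.113.45 action=SETPOINT tag=BLOWER2_PRESSURE old=2.1 new=9.9
2024-05-20T02:16:02Z user=hmiadmin src=203.0.113.45 action=ALARM_DISABLE tag=PUMP1_OVERSPEED
2024-05-20T02:16:45Z user=hmiadmin src=203.0.113.45 action=PASSWORD_CHANGE target=hmiadmin
2024-05-20T02:17:10Z user=hmiadmin src=203.0.113.45 action=PASSWORD_CHANGE target=operator1
"""

# Safe operating envelope per tag (constructed engineering limits).
LIMITS = {
    "PUMP1_SPEED": (0.0, 1800.0),
    "BLOWER2_PRESSURE": (0.0, 3.5),
}

# Address prefixes from which HMI changes are expected (constructed).
TRUSTED_NETS = ("10.20.",)

CHANGE_ACTIONS = {"SETPOINT", "ALARM_DISABLE", "PASSWORD_CHANGE"}
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


@dataclass
class Alert:
    ts: str
    user: str
    src: str
    rule: str
    detail: str


def parse_line(line):
    """Parse '<timestamp> k=v k=v ...' into a dict; None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for tok in m.group("kv").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
    return fields


def analyse(log_text, limits=LIMITS, trusted_nets=TRUSTED_NETS):
    """Return the list of Alerts raised over all lines of log_text."""
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev or "action" not in ev:
            continue
        ts, user, src, action = ev["ts"], ev.get("user", "?"), ev.get("src", "?"), ev["action"]

        if action == "SETPOINT":
            tag = ev.get("tag", "?")
            try:
                new = float(ev["new"])
            except (KeyError, ValueError):
                continue
            lo, hi = limits.get(tag, (float("-inf"), float("inf")))
            if not lo <= new <= hi:  # set point pushed outside the engineering envelope
                alerts.append(Alert(ts, user, src, "SETPOINT_OUT_OF_RANGE",
                                    f"{tag}={new} outside [{lo}, {hi}]"))
        elif action == "ALARM_DISABLE":  # alarms silenced before or during manipulation
            alerts.append(Alert(ts, user, src, "ALARM_DISABLED", ev.get("tag", "?")))
        elif action == "PASSWORD_CHANGE":
            target = ev.get("target", "?")
            if target != user:  # changing someone else's password is the lockout pattern
                alerts.append(Alert(ts, user, src, "PASSWORD_CHANGED_FOR_OTHER_USER", target))

        # Any configuration change from outside the trusted operator network is suspect.
        if action in CHANGE_ACTIONS and not src.startswith(trusted_nets):
            alerts.append(Alert(ts, user, src, "CHANGE_FROM_UNTRUSTED_SOURCE", action))
    return alerts


def suspicious_sources(alerts, min_distinct_rules=3):
    """Sources that triggered several different rule types: the combined pattern
    (bad set points + alarms off + lockout) is far stronger than any single hit."""
    rules_by_src = {}
    for a in alerts:
        rules_by_src.setdefault(a.src, set()).add(a.rule)
    return {src for src, rules in rules_by_src.items() if len(rules) >= min_distinct_rules}


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.rule:32} user={a.user} src={a.src} {a.detail}")
    print("sources matching the combined pattern:", suspicious_sources(found))
```

The per-event rules are deliberately simple; the value is in the correlation step, which promotes a source that trips several rule types in one session from a handful of individual alerts to a single high-confidence finding that matches the sequence the bulletin describes.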
Microsoft also noted that the start of the Israel-Hamas conflict in October 2023 led to a surge in cyber attacks against internet-exposed, inadequately secured OT assets produced by Israeli companies, with many of these attacks conducted by groups like Cyber Av3ngers, Soldiers of Solomon, and Abnaa Al-Saada affiliated with Iran.
The attacks, according to Redmond, targeted OT equipment in various sectors in Israel manufactured by international vendors as well as those sourced from Israel but deployed in other countries.
“These OT devices are primarily internet-exposed systems with weak security measures, potentially accompanied by weak passwords and known vulnerabilities,” the tech company added.
To mitigate the risks posed by such threats, organizations are advised to apply basic security hygiene to their OT systems, in particular by minimizing the attack surface and adopting zero trust practices so that an attacker who compromises one device cannot move laterally through the network.
The incident coincided with OT security firm Claroty revealing a destructive malware strain called Fuxnet allegedly utilized by the Blackjack hacking group, suspected to be supported by Ukraine, against Moscollector, a Russian company that manages a large network of sensors for monitoring Moscow’s underground water and sewage systems for emergency detection and response.
BlackJack, which shared information about the attack early last month, described Fuxnet as “Stuxnet on steroids,” with Claroty indicating that the malware was likely deployed remotely to the target sensor gateways using protocols such as SSH or the sensor protocol (SBK) over port 4321.
Fuxnet has the capability to irreversibly destroy the filesystem, block device access, and physically damage the NAND memory chips on the device by continuously writing and rewriting the memory to render it inoperable.
Additionally, it is designed to rewrite the UBI volume to prevent the sensor from rebooting and ultimately corrupt the sensors themselves by sending a flood of bogus Meter-Bus (M-Bus) messages.
“The attackers developed and deployed malware that targeted the gateways and deleted filesystems, directories, disabled remote access services, routing services for each device, and rewrote flash memory, destroyed NAND memory chips, UBI volumes and other actions that further disrupted operation of these gateways,” clarified Claroty.
According to data shared by Russian cybersecurity company Kaspersky earlier this week, the internet, email clients, and removable storage devices emerged as the primary sources of threats to computers in an organization’s OT infrastructure in the first quarter of 2024.
“Malicious actors use scripts for a wide range of objectives: collecting information, tracking, redirecting the browser to a malicious site, and uploading various types of malware (spyware and/or silent crypto mining tools) to the user’s system or browser,” it stated. “These spread via the internet and email.”