The hallmarks of the Feb. 5 cyberattack against the Oldsmar, Fla., water treatment facility likely paint a picture typical of industrial control system environments where under-resourced staff pressured by mandates for availability and safety, rely on legacy software and inadequate remote access solutions to run an entity responsible for a vital public utility.
Operators inside the Oldsmar facility detected two intrusions from outside the plant on that day, the second of which involved a remote attacker, connected via TeamViewer desktop-sharing software, changing levels of sodium hydroxide in residential and commercial drinking water from 100 parts-per-million to 11,100 parts-per-million. Sodium hydroxide, or lye, is caustic; it is added to water to control acidity and remove certain metals.
The operators' quick action to cut off the attacker's access, supported by safeguards innate to water-treatment systems, kept the contaminated water from ever reaching the public. But underlying their heroism are systemic problems across critical infrastructure that are going to be compounded as more companies bring operational technology (OT) under IT and connect more of these critical systems online.
On Thursday, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) published an alert about the Oldsmar compromise, calling out some of these systemic issues, starting with the facility's use of TeamViewer—and the same shared password to access the application—as well as outdated and unsupported versions of Windows 7 to remotely manage water treatment. The Water ISAC also published an advisory.
In an environment where downtime is hardly tolerated, it's not unusual to see legacy Windows 7 machines and other outdated, unsupported software running in production. This is problematic, because in the case of Windows 7, for example, Microsoft ended support for the operating system in January 2020. Systems will no longer receive security or feature updates unless they were on an expensive Extended Security Update plan, which is priced per-device and gets costlier the longer the customer subscribes.
"Cyber actors continue to find entry points into legacy Windows operating systems and leverage Remote Desktop Protocol (RDP) exploits," CISA warned in its alert. Microsoft in 2019, for example, made an emergency patch available for a critical RDP flaw that was being exploited in the wild. "Cyber actors often use misconfigured or improperly secured RDP access controls to conduct cyberattacks," CISA added.
The use of free versions of TeamViewer and other remote desktop-sharing and support applications is also not uncommon inside these environments. The COVID-19 pandemic has only heightened the risk posed by these applications as more workforces become increasingly remote and the need for access from outside facilities to key processes becomes necessary.
TeamViewer provides administrators and operators with easy, inexpensive access to facilities, but these applications must be configured with security in mind. Even then, they're not adequate for OT networks. Unlike purpose-built secure access solutions, these applications do not adequately log user activities, provide auditing capabilities, or allow for admins to monitor—and disconnect if necessary—remote sessions in real time. They often also do not enable admins to set different user-permission levels, based on roles, for example. Once an attacker has access to the application, as in the case of Oldsmar, they can gain remote control over the control system it's connected to.
Because of how TeamViewer is configured, it allows remote connections to networks that bypass Network Address Translation (NAT) and firewalls. Endpoints that sit on two different networks can still connect, and allow anyone with the right password to connect to a machine running TeamViewer. This is in contrast to Microsoft's Remote Desktop Protocol (RDP), for example, that requires both computers to be on the same network; in these cases, usability may trump security.
CISA's alert includes a lengthy list of mitigations, including a recommendation that industrial enterprises operate on current versions of Windows, use multi-factor authentication, and strong passwords to secure remote connections. Auditing of network configurations is also recommended, as is segmenting systems that cannot be updated.
CISA also cautioned that the use of TeamViewer and other similar applications can be abused not only for remote access to critical processes, but to move laterally across a network, inject malicious code such as remote access Trojans (RATs), and to obfuscate other malicious activity.
"TeamViewer's legitimate use, however, makes anomalous activity less suspicious to end users and system administrators compared to RATs," the alert said.
In addition, organizations should deploy secure access solutions that are designed for ICS environments, ones that allow only authorized users to create sessions, and administrators to monitor and disconnect those sessions in the event of malicious activity. It's also important to have network detection software in place that provides visibility into assets running on an OT network, including out-of-date OSes and software, and also any CVEs associated with those products, allowing administrators to take action.
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 are vulnerable to an attacker impersonating the web application service and mislead victim clients.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 7.5
CWE-288 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain an exposed web management service that could allow an attacker to bypass authentication measures and gain controls over utilities within the products.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 9.8
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard coded secret key. This could allow an attacker to generate valid JWT (JSON Web Token) sessions.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 7.5
CWE-912 HIDDEN FUNCTIONALITY:
The "update" binary in the firmware of the affected product sends attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function triggers if the 'C' button is pressed at a specific time during the boot process. If an attacker is able to control or impersonate this IP address, they could upload and overwrite files on the device.
Per FDA recommendation, CISA recommends users remove any Contec CMS8000 devices from their networks.
If asset owners cannot remove the devices from their networks, users should block 202.114.4.0/24 from their networks, or block 202.114.4.119 and 202.114.4.120.
Please note that this device may be re-labeled and sold by resellers.
Read more here: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated….
CVSS v3: 7.5
CWE-295 IMPROPER CERTIFICATE VALIDATION:
The affected product is vulnerable due to failure of the update mechanism to verify the update server's certificate which could allow an attacker to alter network traffic and carry out a machine-in-the-middle attack (MITM). An attacker could modify the server's response and deliver a malicious update to the user.
Medixant recommends users download the v2025.1 or later version of their software.
CVSS v3: 5.7
