Proof-of-Concept Ransomware to Poison the Water Supply

FrgMstr

This is our happy feel-good story of the day to give you that warm fuzzy feeling inside during your lunch break. It seems that digital bandits are becoming much more to worry about than digital terror, hopefully. Given that we are seeing more and more stories of this nature having real world impacts, I hope all the [H]Admins are on top of their game.

Researchers at Georgia Institute of Technology painted one picture this week, presenting their exploration of how ransomware could potentially attack industrial control systems (ICS), and demonstrating how new malware threats might target core infrastructure, holding entire cities hostage.

Ransomware attacks against water treatment systems aren’t happening yet. It’s important to note that what the researchers achieved was just a simulation, not a real world exercise. But by painting a worrying picture of a potential future, they may have helped raise awareness amongst those who protect critical infrastructure to take the threat seriously.
 
My question is why aren't these systems on closed networks and detached from the internet? These critical systems should NEVER EVER be connected to the internet, no matter how much easier they are to manage. Hiring a crew to be onsite 24/7 controlling these systems is far cheaper than risking the chance of a malware attack and buying hundreds of thousands of dollars in Intrusion Detection/Prevention systems and AV/Firewalls.
 
What they are likely talking about is, when you turn on the water, you expect the water tower to have water for your home, and the water tower to get water from somewhere else. So the software that sends the water to the water tower and then to the local houses is networked by its very nature. Too much pressure and the pipes crack. So likely they have not figured out how to do what MMOs do, which is take the server offline, then swap in the new server. It is likely considered too expensive and not needed. I got to tour parts of the nuclear plant in New Jersey when I was working on an internship, and the guy working for the Department of Energy needed something dropped off and I had to track down the person it had to go to instead of just leaving it at the office I was told to drive to. Those systems are all closed systems, but the power transmission is controlled by the draw on the line. So if the water filtration gets messed up, the best thing to do is turn the water off, like when a pipe breaks, and simply swap out the hardware in case the vector was a USB device or other device plugged into the server. Hardening those systems against ransomware acts is still a good idea.
 
Instead of using PRISM for creeping Facebook,

why don't they use their massive surveillance powers to find these people?
 
This concept is nonsense. Chemical feed systems in drinking water plants, if designed right, have chemical storage tank(s) and day tanks as a precaution. Transfer from bulk storage (minimum 30 day supply) to a smaller day tank is done manually with a pump or motor operated valve and a manual dead man switch. Worst that can happen is a slow ass metering pump (gallons per hour) would send an entire day tank to distribution but no more. Usually when this happens, an operator left a metering pump in manual.

You don't want to be one of the first few houses near a drinking water plant distribution header for this reason. Too much hydrofluorosilicic acid, sodium hypo, or caustic will fuck you up.
 
There are some systems where a guy should need to phone a guy who is standing at the spot where the knobs and buttons are so things can be changed.

I don't want our species exterminated by a disgruntled teen and his loyal army of light bulbs, flower pots, refrigerators, and televisions.
 
Too many of these critical control systems were designed by people with no experience in developing safety critical systems. Saved a lot of money using the in-house hacks instead of hiring experienced professionals. What could go wrong with that plan?
 
Each plant is different. Some are unmanned. Some are operated by wrench turning dinosaurs and others have someone that worked as a controls integrator at a previous job. PLCs need updates. Some systems with long term maintenance packages like CHP engines require remote monitoring from the supplier. For a manned plant, it seems like the best compromise is to have a physical switch (or pull a cable) that keeps operator workstations on the internet and disconnects internet from the plant control systems. When they need internet for plant PLCs they connect the internet, make changes, then remove it. The codes and standards also vary by state.
 
Most critical systems are of course not on the internet, but the trouble is you can never stop some random person from sticking an unknown infected USB stick or disc into the machine. This was how a virus spread way back decades ago into Middle Eastern nuclear equipment machines, and I think it was a Russian virus. Spread by floppy disc. I tried searching Google and couldn't find it; I'm sure somebody knows what I'm talking about. It was one of the first most scary viruses.

The trouble is, for a machine like that to be very secure, it would have to have no external data inputs at all. If it ever needed updating or servicing you would have to take it apart.
 
Most critical systems are of course not on the internet, but the trouble is you can never stop some random person from sticking an unknown infected USB stick or disc into the machine. This was how a virus spread way back decades ago into Middle Eastern nuclear equipment machines, and I think it was a Russian virus. Spread by floppy disc. I tried searching Google and couldn't find it; I'm sure somebody knows what I'm talking about. It was one of the first most scary viruses.

The trouble is, for a machine like that to be very secure, it would have to have no external data inputs at all. If it ever needed updating or servicing you would have to take it apart.
This is a joke, right?
Infected USBs can't just infect computers. Someone has to be stupid enough to run the executable, because most, if not all, systems will block the autorun.ini file.

In order to infect a system via USB you really need to understand how the system works and how to trick it.

So yeah, they'll always be hackable but in reality it's very unlikely unless you have someone who really knows what they're doing.

The problem is in reality, all these systems are tied to the internet or to other systems which are tied to the internet. That's the real problem.
 
This is a joke, right?
Infected USBs can't just infect computers. Someone has to be stupid enough to run the executable, because most, if not all, systems will block the autorun.ini file.

In order to infect a system via USB you really need to understand how the system works and how to trick it.

So yeah, they'll always be hackable but in reality it's very unlikely unless you have someone who really knows what they're doing.

The problem is in reality, all these systems are tied to the internet or to other systems which are tied to the internet. That's the real problem.

No critical systems managed by anybody competent will be running Windows, I would assume. And I think that these viruses are usually built into other code in other software, and not standalone exe files, as you say, that you would have to be stupid to run. I'm not an expert, but people find new loopholes all the time in how to trick systems into executing malicious code.
 
No critical systems managed by anybody competent will be running Windows, I would assume. And I think that these viruses are usually built into other code in other software, and not standalone exe files, as you say, that you would have to be stupid to run. I'm not an expert, but people find new loopholes all the time in how to trick systems into executing malicious code.
Almost everything is SCADA.
Idiots put it on the internet and think it's safe. SCADA wasn't developed with security in mind, so I'll leave it at that.

Here are some ridiculous real-life examples:
https://www.tripwire.com/state-of-s...-s-public-utilitys-control-system-was-hacked/
https://www.theregister.co.uk/2016/03/24/water_utility_hacked/
https://www.wired.com/2016/01/everything-we-know-about-ukraines-power-plant-hack/

Also, lookie what I found on Wikipedia about SCADA:
Fourth generation: "Internet of things"
Huh. I wonder why there are security issues.
 
Instead of using PRISM for creeping Facebook,

why don't they use their massive surveillance powers to find these people?

Because they're them.

Seriously though, some things should not be connected.
 
This is a joke, right?
Infected USBs can't just infect computers. Someone has to be stupid enough to run the executable, because most, if not all, systems will block the autorun.ini file.

In order to infect a system via USB you really need to understand how the system works and how to trick it.

Nope. There's an inherent flaw in how USB works where you can execute code from the FIRMWARE on the USB. There is no known fix as it is a hardware issue.

There are also USBs out there that will use the +5VSB to charge a cap and send a high-voltage pulse through your motherboard over and over again till it's toast.

Keep up with the hacks man.
 
Nope. There's an inherent flaw in how USB works where you can execute code from the FIRMWARE on the USB. There is no known fix as it is a hardware issue.

There are also USBs out there that will use the +5VSB to charge a cap and send a high-voltage pulse through your motherboard over and over again till it's toast.

Keep up with the hacks man.
I've seen the DEF CON PowerPoint. I've never heard of these things in action.

You need fairly large capacitors for this to work. It's easy enough to break apart a USB and make sure it's just a small IC.
 
I have some equipment mounted on our local water towers; all their chlorine pumps are connected to their main office using Verizon Jetpacks. I always hoped that they're using some kind of VPN.
 
Regardless of USB vulnerabilities, there is no reason for a lot of infrastructure related equipment to simply be connected to the internet. Sure, even without a wide open internet connection there are going to be a number of other vulnerabilities, but when one massive vulnerability only exists due to people being incredibly lazy, it's absurd.
 
I have some equipment mounted on our local water towers; all their chlorine pumps are connected to their main office using Verizon Jetpacks. I always hoped that they're using some kind of VPN.

No way are they VPN'd.
 
Almost everything is SCADA.
Idiots put it on the internet and think it's safe. SCADA wasn't developed with security in mind, so I'll leave it at that.

Here are some ridiculous real-life examples:
https://www.tripwire.com/state-of-s...-s-public-utilitys-control-system-was-hacked/
https://www.theregister.co.uk/2016/03/24/water_utility_hacked/
https://www.wired.com/2016/01/everything-we-know-about-ukraines-power-plant-hack/

Also, lookie what I found on Wikipedia about SCADA:
Fourth generation: "Internet of things"
Huh. I wonder why there are security issues.

Hahahahahahahaha.

Seriously though, this world is not ready for the security vulnerabilities implicit in connecting everything in the world to the internet. My uncle keeps telling me to go into computer security, that it's insanely lucrative and that people with computer skills like us, who are comfortable with hardware and software and know the ins and outs, are shoo-ins for the positions; you just need to study some basic tests and get some certificates. He said people like us on these forums would probably already know half the answers before they even studied for the test. I have a 1-foot-thick CISSP cert book next to me I'm supposed to be reading in my free time haha.
 
Ransomware attacking something like a water treatment plant should be treated as a terrorist act. If the culprits disseminating the malware are domestic (likely not the case) they should face 25+ years in prison and forfeiture of all assets to the US government; their spouse, if they have one, should be charged with conspiracy to perpetrate a terrorist act, and their children should be seized and placed in foster care. If the attackers are non-US citizens they should be treated as enemy combatants and killed.

Attacking public infrastructure like our water supply with a piece of software is just as serious as attacking with a bomb or a biological agent.
 
Ok so let's learn a bit from an actual controls engineer. :)

Most control systems - DCS or PLCs - have crap for security. Today, all of them run on Windows Server (they used to be Unix-based about 20 years ago). The trend is to connect everything for data collection, analytics, and remote control. Far more emergencies have been avoided due to being able to remotely control the plant than problems caused by it being connected to the outside world. We generally install them with pretty tight security around the systems. You generally have to break through corporate security first, then know where you're going (because you usually have to hit an obscure jump box first), then you've got to break into another private domain of the control system, which is oftentimes administered by different folks than IT. Anyone with a brain protects them fairly well because they are easy to hack once you have physical or remote access.

These systems are FAR more vulnerable to idiot plant workers and controls engineers breaking them unintentionally. If something bad is going to happen - it's almost certainly not an outside job.

For that very reason - critical systems usually have two or sometimes even three distinct control systems performing and verifying tasks. These controls systems are unique with different languages, separate domains, separate power and hardware. This way you can't repeat a programming bug because you had to code the critical functionality multiple times in dramatically different languages. In the case of a confirmation to do something - all systems have to agree before the thing happens. In the case of an "oh crap" if any one of them sees a problem the plant goes into a safe state.

Be it inside incompetence (likely) or an outside attack (unlikely), taking a single system down or rendering it hostage would be completely ineffective in causing damage to the facility or people. The other system would know something's wrong and go to a safe state. The worst someone could do would be to cause a day or so of plant downtime while systems get restored from critical backups. (Remember they don't change too much so you restore some pretty old backups and have plant functionality)

Most places I've seen do a pretty good job of setting things up like this. Anyone doing otherwise deserves what they get. If I wanted to cause damage, I wouldn't try for it remotely. I'd be much more successful getting physical access or targeting a worker with social engineering.
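The voting arrangement the controls engineer describes above (every independent system must agree before an action is taken, and any one system seeing a problem drives the plant to a safe state) as an added simulation; this is not code from the thread or from any real DCS/PLC product, and the controller names, the dose limit and the Plant class are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class Vote(Enum):
    AGREE = "agree"
    REFUSE = "refuse"   # request violates this controller's own limit table
    FAULT = "fault"     # no answer: unreachable, bad checksum, or held hostage

@dataclass
class Controller:
    name: str                    # hypothetical independent controller
    max_dose_gph: float          # hypothetical per-controller metering limit
    healthy: bool = True

    def vote(self, dose_gph: float) -> Vote:
        # Each controller checks the request against its OWN copy of the limit.
        if not self.healthy:
            return Vote.FAULT
        return Vote.AGREE if 0.0 <= dose_gph <= self.max_dose_gph else Vote.REFUSE

@dataclass
class Plant:
    controllers: list[Controller]
    safe_state: bool = False
    dose_gph: float = 0.0
    log: list[str] = field(default_factory=list)

    def request_dose(self, dose_gph: float) -> bool:
        """Apply a change only if every controller agrees; any FAULT trips the plant."""
        votes = {c.name: c.vote(dose_gph) for c in self.controllers}
        if self.safe_state or Vote.FAULT in votes.values():
            self.safe_state = True        # one system's "oh crap" wins
            self.dose_gph = 0.0
            self.log.append(f"TRIP {votes}")
            return False
        if all(v is Vote.AGREE for v in votes.values()):
            self.dose_gph = dose_gph
            self.log.append(f"APPLIED {dose_gph} gph")
            return True
        self.log.append(f"REFUSED {votes}")
        return False

def demo() -> Plant:  # constructed scenario: two controllers, one taken hostage
    plant = Plant([Controller("dcs_a", 5.0), Controller("plc_b", 5.0)])
    plant.request_dose(3.0)               # both agree: applied
    plant.request_dose(50.0)              # both refuse: no single point can overdose
    plant.controllers[0].healthy = False  # controller A encrypted / unreachable
    plant.request_dose(3.0)               # FAULT from A: plant trips to safe state
    return plant
```

The plant stays tripped until an operator restores the faulted controller and clears the safe state out of band, which is the "day or so of downtime while systems get restored from backups" the post describes.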
 