Prevention is better than cure when stopping WORMs attacking Critical Infrastructure

Earlier this week, Microsoft issued a technical advisory [1] on a vulnerability within certain versions of their RDP service. Microsoft describes the vulnerability as ‘wormable’, or in layman’s terms, exploitable by malware that spreads from one vulnerable machine to the next without any action by the user, opening the door through your security defences.

Because of the nature of this vulnerability and the breadth of Microsoft systems that are affected, ranging from Windows XP through to Windows Server 2008 R2 and Windows 7, it could be used without end user interaction to launch a targeted attack against Critical Infrastructure. This is especially significant when combined with other vulnerabilities in perimeter devices.

Given that Critical Infrastructure tends to rely on these older operating systems, the prospect of another WannaCry-type incident is a real possibility. Due to the seriousness of the vulnerability, Microsoft has issued security fixes both for their currently supported operating systems and for those out of support, going back to Windows XP.

It is conceivable that this vulnerability could be ‘weaponized’ in order to gain access to Critical Infrastructure, as was the case with the original WannaCrypt0r attack. Many of the machines affected during the original attack would still be vulnerable to this attack vector.

It is worth remembering the speed with which the original WannaCrypt0r attack spread:

‘On the 12th May 2017 a malicious/phishing email was received and opened by an unwitting user, allowing access for a new breed of malicious worm to infect the user’s machine. The worm in question, WannaCry (WannaCrypt0r) Crypto Ransomware, was a wrapper around a tool originating from the NSA's cyber arsenal, released into the public domain by a hacking team going under the name of ShadowBrokers.
The tool which WannaCry wrapped into its own functionality was EternalBlue. This had been designed to compromise a set of previously undisclosed Microsoft SMB vulnerabilities. WannaCry also made use of DOUBLEPULSAR for the ability to deploy extra applications to the compromised endpoint.
Once run, the worm made use of EternalBlue’s ability to traverse the network and hunt down other Windows PCs. Once connected to a suitable host, it would start its main task of cryptographically encrypting the user’s hard disk. Once complete, it would display its ransom notification asking for funds to be transferred in order to release the user’s data.
By 15 May, the worm is believed to have propagated to over 230,000 users in over 150 countries.’

Source: https://www.linkedin.com/pulse/when-worms-attack-critical-national-infrastructure-karl-henderson/

The sector hardest hit by the WannaCry attack was the National Health Service (NHS), which experienced mass disruption, including the isolation of systems that had avoided compromise, until remediation steps had been put into effect. Generalising from the NHS to any Critical Infrastructure, the ground rules are being set for another large scale Critical National Infrastructure attack.

Customers wanting to know their current security exposure to this and other attack entry points need an accurate understanding of the systems they have deployed, both network-connected and isolated. Based on this information, they then need to be able to:

  • Rapidly determine current endpoint patching status
  • Have a means of detecting anomalous traffic and system behaviour patterns
  • Confirm that perimeter protection rules are in place to block ingress and egress traffic originating from a compromise
  • Determine the services enabled on the endpoints through detection and reporting mechanisms
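As an added example, not taken from the original article or from SolutionsPT, the following PowerShell script gathers the first and last of those data points from a Windows endpoint: whether the RDP service is running and reachable, and whether a required update is installed. The $RequiredKb values are a placeholder to be filled from Microsoft's advisory for each operating system, and the NLA check reflects the partial mitigation that advisory describes for systems which cannot be patched immediately.

```powershell
# Added example: local RDP exposure check for one Windows endpoint.
# Run locally, or via Invoke-Command where PowerShell remoting is available.
param(
    # Placeholder: replace with the update ID(s) Microsoft lists for this OS.
    [string[]]$RequiredKb = @('KB-PLACEHOLDER')
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

# 1. Is the Remote Desktop service (TermService) present and running?
$svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
$rdpRunning = [bool]($svc -and $svc.Status -eq 'Running')

# 2. Are inbound RDP connections allowed? fDenyTSConnections = 0 means yes.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
            -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpAllowed = ($deny -eq 0)

# 3. Is Network Level Authentication required? UserAuthentication = 1 means yes.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication `
            -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($nla -eq 1)

# 4. Is at least one of the required updates installed?
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$patched = [bool]($RequiredKb | Where-Object { $installed -contains $_ })

# Get-WmiObject is used rather than Get-CimInstance so the script also
# runs on the PowerShell 2.0 that ships with Windows 7 / Server 2008 R2.
$os = (Get-WmiObject Win32_OperatingSystem).Caption

# One record per endpoint; collect these centrally to build the patch and
# service inventory the article calls for.
New-Object PSObject -Property @{
    ComputerName      = $env:COMPUTERNAME
    OSVersion         = $os
    RdpServiceRunning = $rdpRunning
    RdpAllowed        = $rdpAllowed
    NlaRequired       = $nlaRequired
    Patched           = $patched
    # Exposed: RDP reachable and no required update present.
    Exposed           = ($rdpRunning -and $rdpAllowed -and -not $patched)
}
```

An endpoint reporting Exposed = True with NlaRequired = False is the case the list above is meant to surface first.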

If an endpoint cannot be patched due to operational concerns, then Professional Services advice should be sought to determine and implement the most appropriate course of action.

At SolutionsPT we closely monitor and follow the ever-evolving cybersecurity threat landscape across industrial environments, partnering and aligning with NIS and NCSC guidance to make sure we fully understand the risks, so that we are able to support and advise our customers accordingly. If you are unsure where to turn or what steps to take to help secure your Critical Infrastructure, get in touch and see how we can help you.

[1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708