• Risks Digest 32.49 (1/3)

    RISKS-LIST: Risks-Forum Digest Friday 12 February 2021 Volume 32 : Issue 49

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/32.49>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents: [Don't forget it's Lincoln's birthday.]
    Someone tried to poison Oldsmar's water (TampaBay News)
    Water supply control system breached and adjusted to dangerous pH level
    (YouTube)
    Dangerous Stuff: Hackers Tried to Poison Water Supply of Florida Town
    (NYTimes)
    Poor Password Security Led to Recent Water Treatment Facility Hack
    (The Hacker News)
    Air pollution linked to irreversible sight loss: study (AFP)
    'Brain-altering bioweapons' to DNA surveillance: Experts already preparing
    for next biological threat (StudyFinds)
    NPR covid variants (NPR)
    Cannon Salute at Baby Shower Ends in Death, Police Say (NYTimes)
    Scientists propose lithium to cope with high-risk condition in future fusion
    facilities (phys.org)
    Doorbell Security Cameras Are Easily Hackable, Researchers Find (Jim Waymer)
    Cities Sell Data From 'Smart' Streetlights (Bloomberg)
    'Matrix'-style bracelets turn humans into batteries (Reuters)
    There Are Spying Eyes Everywhere -- and Now They Share a Brain (WiReD)
    There Are Spying Eyes Everywhere -- and Now They Share a Brain (WiReD)
    EAC Voluntary Voting System Guidelines 2.0 (WashPost)
    How a Dated Cyber-Attack Brought a Stock Exchange to its Knees (Bloomberg)
    AA21-042A: Compromise of U.S. Water Treatment Facility (US-CERT)
    NSA at Amazon (Matthew D Green)
    Key TCP/IP Stacks Found Faulty, Vulnerable (Ars Technica)
    New Chrome Browser 0-day Under Active Update Immediately (Chrome Releases)
    Over a dozen Chrome extensions caught hijacking Google search results for
    millions (The Hacker News)
    New version of Uptane Standard clarifies protection strategies for
    vulnerable vehicles (NYU Tandon School of Engineering)
    A Bigger Risk Than GameStop? Beware the Ponzi Scheme Next Door (NYTimes)
    Section 230 reform SAFE TECH act would shut down paid Internet services
    (Gizmodo and Techdirt)
    The SAFE TECH Act would overhaul Section 230, but law's defenders warn of
    major side effects (TechCrunch)
    Where in the world is mobile data? (Andrew Yeomans)
    Beware: New Matryosh DDoS Botnet Targeting Android-Based Devices
    (The Hacker News)
    British police arrest man over offensive Captain Moore tweet, giving it a
    vast international audience (BoingBoing)
    Calling All Ham Radio Operators (Rebecca Mercuri)
    You cannot be serious: electronic line judges make Grand Slam debut (AFP)
    AI and the List of Dirty, Naughty, Obscene, and Otherwise Bad Words (WiReD)
    Data fallacies: Cherry Picking, Data Dredging... (Dan Jacobson)
    Quantum computing hash function reversal (Bloomberg)
    The Battery Is Ready to Power the World (WSJ)
    Fairfax County vs Virginia on vaccinations (Gabe Goldberg)
    Re: Terraria port to Google Stadia sunk by bad Google support (Eli Griffin)
    Re: The `Dumb Money' Outfoxing Wall Street Titans (Isaac Morland)
    Re: The calculus really is complex (Wol)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 8 Feb 2021 11:24:32 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Someone tried to poison Oldsmar's water (Tampa Bay News)

    *Pinellas Sheriff Bob Gualtieri said the attacker tried to raise levels of sodium hydroxide, also known as lye, by a factor of more than 100.*

    Local and federal authorities are investigating after an attempt Friday to poison the city of Oldsmar's water supply, Pinellas County Sheriff Bob Gualtieri said.

    Someone remotely accessed a computer for the city's water treatment system
    and briefly increased the amount of sodium hydroxide, also known as lye, by
    a factor of more than 100, Gualtieri said at a news conference Monday. The chemical is used in small amounts to control the acidity of water but it's
    also a corrosive compound commonly found in household cleaning supplies
    such as liquid drain cleaners.

    The city's water supply was not affected. A supervisor working remotely saw
    the concentration being changed on his computer screen and immediately
    reverted it, Gualtieri said. City officials on Monday emphasized that
    several other safeguards are in place to prevent contaminated water from
    entering the water supply and said they've disabled the remote-access system
    used in the attack. [...]
    https://www.tampabay.com/news/pinellas/2021/02/08/someone-tried-to-poison-oldsmars-water-supply-during-hack-sheriff-says/

    ------------------------------

    Date: Mon, 8 Feb 2021 18:00:20 -0500
    From: Steve Klein <steven@klein.us>
    Subject: Water supply control system breached and adjusted to dangerous pH
    level (YouTube)

    Here's an official press conference video: https://www.youtube.com/watch?v=MkXDSOgLQ6M&t=315s

    Someone remotely accessed a computer system that controls the chemicals used
    for the local water supply in Oldsmar, Florida. The intruder increased the
    amount of Sodium Hydroxide (NaOH) in the water from the proper amount, 100
    ppm, to 11,100 ppm.

    Sodium Hydroxide, also known as lye, is the main ingredient in liquid drain
    cleaners.

    The intruder used some kind of remote control software, and the operator of that computer was sitting in front of it at the time, and was able to immediately change it back.

    I'm neither a programmer nor a security professional, but I'm fortunate to
    have a functioning brain. Some of the risks I see:

    * A system which should never be used by anybody off-premises is connected
    to the Internet
    * A system which can make critical changes to the water shouldn't have
    remote-control software installed.
    * A system which controls chemical additives to the water has no sanity
    checking.

    My guess is that RISKS regulars can probably spot problems I overlooked.

    (There are systems that monitor water pH, and set off alarms if it's
    out-of-bounds.)
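The sanity check the third bullet above says was missing, as an added example (not from the post, and not any plant's actual controller): a guard that sits between a remote session and the dosing setpoint, refuses the 100 ppm to 11,100 ppm change described above because it is outside engineering limits, and raises an alarm on it. The limit values and the local/remote source tag are assumptions made for the illustration.

```python
"""Added example: sanity checking for a chemical dosing setpoint.

Models the guard the post says was missing: a controller that refuses
setpoint changes outside engineering limits, refuses large jumps, and
records an alarm for every rejected change and every remotely sourced
change. All limit values below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class DosingLimits:
    """Engineering limits for one chemical feed (constructed values)."""
    hard_max_ppm: float     # never exceeded, regardless of who asks
    max_step_ppm: float     # largest absolute change accepted per command
    max_step_ratio: float   # largest multiplicative change per command


@dataclass
class SetpointGuard:
    """Sits between the HMI / remote session and the dosing pump setpoint."""
    limits: DosingLimits
    current_ppm: float
    alarms: List[str] = field(default_factory=list)

    def _reject(self, new_ppm: float, source: str, why: str) -> Tuple[bool, str]:
        # Every rejection is an alarm: a rejected command is itself a signal.
        msg = f"REJECTED {source}: {self.current_ppm:g} -> {new_ppm:g} ppm ({why})"
        self.alarms.append(msg)
        return False, msg

    def request(self, new_ppm: float, source: str) -> Tuple[bool, str]:
        """Apply a requested setpoint only if it passes every check.

        source is 'local' for the plant HMI or 'remote' for a desktop-sharing
        session (assumed tag); remote changes are alarmed even when accepted.
        """
        lim = self.limits
        # 1. Absolute engineering envelope.
        if not (0.0 <= new_ppm <= lim.hard_max_ppm):
            return self._reject(new_ppm, source, f"outside 0..{lim.hard_max_ppm:g} ppm")
        # 2. Largest absolute move allowed in one command.
        step = abs(new_ppm - self.current_ppm)
        if step > lim.max_step_ppm:
            return self._reject(new_ppm, source, f"step {step:g} > {lim.max_step_ppm:g} ppm")
        # 3. Largest relative move; catches big jumps from a small baseline.
        if self.current_ppm > 0 and new_ppm / self.current_ppm > lim.max_step_ratio:
            return self._reject(new_ppm, source, f"ratio > {lim.max_step_ratio:g}x")
        old = self.current_ppm
        self.current_ppm = new_ppm
        msg = f"ACCEPTED {source}: {old:g} -> {new_ppm:g} ppm"
        if source != "local":
            # Accepted, but a remote change still deserves an operator's attention.
            self.alarms.append("NOTICE " + msg)
        return True, msg


def replay_oldsmar() -> SetpointGuard:
    """Replay the change described in the post (100 ppm -> 11,100 ppm)
    against constructed limits, followed by a modest local adjustment."""
    guard = SetpointGuard(
        DosingLimits(hard_max_ppm=200.0, max_step_ppm=25.0, max_step_ratio=1.5),
        current_ppm=100.0,
    )
    guard.request(11100.0, "remote")   # the intruder's change: rejected and alarmed
    guard.request(110.0, "local")      # a routine operator adjustment: accepted
    return guard


if __name__ == "__main__":
    g = replay_oldsmar()
    print("\n".join(g.alarms))
    print("final setpoint:", g.current_ppm, "ppm")
```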

    ------------------------------

    Date: Tue, 9 Feb 2021 00:59:50 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Dangerous Stuff: Hackers Tried to Poison Water Supply of Florida
    Town (NYTimes)

    The authorities said the plot unfolded last Friday morning, when an employee noticed that someone was controlling his computer. He initially dismissed it because the city has software that allows supervisors to access computers remotely. But about five and a half hours later, the employee saw that different programs were opening and that the level of lye changed.

    https://www.nytimes.com/2021/02/08/us/oldsmar-florida-water-supply-hack.html

    A water company control system is online and is routinely accessed remotely
    by supervisors, without coordination or advance notice to on-site workers?
    Can this be true?

    ------------------------------

    Date: Thu, 11 Feb 2021 09:34:14 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Poor Password Security Led to Recent Water Treatment Facility Hack

    New details have emerged about the remote computer *intrusion at a Florida water treatment* facility last Friday, highlighting a lack of adequate
    security measures needed to bulletproof critical infrastructure
    environments. <https://thehackernews.com/2021/02/hacker-tried-poisoning-water-supply.html>

    The breach, which occurred last Friday, involved an unsuccessful attempt on
    the part of an adversary to increase sodium hydroxide dosage in the water
    supply to dangerous levels by remotely accessing the SCADA system at the
    water treatment plant. The system's plant operator, who spotted the
    intrusion, quickly took steps to reverse the command, leading to minimal
    impact.

    Now, according to an *advisory* published on Wednesday by the state of Massachusetts, unidentified cyber-actors accessed the supervisory control
    and data acquisition (SCADA) system via TeamViewer software installed on one
    of the plant's several computers that were connected to the control system. <https://www.mass.gov/service-details/cybersecurity-advisory-for-public-water-suppliers>

    Not only were these computers running 32-bit versions of the Windows 7 operating system, but the machines also shared the same password for remote access and are said to have been exposed directly to the Internet without
    any firewall protection installed.

    It's worth noting that Microsoft Windows 7 reached end-of-life as of last
    year, on January 14, 2020. [...] https://thehackernews.com/2021/02/poor-password-security-lead-to-recent.html

    ------------------------------

    Date: Mon, 8 Feb 2021 11:33:20 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Air pollution linked to irreversible sight loss: study (AFP)

    Air pollution is likely to increase the risk of irreversible sight loss, according to the results of a long-term study published Tuesday.

    Age-related macular degeneration (AMD) is the leading cause of blindness
    among over-50s in richer nations, with roughly 300 million people predicted
    to be affected by 2040.

    Known risk factors include age, smoking and genetic make-up.

    Now researchers have drawn a link between AMD and air pollution, which is already known to carry a host of health risks including heart and lung
    disease.

    Writing in the British Journal of Ophthalmology, researchers analysed data
    from more than 115,000 participants who reported no eye problems at the
    start of the study period in 2006. [...] https://www.france24.com/en/live-news/20210126-air-pollution-linked-to-irreversible-sight-loss-study

    ------------------------------

    Date: Sun, 7 Feb 2021 12:52:16 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: 'Brain-altering bioweapons' to DNA surveillance: Experts already
    preparing for next biological threat (StudyFinds)

    For more than a year now, the world's focus has been squarely on the COVID-19
    pandemic. With over 100 million confirmed cases worldwide and more than two
    million dead from the virus, it's hard to imagine how things could
    get worse. Despite this, a team of experts is already preparing for the
    next global crisis; warning that some of the possibilities would be more devastating than the current pandemic.

    Starting during the summer of 2019, an international team of researchers
    set out to list the key questions facing the United Kingdom's biological security. With help from the Centre for Existential Risk (CSER) at the University of Cambridge and the BioRISC project at St. Catharine's College,
    41 academics, industry, and government officials laid out 450 questions regarding a possible biological crisis.

    After voting and ranking all of these concerns, a list of 80 of the most
    urgent questions emerged. Despite compiling this list months before COVID-19 <https://www.studyfinds.org/category/coronavirus/>, lead researcher Dr.
    Luke Kemp says this list included major concerns revolving around disease threats. Some of the concerns focused on what role the climate will play <https://www.studyfinds.org/weather-impact-covid-19-spread/> on a possible pandemic, while others questioned the use of social media <https://www.studyfinds.org/category/society-culture/social-media/> to
    track emerging viruses.
    Is a biological threat worse than coronavirus coming?

    Some of the 80 concerns look at an even more sinister possibility on the horizon. As DNA testing <https://www.studyfinds.org/tag/dna/> becomes a
    more fashionable tool for both governments and everyday people, researchers warn that threats from ``human-engineered agents'' pose a huge threat to the entire world.

    ``We could encounter not just microbes, but anything from brain-altering bioweapons, to mass surveillance through DNA databases to low-carbon
    clothes produced by microorganisms,'' Dr. Kemp says in a university release <https://www.cam.ac.uk/stories/beyond-the-pandemic-biosecurity>.

    ``While many of these may seem to lie in the realm of science fiction, such advanced capabilities could prove to be even more impactful, for better or
    for worse than the current pandemic.'' <https://www.studyfinds.org/study-it-takes-just-10-hours-for-virus-dna-to-spread-across-a-hospital/>

    Weaponized DNA. [...] https://www.studyfinds.org/worse-than-covid-next-threat/

    ------------------------------

    Date: Sun, 7 Feb 2021 21:12:33 -0800
    From: Peter Neumann <neumann@CSL.SRI.COM>
    Subject: NPR covid variants (NPR)

    https://www.npr.org/sections/goatsandsoda/2021/02/05/964447070/where-did-the-coronavirus-variants-come-from?fbclid=IwAR14WvR5ktJXXwWGfUjuiWu9ItSmwDc0h80ftp2iv1KqnfeuvGjZ9NuVHuM

    ------------------------------

    Date: Mon, 8 Feb 2021 15:01:31 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Cannon Salute at Baby Shower Ends in Death, Police Say (NYTimes)

    https://www.nytimes.com/2021/02/07/us/baby-shower-cannon-explosion-Michigan.html

    Not exactly Darwin quality, and low-tech risk, but still -- amateurs
    firing artillery, what could go wrong?

    ------------------------------

    Date: Tue, 9 Feb 2021 17:48:38 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Scientists propose lithium to cope with high-risk condition in
    future fusion facilities (phys.org)

    https://phys.org/news/2021-02-scientists-lithium-cope-high-risk-condition.html

    '"The idea is to inject light impurities such as lithium, boron, or
    beryllium into the divertor region so as to radiate away much of the
    energy," Ono explained. "The trick will be to go in quickly enough to
    protect the divertor with very little radiation affecting the plasma
    core. You don't want to inject too much impurity material -- just enough to
    do the job."'

    Preventing a fusion reactor divertor meltdown by injecting (spraying) metal
    atoms into a plasma (operating at a cool 1-2 billion kelvin degrees),
    without quenching the fusion core reaction, will be a delicate
    operation. The 10 msec window to complete this action seems achievable with
    their electromagnetic atomic injector.

    Beryllium, if inhaled, can cause berylliosis. If they become commercially viable, fusion generators might not operate as environmentally clean as advertised.

    ------------------------------

    Date: Wed, 10 Feb 2021 12:04:35 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Doorbell Security Cameras Are Easily Hackable, Researchers Find
    (Jim Waymer)

    Jim Waymer, *Florida Today*, 8 Feb 2021
    via ACM TechNews, Wednesday, February 10, 2021

    Florida Institute of Technology (FIT) researchers demonstrated that smart
    home security systems, including doorbells connected to a wireless camera,
    can be hacked easily. FIT's Terrence O'Connor and Daniel Campos identified flaws in seven models of smart cameras and doorbells made by smart home
    device vendor Geeni and parent company Merkury Innovations, by reverse-engineering the firmware using cybersecurity firm ReFirm Labs'
    Binwalk Enterprise Internet of Things devices security tool. The FIT researchers found that hackers only need to figure out the default password
    the device shipped with in order to gain access. Merkury's Sol Hedaya said updated firmware will be issued this month.

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-29608x22843bx069341&

    ------------------------------

    Date: Thu, 11 Feb 2021 09:56:59 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Cities Sell Data From 'Smart' Streetlights (Bloomberg)

    *The future of "smart" cities is in street lights*

    Cities are rushing to replace their legacy street lights with "smart" LED fixtures that could one day be able to find you a parking space, monitor air quality, and announce an oncoming thunderstorm.

    Why it matters: Despite a bumpy and controversial start to some smart street light programs, cities are saving tons of money on energy by banishing traditional bulbs -- and may soon be able to turn a profit by monetizing
    data from smart LED sensors or leasing space on light poles. <https://www.bloomberg.com/news/articles/2020-08-06/a-surveillance-standoff-over-smart-streetlights>

    The big picture: There's been lots of hype about "smart cities," where connected technology helps governments serve us better -- but also lots of money wasted on expensive projects that fizzled or caused public outcry over police use of camera surveillance.

    Today, hopes have coalesced around the potential for "smart" street lights, which bear sensors that can do everything from analyzing traffic patterns
    to assisting 911 operators.

    - "Streetlights are becoming the backbone of larger smart city
    initiatives," per a report
    <http://www.northeast-group.com/reports/Brochure-Global%20Smart%20Street%20Lighting%20&%20Smart%20Cities-Market%20Forecast%202020-2029%20-%20Northeast%20Group.pdf> by
    the Northeast Group, a smart cities market intelligence firm.
    - Cities will invest $8.2 billion in them in the next 10 years, the
    report said.
    - It will take time: "Overall, over 90% of streetlights will be LED by
    2029 and 35% will be connected," Northeast Group said.

    Cities large and small -- including Chicago, Atlanta, Los Angeles,
    Philadelphia and Cleveland -- have been replacing traditional streetlights
    with LEDs, which consume less energy and can be programmed to dim or brighten
    as needed.

    - "Street lighting can be up to 40% of a city's energy bills, so you see
    huge cost savings across the board," Benjamin Gardner, president of the
    Northeast Group, tells Axios.
    - Sensors placed on streetlights have manifold applications and will
    have more in the future.
    - An Intel white paper
    <https://www.intel.ca/content/dam/www/public/us/en/documents/solution-briefs/smart-street-lights-for-brighter-savings-solutionbrief.pdf>
    envisions
    a day when street lights do everything from traffic and parking control to
    guiding people out of danger during an emergency (by flashing in the
    direction of evacuation).

    "The vision here is to augment the existing infrastructure via the cloud to allow data and additional functionality to flow through what was a dumb
    asset," Martin Stephenson, head of North America systems & services for Signify, a major connected lighting vendor, tells Axios.

    But, but, but: There's been pushback on various fronts.

    - Surveillance: San Diego got scolded
    <https://www.techwire.net/news/city-pulls-plug-on-streetlight-cameras-pending-surveillance-ordinance.html#:~:text=Mayor%20Kevin%20Faulconer%20on%20Wednesday,ordinance%20to%20govern%20surveillance%20technology.&text=The%20city%20hit%20the%20brakes,was%20announced%20%E2%80%94%20also%20a%20surprise.>
    by community activists after its police started using video from its $30
    million "Smart Streetlights" program.
    - Aesthetics: Light poles gunked up with sensors, cameras and
    advertisements can look hideous.
    - Health: "Cities and towns throughout Northern California are issuing
    ordinances that would exclude new 5G cell sites from residential areas,
    citing supposed health concerns," per the WSJ.
    <https://www.wsj.com/articles/cities-are-saying-no-to-5g-citing-health-aestheticsand-fcc-bullying-11566619391>

    Smart street light experts say the industry has taken heed from the San
    Diego debacle and pulled back on intrusive applications.

    What's next: [...]

    https://www.axios.com/smart-cities-street-lights-859992a6-6931-48e5-81ba-7f0a0b8058d9.html

    ------------------------------

    Date: Thu, 11 Feb 2021 10:02:09 -1000
    From: the keyboard of geoff goodfellow <geoff@iconia.com>
    Subject: 'Matrix'-style bracelets turn humans into batteries (Reuters)

    In a move that will give chills to fans of the dystopian movie The Matrix, scientists have developed a wearable device that could use the human body to replace batteries.

    Echoing world-domineering robots' use of enslaved humans in the 1999
    cyberpunk movie, U.S. researchers at the University of Colorado Boulder have created an environmentally-friendly gadget that harvests body heat and
    converts it into energy.

    Tech-lovers could power their own watches or fitness trackers by wearing a stretchy ring or bracelet containing thermoelectric chips that convert heat into electrical energy, according to research published in the journal
    Science Advances.

    The idea will sound familiar to lovers of the iconic film, starring Keanu Reeves, where humans are trapped in the Matrix, a simulated reality, while hooked up to machines to provide electrical power for robots that have
    taken over the world...

    [...]
    https://www.reuters.com/article/idUSKBN2AA2KV

    ------------------------------

    Date: Sun, 7 Feb 2021 12:50:07 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: There Are Spying Eyes Everywhere -- and Now They Share a Brain
    (WiReD)

    Security cameras. License plate readers. Smartphone trackers. Drones. We're being watched 24/7. What happens when all those data streams fuse into one?

    One afternoon in the fall of 2019, in a grand old office building near the
    Arc de Triomphe, I was buzzed through an unmarked door into a showroom for
    the future of surveillance. The space on the other side was dark and sleek, with a look somewhere between an Apple Store and a doomsday bunker. Along
    one wall, a grid of electronic devices glinted in the moody downlighting -- automated license plate readers, Wi-Fi-enabled locks, boxy data processing units. I was here to meet Giovanni Gaccione, who runs the public safety division of a security technology company called Genetec. Headquartered in Montreal, the firm operates four of these ``Experience Centers'' around the world, where it peddles intelligence products to government
    officials. Genetec's main sell here was software, and Gaccione had agreed to show me how it worked.

    He led me first to a large monitor running a demo version of Citigraf, his division's flagship product. The screen displayed a map of the East Side of Chicago. Around the edges were thumbnail-size video streams from
    neighborhood CCTV cameras. In one feed, a woman appeared to be unloading luggage from a car to the sidewalk. An alert popped up above her head: ``ILLEGAL PARKING.'' The map itself was scattered with color-coded icons --
    a house on fire, a gun, a pair of wrestling stick figures -- each of which, Gaccione explained, corresponded to an unfolding emergency. He selected the stick figures, which denoted an assault, and a readout appeared onscreen
    with a few scant details drawn from the 911 dispatch center. At the bottom
    was a button marked ``INVESTIGATE,'' just begging to be clicked.

    To get a clear picture of an emergency in progress, officers often had to bushwhack through dozens of byzantine databases and feeds from far-flung sensors, including gunshot detectors, license plate readers, and public and private security cameras. This process of braiding together strands of information -- ``multi-intelligence fusion'' is the technical term -- was becoming too difficult. As one Chicago official put it, echoing a well-worn aphorism in surveillance circles, the city was ``data-rich but information-poor.'' What investigators needed was a tool that could cut a
    clean line through the labyrinth. What they needed was automated fusion.

    Gaccione now demonstrated the concept in practice. He clicked
    ``INVESTIGATE,'' and Citigraf got to work on the reported assault. The
    software runs on what Genetec calls a ``correlation engine,'' a suite of algorithms that trawl through a city's historical police records and live sensor feeds, looking for patterns and connections. Seconds later, a long
    list of possible leads appeared onscreen, including a lineup of individuals previously arrested in the neighborhood for violent crimes, the home
    addresses of parolees living nearby, a catalog of similar recent 911 calls, photographs and license plate numbers of vehicles that had been detected speeding away from the scene, and video feeds from any cameras that might
    have picked up evidence of the crime itself, including those mounted on
    passing buses and trains. More than enough information, in other words, for
    an officer to respond to that original 911 call with a nearly telepathic
    sense of what has just unfolded. [...] https://www.wired.com/story/there-are-spying-eyes-everywhere-and-now-they-share-a-brain/

    ------------------------------

    Date: Fri, 5 Feb 2021 19:59:30 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: There Are Spying Eyes Everywhere -- and Now They Share a Brain
    (WiReD)

    Eventually, the Department of Defense hopes to link every plane, satellite, ship, tank, and soldier into a huge, mostly automated Internet of Wartime Things. Cloud-connected sensors and weapons will correlate among themselves while commanders direct the action on a rich, continuously updated digital chessboard that senior leaders hope will look like Waze. As part of the
    effort, the Air Force and the Army have earmarked billions of dollars for fusion networks from dozens of defense and technology companies, including Amazon, BAE, and Anduril.

    https://www.wired.com/story/there-are-spying-eyes-everywhere-and-now-they-share-a-brain/

    What could go wrong? Look like WAZE? Waze has no moving parts; houses stay
    still and data isn't updated in real time.

    ------------------------------

    Date: Thu, 11 Feb 2021 11:01:12 -0500
    From: Peter G Neumann <Neumann@CSL.SRI.COM>
    Subject: EAC Voluntary Voting System Guidelines 2.0 (WashPost)

    https://www.washingtonpost.com/politics/2021/02/11/cybersecurity-202-new-voting-machine-security-standards-are-already-drawing-controversy/

    [Voluntary, Schmoluntary. Is it a step forward, or a tooth for the
    toothless?]

    ------------------------------

    Date: Fri, 5 Feb 2021 21:11:09 +0900
    From: Dave Farber <farber@gmail.com>
    Subject: How a Dated Cyber-Attack Brought a Stock Exchange to its Knees
    (Bloomberg)

    Jamie Tarabay
    How a Dated Cyber-Attack Brought a Stock Exchange to its Knees

    DDoS attacks, the cyber equivalent of being mugged, grow in size and
    sophistication

    https://www.bloomberg.com/news/articles/2021-02-04/how-a-dated-cyber-attack-brought-a-stock-exchange-to-its-knees

    ------------------------------

    Date: Thu, 11 Feb 2021 23:20:49 +0000
    From: US-CERT <US-CERT@ncas.us-cert.gov>
    Subject: AA21-042A: Compromise of U.S. Water Treatment Facility

    Cybersecurity and Infrastructure Security Agency (CISA) --
    Defend Today, Secure Tomorrow

    AA21-042A: Compromise of U.S. Water Treatment Facility, 11 Feb 2021 https://us-cert.cisa.gov/ncas/alerts/aa21-042a

    Summary

    On February 5, 2021, unidentified cyber-actors obtained unauthorized access
    to the supervisory control and data acquisition (SCADA) system at a
    U.S. drinking water treatment plant. The unidentified actors used the SCADA
    system's software to increase the amount of sodium hydroxide, also known as
    lye, a caustic chemical, as part of the water treatment process. Water
    treatment plant personnel immediately noticed the change in dosing amounts
    and corrected the issue before the SCADA system's software detected the
    manipulation and alarmed due to the unauthorized change. As a result, the
    water treatment process remained unaffected and continued to operate as
    normal. The cyber-actors likely accessed the system by exploiting
    cybersecurity weaknesses, including poor password security, and an outdated operating system. Early information indicates it is possible that a desktop sharing software, such as TeamViewer, may have been used to gain
    unauthorized access to the system. Onsite response to the incident included Pinellas County Sheriff Office (PCSO), U.S. Secret Service (USSS), and the Federal Bureau of Investigation (FBI).

    The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the
    Environmental Protection Agency (EPA), and the Multi-State Information
    Sharing and Analysis Center (MS-ISAC) have observed cyber criminals targeting
    and exploiting desktop sharing software and computer networks running
    operating systems with end of life status to gain unauthorized access to systems. Desktop sharing software, which has multiple legitimate uses such
    as enabling telework, remote technical support, and file transfers can also
    be exploited through malicious actors' use of social engineering tactics and
    other illicit measures. Windows 7 will become more susceptible to
    exploitation due to lack of security updates and the discovery of new vulnerabilities. Microsoft and other industry professionals strongly
    recommend upgrading computer systems to an actively supported operating
    system. Continuing to use any operating system within an enterprise beyond
    the end of life status may provide cyber criminals access into computer systems.

    Click here for a PDF version of this report:
    <https://us-cert.cisa.gov/sites/default/files/publications/AA21-042A_Joint%20Cybersecurity%20Advisory_Compromise%20of%20U.S.%20Water%20Treatment%20Facility.pdf>

    Technical Details

    Desktop Sharing Software

    The FBI, CISA, EPA, and MS-ISAC have observed corrupt insiders and outside cyber-actors using desktop sharing software to victimize targets in a range
    of organizations, including those in the critical infrastructure sectors. In addition to adjusting system operations, cyber-actors also use the following techniques:

    * Use access granted by desktop sharing software to perform fraudulent
      wire transfers.
    * Inject malicious code that allows the cyber-actors to
      * Hide desktop sharing software windows,
      * Protect malicious files from being detected, and
      * Control desktop sharing software startup parameters to obfuscate their
        activity.
    * Move laterally across a network to increase the scope of activity.

    TeamViewer, a desktop sharing software, is a legitimate popular tool that
    has been exploited by cyber-actors engaged in targeted social engineering attacks, as well as large scale, indiscriminate phishing campaigns. Desktop sharing software can also be used by employees with vindictive and/or
    larcenous motivations against employers.

    Beyond its legitimate uses, TeamViewer allows cyber-actors to exercise
    remote control over computer systems and drop files onto victim computers,
    making it functionally similar to Remote Access Trojans (RATs). TeamViewer's
    legitimate use, however, makes anomalous activity less suspicious to end
    users and system administrators compared to RATs.

    Windows 7 End of Life

    On January 14, 2020, Microsoft ended support for the Windows 7 operating system, which includes security updates and technical support unless certain customers purchased an Extended Security Update (ESU) plan. The ESU plan is paid per-device and available for Windows 7 Professional and Enterprise versions, with an increasing price the longer a customer continues
    use. Microsoft will only offer the ESU plan until January 2023. Continued
    use of Windows 7 increases the risk of cyber actor exploitation of a
    computer system.

    Cyber-actors continue to find entry points into legacy Windows operating systems and leverage Remote Desktop Protocol (RDP) exploits. Microsoft
    released an emergency patch for its older operating systems, including
    Windows 7, after an information security researcher discovered an RDP vulnerability in May 2019. Since the end of July 2019, malicious RDP
    activity has increased with the development of a working commercial exploit
    for the vulnerability. Cyber-actors often use misconfigured or improperly secured RDP access controls to conduct cyberattacks. The xDedic Marketplace, taken down by law enforcement in 2019, flourished by compromising RDP vulnerabilities around the world.

    Mitigations

    General Recommendations

    The following cyber hygiene measures may help protect against the aforementioned scheme:

    * Update to the latest version of the operating system (e.g., Windows 10).
    * Use multiple-factor authentication.
    * Use strong passwords to protect Remote Desktop Protocol (RDP) credentials.
    * Ensure anti-virus, spam filters, and firewalls are up to date, properly

    [continued in next message]
