The Claroty Blog

ICS and WannaCry

Patrick McBride



Do ICS Networks WannaCry Too?

The massive WannaCry ransomware attack wreaked havoc, encrypting files on Windows endpoints and servers and impacting individuals and organizations around the globe.

While WannaCry was not specifically targeting industrial systems, it has been widely reported, and we have confirmation, that manufacturing plants were impacted. In some cases, Windows systems running industrial control software were encrypted, causing failures that impacted production. In other instances, companies halted production lines to investigate or fix systems, a decision often driven by an abundance of caution for personnel safety and concern about potential damage to expensive assets.

This blog summarizes what happened, with a focus on the impact WannaCry and potential future variants may have on ICS environments. We also provide specific recommendations for ICS asset owners/operators.

We hope you find this information helpful and welcome feedback.

 

What Happened?

In response to the WannaCry outbreak, cybersecurity researchers worldwide jumped into action and have analyzed and documented the attack and how it was conducted.

 

A summary of events to date:

  • Friday, 12 May 2017:
    • WannaCry began impacting Windows-based computers worldwide. Initial reports attributed the first infections to a well-crafted spear-phishing campaign; whatever the entry point, the malware spread very rapidly because of its self-propagating worm component, which needs no user interaction. Infections were global and impacted hundreds of thousands of computers across many sectors.
    • Later in the day on Friday, the researcher known as MalwareTech inadvertently stopped, or at least slowed, the spread of the malware by registering a domain found in a sample of the WannaCry code and sinkholing the traffic to it. The unregistered domain served as a “kill switch”: if the malware can connect to it, it exits before encrypting files or spreading. The check was possibly implemented to let the attackers halt the campaign when they chose, or to evade the “sandboxes” that security researchers and endpoint protection tools employ, since sandboxes commonly answer every DNS lookup. However, the kill switch only trips on hosts that can actually reach the domain. Many ICS networks are closed off from the public internet, so the kill switch will not trip if the malware is introduced inside a closed network. The irony is that organizations that followed best practice and isolated their ICS/OT networks may remain at risk.
    • Some organizations inadvertently fueled the spread of the worm in their networks by blacklisting the “kill switch” domain on their proxies or DNS servers, which made the check fail exactly as it does on an isolated network.

 

  • Saturday, 13 May 2017:
    • While the initial outbreak decelerated, reports of “WannaCry Version 2.0” began to surface on Twitter and in news reports. Some newly analyzed samples did not include the “kill switch”. Apparently, the samples without the kill switch also lacked working worm functionality. Thus, it is not clear whether a new, rapidly propagating variant without the kill switch is active now.
    • Regardless of whether there is a new version in the wild, we expect copycat variants soon. Creating a variant is trivial: the exploit code is publicly available and the kill-switch check is a single step that can be removed from the binary. The Conficker worm, which went through multiple transformation and infection cycles, serves as a good reminder.

 

What Makes WannaCry Unique?

The speed at which WannaCry spread sets this attack apart from previous ransomware campaigns. As discussed, the malware leveraged multiple techniques to infect systems, including:

 

  • Well-crafted phishing emails (reported, though not confirmed as the main vector)
  • A self-propagation technique enabling the malware to spread throughout both internal networks and the public internet with no user interaction
  • Watering holes, according to some reports we have not been able to confirm

 

This self-propagation used EternalBlue, a leaked exploit for a vulnerability in the SMBv1 implementation of Microsoft Windows (CVE-2017-0144, fixed by MS17-010). Any unpatched host that accepts an SMB connection on TCP 445 from an infected machine can be compromised without anyone clicking anything. We have numerous reports of WannaCry infections originating directly from the internet: a quick search of the Shodan search engine shows that many organizations had SMB ports exposed to the internet, so opening a phishing email was not required for the infection to spread.

 

EternalBlue was published by the Shadow Brokers, who have been leaking tools attributed to the U.S. National Security Agency since August 2016; the April 2017 dump that contained EternalBlue came a month after Microsoft had already patched the vulnerability in MS17-010. This is very important to ICS asset owners because that dump contained multiple exploits for Microsoft products common in ICS environments, not only EternalBlue. ICS security teams need to pay attention to developments. Given the difficulty many asset owners have with quickly patching Windows and the other systems underpinning their ICS environments, it is important to remain vigilant and up to date with the latest threat intelligence so that patches or other countermeasures can be implemented as necessary.

 

As Claroty and others have been warning, nation-state level tools and capabilities are now widely available, enabling less skilled attackers to execute campaigns that can have a significant impact. 

Without being hyperbolic, WannaCry should serve as an important wake-up call to ICS asset owners. The release of these tools and capabilities into the wild lowers the bar for threat actors ranging from criminals, to less sophisticated nation-states, to hacktivists and terrorists. This reality will likely lead to other attacks that unintentionally impact industrial systems, and it also provides adversaries who want to target ICS systems with improved tools and methods to do so.

 

How Does WannaCry Work?

There are many excellent blogs explaining how the attack worked, why it propagated so rapidly, and what organizations should do to protect themselves. We suggest the following:

Customer Guidance for WannaCrypt attacks (Microsoft)

WannaCrypt ransomware worm targets out-of-date systems (Microsoft)

Player 3 Has Entered the Game: Say Hello to 'WannaCry' (Talos/CISCO)

How to Accidentally Stop a Global Cyber Attacks (MalwareTech)

 

Impact on Industrial Systems

The confluence of inherent weaknesses in ICS networks and the distinctive propagation features in WannaCry made industrial environments particularly susceptible to WannaCry and future variants of the malware.

Key weaknesses include:

  • Industrial networks are often not well segmented between IT and OT, so an infection in the former can easily spread to the latter
  • SMB is present within ICS environments, which rely on Windows machines supporting HMIs, engineering workstations, historians, DCS servers and more
  • Many Windows machines inside ICS environments are not fully patched and are often outdated or unsupported. This happens for a variety of reasons, including:
    • Asset owners/operators must apply vendor-certified patches or risk invalidating warranties and support agreements
    • IT/security teams must wait for a maintenance window to install patches, when downtime of the process is allowed
    • Some systems come as OS/software packages from ICS vendors, and asset owners/operators sometimes do not have the privileges required to upgrade the operating system
    • ICS vendors provide upgrade instructions for moving from an unsupported OS to a supported one, but the procedures are complex and time consuming, typically requiring the coordinated update of several components
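The two network-level weaknesses above (flat IT/OT boundaries and SMB everywhere) combine with the internet exposure noted earlier, and the practical question for an asset owner is which hosts still accept an SMBv1 negotiation from the wrong side of the boundary. The following is an added example, not code from the Claroty post: it sends a raw SMB1 NEGOTIATE offering only the NT LM 0.12 dialect and classifies the reply. The target list is a constructed placeholder; the PID bytes are arbitrary.

```powershell
# Added example, not code from the Claroty post: find hosts that still answer an
# SMBv1 NEGOTIATE, i.e. the hosts a WannaCry-style worm could reach over TCP 445.
# Run it from the IT side of the IT/OT boundary (and from an external vantage point
# for internet-facing ranges). $Targets below is a constructed placeholder list.

function New-Smb1NegotiateRequest {
    # 32-byte SMB1 header (MS-CIFS 2.2.3.1) for SMB_COM_NEGOTIATE (0x72)
    $header = [byte[]](
        0xFF, 0x53, 0x4D, 0x42,          # protocol id "\xFFSMB"
        0x72,                            # SMB_COM_NEGOTIATE
        0x00, 0x00, 0x00, 0x00,          # Status
        0x18,                            # Flags: canonical paths, case-insensitive
        0x01, 0x48,                      # Flags2 (LE 0x4801): long names, ext. security, NT status
        0x00, 0x00,                      # PIDHigh
        0, 0, 0, 0, 0, 0, 0, 0,          # SecurityFeatures
        0x00, 0x00,                      # Reserved
        0x00, 0x00,                      # TID
        0x2F, 0x4B,                      # PIDLow (arbitrary)
        0x00, 0x00,                      # UID
        0x00, 0x00                       # MID
    )
    # WordCount=0, ByteCount, then one dialect entry: 0x02 + "NT LM 0.12\0".
    # Offering only the SMB1 dialect forces the server to accept SMB1 or refuse outright.
    $dialect = [byte[]](0x02) + [System.Text.Encoding]::ASCII.GetBytes('NT LM 0.12') + [byte[]](0x00)
    $smb = [byte[]]($header + [byte[]](0x00) + [System.BitConverter]::GetBytes([uint16]$dialect.Length) + $dialect)
    # NetBIOS session service header: message type 0x00 + 3-byte big-endian length
    $nb = [byte[]](0x00, 0x00, (($smb.Length -shr 8) -band 0xFF), ($smb.Length -band 0xFF))
    return [byte[]]($nb + $smb)
}

function Get-Smb1NegotiateVerdict {
    param([byte[]]$Response)   # raw bytes read from the socket, NetBIOS header included
    if ($Response.Length -lt 4 + 35) { return 'no SMB reply (SMBv1 disabled, or not an SMB service)' }
    [byte[]]$smb = $Response[4..($Response.Length - 1)]
    if ([System.Text.Encoding]::ASCII.GetString([byte[]]($smb[1..3])) -ne 'SMB') { return 'not SMB' }
    if ($smb[0] -eq 0xFE) { return 'SMB2+ only (SMB1 dialect refused)' }
    if ($smb[0] -eq 0xFF -and $smb[4] -eq 0x72) {
        # WordCount sits at offset 32; DialectIndex (uint16 LE) is the first word after it
        $idx = [System.BitConverter]::ToUInt16($smb, 33)
        if ($idx -eq 0)      { return 'SMBv1 ENABLED (NT LM 0.12 accepted)' }
        if ($idx -eq 0xFFFF) { return 'SMBv1 listener present, dialect rejected' }
    }
    return 'unexpected SMB reply'
}

function Test-Smb1Listener {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 445, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    $verdict = 'closed/filtered'
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $client.EndConnect($ar)
            $stream = $client.GetStream()
            $stream.ReadTimeout = $TimeoutMs
            $req = New-Smb1NegotiateRequest
            $stream.Write($req, 0, $req.Length)
            $buf = New-Object byte[] 1024
            $n = 0
            try { $n = $stream.Read($buf, 0, $buf.Length) } catch { $n = 0 }   # RST or timeout = no reply
            [byte[]]$resp = if ($n -gt 0) { $buf[0..($n - 1)] } else { @() }
            $verdict = Get-Smb1NegotiateVerdict -Response $resp
        }
    } catch { $verdict = "error: $($_.Exception.Message)" }
    finally { $client.Close() }
    [pscustomobject]@{ Host = $ComputerName; Port = $Port; Result = $verdict }
}

# Constructed placeholder: replace with your OT subnets or asset inventory
$Targets = @('10.10.1.20', '10.10.1.21', 'hmi-line3')
$Targets | ForEach-Object { Test-Smb1Listener -ComputerName $_ } | Format-Table -AutoSize
```

A host that reports "SMBv1 ENABLED" from the IT side is reachable by exactly the path WannaCry used; a host that reports "closed/filtered" from the IT side but "SMBv1 ENABLED" from inside the cell is protected only by the boundary, which is where step 2 of the recommendations below matters. Probing is harmless to well-behaved SMB stacks, but schedule it like any other active scan of a production cell.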

 

Into the Future – The Changing Threat Landscape

WannaCry clearly demonstrates an uptick in the level of cyber risk faced by industrial asset owners and operators. It demonstrates a perfectly reasonable scenario in which an ICS network is heavily damaged, not by a targeted attack, but as unintended collateral damage.  Prominent ICS attacks such as Stuxnet and BlackEnergy directly targeted specific organizations, leading many ICS stakeholders to ask ‘who would want to attack our network?’ The answer often played a prominent role in the risk calculus–bringing into question the likelihood of an attack and prompting too many organizations to downplay the importance of ICS network security.

 

WannaCry turns the tables and compels us to embrace the notion that material harm can be inflicted on any ICS network, even without specific targeting or apparent motive, by “overspray” from an attack targeted elsewhere.  Further, the availability of “weapons grade” malware on the open market is changing the pool of threat actors that can launch targeted attacks and impact industrial systems.  Threat actors can easily manipulate readily available exploit code and add a payload designed to damage ICS systems.  Both the “who” and “how” part of the risk equation have changed.

 

Key Steps Industrial Systems Asset Owners/Operators Should Take As Soon As Possible (today)

  1. Apply the Windows SMB patch (Microsoft Security Bulletin MS17-010, rated Critical, released March 2017) as soon as possible. Note that Microsoft also released an emergency out-of-band patch for versions that are no longer supported, including Windows XP, Windows 8 and Windows Server 2003; Vista and Server 2008 are covered by the March bulletin itself
  2. Block SMB ports (TCP 139 and 445) between IT and OT networks, and at the internet perimeter
  3. On systems that do not require SMB, disable it altogether (Microsoft instructions can be found here) or block it using the endpoint firewall
  4. On systems that may require SMB for less important services, consider disabling SMBv1, the only dialect EternalBlue exploits, until patches can be applied; check first which devices in the cell still depend on SMBv1, since older HMIs and historians sometimes do
  5. Quickly review disaster recovery plans and determine which Windows-based ICS systems have current backups. Image or back up those systems as soon as possible to aid rapid recovery if they become infected
  6. Additionally, ICS security teams need to remain vigilant for new variants of WannaCry which may use new replication techniques.
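Steps 1 through 4 are, on a single Windows host, a patch check, an SMBv1 state check, an SMBv1 disable and a host-firewall rule. The script below is an added example, not code or guidance from the Claroty post or from Microsoft: it performs those checks on the host it runs on and, only when the $Remediate flag is set, applies the changes. The KB list is a partial subset of MS17-010 and is an assumption to verify against the bulletin for the exact OS build; $ManagementHosts is a constructed placeholder.

```powershell
# Added example, not code from the Claroty post: audit one Windows ICS host against
# steps 1-4 above and, when $Remediate is $true, disable SMBv1 and block inbound SMB.
# Run in an elevated PowerShell. The KB list is a partial subset of MS17-010 (assumption:
# verify the KB for your exact OS build against the bulletin); later cumulative updates
# supersede these KBs, so "missing" on a current Windows 10 host is not proof of exposure.

$Remediate = $false                       # flip to $true only inside an approved maintenance window
$ManagementHosts = @('10.10.0.5')         # constructed placeholder: jump/backup hosts still allowed SMB

function Get-Ms17010Status {
    # Win7/2008R2: KB4012212 (security-only) / KB4012215 (rollup); Win8.1/2012R2: KB4012213/KB4012216;
    # 2012: KB4012214/KB4012217; Win10 1607: KB4013429; XP/2003/Win8 out-of-band: KB4012598
    $kbs = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217','KB4013429','KB4012598'
    $found = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $kbs -contains $_.HotFixID }
    $detail = if ($found) { $found.HotFixID -join ',' } else { 'none of the listed KBs present' }
    [pscustomobject]@{ Check = 'MS17-010 installed'; Ok = [bool]$found; Detail = $detail }
}

function Get-Smb1State {
    # Server side. Get-/Set-SmbServerConfiguration exist on Win8/2012+; on Win7/2008R2 read the
    # LanmanServer\Parameters\SMB1 value documented in KB2696547 (absent value = SMBv1 enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $v = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -ErrorAction SilentlyContinue
        $enabled = ($null -eq $v) -or ($v.SMB1 -ne 0)
    }
    [pscustomobject]@{ Check = 'SMBv1 server disabled'; Ok = -not $enabled; Detail = "EnableSMB1Protocol=$enabled" }
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Win8/2012+: takes effect immediately for the server side
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Win7/2008R2 per KB2696547: registry value for the server, service deps for the client; reboot required
        Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWORD -Value 0 -Force
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }
}

function Set-SmbInboundBlock {
    param([string[]]$AllowFrom)
    # Windows Firewall evaluates Block rules before Allow rules, so a blanket Block on 445 would
    # also defeat a management-host exception. Instead: disable the built-in SMB Allow rules,
    # make the default inbound action Block, and add one narrow Allow for management hosts.
    # (NetSecurity cmdlets need Win8/2012+; on Win7 use netsh advfirewall with the same logic.)
    Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled False -ErrorAction SilentlyContinue
    Set-NetFirewallProfile -All -DefaultInboundAction Block
    if ($AllowFrom.Count -gt 0) {
        New-NetFirewallRule -DisplayName 'SMB from management hosts only' -Direction Inbound -Protocol TCP `
            -LocalPort 139,445 -RemoteAddress $AllowFrom -Action Allow | Out-Null
    } else {
        New-NetFirewallRule -DisplayName 'Block SMB inbound' -Direction Inbound -Protocol TCP `
            -LocalPort 139,445 -Action Block | Out-Null
    }
}

$results = @(Get-Ms17010Status; Get-Smb1State)
$results | Format-Table -AutoSize
if ($Remediate) {
    if (-not (Get-Smb1State).Ok) { Disable-Smb1 }
    Set-SmbInboundBlock -AllowFrom $ManagementHosts
    Get-Smb1State | Format-Table -AutoSize   # re-check; on Win7/2008R2 the change lands after a reboot
}
```

The audit half is safe to run on a live HMI or historian; the remediation half changes the host firewall and can break vendor software that still talks SMBv1 to a file share or a DCS server, which is why the flag defaults to off and the management-host allowance exists. Pair the output with the network probe results so that hosts that cannot be patched or changed are at least confirmed unreachable on 445 from the IT side.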

 

Subscribe to the Blog