Recent reporting on Lemon Duck, a new malware campaign targeting global manufacturers, is among the latest reminders of an enduring facet of the industrial cyber threat landscape: attacks on Windows machines with unpatched vulnerabilities in the Server Message Block (SMB) protocol stack. SMB security flaws continue to emerge, as evidenced by Microsoft accidentally releasing an advisory for a new "wormable" vulnerability in SMBv3 (CVE-2020-0796) on March 10.
Indeed, systems using SMB protocols have long been appealing targets for threat actors due to the prevalence of SMB vulnerabilities that, if exploited, can enable malware to self-spread laterally through connected systems. This is exactly what we've seen with Lemon Duck, as well as myriad previous attacks that have impacted the operational technology (OT) networks on which industrial enterprises and critical infrastructure rely.
One of the earliest examples of such an attack was in 2008 when the now-infamous Conficker Worm spread globally, infecting millions of Windows machines by exploiting SMB vulnerability MS08-067. It's been more than a decade since the initial infection, but Conficker continues to be detected in the wild today.
Another well-known example impacting industrial targets is the LockerGoga attack, which leveraged stolen credentials or brute-forcing to gain access to Windows-based networks and subsequently spread via SMB protocols. LockerGoga severely disrupted numerous industrial firms in early 2019, forcing several plants to shift to manual operations.
Another notable example is NotPetya, the ransomware attack that wreaked widespread havoc in 2017. Although NotPetya did not specifically target industrial environments, its self-spreading capabilities, which, like those of Conficker and Lemon Duck, were enabled by an SMB vulnerability (in NotPetya's case the EternalBlue exploit for the SMBv1 flaw patched in MS17-010), caused the ransomware to unintentionally infect and damage OT networks around the world. NotPetya has since been widely recognized as the costliest and most destructive cyber attack in history.
These three examples are only a few of the incidents in which SMB protocols proved to be a major infection vector.
Moreover, it's crucial to recognize the significant threat such attacks pose to OT networks, which typically leverage SMB protocols to support the core functionalities of OT assets such as human-machine interfaces (HMIs), engineering stations, and historians, among others. Attacks that interfere with the operations of these assets can have a tremendous impact on process integrity, hindering the ability to control and monitor critical processes.
Our team at Claroty is intimately familiar with this threat and committed to helping our customers understand and mitigate it. To that end, we've spent years developing the following detection engines that can identify and help neutralize such attacks before they impact key assets:
Signature-based detection identifies known threats using both publicly available signatures and Claroty's own signatures for malicious network traffic. This capability is enhanced with Claroty threat intelligence feeds, enabling an up-to-date database of threats that can be detected automatically.
Custom rule-based detection allows users to define and set alerts for potentially malicious network traffic patterns, supporting rapid investigations and the ability to prohibit specific types of traffic, such as SMB connections.
Anomaly-based detection leverages Claroty's deep packet inspection (DPI) capabilities to automatically segment your OT network into virtual zones where communication patterns between zones are clearly defined. Pattern deviations indicating potential threats result in a real-time, fully contextualized alert.
Security behavior detection identifies known techniques and behavior patterns that have been used by attackers and alerts the network security team for further investigation.
Operational behavior identifies OT operations occurring in your network across proprietary and open-source protocols, including configuration downloads and uploads, mode changes, key state changes, and firmware updates.
Together, these detection engines can quickly identify threats present within your OT network. Once a threat has been detected, Claroty assesses the validity and urgency of the alert to facilitate rapid action before key network components are impacted.
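To make the rule-based and anomaly-based ideas above concrete, here is an added example (not Claroty code, and not a description of how Claroty's engines are implemented) of the zone-baseline logic they describe: flows are mapped to named zones, SMB traffic between zone pairs that are not in the learned baseline is flagged, a custom "prohibit SMB between these zones" rule fires unconditionally, and one host opening SMB sessions to many peers (the worm-like fan-out seen with Conficker and NotPetya) raises its own alert. The zone addressing, baseline, flow-record format and sample flows are all constructed for illustration.

```python
"""Zone-based SMB baseline check (added example; hypothetical zones, baseline
and flow format, not Claroty's detection engine)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SMB_PORTS = {445, 139}

# Constructed zones: hypothetical addressing for an OT network.
ZONES = {
    "engineering": ip_network("10.10.1.0/24"),
    "hmi":         ip_network("10.10.2.0/24"),
    "historian":   ip_network("10.10.3.0/24"),
    "plc":         ip_network("10.10.4.0/24"),
}

# Constructed baseline: the only zone pairs expected to exchange SMB.
SMB_BASELINE = {
    ("engineering", "historian"),
    ("hmi", "historian"),
}

def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it matches none."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def parse_flow(line):
    """Parse a constructed 'ts src dst dport proto' record into a dict."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}

def detect(flows, rules=None, fanout_threshold=3):
    """Return alerts for SMB flows that break the zone baseline or a custom rule.

    rules: optional set of (src_zone, dst_zone) pairs to flag unconditionally,
    like a custom 'prohibit SMB between these zones' rule.
    A single source reaching >= fanout_threshold distinct SMB peers is also
    flagged as worm-like lateral movement.
    """
    rules = rules or set()
    alerts = []
    fanout = defaultdict(set)
    for f in flows:
        if f["proto"] != "tcp" or f["dport"] not in SMB_PORTS:
            continue  # only SMB is of interest here
        pair = (zone_of(f["src"]), zone_of(f["dst"]))
        fanout[f["src"]].add(f["dst"])
        if pair in rules:
            alerts.append(("rule", f["ts"], f["src"], f["dst"], pair))
        elif pair not in SMB_BASELINE:
            alerts.append(("anomaly", f["ts"], f["src"], f["dst"], pair))
    for src, dsts in fanout.items():
        if len(dsts) >= fanout_threshold:
            alerts.append(("fanout", "-", src, f"{len(dsts)} hosts", (zone_of(src), "*")))
    return alerts

# Constructed sample flows: two baseline flows, an engineering station
# sweeping the PLC zone over SMB, an HMI reaching an engineering station,
# and one Modbus flow (port 502) that the SMB check must ignore.
SAMPLE_FLOWS = """\
1 10.10.1.5 10.10.3.10 445 tcp
2 10.10.2.7 10.10.3.10 445 tcp
3 10.10.1.5 10.10.4.20 445 tcp
4 10.10.1.5 10.10.4.21 445 tcp
5 10.10.1.5 10.10.4.22 445 tcp
6 10.10.2.7 10.10.1.5 445 tcp
7 10.10.1.5 10.10.4.20 502 tcp
""".splitlines()

def run_sample():
    """Run the detector over the constructed flows with one custom rule."""
    flows = [parse_flow(line) for line in SAMPLE_FLOWS]
    return detect(flows, rules={("hmi", "engineering")})

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The sample yields three "anomaly" alerts for the engineering-to-PLC sweep, one "rule" alert for the HMI-to-engineering session, and one "fanout" alert for 10.10.1.5, while the port-502 flow is ignored. A real deployment would learn SMB_BASELINE from observed traffic rather than hard-code it, which is the part of the anomaly engine this example leaves out.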
Deep visibility, continuous monitoring, and rapid detection are essential for defending your OT network, but preventative measures are also key. Many OT cyber threats can be prevented by consistent, well-informed vulnerability management practices. Claroty supports this best practice by keeping track of vulnerabilities within OT networks, such as outdated protocols, weak passwords, and common vulnerabilities and exposures (CVEs) relevant to the specific software versions on which your systems are running.
CWE-257: Storing Passwords in a Recoverable Format
RND encrypts stored passwords with a hardcoded, weak secret key and returns the passwords in plaintext. If the server were compromised, an attacker could obtain all of the stored passwords and, because the key is known, decrypt them to plaintext.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 5.3
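The following is an added example, not Ruckus or Claroty code, that contrasts the pattern described in this entry (reversible password storage under a key baked into the product) with a salted one-way hash. The toy stream cipher, the placeholder key and the sample password are constructed; the point is that a database dump plus the shipped key yields every password, whereas a PBKDF2 record can only be verified, not reversed.

```python
"""Recoverable vs. one-way password storage (added example, constructed
cipher and key; not the vendor's implementation)."""
import hashlib
import hmac
import os

HARDCODED_KEY = b"vendor-default-key"  # constructed stand-in for a baked-in secret

def _keystream(key, length):
    """Toy keystream: SHA-256 in counter mode. Illustration only, not a real design."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def recoverable_store(password):
    """VULNERABLE (CWE-257/CWE-321): reversible encryption under a key every install shares."""
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(HARDCODED_KEY, len(data))))

def recoverable_recover(blob):
    """Anyone holding the firmware or source has the key, so a DB dump is plaintext."""
    return bytes(a ^ b for a, b in zip(blob, _keystream(HARDCODED_KEY, len(blob)))).decode()

def hashed_store(password, iterations=600_000):
    """HARDENED: per-user random salt + PBKDF2-HMAC-SHA256; nothing to decrypt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def hashed_verify(record, candidate):
    """Recompute the hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])

def demo():
    """Show that the weak scheme is reversible and the hashed scheme is verify-only."""
    pw = "Sup3r$ecret"  # constructed sample password
    leaked_blob = recoverable_store(pw)
    record = hashed_store(pw, iterations=10_000)  # low count only to keep the demo fast
    return {
        "recovered_from_dump": recoverable_recover(leaked_blob) == pw,
        "hash_verifies": hashed_verify(record, pw),
        "hash_rejects": hashed_verify(record, "wrong"),
    }

if __name__ == "__main__":
    print(demo())
```

The "weak" key in the entry makes the situation worse than the toy shows, but even a strong key gives no protection once it ships with the product. The hashed form removes the decryption capability entirely, which is what the RND design cannot offer.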
CWE-321: Use of Hard-coded Cryptographic Key
A built-in user called sshuser, with root privileges, exists on the RND platform. Both the public and the private SSH keys for this account exist in the sshuser home directory. Because the key pair is part of the platform itself rather than generated per installation, anyone who obtains the private key can access an RND server as sshuser, and therefore as root.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 10.0
CWE-259: Use of Hard-coded Password
RND includes a jailed environment to allow users to configure devices without complete shell access to the underlying operating system. The jailed environment includes a built-in jailbreak for technicians to elevate privileges. The jailbreak requires a weak password that is hardcoded into the environment. Anyone with this password can access an RND server with root permissions.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 8.2
CWE-321: Use of Hard-coded Cryptographic Key
RND uses a secret key on the backend web server to ensure that session JWTs are valid. This secret key is hardcoded into the web server. Anyone with knowledge of the secret key could create a valid JWT, thus bypassing the typical authentication to access the server with administrator privileges.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 9.8
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
An authenticated vSZ user supplies an IP address as an argument that is passed into an OS command, but the value is not validated or sanitized. A user could supply shell metacharacters and additional commands in place of an IP address to achieve remote code execution (RCE).
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 9.0
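The following added example (not Ruckus or Claroty code, and not the vSZ command in question) shows the pattern in this entry and its fix side by side: a helper that splices a user-supplied "IP address" into a shell command line, next to one that parses the value with a strict allow-list and invokes the command as an argument vector with no shell involved. `echo` stands in for the real OS command so the injection runs harmlessly, and the hostile input is constructed.

```python
"""Command injection via an unvalidated IP argument (CWE-77), vulnerable and
hardened (added example; 'echo' stands in for the real OS command)."""
import ipaddress
import subprocess

def vulnerable_run(target):
    """VULNERABLE: user input is interpolated into a shell command line.

    '127.0.0.1; echo INJECTED' makes /bin/sh run a second command.
    """
    return subprocess.run(f"echo pinging {target}", shell=True,
                          capture_output=True, text=True).stdout

def validate_ip(value):
    """Allow-list parse: return the canonical IPv4/IPv6 string or raise ValueError."""
    return str(ipaddress.ip_address(value))

def hardened_run(target):
    """HARDENED: validate first, then pass an argv list so no shell parses the value."""
    ip = validate_ip(target)  # raises ValueError for anything that is not an IP
    return subprocess.run(["echo", "pinging", ip],
                          capture_output=True, text=True).stdout

def demo():
    """Run both helpers against a constructed hostile input and a benign one."""
    hostile = "127.0.0.1; echo INJECTED"
    out = {"vulnerable_output": vulnerable_run(hostile)}
    try:
        hardened_run(hostile)
        out["hardened_accepted_hostile"] = True
    except ValueError:
        out["hardened_accepted_hostile"] = False
    out["hardened_benign_output"] = hardened_run("127.0.0.1")
    return out

if __name__ == "__main__":
    print(demo())
```

Escaping the value with something like shlex.quote would also stop this particular payload, but the allow-list parse is the stronger fix: an IP address field has a tiny valid grammar, so anything that fails `ipaddress.ip_address` is rejected before any command is built.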