When WORMs Attack Critical Infrastructure

On the 12th May 2017 a malicious/phishing email was received and opened by an unwitting user allowing access for a new breed of malicious worm to infect the users machine. The worm in question, WannaCry (WannaCrypt0r) Crypto Ransomware, was a wrapper around a tool originating from the NSA’s cyber arsenal released into the public domain by a hacking teaming going under the name of ShadowBrokers. The tool which WannaCry wrapped into its own functionality was Eternalblue, this had been designed to compromise a set of previously undisclosed Microsoft SMB vulnerabilities, WannaCry also made use of DOUBLEPULSAR for the ability to deploy extra applications to the compromised endpoint. Once run the worm made use EternalBlue’s ability to traverse the network and hunt down other Windows PCs – once connected to a suitable host it would start its main task of cryptographically encrypting the user’s hard disk. Once complete it would display its ransom notification asking for funds to be transferred in order to release the user’s data.

By Monday the 15th the worm is believed to have propagated to over 230,000 users in over 150 countries with its spread stunted by the accidental discovery of a ‘kill switch’ inside the worm – this kill switch relied on the host being able to reach a check URL, if the URL was found then no more search and deploy would continue from that host. Since this had been discovered variants have been started to emerge with the ‘kill switch’ functionality disabled. It is worth noting that the ability to spread so fast relied on the endpoint being ‘internet facing’ and Microsoft patching not being up to date. Within the UK alone this affected 1 in 5 NHS trusts with 70,000 devices including x-ray machinery running Windows XP becoming useable, causing the NHS to declare an emergency. Interestingly the NHS are trialling a replacement operating system which deployed would have drastically reduced their exposure to this attack.

Let’s shift this into the realms of a Nuclear processing, Electrical generation, chemical processing or any process driven critical process whose control systems are generally by design segregated and hived off from the outside world. If this worm had been introduced into this environment then any Microsoft system, be it a HMI workstation, engineering workstation or SCADA server would have been rendered useless once the encryption had taken place. Given these systems wouldn’t be able to contact the external ‘check URL acting as the kill switch’ would mean the replication would continue. How long these systems could run safely before being shutdown would depend on the type of process running and the ability to effectively deal with and mitigate such an outbreak.

Let’s assume the logic running WannaCry is searching for a machine with a specific function or role and that function isn’t matched on the compromised endpoint chances are it will start the encryption of the machines data followed by requesting a ransom, if on the other hand the logic is matched the encryption component may not be deployed – instead the abilities of the secondary wrapped tool, DOUBLEPULSAR is initiated which halts the spread of rendering the disks inoperable and instead look for a path to the its Command & Control Server in order to deploy extra functionality to allow the remote control of the process system. For these systems, this means anything from introducing sporadic inconsistencies through to placing the system into a unhealthy condition and potentially endangering life by rendering safety systems ineffective through to providing control room staff incorrect information. This could be anything from your local ATM/card payment systems, managed motorway signs, water processing plant or even through to the airplane I’m currently sat on under the control of air traffic control. All it takes is a single point of entry to go undetected.

The mitigation for this type of attack ranges from responsible disclosure to the vendor as is the case with EternalBlue from the NSA inadvertently entering the public domain, through to having a full understanding of the endpoints that exist within your CNI estate. For the latter, this information should consist of verified baselines and backups, security and backup continuity plans and policies which are regularly tested, change and patch management finally not forgetting an effect security monitoring solution to monitor and alert on anomalies detected.

For now, WannaCry is limited to utilising code to attack Windows only endpoints – that’s not to say that version 3 or 4 won’t extend its functionality to make use of the other leaked NSA code modules to create more specialise targeted attacks.

Company Overview – Our History, Values & Experience

 Founded originally as RKNeal Engineering we have amassed over 20+ years of experience with our engineers having worked with nearly every major DCS, PLC, and SCADA system on. Today our legacy lives on in the 1,000+ automation and control system projects we have completed.

We have worked closely with our clients on their most pressing network and data needs. We have helped them evolve their networks to manage the increasing amount of connectivity necessary to drive increased efficiency and reliability. We understand how these networks work, their vulnerabilities, and the unique operational characteristics that separate controls networks (operating technology or OT) from IT networks.

Almost 10 years ago, we identified the risks inherent in these older control systems as more of the networks were exposed to external sources of data – whether through the internet or the simple connection of USB sticks. What really concerned us was that cyber security within the ICS environment was fragmenting across OEM vendors and various cyber threat management software tools. Complexity was getting worse, and risks were getting higher. Managing this complexity in an operating environment requires unique expertise.

As a result, we set out to build a unified monitoring and remediation console that lets you view and manage your cyber security workflow, threats, and compliance from a single, vendor-neutral security suite – what we call the Verve Security Centre.

Our focus with Verve has been to improve and simplify reliability, security and compliance within the operational enterprise, and we designed Verve to enable the best IT software tools to work in the ICS environment. Our proprietary “ICS bus” embedded our years of ICS expertise into an integration platform that would allow these multiple systems to operate in concert with one another – and at no risk to the sometimes-fragile legacy control systems.

We combined this integration with customized data tools to seamlessly integrate today’s and tomorrow’s state-of-the-art capabilities, ensuring that customers are always protected.

Verve Industrial Protection 240 Blackfriars Road London



Email LinkedIn


http://www.verveindustrial.com EMEA@verveindustrial.com https://www.linkedin.com/company/rkneal

+44 (0) 7399 538967

Copyright Verve Industrial Protection 2017