Cybersecurity Week in Review: 2/8/21
This week we highlight a major news story related to the hacking of a Florida water treatment facility, the release of 3.2 billion user credentials on a criminal forum and a popular Android app that the app developers themselves appear to have recently turned into malware.
Hacker Injects Caustic Lye to Poison Florida Water Supply
Last week the world learned that a cybercriminal gained remote access to a Florida water treatment facility located near Tampa in Oldsmar, Florida and raised the level of sodium hydroxide (also known as lye) to 100 times normal. Fortunately, an operator at the facility observed the cursor moving on his computer screen and executing commands, which were later discovered to be the malicious chemical changes. Upon learning of the chemical alterations, facility operators immediately restored proper chemical levels.
In a press briefing, local officials and law enforcement from Oldsmar and Pinellas County, Florida, indicated that “The hacker changed the sodium hydroxide from about 100 parts per million to 11,100 parts per million. This is obviously a significant and potentially dangerous increase.” However, the officials further stated that the water supply was ultimately not affected, and delivered no tainted water to residents.
In the last few days, federal law enforcement officials have also become involved in the investigation. The FBI reports that the threat actors likely gained access to the system using a desktop sharing software known as TeamViewer and by exploiting poor password security and weaknesses in an outdated Windows 7 operating system. In another interesting twist, researchers at the site Cybernews reported that credentials for the Oldsmar, Florida water treatment facility were included in the February 2 release of the largest compilation of usernames and passwords ever, known as Compilation of Many Breaches or “COMB” (discussed in our next story below).
While the incident resembles a recent nation-state attack perpetrated by Iran against an Israeli water facility, security experts say that the Oldsmar attack looks more like the work of an amateur, since it appeared to lack complexity and planning.
Because of this crime’s potential impact and seriousness, there has been extensive coverage in the news. You can find additional details in these articles:
- Breached water plant employees used the same TeamViewer password and no firewall
- Hacker modified drinking water chemical levels in a US city
- Hackers tried poisoning town after breaching its water facility
- The Oldsmar water treatment facility hack was entirely avoidable – and it can happen again
- Florida Water Utility Hack Highlights Risks to Critical Infrastructure
- Following Oldsmar attack, FBI warns about using TeamViewer and Windows 7
Cybercriminals Leak Over 3.2 BILLION Credentials—Largest Ever
Cybersecurity professionals are calling it “the mother of all data leaks”—the February 2 release of 3.27 billion credentials, including unique email and password combinations, merged from more than 250 previous data breaches.
Named the Compilation of Many Breaches (COMB) by a hacker known as Singularity0x01, the .ZIP file is offered to would-be downloaders for a mere $2 (in the form of 8 RaidForums credits).
Researchers have found that the COMB database contains scripts named ‘query.sh’ for querying emails and ‘sorter.sh’ for sorting the data in the query. However, users are also claiming that the downloaded file contains corruptions and missing or low-quality data, which, interestingly, appears to be having a negative effect on Singularity0x01’s reputation on criminal forums.
Although the leaked data is older and appears to span five years, it isn’t uncommon for users to fail to update passwords or to recycle old passwords on multiple accounts, making it highly likely that cybercriminals will be able to leverage these credentials in future brute-force or credential-stuffing attacks. As proof of the unfortunate and dangerous longevity of unchanged or recycled usernames and passwords, security sleuths discovered that the Oldsmar water treatment facility’s credentials were included in the COMB release and were potentially used to perpetrate the attack. Individuals are being urged to use a password management tool and multi-factor authentication, and to update passwords frequently. Additional details on the COMB data leak are available here and here.
Minor Update Turns Popular Android App Malicious
Researchers announced last week that a popular Android app called ‘Lavabird Ltd’s Barcode Scanner’ installed over 10 million times and found on the Google Play store for years had transformed into malware, with the ability to hijack any Android device on which it was installed.
The malware was discovered when Android users started reporting that something was opening their default browsers and displaying ads, as well as recommending upgrades to apps already installed on their Android devices. In many cases, the users reported that they had not installed any new apps recently (new apps are often the source of sudden malicious programming code). This led security researchers to discover that a recent minor update to the Lavabird barcode scanner appeared to be the source of the malware. While aggressive advertising practices are not uncommon in ‘free apps’, researchers have said that the new malicious code found in the Lavabird update was heavily concealed to avoid detection.
Researchers also confirmed that the digital certificate used in the recent malicious Lavabird update was the same one used in previous clean versions.
This isn’t the first time malicious programming has been discovered in Android apps, since transforming clean software development kits (SDKs) into packages that deliver malware is a trick often used by cybercriminals to further monetize the app and bypass protections on the Google Play store.
Google has since removed the Lavabird Ltd’s Barcode Scanner from its store. More on this story is available here and here.
Final Words
The attack on the Florida water treatment plant garnered big news coverage. Yet, this attack comes as no surprise to a large majority of cybersecurity professionals since they have been warning about the potential for attacks on critical public infrastructure for years. As investigative reporter and cybersecurity journalist Brian Krebs pointed out, “Spend a few minutes searching Twitter, Reddit or any number of other social media sites and you’ll find countless examples of researchers posting proof of being able to access so-called “human-machine interfaces” — basically web pages designed to interact remotely with various complex systems, such as those that monitor and/or control things like power, water, sewage and manufacturing plants.”
As the days go on, the story with the Oldsmar water treatment plant gets worse, with news reports now suggesting noticeably substandard security controls existed, including the fact that all computers at the facility were running Windows 7 (no longer even supported by Microsoft), that every computer shared the same password for remote access, and that all facility computers were connected to the internet without any sort of firewall protection.
Given the low-quality security controls in place, the Oldsmar incident could mistakenly be considered ‘low hanging fruit’ by those in the cybersecurity world. However, the unfortunate truth is that state and local governments have struggled for years to secure our nation’s critical infrastructure appropriately. As the Krebs article pointed out, there are over 50,000 drinking water systems in the United States and virtually all of them rely on some type of remote access system to monitor and manage operations. The vast majority of these systems serve fewer than 50,000 residents and many are “unattended, underfunded, and do not have someone watching IT operations 24/7.”
Unfortunately, this means that the security situation at the Oldsmar facility is probably more the rule than the exception. But there does seem to be a small silver lining to the Oldsmar attack. The breach at this water treatment facility, combined with the impact of the ongoing SolarWinds attack, is generating much-needed discussions around the importance of investment in cybersecurity to protect our nation’s critical infrastructure.
GuidePoint Security