Microsoft has stressed the importance of safeguarding internet-exposed operational technology (OT) devices after a string of cyber attacks targeting such environments since late 2023.
"These repeated attacks against OT devices emphasize the crucial need to improve the security posture of OT devices and prevent critical systems from becoming easy targets," the Microsoft Threat Intelligence team warned.
The company noted that a cyber attack on an OT system could allow malicious actors to tamper with critical parameters used in industrial processes, either programmatically via the programmable logic controller (PLC) or using the graphical controls of the human-machine interface (HMI), resulting in malfunctions and system outages.
It further noted that OT systems generally lack proper security controls, making them attractive targets for adversaries to exploit with attacks that are "relatively easy to execute," a reality amplified by the additional risk of connecting OT equipment directly to the internet.
This not only makes the devices discoverable by attackers using internet scanning tools, but also gives them a path to initial access by abusing weak sign-in credentials or outdated software with known vulnerabilities.
Just last week, Rockwell Automation issued an advisory urging its customers to disconnect any industrial control systems (ICSs) not intended to be connected to the public-facing internet, citing "heightened geopolitical tensions and adversarial cyber activity globally."
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also published a bulletin of its own warning about pro-Russia hacktivists targeting vulnerable industrial control systems, including water and wastewater systems (WWS), in North America and Europe.
"Specifically, pro-Russia hacktivists manipulated HMIs, causing water pumps and blower equipment to exceed their normal operating parameters," the agency stated. "In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the WWS operators."
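The manipulation sequence CISA describes (set points maxed out, alarms turned off, operator passwords changed) leaves a recognisable trail in an HMI's audit log. The script below is an added example, not code from Microsoft, CISA or any HMI vendor: it flags each of those actions and escalates when three distinct ones come from a single source within a short window. The key=value log format, tag names, operating limits and sample log lines are constructed assumptions.

```python
"""Detect the HMI manipulation pattern CISA describes (set points pushed
past operating limits, alarms disabled, operator passwords changed, all
from one source in a short window) in HMI audit logs.

Added example, not code from Microsoft, CISA or any HMI vendor. The log
format, tag names, operating limits and sample lines are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed operating envelope per set-point tag (normally from process engineering).
OPERATING_LIMITS = {
    "PUMP1_SPEED_SP": (0.0, 1450.0),   # rpm
    "BLOWER2_FLOW_SP": (0.0, 850.0),   # m3/h
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample HMI audit log, one key=value record per line (assumed format).
SAMPLE_LOG = """\
2024-05-01T02:14:07Z user=operator1 src=10.0.5.12 action=setpoint tag=PUMP1_SPEED_SP old=1200 new=1250
2024-05-01T03:41:50Z user=admin src=203.0.113.77 action=setpoint tag=PUMP1_SPEED_SP old=1250 new=9999
2024-05-01T03:42:03Z user=admin src=203.0.113.77 action=setpoint tag=BLOWER2_FLOW_SP old=600 new=9999
2024-05-01T03:42:30Z user=admin src=203.0.113.77 action=alarm_disable tag=PUMP1_HIGH_SPEED
2024-05-01T03:43:11Z user=admin src=203.0.113.77 action=password_change target=operator1
2024-05-01T09:10:00Z user=operator2 src=10.0.5.13 action=setpoint tag=BLOWER2_FLOW_SP old=600 new=620
"""

def parse_line(line):
    """Parse '<iso-timestamp> k=v k=v ...' into a dict; None for blank or garbage lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        rec = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
    except ValueError:
        return None
    for tok in parts[1:]:
        key, _, val = tok.partition("=")
        rec[key] = val
    return rec

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def classify(rec):
    """Return the list of finding types a single record triggers."""
    kinds = []
    action = rec.get("action")
    if action == "setpoint":
        lo, hi = OPERATING_LIMITS.get(rec.get("tag"), (float("-inf"), float("inf")))
        try:
            new = float(rec.get("new", ""))
        except ValueError:
            new = float("nan")
        if not (lo <= new <= hi):          # a nan value also fails this test
            kinds.append("OUT_OF_RANGE_SETPOINT")
    elif action == "alarm_disable":
        kinds.append("ALARM_DISABLED")
    elif action == "password_change":
        kinds.append("PASSWORD_CHANGED")
    if "src" in rec and not is_internal(rec["src"]):
        kinds.append("EXTERNAL_SOURCE")
    return kinds

def analyze(log_text, window=timedelta(minutes=10)):
    """Return (findings, critical_sources): findings are (kind, record) pairs;
    critical_sources are sources with >= 3 distinct suspicious actions within `window`."""
    findings = []
    suspicious = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kinds = classify(rec)
        findings.extend((k, rec) for k in kinds)
        if any(k != "EXTERNAL_SOURCE" for k in kinds):
            suspicious[rec["src"]].append(rec)
    critical = []
    for src, recs in suspicious.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            burst = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            if len({r["action"] for r in burst}) >= 3:
                critical.append(src)
                break
    return findings, critical

if __name__ == "__main__":
    found, crit = analyze(SAMPLE_LOG)
    for kind, rec in found:
        print(f"{kind:22} {rec['ts'].isoformat()} user={rec.get('user')} src={rec.get('src')}")
    print("critical sources:", crit)
```

Each single finding is noisy on its own (an operator may legitimately widen a set point), so the escalation rule keys on the combination CISA observed rather than on any one action; the external-source check is there because an HMI should never be driven from a non-RFC1918 address in the first place.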
Microsoft further said the onset of the Israel-Hamas war in October 2023 led to a spike in cyber attacks against internet-exposed, poorly secured OT assets developed by Israeli companies, many of them conducted by Iran-affiliated groups such as Cyber Av3ngers, Soldiers of Solomon, and Abnaa Al-Saada.
The attacks, according to Redmond, targeted OT equipment installed across multiple sectors in Israel that was made by foreign suppliers, as well as Israeli-made equipment deployed in other countries.
These OT devices are "primarily internet-exposed OT systems with poor security posture, potentially accompanied by weak passwords and known vulnerabilities," the tech giant stated.
To counter the risks posed by such attacks, organizations are advised to ensure basic security hygiene for their OT systems, in particular by reducing the attack surface (removing direct internet exposure, replacing weak or default credentials, and patching known vulnerabilities) and adopting zero trust practices to prevent attackers from moving laterally within a compromised network.
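Reducing the attack surface starts with knowing which OT assets are internet-reachable, still running default credentials or outdated firmware, and being reached from network segments that have no business talking to them. The following is an added example, not Microsoft's or any vendor's code, of such an inventory audit covering both the exposure points raised earlier (scanner-discoverable devices, weak credentials, known-vulnerable software) and the segmentation check that zero trust implies; the asset list, port-to-protocol table, firmware baselines and per-device source allow-lists are constructed assumptions standing in for a real CMDB export and flow logs.

```python
"""Audit an OT asset inventory for the exposures discussed above: devices
reachable from the internet, default credentials, firmware below a known
fixed version, and network access from outside each device's allow-list.

Added example, not Microsoft's or any vendor's code. The inventory, port
table, firmware baselines and allow-lists are constructed assumptions.
"""
import ipaddress

# Assumed ICS and management services worth flagging when internet-reachable.
OT_PORTS = {
    102: "s7comm", 502: "modbus", 20000: "dnp3", 44818: "ethernet/ip",
    22: "ssh", 23: "telnet", 80: "http", 443: "https", 5900: "vnc",
}
# Assumed minimum acceptable firmware per model (the build carrying the fix you track).
FIRMWARE_BASELINE = {"plc-x100": (2, 4, 1), "hmi-panel-7": (5, 0, 0)}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse_version(text):
    return tuple(int(p) for p in text.split("."))

def audit_device(dev):
    """Return a list of (finding, detail) pairs for one inventory record."""
    findings = []
    if not is_internal(dev["ip"]) and dev["open_ports"]:
        services = ", ".join(f"{p}/{OT_PORTS.get(p, 'unknown')}" for p in sorted(dev["open_ports"]))
        findings.append(("INTERNET_EXPOSED", services))
    if dev.get("default_credentials"):
        findings.append(("DEFAULT_CREDENTIALS", dev["model"]))
    baseline = FIRMWARE_BASELINE.get(dev["model"])
    if baseline and parse_version(dev["firmware"]) < baseline:
        findings.append(("OUTDATED_FIRMWARE", f"{dev['firmware']} < {'.'.join(map(str, baseline))}"))
    allowed = [ipaddress.ip_network(n) for n in dev.get("allowed_sources", [])]
    for src in dev.get("observed_sources", []):
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in allowed):
            findings.append(("UNEXPECTED_SOURCE", src))
    return findings

def audit(inventory):
    return {dev["name"]: audit_device(dev) for dev in inventory}

# Constructed inventory: a CMDB export joined with the peers seen in flow logs.
INVENTORY = [
    {"name": "pump-plc-01", "model": "plc-x100", "ip": "203.0.113.10",
     "open_ports": [502, 80], "firmware": "2.3.0", "default_credentials": True,
     "allowed_sources": ["10.0.5.0/24"], "observed_sources": ["10.0.5.12", "198.51.100.9"]},
    {"name": "blower-hmi-02", "model": "hmi-panel-7", "ip": "10.0.5.20",
     "open_ports": [5900, 443], "firmware": "5.1.2", "default_credentials": False,
     "allowed_sources": ["10.0.5.0/24", "10.0.9.0/24"], "observed_sources": ["10.0.5.12"]},
    {"name": "historian-03", "model": "srv-linux", "ip": "10.0.9.5",
     "open_ports": [22, 443], "firmware": "1.0", "default_credentials": False,
     "allowed_sources": ["10.0.9.0/24"], "observed_sources": ["10.0.9.7", "10.0.5.20"]},
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        for kind, detail in findings:
            print(f"{name:15} {kind:20} {detail}")
```

The historian finding is the zero-trust case: nothing about the host is internet-exposed, but a connection from the HMI segment that its allow-list does not permit is exactly the lateral movement the segmentation policy exists to stop.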
The development comes as OT security firm Claroty detailed a destructive malware strain called Fuxnet that the Blackjack hacking group, suspected of being backed by Ukraine, allegedly used against Moscollector, a Russian company that maintains a large network of sensors for monitoring Moscow's underground water and sewage systems for emergency detection and response.
Blackjack, which revealed details of the attack early last month, characterized Fuxnet as "Stuxnet on steroids," with Claroty adding that the malware was likely distributed remotely to the target sensor gateways using protocols such as SSH or the sensor protocol (SBK) on port 4321.
Fuxnet is capable of irreparably corrupting the filesystem, blocking access to the device, and physically destroying the NAND memory chips by repeatedly writing and rewriting them until they wear out and become unusable.
On top of that, it is designed to overwrite the UBI volume so the sensor can no longer boot, and ultimately to damage the sensors themselves by flooding them with fake Meter-Bus (M-Bus) traffic.
"The attackers developed and deployed malware that targeted the gateways and deleted filesystems, directories, disabled remote access services, routing services for each device, and rewrote flash memory, destroyed NAND memory chips, UBI volumes and other actions that further disrupted operation of these gateways," Claroty noted.
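Because the final stage described above is a flood of fake M-Bus frames at the sensors, a gateway or a passive tap on the bus can spot it at the link layer. The script below is an added example, not Claroty's or Blackjack's code: it parses wired M-Bus (EN 13757-2) short, control and long frames with checksum validation, and raises alerts for malformed frames, bad checksums, addresses that are not on the bus, and per-address frame rates above a threshold. The capture format (seconds, raw frame), the known-address list, the rate threshold and the sample traffic are constructed assumptions; the frame layouts and checksum rule follow the M-Bus link-layer specification.

```python
"""Parse wired M-Bus (EN 13757-2) link-layer frames and flag the kind of
fake-frame flood Fuxnet is described as sending to the sensors.

Added example, not Claroty's or Blackjack's code. The capture format
(seconds, raw frame), the known-address list, the rate threshold and the
sample traffic are constructed; the frame layouts and checksum rule follow
the M-Bus link layer (short: 10 C A CS 16; long: 68 L L 68 C A CI data CS 16).
"""
from collections import Counter

START_SHORT, START_LONG, STOP, ACK = 0x10, 0x68, 0x16, 0xE5

def build_short(c, a):
    return bytes([START_SHORT, c, a, (c + a) & 0xFF, STOP])

def build_long(c, a, ci, data=b""):
    body = bytes([c, a, ci]) + data
    return bytes([START_LONG, len(body), len(body), START_LONG]) + body + bytes([sum(body) & 0xFF, STOP])

def parse_frame(raw):
    """Return a dict describing the frame; raise ValueError if it is not an M-Bus frame."""
    if raw == bytes([ACK]):
        return {"kind": "ack", "C": None, "A": None, "CI": None, "data": b"", "checksum_ok": True}
    if len(raw) == 5 and raw[0] == START_SHORT and raw[4] == STOP:
        c, a, cs = raw[1], raw[2], raw[3]
        return {"kind": "short", "C": c, "A": a, "CI": None, "data": b"", "checksum_ok": cs == (c + a) & 0xFF}
    if len(raw) >= 9 and raw[0] == START_LONG and raw[3] == START_LONG and raw[-1] == STOP:
        length = raw[1]
        if raw[2] != length or len(raw) != length + 6 or length < 3:
            raise ValueError("length field mismatch")
        body = raw[4:4 + length]            # C, A, CI, then user data
        cs = raw[4 + length]
        return {"kind": "control" if length == 3 else "long", "C": body[0], "A": body[1],
                "CI": body[2], "data": bytes(body[3:]), "checksum_ok": cs == sum(body) & 0xFF}
    raise ValueError("not an M-Bus frame")

def detect_flood(capture, known_addresses, max_per_second=5):
    """capture: iterable of (t_seconds, raw_frame). Returns a list of (alert, t, detail)."""
    per_second = Counter()
    alerts = []
    for t, raw in capture:
        try:
            frame = parse_frame(raw)
        except ValueError as exc:
            alerts.append(("MALFORMED", t, str(exc)))
            continue
        if not frame["checksum_ok"]:
            alerts.append(("BAD_CHECKSUM", t, frame["A"]))
        if frame["A"] is None:              # ACK frames carry no address
            continue
        if frame["A"] not in known_addresses:
            alerts.append(("UNKNOWN_ADDRESS", t, frame["A"]))
        key = (int(t), frame["A"])
        per_second[key] += 1
        if per_second[key] == max_per_second + 1:   # alert once per address and second
            alerts.append(("RATE_EXCEEDED", t, frame["A"]))
    return alerts

# Constructed capture: a normal poll cycle, then a burst of SND_NKE frames at
# sensor 1, frames to an address that is not on the bus, and two corrupt frames.
KNOWN_ADDRESSES = {1, 2, 3}
REQ_UD2, RSP_UD, SND_NKE = 0x5B, 0x08, 0x40
SAMPLE_CAPTURE = []
for t in (0.0, 2.0, 4.0):
    for addr in sorted(KNOWN_ADDRESSES):
        SAMPLE_CAPTURE.append((t, build_short(REQ_UD2, addr)))
        SAMPLE_CAPTURE.append((t + 0.1, build_long(RSP_UD, addr, 0x72, b"\x01\x02")))
SAMPLE_CAPTURE += [(10.0 + i / 100, build_short(SND_NKE, 1)) for i in range(30)]
SAMPLE_CAPTURE += [(11.0 + i / 10, build_short(SND_NKE, 0x7B)) for i in range(3)]
SAMPLE_CAPTURE.append((12.0, bytes([0x10, 0x5B, 0x02, 0x00, 0x16])))   # wrong checksum
SAMPLE_CAPTURE.append((13.0, bytes([0x68, 0x05, 0x04, 0x68, 0x08, 0x01, 0x72, 0x01, 0x02, 0x7E, 0x16])))  # L fields disagree

if __name__ == "__main__":
    for alert in detect_flood(SAMPLE_CAPTURE, KNOWN_ADDRESSES):
        print(alert)
```

A real meter bus is polled at a slow, regular cadence, so a per-address rate well above the normal poll interval is a strong signal on its own; the threshold should be set from the site's actual polling schedule rather than the value assumed here.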
According to research published by Russian cybersecurity firm Kaspersky earlier this week, the internet, email clients, and removable storage devices were the primary sources of threats to computers in organizations' OT infrastructure in the first quarter of 2024.
"Malicious actors use scripts for a wide range of objectives: collecting information, tracking, redirecting the browser to a malicious site, and uploading various types of malware (spyware and/or silent crypto mining tools) to the user's system or browser," it stated. "These spread via the internet and email."