Why wormable ransomware will remain a major threat to ICS

Industrial asset owners and operators today have to be concerned with industrial specific activity groups but also must be prepared for more common and less sophisticated risks such as: traditional malware worms that weaponize vulnerabilities Microsoft already patched in March 2017 with Security Bulletin MS17-010, made famous by malware known as WannaCry.

As I explained in the 2018 year in review report I coauthored for Dragos, commodity malware and wormable ransomware causing ICS infections contributed to greater risk within the ICS space last year. And some of that malware utilizes those Microsoft vulnerabilities.

The critical updates patched a number of vulnerabilities in Windows Server Message Block (SMB) v1, the protocol commonly used for file sharing in enterprise environments. If exploited, an attacker could remotely execute code on a target machine.

So what makes ICS environments – like manufacturing, electric, or oil and gas – so vulnerable?

In many ICS environments, some protocols like SMB serve numerous functions and cannot be easily disabled or updated. Engineering workstations (EWS), human machine interfaces (HMIs), data historians, and OPC servers all run Windows operating systems. And while many ICS vulnerabilities do not introduce risk – as noted in the 2018 Dragos Year in Review vulnerability report – patches for some vulnerabilities such as MS17-010 are vital to apply, and infrequent or misaligned patching priorities can cause them to remain unaddressed. In ICS, system reliability is crucial, and taking machines offline to receive patches means experiencing potential downtime and loss of production, and potentially, revenue. This balancing act often favors foregoing necessary security updates in order to keep operations up and running.

Some ICS-targeting adversaries Dragos tracks have leveraged SMB functionality and lateral movement capabilities across industrial components such as EWS and HMIs, sometimes as a mechanism for malware-less follow-on activity within the environment.

The MS17-010 vulnerabilities became detrimentally dangerous in April 2017 when an anonymous group known as the Shadow Brokers dumped a suite of hacking tools containing exploits known as the ETERNAL series which specifically target these Windows flaws.
 
Adversaries were quick to take advantage of the data dump.

WannaCry was the first malware to target the Microsoft SMBv1 flaws on a large scale and wormed its way through computers using the ETERNALBLUE exploit. It began infecting organizations on May 12, 2017, beginning with entities in Europe before spreading to more than 400,000 computers across the globe. At the time, a reported one million machines had port 445 exposed to the internet; of those, 800,000 ran windows and a “large chunk” ran vulnerable versions. The ransomware asked for around $300 worth of bitcoin to unlock machines.
 
In June 2017, the NotPetya malware attack – which also leveraged ETERNAL exploits as part of its wormable capabilities – initially infected computers in Ukraine, but ultimately became a worldwide outbreak. NotPetya infected various ICS entities including the US pharmaceutical company Merck and Danish shipping company Maersk, costing each of them hundreds of millions in losses.
 
Although Microsoft released patches for the flaws in 2017, the SMBv1 vulnerabilities are still an issue today. For instance, in 2018, Taiwan Semiconductor Manufacturing Company experienced a WannaCry outbreak that impacted its computer systems and fabrication tools and stymied production. The virus cost the firm up to $250 million. Dragos is also aware of numerous undisclosed incidents at companies that experienced more than $200 million in damages each.
 
WannaCry and NotPetya, along with other IT-focused worms including OlympicDestroyer (and the recent LockerGoga ransomware which spreads via Active Directory), are some of the most frequent risks to ICS due to their ability to cross the IT/OT boundary by infecting vulnerable services within the OT environment that are exposed to enterprise IT machines. Infection events may be targeted, incidental based on connections to vulnerable third-party services, or untargeted incidents of adversaries using spray-and-pray tactics to maliciously make money.
 
Even if companies cannot patch, there are straightforward ways to protect themselves. For instance, SMB should be disabled entirely on devices that don’t require its use, or if needed, companies should deprecate SMBv1 usage in favor of SMBv2 or greater. ICS environments should have limited connections to the business IT network to prevent the spread of malware from enterprise to ICS. And all employees and contractors should be required to use multi-factor authentication for remote access, preferably using something other than SMS-based authentication.
 
The ICS threat landscape is constantly evolving, and while ICS-focused activity groups leveraging increasingly unique attack methodologies is concerning, ICS owners and operators should not forget about the risk from the seemingly unsophisticated -- but severely damaging -- malware worms.