
Microsoft warns of a sharp increase in the number of cyber attacks targeting OT devices with Internet access

Microsoft has emphasized the need to secure Internet-facing operational technology (OT) devices following a wave of cyberattacks on such environments since late 2023.

“These repeated attacks on OT devices highlight the critical need to improve the security posture of OT devices and prevent critical systems from becoming easy targets,” said the Microsoft Threat Intelligence team.

The company noted that a cyber attack on an OT system could allow malicious actors to manipulate critical parameters used in industrial processes, either programmatically via a programmable logic controller (PLC) or through the graphical controls of a human-machine interface (HMI), which may result in system malfunction and failure.

It further said that OT systems often lack adequate security mechanisms, leaving them open to exploitation by adversaries who can mount attacks that are "relatively easy to execute," a risk compounded by connecting OT devices directly to the Internet.

This means that such devices can not only be discovered by attackers using Internet scanning tools, but can also be used for initial access by exploiting weak login passwords or outdated software with known vulnerabilities.

Just last week, Rockwell Automation issued an advisory urging its customers to disconnect all industrial control systems (ICS) that are not designed to connect to the public Internet due to “heightened geopolitical tensions and hostile cyber activity around the world.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued a bulletin with its own warning about pro-Russian hacktivists targeting sensitive industrial control systems in North America and Europe.

“In particular, pro-Russian hacktivists manipulated HMIs, causing water pumps and blowers to exceed their normal operating parameters,” the agency said. “In each case, hacktivists increased set values, changed other settings, disabled alarm mechanisms, and changed administrative passwords to block WWS operators.”
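The behaviour CISA describes (setpoints pushed past their limits, alarms disabled, administrative passwords changed to lock operators out) leaves a recognisable trail in an HMI audit log. The following is an added example, not code from the article, Microsoft or CISA: it runs simple rules over a constructed audit log in a hypothetical CSV format (columns `ts,user,src_ip,action,target,old,new`) with assumed engineering limits per setpoint tag, and then correlates findings per source address so that the full lockout sequence from one source within a short window is reported as a single high-severity event.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed engineering limits per setpoint tag (assumed example values, not from the article).
LIMITS = {"PUMP1_SPEED_SP": (0.0, 1450.0), "BLOWER2_SPEED_SP": (0.0, 3000.0)}

# Constructed HMI audit log in a hypothetical CSV format, modelled on the CISA description:
# a benign operator write, then one external source raising setpoints past their limits,
# disabling an alarm and changing the admin password.
SAMPLE_LOG = """\
ts,user,src_ip,action,target,old,new
2024-05-10T03:11:02Z,operator,10.20.1.15,setpoint_write,PUMP1_SPEED_SP,1200,1250
2024-05-10T03:11:40Z,admin,203.0.113.44,setpoint_write,PUMP1_SPEED_SP,1250,2900
2024-05-10T03:11:52Z,admin,203.0.113.44,setpoint_write,BLOWER2_SPEED_SP,2200,4800
2024-05-10T03:12:05Z,admin,203.0.113.44,alarm_disable,HIGH_SPEED_ALARM,enabled,disabled
2024-05-10T03:12:30Z,admin,203.0.113.44,password_change,admin,*,*
2024-05-10T03:15:00Z,operator,10.20.1.15,setpoint_write,BLOWER2_SPEED_SP,2200,2300
"""

# Rules that must all fire from one source within the window to call it a lockout sequence.
LOCKOUT_RULES = {"setpoint_out_of_range", "alarm_disabled", "credential_change"}


def _ts(s: str) -> datetime:
    """Parse the ISO-8601 timestamps used in the constructed log."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def check_event(e: dict):
    """Return a finding for one audit event, or None if the event is benign."""
    base = {"ts": e["ts"], "user": e["user"], "src_ip": e["src_ip"]}
    action = e["action"]
    if action == "setpoint_write" and e["target"] in LIMITS:
        lo, hi = LIMITS[e["target"]]
        new = float(e["new"])
        if not lo <= new <= hi:
            return {**base, "rule": "setpoint_out_of_range",
                    "detail": f"{e['target']}={new:g} outside [{lo:g}, {hi:g}]"}
    elif action == "alarm_disable":
        return {**base, "rule": "alarm_disabled", "detail": e["target"]}
    elif action == "password_change":
        return {**base, "rule": "credential_change", "detail": f"account {e['target']}"}
    return None


def analyse(log_text: str, window_s: int = 600) -> dict:
    """Run per-event rules, then look for the full lockout sequence from one source
    within window_s seconds. Returns {"findings": [...], "sequences": [...]}."""
    events = csv.DictReader(io.StringIO(log_text))
    findings = [f for f in (check_event(e) for e in events) if f]

    by_src = defaultdict(list)
    for f in findings:
        by_src[f["src_ip"]].append(f)

    sequences = []
    for src, fs in by_src.items():
        fs.sort(key=lambda f: _ts(f["ts"]))
        for i, first in enumerate(fs):
            # All findings from this source that fall within the window starting at `first`.
            window = [g for g in fs[i:]
                      if (_ts(g["ts"]) - _ts(first["ts"])).total_seconds() <= window_s]
            if LOCKOUT_RULES <= {g["rule"] for g in window}:
                sequences.append({"src_ip": src, "start": first["ts"],
                                  "end": window[-1]["ts"], "count": len(window)})
                break  # one sequence per source is enough to alert on
    return {"findings": findings, "sequences": sequences}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for f in result["findings"]:
        print(f"{f['ts']} {f['src_ip']:<14} {f['rule']:<22} {f['detail']}")
    for s in result["sequences"]:
        print(f"LOCKOUT SEQUENCE from {s['src_ip']}: {s['count']} events {s['start']} .. {s['end']}")
```

The per-event rules on their own would fire on a legitimate engineer raising a limit during commissioning; the correlation step is what turns four noisy findings into one credible alert, and the source address makes the "Internet-exposed HMI" part of the story visible at a glance.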

Microsoft further stated that the outbreak of the Israel-Hamas war in October 2023 led to a sharp increase in the number of cyber attacks on internet-exposed, poorly secured OT assets developed by Israeli companies, many of them carried out by groups such as Cyber Av3ngers, Soldiers of Solomon, and Abnaa Al-Saada, which have ties to Iran.

According to Redmond, the attacks targeted OT equipment deployed in various sectors of Israel, manufactured by international suppliers, as well as equipment originating in Israel but deployed in other countries.

These OT devices are “primarily internet-exposed OT systems with poor security, potentially accompanied by weak passwords and known vulnerabilities,” the tech giant added.

To mitigate the risk posed by such threats, organizations are advised to maintain the security hygiene of their OT systems, in particular by reducing the attack surface and implementing zero trust practices so that an attacker who compromises one device cannot move laterally within the network.

The development comes as OT security firm Claroty unpacked a destructive strain of malware called Fuxnet that the hacking group Blackjack, suspected of supporting Ukraine, allegedly used against Moscollector, a Russian company that maintains a large network of sensors for monitoring Moscow's underground water and wastewater systems, as well as emergency detection and response systems.

Blackjack, which released details of the attack early last month, described Fuxnet as "Stuxnet on steroids," and Claroty noted that the malware was likely deployed remotely to the targeted sensor gateways using protocols such as SSH or the Sensor Protocol (SBK) over port 4321.

Fuxnet is capable of irreversibly destroying the file system, blocking access to the device, and physically destroying the device's NAND memory chips by repeatedly writing and rewriting to them until they become inoperable.

Furthermore, it overwrites the UBI volume to prevent the sensor gateway from rebooting, and finally attempts to corrupt the sensors themselves by flooding them with bogus Meter-Bus (M-Bus) messages.

"The attackers developed and deployed malware that targeted gateways and deleted file systems, directories, disabled remote access services, and routing services for each device, and also rewrote flash memory, destroyed NAND memory chips, UBI volumes, and other activities that further disrupted the operation of these gateways," Claroty noted.
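The M-Bus flood described above is detectable at the bus itself: a gateway or a tap that validates each frame against the EN 13757-2 framing rules (start and stop bytes, repeated length field, arithmetic checksum) will see a burst of frames that fail those checks. The following is an added example, not code from Claroty, Blackjack or the article: a small M-Bus frame parser plus a per-second counter of invalid frames, run over a constructed capture that mixes normal meter polling with a burst of garbage. The capture, the meter address, the payload bytes and the threshold are all assumptions made for the example.

```python
"""Minimal M-Bus (EN 13757-2) frame validator and bogus-frame flood detector.
Added example with constructed data; not code from the article or from Claroty."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

START_LONG = 0x68   # long/control frame start byte (appears twice in the header)
START_SHORT = 0x10  # short frame start byte
STOP = 0x16
ACK = 0xE5          # single-character acknowledgement


@dataclass
class Frame:
    kind: str                      # "ack", "short" or "long"
    control: Optional[int] = None  # C field
    address: Optional[int] = None  # A field (primary address)
    ci: Optional[int] = None       # CI field (long frames only)
    data: bytes = b""              # user data (long frames only)


def parse_frame(raw: bytes) -> Frame:
    """Parse one M-Bus frame; raise ValueError on any framing or checksum error."""
    if len(raw) == 1 and raw[0] == ACK:
        return Frame("ack")
    if len(raw) == 5 and raw[0] == START_SHORT:
        c, a, cs, stop = raw[1], raw[2], raw[3], raw[4]
        if stop != STOP:
            raise ValueError("short frame: bad stop byte")
        if (c + a) & 0xFF != cs:                      # checksum covers C and A
            raise ValueError("short frame: checksum mismatch")
        return Frame("short", c, a)
    if len(raw) >= 9 and raw[0] == START_LONG:
        l1, l2, start2 = raw[1], raw[2], raw[3]
        if l1 != l2 or start2 != START_LONG:
            raise ValueError("long frame: header mismatch")
        # L counts C, A, CI and user data; total size = 4 header + L + CS + STOP
        if len(raw) != 4 + l1 + 2:
            raise ValueError("long frame: length field does not match frame size")
        if raw[-1] != STOP:
            raise ValueError("long frame: bad stop byte")
        body = raw[4:4 + l1]
        if sum(body) & 0xFF != raw[-2]:               # checksum covers C, A, CI, data
            raise ValueError("long frame: checksum mismatch")
        return Frame("long", body[0], body[1], body[2], bytes(body[3:]))
    raise ValueError("unrecognised frame")


def build_long_frame(c: int, a: int, ci: int, data: bytes) -> bytes:
    """Build a well-formed long frame (used here only to construct the sample capture)."""
    body = bytes([c, a, ci]) + data
    return bytes([START_LONG, len(body), len(body), START_LONG]) + body + bytes([sum(body) & 0xFF, STOP])


def audit_capture(capture: List[Tuple[float, bytes]], window_s: float = 1.0,
                  max_bad_per_window: int = 5) -> List[Tuple[float, int, int]]:
    """Bucket frames into time windows and return (window_start, bad, total) for
    every window whose count of invalid frames exceeds max_bad_per_window."""
    windows = {}
    for ts, raw in capture:
        stats = windows.setdefault(int(ts // window_s), {"bad": 0, "total": 0})
        stats["total"] += 1
        try:
            parse_frame(raw)
        except ValueError:
            stats["bad"] += 1
    return [(idx * window_s, s["bad"], s["total"])
            for idx, s in sorted(windows.items()) if s["bad"] > max_bad_per_window]


# ---- constructed capture: five seconds of normal polling, then a one-second garbage burst ----
METER = 0x07  # assumed primary address of one meter on the bus
REQ_UD2 = bytes([START_SHORT, 0x5B, METER, (0x5B + METER) & 0xFF, STOP])        # master asks for data
RSP_UD = build_long_frame(0x08, METER, 0x72, bytes.fromhex("785634120c13271500"))  # meter answers (assumed payload)

CAPTURE: List[Tuple[float, bytes]] = []
for second in range(5):
    CAPTURE += [(float(second), REQ_UD2), (second + 0.05, RSP_UD)]

_corrupt = bytearray(build_long_frame(0x53, METER, 0x51, b"\x01\x02"))
_corrupt[-2] ^= 0xFF  # flip the checksum byte: looks like a frame, fails validation
for i in range(20):
    junk = bytes(_corrupt) if i % 2 == 0 else b"\x00\xff\x13\x37"  # alternate plausible and raw junk
    CAPTURE.append((5.0 + i * 0.05, junk))


if __name__ == "__main__":
    for start, bad, total in audit_capture(CAPTURE):
        print(f"t={start:.0f}s: {bad}/{total} frames invalid -> possible M-Bus flood")
```

A real sensor gateway would additionally whitelist the expected source of bus traffic; here the point is that junk frames are cheap to recognise, so a threshold on invalid frames per window is a practical early-warning signal even before the sensors start misbehaving.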

According to data released earlier this week by Russian cybersecurity firm Kaspersky, in the first quarter of 2024, the main sources of threats to computers in an organization’s OT infrastructure were the Internet, email clients and removable storage devices.

"Malicious actors use scripts for a wide range of purposes: collecting information, tracking, redirecting the browser to a malicious website, and transmitting various types of malware (spyware and/or silent cryptocurrency mining tools) to the user's system or browser," the report said. "They spread via the internet and email."
