Attackers Drain CPU Power From Water Utility Plant In Cryptojacking Attack (eweek.com)
darthcamaro writes: Apparently YouTube isn't the only site that is draining CPU power with unauthorized cryptocurrency miners. A water utility provider in Europe is literally being drained of its CPU power via a cryptojacking attack that was undetected for three weeks. eWeek reports: "At this point, Radiflow's (the security firm that discovered the cryptocurrency mining malware) investigation indicates that the cryptocurrency mining malware was likely downloaded from a malicious advertising site. As such, the theory that Radiflow CTO Yehonatan Kfir has is that an operator at the water utility was able to open a web browser and clicked on an advertising link that led to the mining code being installed on the system. The actual system that first got infected is what is known as a Human Machine Interface (HMI) to the SCADA network and it was running the Microsoft Windows XP operating system. Radiflow's CEO, Ilan Barda, noted that many SCADA environments still have Windows XP systems deployed as operators tend to be very slow to update their operating systems." Radiflow doesn't know how much Monero (XMR) cryptocurrency was mined by the malware, but a recent report from Cisco's Talos research group revealed that some of the top unauthorized cryptocurrency campaigns generate over a million dollars per year. The average system would generate nearly $200,000 per year.
If only there was some sort of readily available monitoring software to catch this sort of crap sooner than after 3 weeks.
Come on. Don't run your operational systems on the internet, even if they need to be internet connected. Provide your employees with a separate system connected outside the LAN so that such issues are isolated. Another solution in non-sensitive areas is simply giving them Wi-Fi and access to their phones. All of these solutions present fewer problems than having employees on the operational system infecting the operational network.
To me, this juxtaposition is downright scary "Windows XP", "SCADA", "Internet", "browser" (although it corresponds to my overall experience, unfortunately: how many times have I seen the Siemens engineers with their SCADA "programmers", some funny semi-customized boxes running some unspecified, but invariably old version of Windows).
It's fascinating to watch how this "industry" refuses to move, even after having witnessed the train wreck that was Stuxnet and Natanz.
Waiting for something fat to happen?
Hard to lock down XP IE web apps. Hell, they may need admin rights to run the day-to-day software.
Make that $80,000 after last check on coinmarketcap.
No patches for YEARS NOW.
According to the summary, web ads (why aren't those blocked?!) are suspect. Windows XP is mentioned, though, as if it's to blame somehow. To me, XP (or any older OS) is the devil you know versus the devil you don't - you can plan for the devil you know. Don't assume XP is automatically worse because we haven't discovered everything about 10, etc. For the technically smug, look at the surprise of Meltdown and Spectre.
...From plugging in a serial cable. Desktop jockeys don't understand such things.
As to why they aren't upgrading everything all the time, I work in water too, and like other such "invisible" industries, it is big and more complex than you may think. Since these sites must function, NO MATTER WHAT, screwing around with one that is working fine is discouraged since each new "project" requires much planning, thought, approval and budgeting.
In my younger days, in an instant, I brought down a medium-sized city's water supply just by plugging in a serial cable, the large pumps shutting down next to me. The controlling PLC's serial port powered pin #9 (not commonly done) as did the new radio transceiver that I just plugged in. "Did I do that?!!"
I was fortunate in that shutting pumps off ungracefully can cause severe "water hammer" on the main pipes underground - broken pipes sometimes result.
Can't we just illegalize monero?
Hurry! Fill it back up again!
You think European workers can't get fired? BWAAAAHAHAAHAHAHAHAHAHAHAHAHAHAAHA
We just *tend* not to fire people because the boss didn't get his coffee that morning and even then only when the union doesn't kick up a stink about it. What's it like living like a corporate serf where the law applies only to the mighty?
I remember hearing the SCADA and industrial hacking news as far back as the early 2000's from when I got into the tech world, and even then, always the same take-away: Why are these systems even accessible outside the intranet they exist on? I'd even take it a step further and wonder why there isn't a much tamer form of a secured, air-gapped datacenter approach to this? Anyone who's done or worked with building automation systems or even went to a tech school for SCADA operation knows this shit doesn't have to exist and be set up that way.
I actually wondered what the hit-rate of SCADA attacks was, and I had no idea there was an online database of them that goes way back into the early 90's. And exposure to the internet is harder to hide from, shoot, most don't even have to try if they are using Shodan.
I think that's the real issue and always has been. That really-old-Windows-OS-and-the-word-crypto-buzzword phrasing is just a tech journalism shock-jock plug to lighten the heat from the real problem.
It is not being literally drained of its CPU power. CPU power is not a liquid which can run out of a drain. Asshole.
Seriously, stop connecting SCADA systems to computers running Windows. It really doesn't matter what you connect it to as long as it's not running an operating system that is well known for being vulnerable to attack!
The machine in question earned about 1 dollar in 3 weeks.
I would be amazed if the CPU was able to break 20 hashes per second.
Seems simple to me. SCADA systems shouldn't be controllable over the internet, or by anything connected to the internet. For remote control, use leased lines. Hardly anyone uses ISDN or leased 56k lines anymore, so there's an easy solution.
For monitoring, you can have an internet connected data logger wired into the SCADA system with a serial port. Even if someone manages to hack into the data logger, you can't take over the SCADA system if it's not designed to accept commands over serial.
I worked for a broadcast company that operated this way. The broadcast equipment could only be controlled by standing in front of the machine, or via a single hardwired remote terminal in the operations room that wasn't connected to anything else. It spit out a bunch of system status data over a serial port to a network-connected machine, but you couldn't control it that way.
Did they use a bucket to literally drain that power out of the cpu spigot? People who don't know the correct meaning of "literally" have no business writing anything for public consumption.
I worked in Industrial Automation for over 10 years, and mostly in water / waste water. Many of these utilities, at least in the US, are municipal. Many do not have an IT person or department, usually due to little need or no budget. These systems are not designed with security in mind. Most HMI software providers assume security is not their problem and that it's the utility's job to lock down everything, which never happens because there is no IT department.
Many of these systems are installed as part of a single contract. The installers install the system and then leave without any obligation to maintain anything (sometimes there is a limited support contract as well). The installers will end up opening the Windows firewall and defaulting the operator's PC (usually also the main server computer) to auto-login as admin. All this has been the norm for years, and for a long time this wasn't an issue because the industrial communication standards were either not over Ethernet or just in a closed system with no outside access. In later years, the utility wanted the newer technology, which is all Ethernet based, and ended up opening their system to the general internet. Unfortunately, there still is no IT department and the installers are still up to the same tricks. In the end this same operator is now logged into the same server PC, as admin, but now also surfing the web.
This is my experience with smaller utilities. Larger ones are more on top of security and do have audits.
OK, fine, you're lazy and stupid, and the interface to your SCADA system is an ancient turd which has been terribly insecure forever.
Whatever.
But holy fuck, people, keep the ancient insecure turd connected ONLY to your SCADA system and nothing else, and make damned sure your people aren't using that machine to connect to the internet and click goddamned ads.
This is really a self inflicted bit of stupid. Everywhere I've ever been which has SCADA has that on a separate locked down network, and the machines which access it are locked down and not connected to anything else. It's a hard-line connection with absolutely NO other connectivity, and it's treated like one of the most secure systems you have -- because it better be.
This is beyond stupid, and beyond inexcusable .. especially after StuxNet.
Any organization which gets impacted by something like this deserves what they get, because they're pretty much incompetent to run that kind of infrastructure. Mining cryptocurrency is stupid, but you could have FAR more reaching problems from this kind of breach.
Fucking morons.
If you don't have an air gap between your critical infrastructure equipment and the internet, then you're an idiot. Why was it possible to open a browser on these machines in the first place?
You also need to wait several years to amortize the cost of each GPU...
Factoid for you: rarbg and limetorrents routinely insert cryptomining code into your pages!
I run htop and you can always tell when they are doing it! Quad cores all hit 100% almost instantly when they are!
And it's not just porn anymore!
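The "readily available monitoring software" the earlier comment asks for, and the htop observation above, boil down to the same check: a process that sits near 100% CPU for a long stretch on a box whose normal load is known. The following is an added example (not from the article, Radiflow, or any commenter) that flags such processes from per-process CPU samples; the sample log, the process names and the allowlist of expected HMI processes are all constructed assumptions.

```python
# Added example (not from the article or any commenter): flag processes on an
# HMI host pegged near 100% CPU for a sustained period. All input is constructed.
from datetime import datetime
# Processes that legitimately run hot on this HMI (assumed, site-specific).
ALLOWLIST = {"hmiruntime.exe", "historian.exe"}
# Constructed samples: "<ISO timestamp> <process> <cpu%>", collected every 5 min.
SAMPLES = """\
2018-02-01T02:00:00 hmiruntime.exe 12
2018-02-01T02:00:00 iexplore.exe 97
2018-02-01T02:00:00 updater.exe 3
2018-02-01T02:05:00 hmiruntime.exe 15
2018-02-01T02:05:00 iexplore.exe 99
2018-02-01T02:05:00 updater.exe 2
2018-02-01T02:10:00 hmiruntime.exe 91
2018-02-01T02:10:00 iexplore.exe 98
2018-02-01T02:10:00 updater.exe 95
2018-02-01T02:15:00 hmiruntime.exe 94
2018-02-01T02:15:00 iexplore.exe 96
2018-02-01T02:15:00 updater.exe 4
"""

def parse_samples(text):
    """Parse sample lines into (timestamp, process, cpu_percent) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, proc, cpu = line.split()
            rows.append((datetime.fromisoformat(ts), proc, float(cpu)))
    return rows

def find_sustained(samples, threshold=90.0, min_minutes=15, allowlist=ALLOWLIST):
    """Return {process: (run_start, run_end)} for non-allowlisted processes that
    stayed at or above `threshold` for `min_minutes`; a lone spike does not count."""
    by_proc = {}
    for ts, proc, cpu in sorted(samples):
        by_proc.setdefault(proc, []).append((ts, cpu))
    hits = {}
    for proc, series in by_proc.items():
        if proc.lower() in allowlist:
            continue
        run_start = None
        for ts, cpu in series:
            if cpu < threshold:
                run_start = None          # a dip below threshold ends the run
                continue
            run_start = run_start or ts
            if (ts - run_start).total_seconds() >= min_minutes * 60:
                hits[proc] = (run_start, ts)  # keep extending the window
    return hits
```

On the constructed data only the browser process is flagged: the short spike from updater.exe and the allowlisted HMI runtime are both ignored, which is the distinction a noisy plant floor needs.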
Perhaps because staffing the graveyard shift with full time experienced SCADA technicians is expensive (or impossible, if your facilities are in a remote or rural area), so you either cut back staff, hire and train alert, competent people who also happen to be willing to sit around in the plant watching gauges until 5am for 99% of their working career, or else make the system partially manageable over the internet (hopefully with some minimal security like a VPN), so the actual people you can realistically hire for this kind of specialized work only need to be woken up if something is going sideways one day out of a hundred, or a thousand.
Obviously basic infrastructure like water and power demands having hands on site at all times, but the vast bulk of SCADA systems are running bubble wrap packing machines or stamping silverware or filling catfood tins. It's an entrenched structural tradeoff problem.
For piracy and to prevent used SCADA sales. They must be on the internet all day to re-activate themselves.
They also refuse on purpose to support anything after XP to force repurchases of perfectly good working systems with 7 support. So CFOs buckle and keep XP on instead as a form of giving them the finger.
Then the I.T. guy gets blamed when they get hacked because the CFO doesn't want to pay the extortion to throw out a good SCADA controller because the vendor wants more money and you can't be used just to ensure the PC attached gets security updates. Ridiculous.
There should be laws, as this is part of infrastructure and something both China and Russia know too well if they want to hurt another country.
So they had their SCADA (supervisory control and data acquisition) system directly connected to the Internet? Really - that is the problem. One should never, never do that!
There is guidance and standards on how to design SCADA and industrial control architecture: IEC/ISA-62443, ISA-99, the NIST cyber security framework, AWWA-GW430, etc.
The fact they were using Windows XP in their SCADA control system is a red herring. There are still many, many industrial control systems (and water/electricity/gas utility control systems) that still use Windows XP-based computers - but the organizations that run them do so on isolated networks that are completely disconnected from the internet and subject to physical access controls. Upgrading systems that control critical infrastructure and have hundreds of years of programming effort/testing in them is not a simple matter. The lifecycles of these systems are very long, and any upgrades must be done very carefully.
No retard Alexander Peter Kowalski, you didn't.
I looked at that thread and you were never able to refute the original statements because they are true.
Instead you went and wandered off in the woods on one of your usual rants trying to deflect real valid criticism of your ineffective, unoriginal, slow, bloated, and overly complex work.
Then after that you start whining that others down mod you for acting like the retard you are, maybe that AC actually had an account and wasted their mod points but given how often that happens to you I doubt it.
If I had an account I wouldn't waste mod points down modding you as I want everyone to see how much of a retard you are.
If everyone had used your software the attack would have still happened.
It wasn't until someone else did the real work of identifying the threat that it could even have been stopped by your BS little toy.
As always you offer too little too late.
Yet no script would have prevented this attack because it actually stops an entire category of threats unlike your work.
Don't worry APK, I'm sure someday your parents will stop regretting not aborting you, but today isn't that day, and the rest of the century isn't looking so good either.
I might have to get in on that whole thread and point out all the places where you provide further evidence that you are a total retard.