Slashdot Mirror


Attackers Drain CPU Power From Water Utility Plant In Cryptojacking Attack (eweek.com)

darthcamaro writes: Apparently YouTube isn't the only site that is draining CPU power with unauthorized cryptocurrency miners. A water utility provider in Europe is literally being drained of its CPU power via a cryptojacking attack that was undetected for three weeks. eWeek reports: "At this point, Radiflow's (the security firm that discovered the cryptocurrency mining malware) investigation indicates that the cryptocurrency mining malware was likely downloaded from a malicious advertising site. As such, the theory that Radiflow CTO Yehonatan Kfir has is that an operator at the water utility was able to open a web browser and clicked on an advertising link that led to the mining code being installed on the system. The actual system that first got infected is what is known as a Human Machine Interface (HMI) to the SCADA network and it was running the Microsoft Windows XP operating system. Radiflow's CEO, Ilan Barda, noted that many SCADA environments still have Windows XP systems deployed as operators tend to be very slow to update their operating systems." Radiflow doesn't know how much Monero (XMR) cryptocurrency was mined by the malware, but a recent report from Cisco's Talos research group revealed that some of the top unauthorized cryptocurrency campaigns generate over a million dollars per year. The average system would generate nearly $200,000 per year.

38 of 76 comments

  1. If only... by fisted · · Score: 3, Funny

    If only there was some sort of readily available monitoring software to catch this sort of crap sooner than after 3 weeks.
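The monitoring the comment asks for is not hard to sketch. As an added example (not from the article or any commenter), this runs a sustained-CPU check over constructed HMI telemetry: any process outside the host's expected-process allowlist that holds CPU above a threshold for several consecutive samples is flagged, which is the footprint a miner leaves for weeks. Host name, process names and the allowlist are made up for illustration.

```python
"""Sustained-CPU detector for an HMI host (added example, constructed data)."""
from collections import defaultdict

# Constructed sample telemetry: (minute, host, process, cpu_percent).
# All names are invented for this example.
SAMPLES = [
    (0, "hmi-01", "hmi_runtime.exe", 12.0),
    (0, "hmi-01", "svchost.exe", 2.0),
    (5, "hmi-01", "hmi_runtime.exe", 14.0),
    (5, "hmi-01", "updsvc.exe", 91.0),
    (10, "hmi-01", "hmi_runtime.exe", 11.0),
    (10, "hmi-01", "updsvc.exe", 95.0),
    (15, "hmi-01", "hmi_runtime.exe", 13.0),
    (15, "hmi-01", "updsvc.exe", 97.0),
    (20, "hmi-01", "hmi_runtime.exe", 88.0),  # one-off spike, not sustained
    (20, "hmi-01", "updsvc.exe", 93.0),
]

# Processes expected on this HMI (assumed; a real list comes from a site baseline).
HMI_ALLOWLIST = {"hmi_runtime.exe", "svchost.exe"}

CPU_THRESHOLD = 80.0  # percent
MIN_STREAK = 3        # consecutive high samples before an alert is raised


def detect_sustained_cpu(samples, allowlist, threshold=CPU_THRESHOLD,
                         min_streak=MIN_STREAK):
    """Return [(host, process, first_minute, last_minute)] for processes that are
    not on the allowlist and stayed at or above `threshold` for at least
    `min_streak` consecutive samples. Samples are sorted by time internally."""
    streak = defaultdict(list)  # (host, process) -> minutes of the current streak
    alerts = {}                 # (host, process) -> alert tuple, extended as it grows
    for minute, host, proc, cpu in sorted(samples):
        key = (host, proc)
        if cpu < threshold:
            streak[key] = []    # streak broken; a short spike never alerts
            continue
        streak[key].append(minute)
        if proc in allowlist:
            continue            # expected process: high CPU alone is not suspicious
        if len(streak[key]) >= min_streak:
            alerts[key] = (host, proc, streak[key][0], minute)
    return list(alerts.values())


if __name__ == "__main__":
    for host, proc, start, end in detect_sustained_cpu(SAMPLES, HMI_ALLOWLIST):
        print(f"ALERT {host}: {proc} above {CPU_THRESHOLD}% CPU from minute "
              f"{start} to {end}")
```

On the constructed data the unknown `updsvc.exe` is flagged after its third consecutive high sample, while the legitimate runtime's single spike at minute 20 is ignored.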

  2. Need for separate browsing and operations by ArtemaOne · · Score: 4, Insightful

    Come on. Don't run your operational systems on the internet, even if they need to be internet connected. Provide your employees with a separate system connected outside the LAN so that such issues are isolated. Another solution in non-sensitive areas is simply giving them Wi-Fi and access to their phones. All of these solutions present fewer problems than having employees on the operational system infecting the operational network.

    1. Re:Need for separate browsing and operations by Gravis Zero · · Score: 1

      All of these solutions present fewer problems than having employees on the operational system infecting the operational network.

      All of these solutions cost money that employers don't want to pay.

      Shortsightedness is the gift bestowed upon middle management.

      --
      Anons need not reply. Questions end with a question mark.
    2. Re:Need for separate browsing and operations by ArtemaOne · · Score: 1

      Sorry you can't read. I said "even if they need to be internet connected" so that humans above fundamental reading levels could understand that the operational systems could be on the internet, but that users would not click on ads while using them, that they would have isolated systems for browsing.

    3. Re:Need for separate browsing and operations by HiThere · · Score: 1

      Simpler, and probably as effective given modern attack vectors: don't let JavaScript run in your browsers. If you must accept data over the web, use HTTP commands, like POST.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    4. Re:Need for separate browsing and operations by Darinbob · · Score: 1

      If a system got infected with malware that did mining, which is a relatively minor problem, it means they are susceptible to serious damaging malware. Anti-malware or tracking that detects intrusions after the fact doesn't help much if the damage is already done.

      It does feel odd that these sorts of simple and basic preventative measures (disconnecting from the internet, restricted access to web sites) aren't being taken. Organizations using SCADA systems should presumably know all about security issues and know that SCADA systems are common targets.

    5. Re:Need for separate browsing and operations by Darinbob · · Score: 2

      This should be basic training everywhere. I can certainly understand someone sneaking around the rules and browsing the net using their normal work computer, but it's a severe lapse of responsibility to use a critical production computer to do this browsing.

  3. Hard to lock down XP IE web apps by Joe_Dragon · · Score: 1

    Hard to lock down XP IE web apps. Hell, they may need admin rights to run the day-to-day software.

  4. Re:I have some past in this strange SCADA world by jonwil · · Score: 1

    As long as the cost of replacing all that software with something new (and probably a lot of hardware too in cases where the existing hardware can't support the new software) is higher than the estimated cost (to the business, not to society at large) that would arise should the worst happen, they won't replace it.

    Heck, it may well be that there is no new software that can be used and they would need to not just replace the PCs but the gear they talk to (I doubt the companies that make that kind of gear would want to spend money upgrading software for old obsolete hardware so it can run on more modern systems, not when they have more modern hardware to sell you :)

  5. Re:WINDOWS XP on the INTERNET...???? by jfdavis668 · · Score: 5, Funny

    That's why I stayed with Windows 2000.

  6. Not XP by kackle · · Score: 3, Interesting

    According to the summary, web ads (why aren't those blocked?!) are suspect. Windows XP is mentioned, though, as it's to blame somehow. To me, XP (or any older OS) is the devil you know versus the devil you don't - you can plan for the devil you know. Don't assume XP is automatically worse because we haven't discovered everything about 10, etc. For the technically smug, look at the surprise of Meltdown and Spectre.

    As to why they aren't upgrading everything all the time, I work in water too, and like other such "invisible" industries, it is big and more complex than you may think. Since these sites must function, NO MATTER WHAT, screwing around with one that is working fine is discouraged since each new "project" requires much planning, thought, approval and budgeting.

    In my younger days, in an instant, I brought down a medium-sized city's water supply just by plugging in a serial cable, the large pumps shutting down next to me. The controlling PLC's serial port powered pin #9 (not commonly done) as did the new radio transceiver that I just plugged in. "Did I do that?!!"

    I was fortunate in that shutting pumps off ungracefully can cause severe "water hammer" on the main pipes underground - broken pipes sometimes result. ...From plugging in a serial cable. Desktop jockeys don't understand such things.

    1. Re:Not XP by TheDarkMaster · · Score: 1

      This. As a fellow developer in the "this MUST work" industry, I also have trouble trying to explain to the newbies why they should not do certain things that they are accustomed to doing when you are dealing with systems controlling millions of dollars worth of equipment.

      --
      Religion: The greatest weapon of mass destruction of all time
    2. Re:Not XP by Opportunist · · Score: 1

      XP is worse for one single key reason: That there ARE known security risks that will NEVER get patched. Can this be mitigated? Yes. But it also HAS to be mitigated.

      I work in a "must work no matter what" environment as well. We also suffer from XP machines we don't dare to touch because ... reasons. We did manage to get them secured by shielding those parts of them that are endangered by machines we put between them and potential attackers.

      It is possible. It's pretty ugly and of course not the best solution from a security perspective, but it can be done in a way that lets your CISO sleep at night.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Not XP by TheDarkMaster · · Score: 1

      I know that. To be more clear, I am just stressing the point for a lot of "new guys" who think they can just drop into any power plant and change everything to their shiny new (JavaScript) framework fad without ending up killing someone (literally!) in the process.

      Some things need to be updated? No doubt. The problem is that these "new guys" do not stop to think first about what they can upgrade without causing problems later; they are too arrogant to first analyze why the process they intend to upgrade is done in the current way (see what is happening with GUI development these days).

      --
      Religion: The greatest weapon of mass destruction of all time
    4. Re:Not XP by kackle · · Score: 1

      You kind of made my point: If everybody knows XP shouldn't be directly connected to the Internet (the largest risk these days), then do some sort of blocking to mitigate the known issue(s). Whereas with a newer OS, everyone will assume it's fine connected the way it is and only the determined nation states know certain flaws. In fact, one could argue that the hackers are more focused on the newer stuff.

      I also agree with the above poster that much thought should be given before such systems are needlessly connected to the Internet.

    5. Re:Not XP by Bert64 · · Score: 1

      Well for any system of importance, you should be doing *all of the above*...

      You shouldn't be connecting it to the internet, irrespective of how up to date it is.
      You shouldn't be running software which isn't receiving security fixes.
      You shouldn't be using general purpose software for a single purpose device.
      You shouldn't be running software which receives anything other than security fixes (i.e. you should only fix the bugs, not introduce any other changes).

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    6. Re:Not XP by Billly Gates · · Score: 1

      Sorry, you're an idiot if you run XP unpatched on an internet-enabled device for mission-critical infrastructure.

      Why do people make excuses for running 17-year-old software, saying "well, uh, 10 is not great either, look!" ... A lot of advances in security from Microsoft have come in since 2001. Since 2004, when Bill Gates wrote the security memo, MS now requires a security buddy to approve each product release.

      The result is both 7/10 are vastly more secure by default and, more importantly, ARE REGULARLY UPDATED. The Spectre you mentioned is a classic example of why running supported hardware/software is essential, so when something DOES occur the vendors are quick at work to release a fix.

      Just because you took something done 20 years ago with a serial cable does not mean keeping XP is a good idea for such a critical function.

      Someone should be fired. Both the IT manager and the super cheap CFO for not keeping up with the times assuming the SCADA required internet access. If it does you need a supported PC attached even if it costs $$$$.

  7. Can't we just illegalize monero? by lucasnate1 · · Score: 1

    Can't we just illegalize monero?

    1. Re:Can't we just illegalize monero? by Opportunist · · Score: 2

      Great idea!

      While we're at it, maybe we can outlaw malware as well?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Can't we just illegalize monero? by darth dickinson · · Score: 1

      Well the major exchanges could blacklist the coin and refuse to accept it. That will pretty effectively kill it I would imagine, if people can't easily trade it for fiat.

    3. Re:Can't we just illegalize monero? by Opportunist · · Score: 1

      Sure you can. And instantly somewhere in Generistan an exchange will open that takes a huge cut but accepts it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Why is any SCADA system still Internet-accessible? by adosch · · Score: 2

    I remember hearing the SCADA and industrial hacking news as far back as the early 2000's from when I got into the tech world, and even then, always the same take-away: Why are these systems even accessible outside the intranet they exist on? I'd even take it a step further and wonder why there isn't a much tamer form of a secured, air-gap datacenter approach to this? Anyone who's done or worked with building automation systems or even went to a tech school for SCADA operation knows this shit doesn't have to exist and be set up that way.

    I actually wondered what the hit-rate of SCADA attacks was, and I had no idea there was an online database of them that goes way back into the early 90's. And exposure to the internet is harder to hide from, shoot, most don't even have to try if they are using Shodan.

    I think that's the real issue and always has been. That really-old-Windows-OS-and-the-word-crypto-buzzword phrasing is just a tech journalism shock-jock plug to lighten the heat from the real problem.

  9. Stop connecting SCADA stuff to Windows! by Gravis Zero · · Score: 1, Insightful

    Seriously, stop connecting SCADA systems to computers running Windows. It really doesn't matter what you connect it to as long as it's not running an operating system that is well known for being vulnerable to attack!

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Stop connecting SCADA stuff to Windows! by ghoul · · Score: 1

      Windows is no more insecure than other systems. It just makes the news more as it is the preferred OS of morons. If the morons of the world were using Linux, the hackers would be targeting Linux and we would hear of new Linux hacks every day. Most hacks are due to something stupid a Windows user did which a Linux user would not.

      --
      **Life is too short to be serious**
    2. Re:Stop connecting SCADA stuff to Windows! by Locke2005 · · Score: 1

      Users can't be trusted. The security plan should be: admins make it impossible for users to do stupid things. If that includes physically disabling every USB port, then so be it. You definitely don't connect important equipment to the internet, at least without an up-to-date firewall.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
  10. Re:No, not it is not by Gravis Zero · · Score: 1

    CPU power is not a liquid which can run out of a drain.

    But hopefully with some advances in microfluidics it can be! ;)

    --
    Anons need not reply. Questions end with a question mark.
  11. Re:I have some past in this strange SCADA world by pr0fessor · · Score: 1

    One of my brothers manages the local water facility; he bitched and complained about a system with Windows XP, which was already EOL, until they finally replaced it with, of course, Windows 7 a little over a year ago. They now have a little less than two years before Windows 7 extended support ends.

  12. Re:No, not it is not by tsqr · · Score: 1

    It is not being literally drained of its CPU power. CPU power is not a liquid which can run out of a drain. Asshole.

    metaphor (noun): a figure of speech in which a term or phrase is applied to something to which it is not literally applicable in order to suggest a resemblance, as in “A mighty fortress is our God.”.

    Or maybe your problem is not drained, but the use of literally.
    literally (adverb): in effect; in substance; very nearly; virtually, as in "I literally died when she walked out on stage in that costume."

  13. Dumb Firewall by JBMcB · · Score: 2

    Seems simple to me. SCADA systems shouldn't be controllable over the internet, or by anything connected to the internet. For remote control, use leased lines. Hardly anyone uses ISDN or leased 56k lines anymore, so there's an easy solution.

    For monitoring, you can have an internet-connected data logger wired into the SCADA system with a serial port. Even if someone manages to hack into the data logger, you can't take over the SCADA system if it's not designed to accept commands over serial.

    I worked for a broadcast company that operated this way. The broadcast equipment could only be controlled by standing in front of the machine, or via a single hardwired remote terminal in the operations room that wasn't connected to anything else. It spit out a bunch of system status data over a serial port to a network-connected machine, but you couldn't control it that way.

    --
    My Other Computer Is A Data General Nova III.
  14. Re:No, not it is not by tigersha · · Score: 1

    Several APIs involving Queues and pipelining have a "drain" function call which clears it.

    --
    The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
  15. Re:I have some past in this strange SCADA world by skids · · Score: 1

    ...and this situation will just continue until either 1) operators realize they need in-house coders and are willing to pay them or 2) Some equipment supplier starts offering contractual guarantees to support future OSes and PHBs start to view that as a product feature and demand it for future purchases or 3) Some sort of OpenSource SCADA movement starts. Personally I don't see #3 as likely, don't think #2 has even entered the minds of the involved parties, and #1 would require a really smart PHB willing to compete in a tight labor market... which is kinda oxymoronic.

  16. Re:Get rich quick by Bert64 · · Score: 1

    Which is fine if the machines aren't yours and you don't have to pay for the power they use.
    A single machine may generate a trivial amount, but there are many thousands of insecure machines out there. Add them all up and you've got a lucrative earner.
    You don't even have to spend your own time collecting the machines, you can use automated scripts to scan for and infect machines.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  17. Re:I have some past in this strange SCADA world by nitehawk214 · · Score: 2

    The modus operandi of privately owned utility companies: Socialize losses, privatize profit.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
  18. Re:No, not it is not by HiThere · · Score: 1

    It can actually be an appropriate metaphor, though it's not clear that it is being used in that way in this case.

    One can say that a system can only provide so many computations, so if some application is consuming them to the detriment of other applications also trying to be computed, then it is appropriate to say the first application drained the system of its power.

    Or one can be talking about electrical power usage and figure that each computation consumes a certain amount of electrical power, so the application was draining the system of its power (in this case the computer system is acting as a combination transformer and conduit).

    So the headline could be appropriate. The summary, however, didn't seem to justify that particular use, and that jarred on me, also. But perhaps the original story *did* justify the use, so a harsh judgment is probably rather unwarranted.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  19. Stupid is as stupid does by Locke2005 · · Score: 1

    If you don't have an air gap between your critical infrastructure equipment and the internet, then you're an idiot. Why was it possible to open a browser on these machines in the first place?

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  20. Re:DIY Cryptocurrency Mining... by Locke2005 · · Score: 1

    You also need to wait several years to amortize the cost of each GPU...

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  21. Re:Why is any SCADA system still Internet-accessib by Billly Gates · · Score: 2

    For piracy and to prevent used SCADA sales. They must be on the internet all day to re-activate themselves.

    They also on purpose refuse to support anything after XP, to force repurchases of perfectly good working systems with 7 support. So CFOs buckle and keep XP on instead as a form of giving them the finger.

    Then the I.T. guy gets blamed when they get hacked because the CFO doesn't want to pay the extortion to throw out a good SCADA controller because the vendor wants more money and you can't be used just to ensure the PC attached gets security updates. Ridiculous.

    There should be laws, as this is part of infrastructure and something both China and Russia know too well if they want to hurt another country.

  22. Re:I have some past in this strange SCADA world by Darinbob · · Score: 1

    The issue with Windows XP, or 7, or 10, is to disconnect these critical infrastructure machines from the internet. If they are on the internet, then train users to not use a web browser on these critical machines. Upgrading the OS does not magically fix a poor security setup.