Israel appears to have thwarted a large-scale attempt at a critical-infrastructure cyber attack against its national water supply. An internal report from Israel's Water Authority indicates that the incident occurred between Friday, April 24 and Saturday, April 25.
According to a statement from Israel's National Cyber Directorate, the attempted attack targeted the command and control systems of Water Authority's wastewater treatment plants, pumping stations, and sewage infrastructure. A follow-up statement from the Water Authority and National Cyber Directorate reported the incident appeared to be coordinated, but no damage had occurred.
Organizations affected by the attempted attack were ordered to immediately reset the passwords for all of the facility's operational technology (OT) systems—especially those related to chlorine control—and ensure all control software was updated. If it's not possible to change the passwords for certain systems, personnel were advised to disconnect these systems from the internet entirely.
This attempted attack highlights that while water infrastructure often eludes the public's attention as a major source of cyber risk, it remains susceptible to both targeted and non-targeted threats. A combination of legacy systems, growing connectivity, and federated management—most water utilities are owned and operated at a local level—warrants a high prioritization of cybersecurity for the water and wastewater sectors on a global level.
As with most OT systems, our water infrastructure demands a granular level of visibility to detect not only latent threats on the network, but also anomalies that might be indicative of a threat or could subject the network to even novice hackers. Misconfigurations and known vulnerabilities effectively lower the barriers to entry for threat actors and increase the risk of exploitation. Furthermore, as information technology (IT) networks converge with OT networks, owners and operators of water infrastructure should be ever-vigilant against account compromises that might grant an attack direct access to industrial control systems. This includes employees and third-party vendors that are accessing the infrastructure remotely.
The security and reliability of critical infrastructure—such as water, power, and telecommunications—is more essential than ever amid the current global pandemic. For more insight into securing critical infrastructure in our current global environment, check out our recent, three-part blog series from Admiral (Ret.) Michael S. Rogers, Chairman of Claroty's Customer Advisory Board: (part 1), (part 2), (part 3).
CWE-121 STACK-BASED BUFFER OVERFLOW:
Affected Vertiv products contain a stack based buffer overflow vulnerability. An attacker could exploit this vulnerability to gain code execution on the device.
Vertiv recommends users take the following actions:
CVSS v3: 9.8
CWE-288 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL:
Affected Vertiv products do not properly protect webserver functions that could allow an attacker to bypass authentication.
Vertiv recommends users take the following actions:
CVSS v3: 9.8
CWE 287: Improper Authentication
An Improper Authentication vulnerability exists in Danfoss AK-SM8xxA Series, resulting in an authentication bypass. Install the latest patch with number 4.2 to remediate this vulnerability. This flaw could enable an attacker to generate a web report that discloses sensitive information such as internal IP addresses, usernames, store names, and other sensitive information.e
CVSS v3: 8.2
CWE-798 USE OF HARD-CODED CREDENTIALS:
In Optigo Networks ONS NC600 versions 4.2.1-084 through 4.7.2-330, an attacker could connect with the device's ssh server and utilize the system's components to perform OS command executions.
Optigo Networks recommends users implement at least one of the following additional mitigations:
CVSS v3: 9.8
CWE-78 Improper Neutralization of Special Elements used in an OS Command:
A remote unauthenticated attacker who has bypassed authentication could execute arbitrary OS commands to disclose, tamper with, destroy or delete information in Mitsubishi Electric smartRTU, or cause a denial-of service condition on the product.
Mitsubishi Electric Europe B.V. recommends that users take note of the following mitigation measures to minimize the risk of exploiting this vulnerability:
CVSS v3: 9.8
