Recent reporting on Lemon Duck, a new malware campaign targeting global manufacturers, is among the latest reminders of an enduring facet of the industrial cyber threat landscape: attacks on Windows machines with unpatched vulnerabilities in the Server Message Block (SMB) protocol stack. SMB security flaws continue to emerge, as evidenced by Microsoft accidentally releasing an advisory for a new "wormable" vulnerability in SMBv3 (CVE-2020-0796) on March 10.
Indeed, systems using SMB protocols have long been appealing targets for threat actors due to the prevalence of SMB vulnerabilities that, if exploited, can enable malware to self-spread laterally through connected systems. This is exactly what we've seen with Lemon Duck, as well as myriad previous attacks that have impacted the operational technology (OT) networks on which industrial enterprises and critical infrastructure rely.
One of the earliest examples of such an attack was in 2008 when the now-infamous Conficker Worm spread globally, infecting millions of Windows machines by exploiting SMB vulnerability MS08-067. It's been more than a decade since the initial infection, but Conficker continues to be detected in the wild today.
Another well-known example impacting industrial targets is the LockerGoga attack, which leveraged stolen credentials or brute-forcing to gain access to Windows-based networks and subsequently spreading via SMB protocols. LockerGoga severely disrupted numerous industrial firms in early 2019, forcing several plants to shift to manual operations.
Another notable example is NotPetya, the ransomware attack that wreaked widespread havoc in 2017. Although NotPetya did not specifically target industrial environments, its self-spreading capabilities—which, similar to Conficker and Lemon_Duck PowerShell, were enabled by an SMB vulnerability—caused the ransomware to unintentionally infect and damage OT networks around the world. NotPetya has since been widely recognized as the costliest and most destructive cyber attack in history.
These three examples comprise just a portion of those in which SMB protocols proved to be a major infection vector.
Moreover, it's crucial to recognize the significant threat such attacks pose to OT networks, which typically leverage SMB protocols to support the core functionalities of OT assets such as human-machine interfaces (HMIs), engineering stations, and historians, among others. Attacks that interfere with the operations of these assets can have a tremendous impact on process integrity, hindering the ability to control and monitor critical processes.
Our team at Claroty is intimately familiar with this threat and committed to helping our customers understand and mitigate it. To that end, we've spent years developing the following detection engines that can identify and help neutralize such attacks before they impact key assets:
Signature-based behavior detects known threats based on publicly known and indigenous signatures for malicious network traffic. This capability is enhanced with Claroty threat intelligence feeds, enabling an up-to-date database of threats that can be detected automatically.
Custom rule-based detection allows users to define and set alerts for potentially malicious network traffic patterns, supporting rapid investigations and the ability to prohibit specific types of traffic, such as SMB connections.
Anomaly-based detection leverages Claroty's deep packet inspection (DPI) capabilities to automatically segment your OT network into virtual zones where communication patterns between zones are clearly defined. Pattern deviations indicating potential threats result in a real-time, fully contextualized alert.
Security behavior detects known techniques and behavior patterns that have been used by attackers and alerts the network security team for further investigation
Operational behavior identifies OT operations occurring in your network across proprietary and open-source protocols, including configuration downloads and uploads, mode changes, key state changes, and firmware updates.
Together, these detection engines can quickly identify threats present within your OT network. Once a threat has been detected, Claroty assesses the validity and urgency of the alert to facilitate rapid action before key network components are impacted.
Deep visibility, continuous monitoring, and rapid detection are essential for defending your OT network, but preventative measures are also key. Many OT cyber threats can be prevented by consistent, well-informed vulnerability management practices. Claroty supports this best practice by keeping track of vulnerabilities within OT networks, such as outdated protocols, weak passwords, and common vulnerabilities and exposures (CVEs) relevant to the specific software versions on which your systems are running.
CWE-121 STACK-BASED BUFFER OVERFLOW:
Affected Vertiv products contain a stack based buffer overflow vulnerability. An attacker could exploit this vulnerability to gain code execution on the device.
Vertiv recommends users take the following actions:
CVSS v3: 9.8
CWE-288 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL:
Affected Vertiv products do not properly protect webserver functions that could allow an attacker to bypass authentication.
Vertiv recommends users take the following actions:
CVSS v3: 9.8
CWE 287: Improper Authentication
An Improper Authentication vulnerability exists in Danfoss AK-SM8xxA Series, resulting in an authentication bypass. Install the latest patch with number 4.2 to remediate this vulnerability. This flaw could enable an attacker to generate a web report that discloses sensitive information such as internal IP addresses, usernames, store names, and other sensitive information.e
CVSS v3: 8.2
CWE-798 USE OF HARD-CODED CREDENTIALS:
In Optigo Networks ONS NC600 versions 4.2.1-084 through 4.7.2-330, an attacker could connect with the device's ssh server and utilize the system's components to perform OS command executions.
Optigo Networks recommends users implement at least one of the following additional mitigations:
CVSS v3: 9.8
CWE-78 Improper Neutralization of Special Elements used in an OS Command:
A remote unauthenticated attacker who has bypassed authentication could execute arbitrary OS commands to disclose, tamper with, destroy or delete information in Mitsubishi Electric smartRTU, or cause a denial-of service condition on the product.
Mitsubishi Electric Europe B.V. recommends that users take note of the following mitigation measures to minimize the risk of exploiting this vulnerability:
CVSS v3: 9.8
