Recent reporting on Lemon Duck, a new malware campaign targeting global manufacturers, is among the latest reminders of an enduring facet of the industrial cyber threat landscape: attacks on Windows machines with unpatched vulnerabilities in the Server Message Block (SMB) protocol stack. SMB security flaws continue to emerge, as evidenced by Microsoft accidentally releasing an advisory for a new "wormable" vulnerability in SMBv3 (CVE-2020-0796) on March 10.
Indeed, systems using SMB protocols have long been appealing targets for threat actors due to the prevalence of SMB vulnerabilities that, if exploited, can enable malware to self-spread laterally through connected systems. This is exactly what we've seen with Lemon Duck, as well as myriad previous attacks that have impacted the operational technology (OT) networks on which industrial enterprises and critical infrastructure rely.
One of the earliest examples of such an attack was in 2008 when the now-infamous Conficker Worm spread globally, infecting millions of Windows machines by exploiting SMB vulnerability MS08-067. It's been more than a decade since the initial infection, but Conficker continues to be detected in the wild today.
Another well-known example impacting industrial targets is the LockerGoga attack, which leveraged stolen credentials or brute-forcing to gain access to Windows-based networks and subsequently spreading via SMB protocols. LockerGoga severely disrupted numerous industrial firms in early 2019, forcing several plants to shift to manual operations.
Another notable example is NotPetya, the ransomware attack that wreaked widespread havoc in 2017. Although NotPetya did not specifically target industrial environments, its self-spreading capabilities—which, similar to Conficker and Lemon_Duck PowerShell, were enabled by an SMB vulnerability—caused the ransomware to unintentionally infect and damage OT networks around the world. NotPetya has since been widely recognized as the costliest and most destructive cyber attack in history.
These three examples comprise just a portion of those in which SMB protocols proved to be a major infection vector.
Moreover, it's crucial to recognize the significant threat such attacks pose to OT networks, which typically leverage SMB protocols to support the core functionalities of OT assets such as human-machine interfaces (HMIs), engineering stations, and historians, among others. Attacks that interfere with the operations of these assets can have a tremendous impact on process integrity, hindering the ability to control and monitor critical processes.
Our team at Claroty is intimately familiar with this threat and committed to helping our customers understand and mitigate it. To that end, we've spent years developing the following detection engines that can identify and help neutralize such attacks before they impact key assets:
Signature-based behavior detects known threats based on publicly known and indigenous signatures for malicious network traffic. This capability is enhanced with Claroty threat intelligence feeds, enabling an up-to-date database of threats that can be detected automatically.
Custom rule-based detection allows users to define and set alerts for potentially malicious network traffic patterns, supporting rapid investigations and the ability to prohibit specific types of traffic, such as SMB connections.
Anomaly-based detection leverages Claroty's deep packet inspection (DPI) capabilities to automatically segment your OT network into virtual zones where communication patterns between zones are clearly defined. Pattern deviations indicating potential threats result in a real-time, fully contextualized alert.
Security behavior detects known techniques and behavior patterns that have been used by attackers and alerts the network security team for further investigation
Operational behavior identifies OT operations occurring in your network across proprietary and open-source protocols, including configuration downloads and uploads, mode changes, key state changes, and firmware updates.
Together, these detection engines can quickly identify threats present within your OT network. Once a threat has been detected, Claroty assesses the validity and urgency of the alert to facilitate rapid action before key network components are impacted.
Deep visibility, continuous monitoring, and rapid detection are essential for defending your OT network, but preventative measures are also key. Many OT cyber threats can be prevented by consistent, well-informed vulnerability management practices. Claroty supports this best practice by keeping track of vulnerabilities within OT networks, such as outdated protocols, weak passwords, and common vulnerabilities and exposures (CVEs) relevant to the specific software versions on which your systems are running.
CWE-35 Path Traversal:
011209 Intercom could allow an authenticated attacker to upload arbitrary files to multiple locations within the system.
CyberData recommends users update to v22.0.1
CVSS v3: 9.8
CWE-522 Insufficiently Protected Credentials:
011209 Intercom does not properly store or protect web server admin credentials.
CyberData recommends users update to v22.0.1
CVSS v3: 7.5
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'):
011209 Intercom could allow an unauthenticated user to gather sensitive information through blind SQL injections.
CyberData recommends users update to v22.0.1
CVSS v3: 5.3
CWE-306 Missing Authentication for Critical Function:
011209 Intercom exposes features that could allow an unauthenticated to gain access and cause a denial-of-service condition or system disruption.
CyberData recommends users update to v22.0.1
CVSS v3: 7.5
CWE-288 Authentication Bypass Using an Alternate Path or Channel:
011209 Intercom could allow an unauthenticated user access to the Web Interface through an alternate path.
CyberData recommends users update to v22.0.1
CVSS v3: 9.8