Daily CyberSecurity

Positive Technologies: “73 percent of industrial organizations’ networks are vulnerable to hackers”

Ddos May 8, 2018 5 minutes read

Security company Positive Technologies analyzed data from more than a dozen companies in the global oil and gas, metallurgy and energy industries. Its research report, released on May 3, 2018, points out that hackers may penetrate the corporate network and use it as a springboard to access the industrial environment.

Positive Technologies researchers successfully infiltrated up to 73% of industrial organizations. In 82% of successful penetration cases, researchers could use this foothold as a springboard to reach the extensive industrial network of Industrial Control System (ICS) equipment.

The proportion of ICS vulnerable to malicious hacking is really worrying. ICS is a technical term that covers a wide range of systems, including SCADA, used to control manufacturing, power and wastewater treatment, the oil and gas industry, and many other industrial automation sectors.

Although most earlier ICS deployments were physically isolated from untrusted networks such as the public Internet, this practice has now been phased out. Many ICSs now use a mix of traditional and modern technologies to add hyper-connectivity, including dial-up networking, Bluetooth, and physical serial connections. He said, “Mobile applications have even emerged to help manage and monitor ICS devices.”

The companies the firm analyzed and tested were exposed through SSH, Telnet, RDP, and other management interfaces:

  • 91% of companies still use dictionary passwords for privileged users;
  • In 82% of cases, other types of security flaws at the network perimeter exposed the DBMS interface;
  • In 64% of cases, vulnerable software was in use;
  • In 64% of cases, insecure protocols were in use;
  • 45% of cases had an arbitrary file upload vulnerability;
  • In 36% of cases, there were remote command execution vulnerabilities and excessive software and user privileges;
  • In about 80% of cases, the difficulty of exploiting these flaws was “low” or “very low.”

Researchers discovered a large number of vulnerabilities in corporate networks that allow malicious attackers to escalate privileges and move laterally. The most common problems are weak passwords, vulnerable software and operating systems, and flaws in network segmentation and traffic filtering.

In about two-thirds of companies, hackers could use special control channels that bypass the demilitarized zone (DMZ) to access industrial networks.

In 45% of cases, the researchers found that traffic filtering between the networks was poor, while some companies had no quarantine zone (18%) or no network segmentation (18%) between the networks.

Positive Technologies pointed out in the report that these flaws are very serious: once an attack succeeds, critical servers are threatened. The risk of remotely controlling the gateway server through a dedicated channel seems lower, because the attacker needs access to a specific workstation in the enterprise information system. In most cases, however, this method of infiltrating industrial networks proved successful.

Security vulnerabilities that were fixed long ago on common systems persist in industrial control systems, because companies are afraid to make any adjustments or perform any operations that may lead to business downtime. More importantly, the methods used to protect ICS in the industrial sector, such as isolating devices from Internet-connected systems, often fail to prevent attacks.

Research shows that even when network segmentation is properly deployed, attackers can still access industrial systems. One route is to gain administrator access to the firewall and reconfigure it to allow connections from malicious or infected devices.

Researchers said that the most successful attack vectors currently rely on exploiting security vulnerabilities in Web applications, including SQL injection, arbitrary file upload, and remote command execution. The report stated that “almost every enterprise is using a dictionary password to protect the Web server management system or to protect the remote access mechanism through a management protocol, which means that in as many as one-third of the attack cases, malicious people need only one successful intrusion to gain access to the LAN.”

The U.S. Federal Bureau of Investigation (FBI) and the U.S. Department of Homeland Security (DHS) issued a joint warning last month alleging that Russian state-backed hacking groups used the process described by Positive Technologies to attack U.S. grid infrastructure: first get a foothold in the site, then move to a critical system.

The warning states that “DHS and the FBI categorized this as a multi-stage intrusion campaign initiated by cyber attackers supported by the Russian government. This activity is aimed at small commercial facility networks, where they run malicious software, carry out spear phishing attacks, and gain remote access to energy sector networks. After gaining access, the Russian government-supported cyber attackers further perform network reconnaissance, lateral movement, and collect information related to the Industrial Control System (ICS).”

On May 3, 2018, Tenable, a network security vendor from Maryland, disclosed security flaws in two applications widely used by manufacturers and power plants. The company said that these flaws may allow hackers to further increase their access to the ICS device network.

 

Researchers have found that in many cases, due to weak or inadequate protection, attackers can easily obtain the necessary credentials. An attacker can obtain credentials of the enterprise IT system (usually stored in clear text) by attacking the firewall directly or by obtaining an encrypted password.

Source: ptsecurity
