Microsoft released a security advisory on May 14 for a vulnerability it says could enable a wormable malware attack similar to WannaCry. The WannaCry ransomware attack had disastrous effects and impacted businesses worldwide, including industrial control system (ICS) entities like automotive manufacturers, rail service providers, and some U.S. utilities. So, Microsoft’s warning greatly concerns ICS asset owners and operators.
The vulnerability lies in Remote Desktop Services, used worldwide by many industrial environments to enable remote operators and engineers to access control system environments. Specifically, an adversary can attack a computer running this service, allowing them to delete files, make changes to data, create accounts with administrative privileges, or launch a malware attack.
ICS environments are at greater risk of attackers exploiting this vulnerability due to such environments operating older Windows systems and systems that receive less frequent updates. Engineering workstations (EWS), human machine interfaces (HMIs), data historians, and OPC servers all run Windows operating systems.
Users of Windows 8 and 10, and of Windows Server 2012 and newer, are not affected by this vulnerability, meaning many consumers do not have to worry about patching. It is, however, a major issue for older Windows operating systems.
The flaw (CVE-2019-0708) affects Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows 2003 and Windows XP. Microsoft has issued updates for all affected systems including pushing patches for Windows 2003 and Windows XP which are no longer officially supported by Microsoft and generally do not receive new security updates.
There is a partial fix for some systems affected by the RDP vulnerability. Systems that have Network Level Authentication (NLA) enabled are protected against wormable malware that could exploit the vulnerability, because NLA requires user credentials before the vulnerability can be triggered. NLA is a security mechanism for ensuring the people who want to remotely log in to computers are authenticated before they can connect. However, if an attacker has stolen legitimate credentials, they can authenticate as a real user and bypass this protection.
To help better understand the scope and outcomes of the Remote Desktop Services vulnerability, Dragos created the following table. The outcome – or what an attacker can achieve by exploiting the vulnerability – is based on what version of Windows is being exploited.
Exploitation of the vulnerability has not yet been observed in the wild. However, Microsoft has a working proof of concept, and it is likely adversaries will incorporate this vulnerability into attacks soon.
In ICS, system reliability is crucial, and taking machines offline to receive patches means experiencing potential downtime and loss of production, and potentially, revenue. This balancing act often favors foregoing necessary security updates in order to keep operations up and running. But patches for some vulnerabilities such as CVE-2019-0708 or MS17-010 (patches for WannaCry) are vital to apply. Asset owners and operators should test Microsoft’s recently released patches on test devices and then patch production devices as soon as possible. This is especially important for DMZ Jump Box systems, which may have exposure to corporate networks and would be the initial ICS entry point for any future worm which uses this vulnerability.
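The following script is an added example, not part of the Dragos post, that audits a single Windows host for the two controls discussed above: whether the CVE-2019-0708 update is installed, and whether NLA is required as the partial mitigation when it is not. The `$PatchKBs` list is a placeholder; fill it with the KB identifiers from Microsoft's advisory for the host's operating system, and run it in an elevated Windows PowerShell session on the workstation, historian or jump box being checked.

```powershell
# Added example (not from the Dragos post): audit one Windows host for the
# CVE-2019-0708 mitigations the post describes: update installed, NLA required,
# and whether Remote Desktop is enabled at all. Uses Get-WmiObject so it also
# runs on the older Windows PowerShell versions found on legacy ICS hosts.
# $PatchKBs is an assumed placeholder; fill it from Microsoft's advisory.
param(
    [string[]]$PatchKBs = @('KB_PLACEHOLDER_FROM_MICROSOFT_ADVISORY')
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

# fDenyTSConnections = 1 means Remote Desktop is disabled on this host.
$rdpDisabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
    -ErrorAction SilentlyContinue).fDenyTSConnections -eq 1

# UserAuthentication = 1 means NLA must succeed before a session is created.
# This is the partial mitigation from the post: stolen credentials still bypass it.
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
    -ErrorAction SilentlyContinue).UserAuthentication -eq 1

# Check whether any of the named updates appears among installed hotfixes.
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty HotFixID
$patched = @($PatchKBs | Where-Object { $installed -contains $_ }).Count -gt 0

$os = (Get-WmiObject -Class Win32_OperatingSystem).Caption

# Rank exposure: patched hosts are remediated, NLA-only hosts are partially
# protected, and unpatched hosts without NLA are fully exposed to a worm.
if ($rdpDisabled)     { $status = 'RDP disabled' }
elseif ($patched)     { $status = 'Patched' }
elseif ($nlaRequired) { $status = 'Unpatched - NLA required (partial mitigation)' }
else                  { $status = 'Unpatched - NLA not required (exposed)' }

[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    OS          = $os
    RdpDisabled = $rdpDisabled
    NlaRequired = $nlaRequired
    Patched     = $patched
    Status      = $status
}
```

Hosts reporting "Unpatched - NLA not required (exposed)" on the DMZ jump box tier are the ones to prioritise, since they are both reachable from the corporate network and lack even the partial mitigation.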
As we explained in the Dragos 2018 year in review report, commodity malware and wormable ransomware causing ICS infections contributed to greater risk within the ICS space last year, and this is likely to continue throughout 2019.
Full reports on this vulnerability and all threats, vulnerabilities, cyber events, and adversaries related to ICS are available to Dragos WorldView Threat Intelligence customers.