After the Oldsmar attack, FBI warns of using TeamViewer and Windows 7

Image: ZDNet

In the aftermath of the Oldsmar incident, where an unidentified attacker gained access to a water treatment plant’s network and modified chemical dosages to dangerous levels, the FBI sent an alert on Tuesday, calling attention to three security issues that were seen on the plant’s network after last week’s hack.

The alert, called a Private Industry Notification, or FBI PIN, warns against using outdated Windows 7 systems, bad passwords and TeamViewer desktop sharing software, urging private companies and federal and government organizations to review internal networks and access policies accordingly.

TeamViewer considered the entry point

The FBI PIN specifically names TeamViewer as desktop sharing software to watch out for, after the application was confirmed as the attacker’s entry point into the Oldsmar water treatment plant’s network.

According to a Reuters report, officials said the intruder connected to a computer on the network at the Oldsmar water treatment plant via TeamViewer on two occasions last Friday.

In the second intrusion, the attacker actively took control of the operator’s mouse, moved it around the screen, and made changes to the levels of sodium hydroxide (caustic soda) that were being added to drinking water.

While the operator reversed the changes the hacker made almost immediately, the incident became an instant point of contention and discussion among security professionals.

One of the most common points raised in online discussions was the use of the TeamViewer application to access resources in the critical US infrastructure.

In a Motherboard report published on Tuesday, several well-known security experts criticized companies and employees who often use the software for remote work, calling it insecure and inappropriate to manage confidential resources.

While the FBI PIN alert does not take a critical tone or stance against TeamViewer, the FBI would like federal and private sector organizations to take note of the application.

“In addition to its legitimate uses, TeamViewer allows cyber attackers to remotely control computer systems and play files on victims’ computers, making it functionally similar to remote access Trojans (RATs),” said the FBI.

“The legitimate use of TeamViewer, however, makes anomalous activity less suspicious for end users and system administrators compared to typical RATs.”

The FBI alert does not specifically tell organizations to uninstall TeamViewer or any other type of desktop sharing software, but warns that TeamViewer and similar software can be abused if attackers gain access to employee account credentials or if remote access accounts (such as those used for Windows RDP access) are protected with weak passwords.

FBI warns of using Windows 7 … again

In addition, the FBI alert also warns of continued use of Windows 7, an operating system that reached its end of life last year, on January 14, 2020, an issue that the FBI has also alerted American companies to in the last year.

This part of the warning was included because the Oldsmar water treatment plant was still using Windows 7 systems on its network.

While there is no evidence to suggest that attackers abused specific Windows 7 bugs, the FBI says that continuing to use the old operating system is dangerous because it is no longer supported and does not receive security updates, which currently leaves many systems exposed to attacks via newly discovered vulnerabilities.

However, a Cyberscoop report published today highlights the fact that the Oldsmar plant, along with many other water treatment facilities in the United States, is often short of funds and personnel.

Although the FBI warns against using Windows 7 for good reason, many US federal and state companies and agencies may not be able to do anything about it, barring a serious financial investment from upper management in modernizing IT infrastructure, something that is not expected anytime soon in many locations.

In such cases, the FBI recommends a series of basic security best practices as an intermediate way to mitigate threats, such as:

  • Use multi-factor authentication;
  • Use strong passwords to protect Remote Desktop Protocol (RDP) credentials;
  • Ensure anti-virus software, spam filters and firewalls are up to date, properly configured and secure;
  • Audit network settings and isolate computer systems that cannot be updated;
  • Audit your network for systems using RDP, closing unused RDP ports, applying two-factor authentication whenever possible and logging RDP login attempts;
  • Audit logs for all remote connection protocols;
  • Train users to identify and report attempts at social engineering;
  • Identify and suspend access for users exhibiting unusual activity;
  • Keep the software up to date.
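
As an added illustration of the RDP logging and log-audit items above (this is not code from the FBI alert or the original article), the following Python sketch reviews Windows Security-log logon events (4624 success, 4625 failure) for RDP sessions (LogonType 10). The JSON-lines export format, the allowlisted jump host address, the thresholds and the sample events are all assumptions constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Security-log events exported as JSON lines (assumed export format).
SAMPLE = """\
{"TimeCreated":"2021-03-01T08:01:10","EventID":4625,"LogonType":10,"TargetUserName":"operator","IpAddress":"203.0.113.7"}
{"TimeCreated":"2021-03-01T08:01:40","EventID":4625,"LogonType":10,"TargetUserName":"operator","IpAddress":"203.0.113.7"}
{"TimeCreated":"2021-03-01T08:02:05","EventID":4625,"LogonType":10,"TargetUserName":"operator","IpAddress":"203.0.113.7"}
{"TimeCreated":"2021-03-01T08:02:30","EventID":4624,"LogonType":10,"TargetUserName":"operator","IpAddress":"203.0.113.7"}
{"TimeCreated":"2021-03-01T09:15:00","EventID":4624,"LogonType":10,"TargetUserName":"admin","IpAddress":"10.0.5.20"}
{"TimeCreated":"2021-03-01T09:20:00","EventID":4624,"LogonType":2,"TargetUserName":"operator","IpAddress":"-"}
{"TimeCreated":"2021-03-01T13:30:00","EventID":4624,"LogonType":10,"TargetUserName":"operator","IpAddress":"198.51.100.9"}
"""

ALLOWED_SOURCES = {"10.0.5.20"}   # hypothetical jump host permitted to use RDP
FAIL_THRESHOLD = 3                # failed logons from one source that count as guessing
WINDOW = timedelta(minutes=10)    # how far back failures are counted
RDP_LOGON_TYPE = 10               # RemoteInteractive (Terminal Services / RDP)

def audit_rdp(lines, allowed=ALLOWED_SOURCES):
    """Return (time, ip, user, reason) findings for RDP logons, in time order."""
    failures = defaultdict(list)  # source ip -> timestamps of failed RDP logons
    findings = []
    events = [json.loads(line) for line in lines.splitlines() if line.strip()]
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["LogonType"] != RDP_LOGON_TYPE:
            continue              # console, service and network logons are out of scope
        ts = datetime.fromisoformat(ev["TimeCreated"])
        ip, user = ev["IpAddress"], ev["TargetUserName"]
        if ev["EventID"] == 4625:
            failures[ip].append(ts)
        elif ev["EventID"] == 4624:
            recent = [t for t in failures[ip] if ts - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                findings.append((ev["TimeCreated"], ip, user,
                                 "success after repeated failures"))
            if ip not in allowed:
                findings.append((ev["TimeCreated"], ip, user,
                                 "source not on allowlist"))
            failures[ip].clear()  # a successful logon resets the failure streak
    return findings

if __name__ == "__main__":
    for finding in audit_rdp(SAMPLE):
        print(*finding, sep="  ")
```
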
