In the aftermath of the Oldsmar incident, in which an unidentified attacker gained access to a water treatment plant’s network and changed chemical dosing to dangerous levels, the FBI sent out an alert on Tuesday drawing attention to three security issues observed on the plant’s network during last week’s hack.
The alert, called a Private Industry Notification, or FBI PIN, warns about the use of out-of-date Windows 7 systems, poor passwords, and the desktop sharing software TeamViewer, and urges private companies and government organizations to review their internal networks and access policies accordingly.
TeamViewer considered the point of entry
The FBI PIN specifically names TeamViewer as a desktop sharing software to watch out for after the app was confirmed as the attacker’s entry point into the Oldsmar water treatment plant’s network.
According to a Reuters report, officials said the intruder connected to a computer on the Oldsmar water treatment plant’s network via TeamViewer on two occasions last Friday.
In the second one, the attacker actively took control of the operator’s mouse, moved it on screen, and made changes to sodium hydroxide (lye) levels that were being added to drinking water.
While the operator reversed the changes the hacker made almost immediately, the incident became an instant point of contention and discussion among security professionals.
Among the most common points brought up in online discussions was the use of the TeamViewer app to access resources on US critical infrastructure.
In a Motherboard report published on Tuesday, several well-known security experts criticized companies and workers who often use the software for remote work, calling it insecure and inadequate for managing sensitive resources.
While the FBI PIN alert doesn’t take a critical tone or stance against TeamViewer, the FBI would like federal and private sector organizations to take note of the app.
“Beyond its legitimate uses, TeamViewer allows cyber actors to exercise remote control over computer systems and drop files onto victim computers, making it functionally similar to Remote Access Trojans (RATs),” the FBI said.
“TeamViewer’s legitimate use, however, makes anomalous activity less suspicious to end users and system administrators compared to typical RATs.”
The FBI alert does not specifically tell organizations to uninstall TeamViewer or any other desktop sharing software. It warns, however, that TeamViewer and similar tools can be abused if attackers obtain employee account credentials, or if remote access accounts (such as those used for Windows RDP access) are protected by weak passwords.
FBI warns about Windows 7 use… again
In addition, the FBI alert warns about the continued use of Windows 7, an operating system that reached end of life on January 14, 2020, an issue the FBI also warned US companies about last year.
This part of the warning was included because the Oldsmar water treatment plant was still using Windows 7 systems on its network.
While there is no evidence that the attacker abused Windows 7-specific bugs, the FBI says that continuing to run the old operating system is dangerous because it is unsupported and no longer receives security updates, which leaves many systems exposed to newly discovered vulnerabilities.
However, a Cyberscoop report published today highlights the fact that the Oldsmar plant, along with many other US water treatment facilities, is underfunded and understaffed.
While the FBI warns against the use of Windows 7 for good reasons, many companies and US federal and state agencies may not be able to do anything about it without a serious financial investment in modernizing IT infrastructure from upper management, something that is not expected anytime soon in many places.
In these cases, the FBI recommends a series of basic security best practices as an interim way to mitigate threats, such as:
- Use multi-factor authentication;
- Use strong passwords to protect Remote Desktop Protocol (RDP) credentials;
- Ensure anti-virus, spam filters, and firewalls are up to date, properly configured, and secure;
- Audit network configurations and isolate computer systems that cannot be updated;
- Audit your network for systems using RDP, close unused RDP ports, apply two-factor authentication wherever possible, and log RDP login attempts;
- Audit logs for all remote connection protocols;
- Train users to identify and report attempts at social engineering;
- Identify and suspend access of users exhibiting unusual activity;
- Keep software updated.
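Three of the items above (logging RDP login attempts, auditing logs for all remote connection protocols, and identifying users with unusual activity) amount to one procedure: read the remote-access logs and flag sessions that do not fit site policy. The script below is an added example of that procedure; it is not code from the FBI PIN, the article, or TeamViewer. It audits two constructed inputs: Windows Security event 4624 records exported as JSON lines (logon type 10 is an RDP session) and a file laid out like TeamViewer's Connections_incoming.txt. The column order assumed for that file, the internal address ranges, the business hours, and the TeamViewer allow-list are all assumptions of the example.

```python
import ipaddress
import json
from datetime import datetime, time

# Constructed sample input: Windows Security event 4624 (successful logon)
# records exported as JSON lines. LogonType 10 is RemoteInteractive, i.e. an
# RDP session; other logon types are skipped by the audit below.
SAMPLE_4624 = """\
{"EventID": 4624, "LogonType": 10, "TargetUserName": "operator", "IpAddress": "10.20.0.15", "TimeCreated": "2021-02-05T08:12:44"}
{"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.20.0.9", "TimeCreated": "2021-02-05T08:15:02"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "operator", "IpAddress": "203.0.113.77", "TimeCreated": "2021-02-05T03:41:10"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "10.20.0.15", "TimeCreated": "2021-02-05T22:30:00"}
"""

# Constructed sample input in the layout of TeamViewer's Connections_incoming.txt
# (tab-separated: remote TeamViewer ID, display name, start, end, local user,
# connection type, connection GUID). That layout is an assumption of this example.
SAMPLE_TEAMVIEWER = """\
123456789\tPlant Vendor\t05-02-2021 09:02:11\t05-02-2021 09:20:45\toperator\tRemoteControl\t{0001}
987654321\tUnknown\t05-02-2021 13:04:30\t05-02-2021 13:09:12\toperator\tRemoteControl\t{0002}
"""

# Site policy for the example (hypothetical values): internal address space,
# the hours during which interactive remote sessions are expected, and the
# TeamViewer IDs that are allowed to connect in.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_HOURS = (time(7, 0), time(18, 0))
KNOWN_TEAMVIEWER_IDS = {"123456789"}


def is_internal(ip_text):
    """True if the source address belongs to one of the internal networks."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def in_business_hours(ts):
    """True if the timestamp's time of day falls inside BUSINESS_HOURS."""
    start, end = BUSINESS_HOURS
    return start <= ts.time() <= end


def audit_rdp(jsonl):
    """Flag RDP logons (event 4624, logon type 10) that come from outside the
    internal networks or outside business hours. One dict per suspicious session."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["EventID"] != 4624 or ev["LogonType"] != 10:
            continue
        ts = datetime.fromisoformat(ev["TimeCreated"])
        reasons = []
        if not is_internal(ev["IpAddress"]):
            reasons.append("external source address")
        if not in_business_hours(ts):
            reasons.append("outside business hours")
        if reasons:
            findings.append({"protocol": "RDP", "user": ev["TargetUserName"],
                             "source": ev["IpAddress"], "time": ev["TimeCreated"],
                             "reasons": reasons})
    return findings


def audit_teamviewer(text):
    """Flag incoming TeamViewer remote-control sessions from IDs that are not
    on the allow-list or that start outside business hours."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tv_id, name, start, _end, user, ctype, _conn = line.split("\t")
        started = datetime.strptime(start, "%d-%m-%Y %H:%M:%S")
        reasons = []
        if tv_id not in KNOWN_TEAMVIEWER_IDS:
            reasons.append("TeamViewer ID not on allow-list")
        if ctype == "RemoteControl" and not in_business_hours(started):
            reasons.append("outside business hours")
        if reasons:
            findings.append({"protocol": "TeamViewer", "user": user,
                             "source": f"{tv_id} ({name})", "time": start,
                             "reasons": reasons})
    return findings


def users_to_review(findings):
    """Accounts that appear in any finding, for the 'identify and suspend' step."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    all_findings = audit_rdp(SAMPLE_4624) + audit_teamviewer(SAMPLE_TEAMVIEWER)
    for f in all_findings:
        print(f"{f['protocol']:<10} {f['time']:<20} {f['user']:<10} "
              f"{f['source']:<28} {', '.join(f['reasons'])}")
    print("accounts to review:", users_to_review(all_findings))
```

On the constructed input, the internal daytime RDP logon and the allow-listed TeamViewer session pass; the 03:41 RDP logon from a public address, the 22:30 internal RDP logon, and the TeamViewer session from an unknown ID are flagged, and both `operator` and `admin` end up on the review list. The same two checks, source and time of day, are what make a TeamViewer session from an unknown party stand out even though the tool itself is legitimately installed, which is the point the FBI's RAT comparison makes.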