The U.S. government’s cybersecurity department is pleading with sensitive infrastructure defenders on the back of last week’s lye-poisoning threat on a small water plant in Florida to rip-and-replace Windows 7 from their networks as a matter of urgency.
The new government request, released by a joint Cybersecurity and Infrastructure Protection Agency (CISA) alert, arrives in the wake of news that the remote breach of the water plant near Tampa Bay was blamed on bad password hygiene and assaults on computers running the out-of-service Windows 7 operating system from Microsoft. All of the machines used the same remote control password in addition to running Windows 7 on computers at the factory.
More than a year ago, Microsoft ended support for Windows 7, but as cybersecurity analysts warn on a non-stop basis, the plants and factories that operate sensitive infrastructure are transitioning to newer operating systems quite slowly.
This ensures the security fixes for remote, code-execution bugs will stay unpatched until companies buy an Extended Security Upgrade (ESU) plan from Microsoft. For Windows 7 Advanced and Business versions, the ESU is a per-device package, with an elevated price the longer a consumer chooses to use it.
More ominously, until January 2023, Microsoft will only sell the ESU plan, ensuring that any delayed enterprise lagging behind OS migration plans will sit down for hazardous hacker attacks.
The continued use of Windows 7 raises the possibility of the manipulation of a computer system by cyber actors. The organization cautioned that cyber criminals continue to find entry points into legacy Windows operating systems and leverage vulnerabilities of Remote Desktop Protocol (RDP). “With the development of a working commercial exploit for the vulnerability, malicious RDP activity has increased since the end of July 2019. In order to execute cyberattacks, cyber actors also use misconfigured or poorly protected RDP access controls.
The department all but accepted news claims in its newsletter that the TeamViewer program was used to obtain inappropriate access to the device. By leveraging cybersecurity vulnerabilities, including inadequate login protection, and an obsolete operating system, cyber attackers likely accessed the system,” the agency said, repeating urgent warnings that they present a perfect playbook and roadmap into sensitive networks.”
As previously reported, on February 5, the hack was discovered — and neutralized — in real time by workers at the plant that provides water to Oldsmar, a small town near Tampa, Florida.
Local law enforcement authorities said an unnamed competitor secretly hacked into the plant and sought to increase sodium hydroxide levels by a factor of more than 100.
Sodium hydroxide, also known as lye, regulates the acidity of drinking water, however the public can be physically affected by increased amounts maliciously applied to the water system.
Clear mitigation guidelines for hardening ICS/SCADA networks around the country are given in the joint advisory. They include:
- Updating to the most current iteration of the operating system (e.g. Windows 10).
- Using authentication multiple-factor.
- To secure Remote Desktop Protocol (RDP) credentials, use solid passwords.
- Ensure the anti-virus, spam filters and firewalls are up-to-date, installed and protected properly.
- Audit network parameters and isolate operating devices that are unable to upgrade.
- Audit the network for RDP-enabled systems, close unused RDP ports, add multi-factor authentication where possible, and log RDP login attempts.
- Audit logs on all protocols for remote connections.
- Train users to spot and report social engineering attempts.
- Identify and suspend user access that exhibits unusual activity.
In addition to ditching Windows 7, the department advised network supporters to shut down desktop-sharing applications from TeamViewer to ensure good hygiene of keys and the use of rules.