Microsoft Warns of Surge in Cyber Attacks Targeting Internet-Exposed OT Devices

Summary:
Microsoft has highlighted the urgent need to secure internet-exposed OT devices following a series of cyber attacks targeting such environments since late 2023. The Microsoft Threat Intelligence team stressed that these attacks highlight the critical need to improve OT security and prevent critical systems from becoming easy targets. Cyber attacks on OT systems can enable malicious actors to manipulate critical industrial process parameters, either programmatically through PLCs or using the human-machine interface, potentially causing malfunctions and outages. OT systems often lack sufficient security, making them vulnerable to exploitation, especially when connected to the internet. This connectivity exposes them to discovery through internet scanning tools and attacks leveraging weak passwords or outdated software.


Recently, Rockwell Automation advised customers to disconnect industrial control systems not meant for public internet exposure due to increasing geopolitical tensions and adversarial cyber activity. Similarly, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of pro-Russia hacktivists targeting North American and European industrial control systems, manipulating HMIs to disrupt water pumps and blower equipment.


Analyst Comment:
The onset of the Israel-Hamas war in October 2023 led to increased cyber attacks against poorly secured OT assets developed by Israeli companies, often conducted by Iran-affiliated groups like Cyber Av3ngers, Soldiers of Solomon, and Abnaa Al-Saada. These attacks targeted OT equipment in various sectors, both within Israel and internationally. Additionally, OT security firm Claroty reported on a destructive malware strain called Fuxnet, used by the Blackjack hacking group, allegedly backed by Ukraine, against Moscollector, a Russian company monitoring Moscow's underground water and sewage systems. Fuxnet can destroy filesystems, block device access, and physically damage NAND memory chips, rendering the devices inoperable.

Further, according to Kaspersky, internet, email clients, and removable storage devices were the main sources of threats to OT infrastructure in the first quarter of 2024. Malicious actors use scripts for various purposes, including collecting information, redirecting browsers to malicious sites, and uploading malware via the internet and email.


Suggested Corrections:
The analysis of the attack claims in question reveals diverse target profiles, so it is vital for organizations across all sectors to ensure security hygiene for their OT systems to prevent similar threats. Microsoft recommends the following mitigations:

  • Adopt a comprehensive IoT and OT security solution to allow visibility and monitoring of all IoT and OT devices, threat detection and response, and integration with SIEM/SOAR and XDR platforms such as Microsoft Sentinel and Microsoft Defender XDR.
  • Enable vulnerability assessments to identify unpatched devices in the organizational network and set workflows for initiating appropriate patch processes.
  • Reduce the attack surface by eliminating unnecessary internet connections to IoT devices and OT control systems. Verify that no OT system is directly connected to the internet, for example through IoT routers or cellular bridges (LTE or 3G). Close unnecessary open ports and services on the equipment, eliminating remote access entirely when possible and restricting access behind a firewall or VPN when full elimination cannot be achieved.
  • Implement Zero Trust practices by applying network segmentation to prevent an attacker from moving laterally and compromising assets after intrusion. OT devices and networks should be isolated from IT with firewalls. Extend vulnerability and exposure control beyond the firewall with Microsoft Defender External Attack Surface Management. Turn on attack surface reduction rules in Microsoft Defender for Endpoint to prevent common attack techniques such as those used by ransomware groups.
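As an added illustration of how the exposure checks above can be applied in practice (this is example code written for this digest, not a tool from Microsoft or the linked articles), the following script audits a constructed OT asset inventory for direct internet reachability, exposed remote-access services and out-of-date firmware, then ranks the findings. The asset fields, port list and severity scale are assumptions for the example.

```python
# Added example, not from Microsoft: audit a constructed OT inventory against the
# mitigations above (no direct internet path, no exposed remote-access services,
# patched firmware) and rank the findings for remediation.
from dataclasses import dataclass

# Remote-access services that should never be reachable from the internet.
# This port list is an assumption for the example, not a published standard.
REMOTE_ACCESS_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc", 80: "http", 443: "https"}

@dataclass
class OtAsset:
    name: str
    internet_reachable: bool   # reachable via public IP, cellular bridge or IoT router
    open_ports: list[int]
    firmware: str
    latest_firmware: str
    behind_vpn: bool = False   # access only via firewall/VPN, i.e. not directly exposed

def audit(asset: OtAsset) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs for one asset."""
    findings = []
    directly_exposed = asset.internet_reachable and not asset.behind_vpn
    if directly_exposed:
        findings.append(("critical", f"directly internet-reachable with open ports "
                                     f"{asset.open_ports}; remove path or put behind VPN"))
        for port in asset.open_ports:
            svc = REMOTE_ACCESS_PORTS.get(port)
            if svc:
                findings.append(("high", f"remote-access service {svc}/{port} exposed; close it"))
    if asset.firmware != asset.latest_firmware:
        findings.append(("medium", f"firmware {asset.firmware} behind {asset.latest_firmware}; patch"))
    return findings

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}

def prioritized_report(assets: list[OtAsset]) -> list[tuple[str, str, str]]:
    """Flatten all findings into (asset, severity, message) rows, worst first."""
    rows = [(a.name, sev, msg) for a in assets for sev, msg in audit(a)]
    return sorted(rows, key=lambda r: (SEVERITY_RANK[r[1]], r[0]))

# Constructed sample inventory for demonstration (not real devices).
SAMPLE = [
    OtAsset("plc-pump-01", True, [502, 80], "2.1", "2.3"),               # exposed + unpatched
    OtAsset("hmi-blower-02", True, [5900, 443], "4.0", "4.1", behind_vpn=True),  # VPN only
    OtAsset("plc-valve-03", False, [502], "2.3", "2.3"),                 # isolated, current
]

if __name__ == "__main__":
    for name, sev, msg in prioritized_report(SAMPLE):
        print(f"{sev:8} {name}: {msg}")
```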


Link(s):
https://thehackernews.com/2024/05/microsoft-warns-of-surge-in-cyber.html


https://www.microsoft.com/en-us/sec...-need-to-protect-internet-exposed-ot-devices/