Sophos: New variant of Stuxnet malware and default SCADA passwords put critical infrastructure at risk
July 2010 by Sophos
IT security and data protection firm Sophos has issued new guidance and research on a Windows zero-day vulnerability that is already being used to target critical infrastructure systems, and for which exploit code has been made widely available.
Since first reporting on the vulnerability earlier this week, Sophos has now detected an additional variant of the malware payload, prompting concerns that further examples of the attack will materialise as the hackers attempt to avoid detection.
SophosLabs has termed the flaw the "CPLINK" vulnerability, and its researchers have found that it is present in all Windows platforms - including Windows 2000 and Windows XP SP2, both of which Microsoft ceased official support for last week. Initially associated with removable USB storage devices, the CPLINK vulnerability requires no direct user interaction to deliver its payload, which Sophos has named the Stuxnet-B Trojan. Early versions of the malware have been programmed to seek out SCADA software (Supervisory Control And Data Acquisition) by Siemens Corporation, which is used in managing industrial infrastructures such as power grids and manufacturing plants.
"The threat from the exploit is high as all a user has to do is open a device or folder – without clicking any icons – and the exploit will automatically run," said Graham Cluley, senior technology consultant at Sophos. "With an additional variant of the malware already on the loose, the potential for this exploit to become more widespread is growing rapidly."
The issue has been compounded by the revelation that default passwords, hardcoded into the Siemens SCADA system, have been widely available on the Net since 2008 – and Siemens has issued guidance that operators should not now change passwords in response.
"Siemens is worried that if critical infrastructure customers change their SCADA password – to hinder the malware's attempt to access their system – they could at the same time throw their systems into chaos," continued Cluley. "This is a horrible situation. Good security practice would be for the systems that look after critical infrastructure to not use the same password. Furthermore, the systems shouldn't be hard-coded to expect the password to always be the same – which results in any change to the password resulting in a right royal mess."
Sophos has updated its protection for customers, detecting the attacks that have already been seen and issuing proactive defences against future threats based upon the exploit. Microsoft, meanwhile, is believed to be working on an emergency patch to fix the vulnerability in their software.