BreachExchange mailing list archives

Intruders hack industrial heating system using backdoor posted online


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Sat, 15 Dec 2012 15:05:38 -0500

http://arstechnica.com/security/2012/12/intruders-hack-industrial-control-system-using-backdoor-exploit/

Hackers illegally accessed the Internet-connected controls of a New
Jersey-based company's internal heating and air-conditioning system by
exploiting a backdoor in a widely used piece of software, according to
a recently published memo issued by the FBI.

The backdoor was contained in older versions of the Niagara AX
Framework, which is used to remotely control boiler, heating, fire
detection, and surveillance systems for the Pentagon, the FBI, the US
Attorney's Office, and the Internal Revenue Service, among many
others. The exploit gave hackers using multiple unauthorized US and
international IP addresses access to a "Graphical User Interface
(GUI), which provided a floor plan layout of the office, with control
fields and feedback for each office and shop area," according to the
memo, which was issued in July. "All areas of the office were clearly
labeled with employee names or area names."

An IT contractor for the unnamed business told FBI agents the "Niagara
control box was directly connected to the Internet with no interposing
firewall," according to the memo, which was published Saturday by
Public Intelligence. The website has an established track record of
posting authentic government documents. Barbara Woodruff, a
spokeswoman in the Newark, New Jersey division of the FBI, where the
memo originated, said the document appeared to be authentic.

The unauthorized access began in February, a few weeks after someone
using the Twitter handle @ntisec posted comments indicating hackers
were targeting SCADA—or supervisory control and data
acquisition—systems. One tweet included a list of Internet addresses,
including one that was assigned to the heating system belonging to the
New Jersey business. The hack came five months before security
researchers Billy Rios and Terry McCorkle blew the whistle on serious
vulnerabilities in the Niagara system, which is marketed by Tridium, a
company with US offices located in Richmond, Virginia.

Only getting worse

The revelation that Niagara vulnerabilities have been actively
exploited in the wild is significant because the system is widely used
to control critical equipment used around the world. Further, the
number of Internet-facing Niagara systems appears to be growing. A
search using the Shodan computer search engine late last year found
about 16,000 systems, with more than 12,000 of those based in the US,
according to Billy Rios, one of the security researchers who
documented the vulnerabilities in the industrial control system. This
year, the same search returned more than 20,000 systems, with about
16,000 of them in the US. While patches released earlier this year
apply only to versions 3.5 and 3.6 of Niagara, Shodan continues to
show "tons" of systems running earlier versions, including 1.1, Rios
said.

"These things keep popping up," he told Ars. "It's not going away.
It's getting worse."

Perhaps the only other documented case of an industrial control system
being breached in the US came in 2009, when a security guard abused
his physical access to breach computers that controlled
air-conditioning systems at a Texas hospital. The intrusion came to
light after he posted screenshots and other evidence showing he had
control of the systems that cool operating rooms and other critical
areas of the Texas facility, where temperatures regularly hit the
triple digits. He has spent most of his time since in federal prison.

The FBI's "Situational Information Report" referred to the hacked
company as US Business 1 and described it as a New Jersey air
conditioning company. The report said the system the hackers intruded
on controlled the company's internal heating, ventilation and air
conditioning units.

"The main control box for the HVAC system of US Business 1 was a
Tridium brand, Niagara model controller," the memo stated. "US
Business 1 actively used this system in-house, but also installed the
control system for customers, which included banking institutions and
other commercial entities. An IT contractor of US Business 1 confirmed
the Niagara control box was directly connected to the Internet with no
interposing firewall."

The memo continued: "US Business 1 had a controller for the system
that was password protected, but was set up for remote/Internet
access. By using the link posted by the hacktivist, the published
backdoor URL provided the same level of access to the company's
control system as the password-protected administrator login. The
backdoor required no password and allowed direct access to the control
system."

The incident underscores the prevalence of industrial control systems
that are connected to the Internet. Security consultants have long
considered the practice to be unsafe. Sadly, they say, the convenience
IT employees get from being able to administer those systems from
home or other remote locations often trumps security concerns. There
are about 300,000 instances of the Niagara framework installed
worldwide, according to Tridium's website.
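The memo's two findings (a controller reachable from the Internet with no interposing firewall, and a URL that granted administrator-level access without a password) suggest what a defender should be able to see in logs. The script below is an added example written for this archive; it is not code from the article, the FBI memo, or Tridium. It assumes a reverse proxy has been placed in front of the controller's web GUI, that the proxy enforces authentication and writes combined-format access logs, that the management network is 10.20.0.0/24, and that the control GUI lives under the placeholder paths `/ui/` and `/admin/` (the actual backdoor URL is not given in the article and is not reproduced here). The log lines are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample access-log lines (combined format) from an assumed reverse
# proxy in front of a building-controller web GUI. Not taken from the FBI memo.
SAMPLE_LOG = """\
10.20.0.5 - admin [15/Dec/2012:14:01:02 -0500] "GET /login HTTP/1.1" 200 512
10.20.0.5 - admin [15/Dec/2012:14:01:10 -0500] "GET /ui/floorplan HTTP/1.1" 200 8192
198.51.100.23 - - [15/Dec/2012:14:03:44 -0500] "GET /ui/floorplan HTTP/1.1" 200 8192
10.20.0.7 - - [15/Dec/2012:14:04:30 -0500] "GET /ui/floorplan HTTP/1.1" 200 8192
203.0.113.9 - - [15/Dec/2012:14:05:01 -0500] "POST /ui/setpoint HTTP/1.1" 200 64
203.0.113.9 - - [15/Dec/2012:14:05:09 -0500] "GET /static/logo.png HTTP/1.1" 200 1024
"""

# Assumed management network (VPN pool / management VLAN) that is allowed to
# reach the controller; everything else should be blocked by the firewall.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Placeholder path prefixes for the controller GUI and admin functions.
CONTROL_PATHS = ("/ui/", "/admin/")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


@dataclass
class Finding:
    ip: str
    path: str
    reason: str


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_management_source(ip):
    """True if the source address falls inside an allowed management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def audit(log_text):
    """Flag successful control-GUI requests that violate either control:
    (1) source outside the management network, which the firewall should have
        blocked, or
    (2) no authenticated user recorded by the proxy, i.e. the page was served
        without the login the GUI is supposed to require."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if not rec["path"].startswith(CONTROL_PATHS):
            continue  # static assets and the login page are not control functions
        if rec["status"] != "200":
            continue  # only requests that actually reached the GUI matter here
        if not is_management_source(rec["ip"]):
            findings.append(Finding(rec["ip"], rec["path"],
                                    "control GUI reached from outside the management network"))
        elif rec["user"] == "-":
            findings.append(Finding(rec["ip"], rec["path"],
                                    "control GUI served without an authenticated user"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ip:15} {f.path:15} {f.reason}")
```

Both checks are deliberately independent: the first catches the missing firewall the contractor described, the second catches an access path that reaches the GUI without the login the administrator interface requires. A controller that is only reachable through a proxy on the management network, with both conditions alerting, would have exposed neither the floor-plan GUI nor the control fields to arbitrary Internet addresses.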
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
