A Russian security firm has released attack codes exploiting dozens of serious vulnerabilities in industrial SCADA (supervisory control and data acquisition) software into the wild, potentially exposing existing systems to attack ala Stuxnet.
Researchers released attack code exploiting dozens of vulnerabilities in
software used to control hardware at nuclear plants, gas refineries and other
heavy industries, raising the specter of yet another Stuxnet-style attack.
Serious vulnerabilities currently exist in programs sold by Siemens,
Iconics, 7-Technologie, Datac and Control Microsystems, according to a
researcher who released the exploits on a security mailing list on March 21.
Attackers would be able to remotely execute code on computers connected to the
Internet and running supervisory control and data acquisition software (SCADA)
from these vendors.
"Ever since Stuxnet, the industry as a whole has taken security a lot
more seriously," Eric Knapp, director of critical infrastructure markets
at NitroSecurity, told eWEEK. Things are being done "across the board"
to secure SCADA and improve security, he said.
The latest dump of attack codes exploiting SCADA vulnerabilities were done
in an "interesting way," Knapp said. Gleg, a Moscow-based security
firm, had collected known SCADA vulnerabilities into a single exploit pack and
put it up for sale on its Website on March 15.
Knapp was reluctant to speculate on the Russian research firm's motives for
releasing the exploits in this way. The release was done "in a not so
friendly manner," he said, noting the "white hat, good guy way" is
to contact the vendor directly with the vulnerability and give the company a
chance to fix the problem before it becomes a problem. Instead, Gleg's package
put them in the wild where anyone could get them, he said.
Even with the exploits in the wild, the chance of someone downloading the
attack code, pinging networks and finding a SCADA
system to target is "pretty low," according to Knapp. Anyone can
obtain the exploit now, but not everyone has access to SCADA systems, he said.
As a general rule, computers running SCADA software are not just hooked up
online, but are usually part of a secured and protected network, according to
one of the most sophisticated pieces of malware ever engineered, didn't spread
via the Internet, but rather by using USB
devices. Getting access to the physical system was the decisive factor,
The Agora SCADA+ Pack contained 22 modules exploiting 11 zero-day bugs and
older vulnerabilities that remained unpatched, according to Gleg's Website,
which has been intermittently unavailable. The package also allegedly contains
analysis of the "weak points" such as hard-coded passwords and
problems with smart chips, according to the site. Pricing is unknown at this