Russian Firm Dumps SCADA Zero-Day Exploits into the Wild

A Russian security firm has released attack code exploiting dozens of serious vulnerabilities in industrial SCADA (supervisory control and data acquisition) software into the wild, potentially exposing existing systems to attacks à la Stuxnet.

Researchers released attack code exploiting dozens of vulnerabilities in software used to control hardware at nuclear plants, gas refineries and other heavy industries, raising the specter of yet another Stuxnet-style attack.

Serious vulnerabilities currently exist in programs sold by Siemens, Iconics, 7-Technologies, Datac and Control Microsystems, according to a researcher who released the exploits on a security mailing list on March 21. Attackers would be able to remotely execute code on Internet-connected computers running supervisory control and data acquisition (SCADA) software from these vendors.

"Ever since Stuxnet, the industry as a whole has taken security a lot more seriously," Eric Knapp, director of critical infrastructure markets at NitroSecurity, told eWEEK. Things are being done "across the board" to secure SCADA and improve security, he said.

The latest dump of attack code exploiting SCADA vulnerabilities was done in an "interesting way," Knapp said. Gleg, a Moscow-based security firm, had collected known SCADA vulnerabilities into a single exploit pack and put it up for sale on its Website on March 15.

Knapp was reluctant to speculate on the Russian research firm's motives for releasing the exploits in this way. The release was done "in a not so friendly manner," he said, noting the "white hat, good guy way" is to contact the vendor directly with the vulnerability and give the company a chance to fix the problem before it becomes a problem. Instead, Gleg's package put them in the wild where anyone could get them, he said.

Even with the exploits in the wild, the chance of someone downloading the attack code, pinging networks and finding a SCADA system to target is "pretty low," according to Knapp. Anyone can obtain the exploit now, but not everyone has access to SCADA systems, he said.

As a general rule, computers running SCADA software are not simply connected to the Internet, but are usually part of a secured and protected network, according to Knapp. Stuxnet, one of the most sophisticated pieces of malware ever engineered, didn't spread via the Internet, but rather via USB devices. Getting access to the physical system was the decisive factor, Knapp said.

The Agora SCADA+ Pack contained 22 modules exploiting 11 zero-day bugs and older vulnerabilities that remained unpatched, according to Gleg's Website, which has been intermittently unavailable. The package also allegedly contains analysis of the "weak points" such as hard-coded passwords and problems with smart chips, according to the site. Pricing is unknown at this time.