As more information comes out about the Stuxnet worm and the vulnerabilities it exploits, it is becoming increasingly clear that Stuxnet may be a preview of the kind of attack that is likely to become commonplace in the months and years ahead.
There are several interesting pieces to the Stuxnet puzzle: its use of a zero-day flaw in the Windows shell to spread; the fact that its drivers and a separate binary are signed with two different digital certificates belonging to legitimate technology vendors; and its use of previously infected USB drives to compromise PCs. But perhaps the most troubling aspect of the Stuxnet attack is that it appears to have been designed specifically to exploit a weakness in one particular SCADA control software package.
The vulnerability itself is as elementary as it comes: a hard-coded password built into the WinCC SCADA control system produced by Siemens. The problem is a design flaw that is common in many purpose-built software packages, and Siemens officials have said that they are advising customers not to change the password, because doing so could affect the system's stability and operation. Once the malware is on a WinCC system, it tries to establish a connection to a remote server and then tries to exfiltrate sensitive
“Changing the access data would impede communication between WinCC and
the database and is therefore not recommended. Tightening up
authentication procedures is being examined,” the company said in an advisory to customers about the Stuxnet attack.
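The advisory above describes the general hard-coded credential pattern: the password is part of the product, so the operator cannot rotate it on the database without breaking every client that has the old literal compiled in. As an added illustration (not code from the original article, and not Siemens' or WinCC's code), the following Python contrasts that pattern with a client whose credential is supplied at runtime, and adds the simple check a buyer could run over a product's source or configuration before deploying it on a control network. The account name, the literal password, the environment variable name and the scanned configuration snippet are all constructed for the example; none of them is WinCC's real credential.

```python
"""Hard-coded credential: the vulnerable pattern, a hardened form, and a scan.

Constructed example. The 'database' is an in-memory stub that only checks a
password, which is enough to show why an embedded literal cannot be rotated.
"""
import os
import re
from typing import Callable, Dict, List, Tuple


class FakeDatabase:
    """Stand-in for the back-end database the HMI talks to (constructed stub)."""

    def __init__(self, user: str, password: str) -> None:
        self._creds = {user: password}

    def rotate_password(self, user: str, new_password: str) -> None:
        self._creds[user] = new_password

    def login(self, user: str, password: str) -> bool:
        return self._creds.get(user) == password


# --- Vulnerable pattern: the credential is a literal baked into the product ---
EMBEDDED_DB_USER = "hmi_svc"          # hypothetical account name
EMBEDDED_DB_PASSWORD = "changeme123"  # hypothetical literal, NOT the WinCC password


class LegacyHmiClient:
    """Connects with a compile-time constant: every install shares it, and anyone
    who reads the binary or a public advisory has it."""

    def connect(self, db: FakeDatabase) -> bool:
        return db.login(EMBEDDED_DB_USER, EMBEDDED_DB_PASSWORD)


# --- Hardened pattern: the credential comes from outside the code at connect time ---
class HardenedHmiClient:
    """Takes a secret provider (environment, vault, protected config file) so the
    operator can rotate the database password without touching the product."""

    def __init__(self, user: str, secret_provider: Callable[[], str]) -> None:
        self._user = user
        self._secret_provider = secret_provider

    def connect(self, db: FakeDatabase) -> bool:
        return db.login(self._user, self._secret_provider())


def env_secret(var: str) -> Callable[[], str]:
    """Secret provider that reads an environment variable each time it is called."""

    def read() -> str:
        value = os.environ.get(var)
        if value is None:
            raise RuntimeError(f"{var} is not set; refusing to fall back to a default")
        return value

    return read


def demo_rotation() -> Dict[str, Dict[str, bool]]:
    """Rotate the DB password and record which client survives it."""
    db = FakeDatabase(EMBEDDED_DB_USER, EMBEDDED_DB_PASSWORD)
    legacy = LegacyHmiClient()
    os.environ["HMI_DB_PASSWORD"] = EMBEDDED_DB_PASSWORD  # hypothetical variable name
    hardened = HardenedHmiClient(EMBEDDED_DB_USER, env_secret("HMI_DB_PASSWORD"))
    before = {"legacy": legacy.connect(db), "hardened": hardened.connect(db)}
    # Operator rotates the password on the database and in the secret store.
    db.rotate_password(EMBEDDED_DB_USER, "r0tated-S3cret")
    os.environ["HMI_DB_PASSWORD"] = "r0tated-S3cret"
    after = {"legacy": legacy.connect(db), "hardened": hardened.connect(db)}
    return {"before": before, "after": after}


# --- The check a buyer can run before deployment: flag credential literals ---
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)\b([A-Za-z0-9_]*(?:pass(?:word|wd)?|pwd|secret|api_?key)[A-Za-z0-9_]*)"""
    r"""["']?\s*[:=]\s*["']([^"']{4,})["']"""
)


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, name, literal) for password-like names assigned a string literal.
    Credentials read from the environment or a vault are not flagged."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = SECRET_ASSIGNMENT.search(line)
        if m:
            hits.append((lineno, m.group(1), m.group(2)))
    return hits


SAMPLE_SOURCE = """\
# constructed snippet of an HMI configuration module (not real vendor code)
DB_HOST = "scada-db.plant.local"
DB_USER = "hmi_svc"
DB_PASSWORD = "changeme123"
api_key = os.environ.get("PLANT_API_KEY")
HISTORIAN_PWD = 'hist-0rian'
"""

if __name__ == "__main__":
    print(demo_rotation())
    print(find_hardcoded_secrets(SAMPLE_SOURCE))
```

The scan is deliberately crude (a regex over assignments of quoted literals); it will not find a password hidden in a compiled binary, which is what a buyer would need a string dump or a proper review for, but it is enough to catch the pattern in shipped configuration files and scripts, and it does not flag the line that reads the key from the environment.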
As Chris Wysopal, CTO of Veracode, points out in his analysis of the Stuxnet attack, this is all being done the wrong way.
“Siemens has put their customers at risk with this egregious
vulnerability in their software. Worse, in my book however, is all the
customers who purchased the software not knowing of its risk. Software
customers that are operating SCADA systems on critical infrastructure or
their factories with the WinCC Software had a duty to their customers
and shareholders to not purchase this software without proper security
testing,” Wysopal wrote. “We should ask the question, ‘Why didn’t Siemens fix the hard coded
password vulnerability when it was first publicly disclosed?’ They
waited 2+ years and started to fix it only after a worm exploited it. We
should also ask the question, ‘Is it negligence when you don’t fix a
critical known vulnerability and wait for your customers to get
However, the most interesting aspect of all of this is that the attackers behind Stuxnet clearly knew about the vulnerability in the Siemens WinCC system before the malware was written. That implies the malware authors had advance intelligence about the configuration of the Siemens software and knew exactly where the weakness was.
That’s a serious problem, and it’s one that we may be seeing quite a bit more of in the near future. Targeted attacks, with some serious research and planning behind them, are now the order of the day, and as the Stuxnet attack shows, the attackers are most definitely doing their homework.