BOSTON - July 20, 2010 - IT security and data protection firm
Sophos today issued new guidance and research on a Windows Zero Day
vulnerability that is already being used to target critical
infrastructure systems, and for which exploit code has been made
widely available. The issue has also prompted the SANS Institute to
take the uncommon step of raising its industry Infocon
vulnerability alert level.
Termed the "CPLINK" vulnerability by SophosLabs, the flaw is
present in all Windows platforms - including Windows 2000 and
Windows XP SP2, both of which Microsoft ceased official support
for last week. Initially associated with removable USB storage
devices, the CPLINK vulnerability requires no direct user
interaction to deliver its payload, which Sophos has named the
Stuxnet-B Trojan. Early versions of the malware have been
programmed to seek out SCADA software (Supervisory Control And
Data Acquisition) by Siemens Corporation, which is used in
managing industrial infrastructures, such as power grids and
manufacturing.
"It is downright simple to exploit," said Chester Wisniewski,
senior security analyst for Sophos. "All a user has to do is open a
device or folder - without clicking any icon - and the exploit will
run. Additionally, any criminal with the most basic of skills can
take advantage of this flaw and it will not be hard to adapt it
beyond removable storage devices, and add in different malicious
payloads. With public exploit code available, this is only going to
get worse."
The issue was compounded today by the revelation that default
passwords hardcoded into the Siemens SCADA system have been widely
available on the Net since 2008, and that Siemens has issued
guidance that operators should not change the passwords to close
the exposure.
"Critical Infrastructure providers seem to be caught between the
frying pan and the fire," continued Wisniewski. "Hackers have the
passwords, yet providers are being told if they change the default
settings, they could put operations at risk. Frankly, this is a
huge mess and raises many more questions about the security of
systems we rely on to keep us safe."
Sophos has updated its protection for customers to detect the
attacks that have been seen to date. While Microsoft races to fix
the issue and has proposed somewhat drastic measures for interim
protections, Sophos researchers have also posted alternative
methods of system protection in addition to updated anti-malware.
Sophos also has a more detailed description, with a video
demonstration, of the vulnerability and associated dangers on its
blogs.
Sophos has established a resource center to track information
about CPLINK and ramifications at http://www.sophos.com/cplink.
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.