Windows Exploit and Default Passwords put Critical Infrastructure at Risk

July 20, 2010 Sophos Press Release

BOSTON - July 20, 2010 - IT security and data protection firm Sophos today issued new guidance and research on a Windows Zero Day vulnerability that is already being used to target critical infrastructure systems, and for which exploit code has been made widely available. The issue has also prompted the SANS Institute to take the uncommon step of raising its industry Infocon vulnerability alert level.

Termed the "CPLINK" vulnerability by SophosLabs, researchers have found that the vulnerability is present in all Windows platforms - including Windows 2000 and Windows XP SP2, both of which Microsoft ceased official support for last week. Initially associated with removable USB storage devices, the CPLINK vulnerability requires no direct user interaction to deliver its payload, which Sophos has named the Stuxnet-B Trojan. Early versions of the malware have been programmed to seek out SCADA software (Supervisory Control And Data Acquisition) by Siemens Corporation, which is used in managing industrial infrastructures, such as power grids and manufacturing.

"It is downright simple to exploit," said Chester Wisniewski, senior security analyst for Sophos. "All a user has to do is open a device or folder - without clicking any icon - and the exploit will run. Additionally, any criminal with the most basic of skills can take advantage of this flaw and it will not be hard to adapt it beyond removable storage devices, and add in different malicious payloads. With public exploit code available, this is only going to get worse."

The issue was compounded today by the revelation that default passwords, hardcoded into the Siemens SCADA system have been widely available on the Net since 2008, and Siemens has issued guidance that operators should not change the passwords in response to close the exposure.

"Critical Infrastructure providers seem to be caught between the frying pan and the fire," continued Wisniewski. "Hackers have the passwords, yet providers are being told if they change the default settings, they could put operations at risk. Frankly, this is a huge mess and raises many more questions about the security of systems we rely on to keep us safe."

Sophos has updated its protection for customers to detect the attacks that have been seen to date. While Microsoft races to fix the issue and has proposed somewhat drastic measures for interim protections, Sophos researchers have also posted alternative methods of system protection in addition to updated anti-malware. Sophos also has more detailed description, with video demonstration, of the vulnerability and associated dangers at its blogs.

Sophos has established a resource center to track information about CPLINK and ramifications at http://www.sophos.com/cplink.