Windows Exploit and Default Passwords put Critical Infrastructure at Risk

Sophos Press Release

Sophos finds CPLINK Vulnerability "Trivial to Exploit" And Easy to Adapt for Other Malicious Payloads

BOSTON - July 20, 2010 - IT security and data protection firm Sophos today issued new guidance and research on a Windows zero-day vulnerability that is already being used to target critical infrastructure systems, and for which exploit code has been made widely available. The issue has also prompted the SANS Institute to take the uncommon step of raising its industry Infocon vulnerability alert level.

SophosLabs researchers, who have termed the flaw the "CPLINK" vulnerability, have found that it is present in all Windows platforms - including Windows 2000 and Windows XP SP2, both of which Microsoft ceased official support for last week. Initially associated with removable USB storage devices, the CPLINK vulnerability requires no direct user interaction to deliver its payload, which Sophos has named the Stuxnet-B Trojan. Early versions of the malware have been programmed to seek out SCADA software (Supervisory Control And Data Acquisition) by Siemens Corporation, which is used in managing industrial infrastructures, such as power grids and manufacturing.

"It is downright simple to exploit," said Chester Wisniewski, senior security analyst for Sophos. "All a user has to do is open a device or folder - without clicking any icon - and the exploit will run. Additionally, any criminal with the most basic of skills can take advantage of this flaw and it will not be hard to adapt it beyond removable storage devices, and add in different malicious payloads. With public exploit code available, this is only going to get worse."

The issue was compounded today by the revelation that default passwords hardcoded into the Siemens SCADA system have been widely available on the Net since 2008, and that Siemens has issued guidance that operators should not change those passwords in order to close the exposure.

"Critical Infrastructure providers seem to be caught between the frying pan and the fire," continued Wisniewski. "Hackers have the passwords, yet providers are being told if they change the default settings, they could put operations at risk. Frankly, this is a huge mess and raises many more questions about the security of systems we rely on to keep us safe."

Sophos has updated its protection for customers to detect the attacks that have been seen to date. While Microsoft races to fix the issue and has proposed somewhat drastic measures for interim protection, Sophos researchers have also posted alternative methods of system protection in addition to updated anti-malware. Sophos also has a more detailed description of the vulnerability and its associated dangers, with a video demonstration, on its blogs.

Sophos has established a resource center to track information about CPLINK and ramifications at http://www.sophos.com/cplink.

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at www.sophos.com/company.