Florida water plant compromise came hours after employee visited malicious website

An employee for the city of Oldsmar, Florida, visited a malicious website targeting water utilities just hours before someone broke into the computer system for the city’s water treatment plant and tried to poison drinking water, security firm Dragos said Tuesday. Ultimately, the site likely played no role in the intrusion, but the incident remains unsettling, the security firm said.

The website, which belonged to a Florida water utility contractor, had been compromised in late December by hackers who then hosted malicious code that appeared to target water utilities, particularly those in Florida, Dragos researcher Kent Backman wrote in a blog post. More than 1,000 end-user computers visited the site during the 58-day window that the site was infected.

One of those visits came on February 5 at 9:49 am ET from a computer on a network belonging to the City of Oldsmar. In the evening of the same day, an unknown actor gained unauthorized access to the computer interface used to adjust the chemicals that treat drinking water for the roughly 15,000 residents of the small city about 16 miles northwest of Tampa.

The intruder changed the level of lye to 11,100 parts per million, a potentially lethal increase from the normal amount of 100 ppm. The change was quickly detected and rolled back.

So-called watering-hole attacks have become common in computer hacking crimes that target specific industries or groups of users. Just as predators in nature lie in wait near watering holes used by their prey, hackers often compromise one or more websites frequented by the target group and plant malicious code tailored to those who visit them. Dragos said the site it found appeared to target water utilities, especially those in Florida.

“Those who interacted with the malicious code included computers from municipal water utility customers, state and local government agencies, various water industry-related private companies, and normal internet bot and website crawler traffic,” Backman wrote. “Over 1,000 end-user computers were profiled by the malicious code during that time, mostly from within the United States and the State of Florida.”

Here’s a map showing the locations of those computers:

Figure: Geolocation of US fingerprinted client computers. (Dragos)

Detailed information collected

The malicious code gathered more than 100 pieces of detailed information about visitors, including their operating system and CPU type, browser and supported languages, time zone, geolocation services, video codecs, screen dimensions, browser plugins, touch points, input methods, and whether cameras, accelerometers, or microphones were present.

The malicious code also directed visitors to two separate sites that collected cryptographic hashes that uniquely identified each connecting device and uploaded the fingerprints to a database hosted at bdatac.herokuapp[.]com. The fingerprinting script used code from four different code projects: core-js, UAParser, regeneratorRuntime, and a data-collection script seen on only two other websites, both of which are associated with a domain registration, hosting, and web development company.

Figure: Florida water utility contractor website compromised with a unique browser enumeration and fingerprinting script. (Dragos)

Dragos said it found only one other website serving the complex and sophisticated code to visitors. The website, DarkTeam[.]store, purports to be an underground market that provides thousands of customers with gift cards and accounts. A portion of the site, company researchers found, may be a check-in location for systems infected with a recent variant of botnet malware known as Tofsee.

Dragos also uncovered evidence that the same actor hacked the DarkTeam website and the water-infrastructure construction company website on the same day, December 20, 2020. Dragos observed 12,735 IP addresses it suspects are Tofsee-infected systems connecting to a nonpublic page, meaning it required authentication. The browser then presented a user agent string with a peculiar “Tesseract/1.0” artifact in it.

Figure: Unique “Tesseract/1.0” user agent substring artifact associated with browser check-ins to a restricted page on the darkteam.store site. (Dragos)
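The two observable artifacts described above, the fingerprint upload host and the odd “Tesseract/1.0” user agent substring, are the kind of thing a defender can sweep web proxy logs for. The following is an added example, not code from the article or from Dragos; the log format and the sample lines are constructed, and only the indicators themselves come from the reporting above.

```python
import re
from urllib.parse import urlsplit

# Indicators as quoted in the Dragos findings above, kept in their defanged form.
DEFANGED_INDICATORS = {
    "fingerprint-upload": "bdatac.herokuapp[.]com",
    "botnet-checkin-host": "darkteam[.]store",
}
UA_ARTIFACT = "Tesseract/1.0"

# Constructed sample proxy log (epoch, client, method, url, status, quoted user agent);
# this is not real traffic from the incident.
SAMPLE_LOG = """\
1612536540 10.20.30.41 GET https://contractor.invalid/index.html 200 "Mozilla/5.0 (Windows NT 6.1) Chrome/88.0"
1612536541 10.20.30.41 POST https://bdatac.herokuapp.com/api/fp 200 "Mozilla/5.0 (Windows NT 6.1) Chrome/88.0"
1612536600 10.20.30.77 GET https://intranet.invalid/dash 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/85.0"
1612536700 10.20.30.90 GET https://darkteam.store/restricted/checkin 401 "Mozilla/5.0 Tesseract/1.0"
"""

LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')


def refang(indicator: str) -> str:
    """Turn the defanged 'a[.]b' notation back into a matchable hostname."""
    return indicator.replace("[.]", ".")


def match_reasons(host: str, user_agent: str) -> list:
    """Return every indicator name that applies to one request (host or UA based)."""
    reasons = []
    for name, indicator in DEFANGED_INDICATORS.items():
        bad_host = refang(indicator)
        if host == bad_host or host.endswith("." + bad_host):
            reasons.append(name)
    if UA_ARTIFACT in user_agent:
        reasons.append("tesseract-ua")
    return reasons


def scan_proxy_log(text: str) -> list:
    """Parse each log line and keep those that match at least one indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole sweep
        ts, client, _method, url, _status, ua = m.groups()
        host = (urlsplit(url).hostname or "").lower()
        reasons = match_reasons(host, ua)
        if reasons:
            hits.append({"ts": int(ts), "client": client, "host": host, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

A hit on the fingerprint host only shows that a workstation ran the profiling script, which on this page was an exposure rather than a compromise; it is a lead for checking which OT-adjacent hosts browse untrusted sites, not proof of intrusion.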

Not your typical watering hole

“With the forensic information we collected so far, Dragos’ best assessment is that an actor deployed the watering hole on the water infrastructure construction company site to collect legitimate browser data for the purpose of improving the botnet malware’s ability to impersonate legitimate web browser activity,” Backman wrote. “The botnet’s use of at least ten different cipher handshakes or JA3 hashes, some of which mimic legitimate browsers, compared to the widely published hash of a single handshake of a previous Tofsee bot iteration, is evidence of botnet improvement.”

Dragos, which helps secure industrial control systems used by governments and private companies, said it initially worried that the site posed a significant threat because of its:

  • Focus on Florida
  • Temporal correlation to the Oldsmar intrusion
  • Highly encoded and sophisticated JavaScript
  • Few code locations on the Internet
  • Similarity to watering-hole attacks by other ICS-targeting activity groups such as DYMALLOY, ALLANITE, and RASPITE.

Ultimately, Dragos doesn’t believe the watering-hole website served malware, delivered any exploits, or tried to gain unauthorized access to visiting computers. Plant employees, government officials later disclosed, used TeamViewer on an unsupported Windows 7 PC to remotely access SCADA systems that controlled the water treatment process. What’s more, the TeamViewer password was shared among employees.

Backman, however, went on to say that the discovery should still be a wake-up call. Oldsmar officials did not immediately respond to a request for comment.

“This is not a typical watering hole,” he wrote. “We have medium confidence it did not directly compromise any organization. But it does represent an exposure risk to the water industry and highlights the importance of controlling access to untrusted websites, especially for Operational Technology (OT) and Industrial Control System (ICS) environments.”
