WootCloud Blog

Back to Basics: Identifying and Remediating Device and Infrastructure Security Gaps – The Oldsmar Water Treatment Plant Ransomware Attack Examined

Haddock Water Treatment Plant in Oldsmar Florida

This is part 2 in our “Back to Basics” series for preventing cyber and ransomware attacks. We write these in the context of recent attacks. Check out part 1 covering how access control basics could have helped T-Mobile security.

While we understand that this is very elementary for most security professionals, we see time and again that simple, easy tasks such as maintenance, patching, and updating are skipped or forgotten. Overlooking the basics is the cause of, or a key contributor to, what often become catastrophic organizational events.

Just two days before one of the largest annual sporting events in the world—the National Football League’s Super Bowl on February 7—a cyberattacker exploited TeamViewer, a remote-access program, at a water treatment plant in Oldsmar, Florida, in an attempt to poison the town’s water supply. This was done using credentials shared by employees. Fortunately an attentive employee noticed his cursor moving on its own, (narrowly) averting crisis.

While one can joke that nothing is more frustrating than losing cell service, as in the recent T-Mobile breach, what happened in Tampa in early February is no laughing matter. A remote takeover of a mid-size city water station computer is worrisome; the attempted poisoning of the water makes this a serious crime and security threat. The fact that the NFL Super Bowl was a few days later makes this – in my view – a national security incident.

This is not the first attempt to gain control over industrial control systems (ICS) at a water treatment facility. In April 2020, Israel’s National Cyber Directorate announced, “Reports have been received by the National Cyber Directorate about attempted attacks on command and control systems of wastewater treatment plants, pumping stations, and sewage.”

Back to Basics – How Could This Attack Have Been Avoided?

From what we know, this cyber attack could have been delayed or prevented with a few basic measures in place.

We outlined them in basic order of occurrence as we understand it, and for WootCloud customers, added easy tactics you can implement in minutes to help prevent several of the steps:

  • Website visits to a site with malicious code on it 
  • Outdated Windows OS and WordPress Plugins allowed for access and lateral movement
  • More securely configured remote engineering access. 
    • This facility was allowing remote access into their ICS systems with a software package called TeamViewer, which was not securely configured.
    • And credentials were shared – and leaked.
  • OT – 
    • Many cars have chips built in governing top speed – for safety. Why could this system allow dangerous levels of a potentially lethal substance to be added to drinking water? 
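
The governor idea from the OT item above, as an added example (not from the original post, and not WootCloud or plant code): a setpoint check that enforces a hard ceiling and a per-request step limit regardless of which console sends the request. The limit values, the `DosingLimits` fields and the request sequence are constructed for illustration.

```python
from dataclasses import dataclass


# Constructed engineering limits for a hypothetical chemical-dosing loop.
# Real values come from the plant's process engineers, not from this page.
@dataclass(frozen=True)
class DosingLimits:
    min_ppm: float = 0.0
    max_ppm: float = 150.0            # hard ceiling, enforced for every source
    max_step_ppm: float = 25.0        # largest change accepted in one request
    remote_max_step_ppm: float = 5.0  # tighter step for remote-access sessions


def check_setpoint(current_ppm, requested_ppm, remote, limits=DosingLimits()):
    """Return (accepted, applied_ppm, reason). A rejected request leaves the
    setpoint unchanged, so a bad value is never partially applied."""
    if not (limits.min_ppm <= requested_ppm <= limits.max_ppm):
        return False, current_ppm, "outside hard limits"
    step_cap = limits.remote_max_step_ppm if remote else limits.max_step_ppm
    if abs(requested_ppm - current_ppm) > step_cap:
        return False, current_ppm, "step too large"
    return True, requested_ppm, "ok"


def replay(requests, start_ppm=100.0):
    """Apply (requested_ppm, remote) requests in order and keep every decision,
    which doubles as an audit trail to alert on."""
    current, audit = start_ppm, []
    for requested, remote in requests:
        ok, current, reason = check_setpoint(current, requested, remote)
        audit.append((requested, remote, ok, reason, current))
    return audit


# Constructed sequence: a local tweak, a small remote tweak, a remote request
# far above the ceiling, then a remote request that is in range but too abrupt.
SAMPLE_REQUESTS = [(110.0, False), (113.0, True), (5000.0, True), (140.0, True)]

if __name__ == "__main__":
    for row in replay(SAMPLE_REQUESTS):
        print(row)
```

Rejections are worth alerting on as well as blocking, since a request outside the engineered range is itself a signal that something is wrong at the console.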

Oldsmar city computer reportedly visited a website hosting malicious code  

This was an industry trade site, so likely more trusted by the Oldsmar team. Unfortunately, an Angler exploit kit, which distributes malware, was waiting for them there one day.

While CrowdStrike or SentinelOne may prevent this, we know these are significant investments for smaller municipalities and organizations.

WootCloud sits in the network and sees web traffic, but it does not parse that traffic deeply enough to see which site a device visits. Because this was a trade publication, we would not have blacklisted it to begin with.

Whitelisting/blacklisting can prevent execution of applications that are not authorized. Because WootCloud is not agent-based, we cannot see which applications are installed on a device, nor can we prevent installation of software. We can determine which applications (or types of application) are being run on the device by looking at the device’s network behaviors and who or what it communicates with. By design, we have built integrations with many agent-based EPP providers, e.g. CrowdStrike, to manage this functionality.

Code was inserted through vulnerable WordPress plugins 

A good firewall with endpoint protection would have prevented this. Again, cost is the obstacle.

We can see what happens when bad traffic hits one of our machines. However, this compromise could have happened many years ago, when the technology to detect bad traffic did not yet exist, and the bad guys may simply have been gathering intel. Sony had several years of persistence.

WootCloud can also see the way bad guys are communicating from within your system, one of our key features in ransomware detection. 

Criminals who accessed the Oldsmar site did so due to lax security and shared passwords

Team members shared passwords among themselves to make system access easier.

WootCloud is built to work with a variety of SSO and AC solutions, so it can trigger password updates on a regular basis with a simple saved search. Depending on the integration with the SSO / AC solution, we can query for the last password change to enforce timely changes. While the devices or users are in question, they can be quarantined, isolated to sections of the network to get updated, restricted to internet access only, or dropped completely.

Cyber actors likely accessed the system by exploiting an outdated Windows 7 operating system

WootCloud scans for the OS version, and can easily run regular OS checks, prompt updates, and alert teams.

We can detect the desktop-sharing software TeamViewer, which was used to gain unauthorized access, though during regular business hours we may not trigger more than an alert.

Our AI engine would detect the access as anomalous behavior if it occurred at odd hours and/or from odd locations (access from Europe, etc.), and would alert and remediate automatically.
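
A rule-based sketch of the hours-and-location check described above, added here as an illustration (it is not WootCloud's engine or code): remote-access sessions inside the expected hours and country only raise an alert, while odd hours or an unexpected country escalate to quarantine. The log format, host names, baseline values and action labels are all assumptions.

```python
from datetime import datetime

# Assumed baseline for a hypothetical site; tune to the real environment.
REMOTE_TOOLS = {"teamviewer"}
BUSINESS_DAYS = range(0, 5)       # Monday-Friday
BUSINESS_HOURS = range(7, 18)     # 07:00-17:59 local time
EXPECTED_COUNTRIES = {"US"}

# Constructed records: local timestamp, host, application, source country.
SAMPLE_LOG = """\
2024-03-04T09:15:00,hmi-01,teamviewer,US
2024-03-04T10:02:00,eng-04,ssh,US
2024-03-05T02:40:00,hmi-01,teamviewer,US
2024-03-06T13:27:00,hmi-01,teamviewer,DE
2024-03-09T11:00:00,hmi-01,TeamViewer,US
truncated-record
"""


def classify(line):
    """Return None for other traffic, else (host, action, reasons)."""
    ts_text, host, app, country = (f.strip() for f in line.split(","))
    if app.lower() not in REMOTE_TOOLS:
        return None
    ts = datetime.fromisoformat(ts_text)
    reasons = []
    if ts.weekday() not in BUSINESS_DAYS or ts.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if country.upper() not in EXPECTED_COUNTRIES:
        reasons.append("unexpected source country " + country.upper())
    # Expected-hours, expected-country sessions are reported, not quarantined.
    return host, ("quarantine" if reasons else "alert"), reasons


def triage(log_text):
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        try:
            result = classify(line)
        except ValueError:
            # Wrong field count or bad timestamp: surface it, do not drop it.
            result = ("?", "alert", ["unparseable record"])
        if result:
            findings.append(result)
    return findings


if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```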

In WootCloud you can set up saved searches to help automate alerting and remediation against several of these. 

Our agentless, AI/ML-driven platform identifies, analyzes, and manages device and infrastructure assets automatically to help you close security gaps like those in Oldsmar – all in real time – all critical with today’s IoT, 5G, and work-from-anywhere megatrends in full swing.

Leading organizations deploy us, global tech leaders partner with us, and top investors back our vision.

Request a 20-minute demo specific to your environment today.

Contributing Authors:

Andreas Stenzel
