ICS-CERT issues alert on offline brute-force password tool


An offline brute-force password tool with proof-of-concept exploit code is targeting Siemens S7 programmable logic controllers, according to an alert (.pdf) from the Homeland Security Department's Industrial Control Systems-Cyber Emergency Response Team.

The ICS-CERT warns that a password can be obtained by offline brute forcing of the challenge-response data extracted from a TCP/IP traffic file.

An attacker must be on an adjacent network to be able to capture this traffic, says ICS-CERT, and the possibility exists that this code may be modified to be used against other vendor products. Once the attacker is able to get into the system, it is possible to capture the current credentials for the device, states the alert.

The ICS-CERT issued the alert to provide early notice of a report that was released without coordination with either the vendor or DHS, and to identify baseline mitigations for reducing risks to these and other cyber security attacks. DHS notified Siemens of the report and has asked the company to confirm the attack vector and identify mitigations. It is currently coordinating with Siemens, the alert states. 

In the meantime, ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of this attack vector. Specifically, it says users should:

  • Minimize network exposure for all control system devices. Control system devices should not directly face the Internet. 
  • Locate control system networks and devices behind firewalls, and isolate them from the business network. 
  • If remote access is required, employ secure methods, such as Virtual Private Networks (VPNs), recognizing that a VPN is only as secure as the connected devices.

In addition, the ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
