Coffee, fish and carelessness
By coincidence, two similar news items appeared almost simultaneously.
A casino in North America came under a cyberattack because of a smart fish tank. An Internet-connected device was automatically dispensing food for the fish and controlling the tank’s internal environment.
“Hackers used the fish tank to get into the casino’s network. As soon as they got inside the tank, they did a system scan, found other vulnerabilities, and moved laterally to other network locations,” explained Justin Fier, Darktrace’s Director for Cyber Intelligence and Analysis, to a CNN reporter.
A European petrochemical factory’s computers were infected with encryption ransomware because a coffee machine was connected to one of the factory’s local control points.
Virtually everyone knows how to use a coffee machine, and there’s nothing unusual about fish tanks either. Why don’t similar incidents occur in Russia?
Outsourcing. Many companies don’t want to solve certain problems on their own, so they hand them to third parties. In this case, the companies servicing the coffee machine and the fish tank weren't exactly security-conscious. And no wonder—no one would expect fish to rob a casino.
These incidents have a lot in common, but let's take a closer look at the second one.
All of a sudden, a report came in that all the computers were infected and displaying an error message. According to the operator, it looked like a ransomware attack. So I tell the operator to unplug the computers powering the monitoring system and then power them back on, and then to press the key combination to initiate a reinstallation from a network image.
I’m about to close this case when, one by one, they start getting infected again. So at this point, the operator mentions that he could really use some coffee. And I tell him it's OK for him to get some coffee while I try to figure out why these computers keep getting re-infected. Only then does he tell me he wasn't able to get coffee, because all the coffee machines were showing the same ransomware attack message.
To make a long story short, the coffee machines are supposed to be connected to their own isolated Wi-Fi network; however, the person installing the coffee machine connected the machine to the internal control room network, and then, when he didn't get Internet access, he also connected it to the isolated Wi-Fi network.
The external company responsible for managing our coffee machine got an angrily worded letter for getting all those machines infected, and all of their customers were without working coffee machines for a couple of days.
There is no obvious similarity to the NotPetya/Medoc outbreak. However, these occurrences have much in common. An application (or a device running an application) is operating within a corporate network and an outsider (or another company) has access to it. One day an infection occurs, and malware (a worm or a Trojan) easily spreads over the affected network.
The conclusion is simple: if a third party can access your network (which happens often), segment the services it reaches and isolate them from one another.
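As an added example (not code from the article or from any of the companies it describes), here is a small segmentation audit of the kind that would have flagged the coffee machine: it reads a device inventory and reports any third-party device with an interface outside its isolated network, and any device that is dual-homed across segments without being an approved gateway. The inventory format, segment names and policy are assumptions, and the sample inventory is constructed to mirror the incident.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    owner: str          # "internal" or the name of the third party that manages it
    segments: set[str]  # network segments the device has an interface on


# Assumed policy: which segments each class of owner may have an interface on.
# Third-party kit (coffee machines, fish tanks) belongs on its own isolated Wi-Fi only.
ALLOWED = {
    "internal": {"control-room", "corp-lan", "monitoring", "vendor-wifi"},
    "vendor": {"vendor-wifi"},
}


def audit(devices: list[Device], approved_gateways: frozenset[str] = frozenset()):
    """Return (device, finding, segments) tuples for every policy violation.

    Two checks: a device on a segment its owner class may not touch, and a
    device bridging two or more segments that is not an approved gateway.
    """
    findings = []
    for d in devices:
        cls = "internal" if d.owner == "internal" else "vendor"
        stray = d.segments - ALLOWED[cls]
        if stray:
            findings.append((d.name, "disallowed-segment", sorted(stray)))
        if len(d.segments) > 1 and d.name not in approved_gateways:
            findings.append((d.name, "dual-homed", sorted(d.segments)))
    return findings


# Constructed inventory: the coffee machine was plugged into the control-room
# network and then also joined to the isolated vendor Wi-Fi.
SAMPLE_INVENTORY = [
    Device("plc-01", "internal", {"control-room"}),
    Device("monitoring-gw", "internal", {"control-room", "monitoring"}),
    Device("coffee-machine-3", "CoffeeVendorCo", {"control-room", "vendor-wifi"}),
    Device("fishtank-ctrl", "AquariumCo", {"vendor-wifi"}),
]

if __name__ == "__main__":
    for name, finding, segs in audit(SAMPLE_INVENTORY, frozenset({"monitoring-gw"})):
        print(f"{name}: {finding} {segs}")
```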