[BreachExchange] Florida Water Plant Hack: Leaked Credentials Found in Breach Database

Destry Winant destry at riskbasedsecurity.com
Tue Feb 16 10:49:06 EST 2021


https://threatpost.com/florida-water-plant-hack-credentials-breach/163919/

Researchers discovered credentials for the Oldsmar water treatment
facility in the massive compilation of data from breaches posted just
days before the attack.

Researchers say they found several stolen and leaked credentials for a
Florida water-treatment plant, which was hacked last week.

Researchers at CyberNews said they found 11 credential pairs linked to
the Oldsmar water plant in a 2017 compilation of stolen credentials,
and another 13 pairs in the more recent Compilation of Many Breaches
(COMB for short), which was leaked just days before the attack.

The COMB collection was posted on the English-language RaidForums
cybercrime forum on Feb. 2 and contains a staggering 3.27 billion
unique email-address and cleartext-password combinations aggregated
from earlier breaches.

Of note, officials have not publicly drawn any connection between the
credentials discovered in the leaked credential breach databases and
the attack last week.

The Florida Water Plant Hack

The attack on the Oldsmar water-treatment facility in Florida occurred
last Friday, when an attacker used remote access to the plant's control
system to raise the setpoint for sodium hydroxide, more commonly known
as lye, in the water from 100 parts per million to 11,100 parts per
million.

A plant operator watching the screen noticed the change immediately and
reverted it before the new setting could take effect.

According to a Massachusetts security advisory published Wednesday,
the attackers reached the water treatment plant's SCADA controls via
TeamViewer, a remote-access application. The plant had installed
TeamViewer on its computers so that personnel could check system
status and respond to alarms or other issues that cropped up during
the water treatment process.

“All computers used by water plant personnel were connected to the
SCADA system and used the 32-bit version of the Windows 7 operating
system,” according to the recent advisory. “Further, all computers
shared the same password for remote access and appeared to be
connected directly to the Internet without any type of firewall
protection installed.”

The Leaked Data-Breach Credentials

Researchers with CyberNews recently delved into a breach compilation
leaked online by hackers in 2017 and the more recent COMB data trove
“to search for credentials from the domain ci.oldsmar.fl.us,”
according to a blog post published Thursday by Bernard Meyer with
CyberNews, and found several matches.
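The search described above, as an added example that is not CyberNews' own tooling: the script parses a dump in the `email:password` line layout that breach compilations are commonly distributed in, normalises addresses, keeps only accounts on the target domain (optionally including subdomains), deduplicates the pairs, reports passwords shared across accounts, and redacts passwords in the report so a findings document never carries cleartext. The sample dump lines are constructed for the example and are not real credentials; the domain is the one named in the article.

```python
"""Search a breach-compilation dump for accounts on one organisation's domain."""
from collections import Counter, defaultdict

# Constructed sample in the "email:password" line layout that breach
# compilations are commonly distributed in. None of these are real credentials.
SAMPLE_DUMP = """\
alice@ci.oldsmar.fl.us:Summer2019!
bob@ci.oldsmar.fl.us:Plant123
alice@ci.oldsmar.fl.us:Summer2019!
carol@example.com:hunter2
dave@CI.OLDSMAR.FL.US:pa:ss:word
this line has no separator at all
eve@mail.ci.oldsmar.fl.us;Plant123
"""


def parse_line(line, separators=(":", ";")):
    """Split one dump line into (email, password), or return None.

    Dumps mix separators, and a password may itself contain the separator,
    so split only on the first occurrence. Email addresses are normalised
    to lower case so that duplicate records collapse.
    """
    line = line.rstrip("\r\n")
    for sep in separators:
        if sep in line:
            email, password = line.split(sep, 1)
            email = email.strip().lower()
            if "@" in email and password:
                return email, password
    return None


def host_matches(email, domain, include_subdomains=True):
    """True if the address's host is the domain (or a subdomain of it)."""
    host = email.rpartition("@")[2]
    domain = domain.lower()
    if host == domain:
        return True
    return include_subdomains and host.endswith("." + domain)


def find_domain_credentials(dump_text, domain, include_subdomains=True):
    """Return (unique (email, password) pairs for the domain, lines skipped)."""
    pairs = set()
    skipped = 0
    for line in dump_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        email, password = parsed
        if host_matches(email, domain, include_subdomains):
            pairs.add((email, password))
    return pairs, skipped


def shared_passwords(pairs):
    """Passwords that appear under more than one account: the reuse an
    attacker tries first, and the pattern the Oldsmar advisory describes."""
    by_password = defaultdict(set)
    for email, password in pairs:
        by_password[password].add(email)
    return {pw: sorted(emails) for pw, emails in by_password.items()
            if len(emails) > 1}


def redact(password):
    """Keep the first and last character so a policy violation is visible
    without writing cleartext passwords into a report."""
    if len(password) <= 2:
        return "*" * len(password)
    return password[0] + "*" * (len(password) - 2) + password[-1]


def report(dump_text, domain):
    """Human-readable summary with redacted passwords."""
    pairs, skipped = find_domain_credentials(dump_text, domain)
    per_account = Counter(email for email, _ in pairs)
    lines = [f"{len(pairs)} unique credential pairs for {domain} "
             f"({skipped} unparseable lines skipped)"]
    for email, n in sorted(per_account.items()):
        samples = ", ".join(redact(pw) for e, pw in sorted(pairs) if e == email)
        lines.append(f"  {email}: {n} password(s): {samples}")
    for pw, emails in shared_passwords(pairs).items():
        lines.append(f"  password {redact(pw)} reused by {len(emails)} "
                     f"accounts: {', '.join(emails)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DUMP, "ci.oldsmar.fl.us"))
```

Run against a real dump this should be pointed at a file read line by line rather than a string, and the redacted report, not the raw pairs, is what goes into a findings document; the reuse check is the part worth acting on first, since one shared password is exactly the condition the advisory describes.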

Meyer wrote that the attackers may have used credentials from either
the 2017 compilation or COMB, but that, given how close the COMB leak
was to the attack, COMB is the likelier place for the attackers to
have found the credentials used in the breach.

What’s not clear is how old the credentials are, and whether they are
specific to TeamViewer or otherwise.

“Regarding the credentials for the Florida water supply system, we
could not confirm whether they were admin or Teamviewer for legal and
ethical reasons,” Mantas Sasnauskas, senior information security
researcher at CyberNews, told Threatpost. “We just pointed to the fact
that there were some type of [plant] credentials in the leaked
[database].”

The Oldsmar Water Plant Hack: Credentials Used?

CyberNews researchers said that the attack was likely rolled out in
multiple stages. “The first part of the cyber kill chain would be
espionage and reconnaissance — looking at the ICS system, who controls
it, what domain they use for emails, and whether they can be accepted
as login usernames,” Meyer wrote.

The second phase may have involved a credential-stuffing attack that
would have given the attackers remote access to the system, he said. In
this type of attack, attackers take username and password pairs leaked
from one service and use automated scripts to replay them against other
services, betting that the same people reused the same passwords; each
pair is tried only once or a few times, which is what distinguishes
stuffing from a brute-force attack on a single account.

As part of this, the attacker may have searched various compilations
for leaked credential pairs on those domains, which is where the COMB
cache may have come in handy, he said.

“The second stage of the cyber kill chain would be the actual
intrusions–in this case, the credential stuffing,” he wrote.
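The stuffing stage described above, viewed from the defender's side, as an added example that is not from the article or from CyberNews: the detector reads remote-access authentication events and flags a source that tries many distinct accounts in a short window with each account tried only once or twice. Brute force against one account has the opposite shape (one user, many attempts) and is deliberately not matched, so the two can be routed to different playbooks. The log format and every address, account and timestamp are constructed for the example; a real deployment would adapt `LOG_RE` to whatever the remote-access product actually writes.

```python
"""Flag credential-stuffing patterns in a remote-access authentication log."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log lines (not from any real product): one event per line with
# the source address, the account tried and the outcome. 203.0.113.7 walks
# through six accounts and hits one; 203.0.113.9 hammers a single account.
SAMPLE_LOG = """\
2021-02-05T13:00:05Z src=198.51.100.4 user=operator@ci.oldsmar.fl.us result=ok
2021-02-05T13:02:11Z src=203.0.113.7 user=alice@ci.oldsmar.fl.us result=fail
2021-02-05T13:02:14Z src=203.0.113.7 user=bob@ci.oldsmar.fl.us result=ok
2021-02-05T13:02:17Z src=203.0.113.7 user=carol@ci.oldsmar.fl.us result=fail
2021-02-05T13:02:20Z src=203.0.113.7 user=dave@ci.oldsmar.fl.us result=fail
2021-02-05T13:02:23Z src=203.0.113.7 user=eve@ci.oldsmar.fl.us result=fail
2021-02-05T13:02:26Z src=203.0.113.7 user=frank@ci.oldsmar.fl.us result=fail
2021-02-05T13:10:00Z src=203.0.113.9 user=admin@ci.oldsmar.fl.us result=fail
2021-02-05T13:10:01Z src=203.0.113.9 user=admin@ci.oldsmar.fl.us result=fail
2021-02-05T13:10:02Z src=203.0.113.9 user=admin@ci.oldsmar.fl.us result=fail
2021-02-05T13:10:03Z src=203.0.113.9 user=admin@ci.oldsmar.fl.us result=fail
2021-02-05T13:10:04Z src=203.0.113.9 user=admin@ci.oldsmar.fl.us result=fail
2021-02-05T13:10:05Z src=203.0.113.9 user=admin@ci.oldsmar.fl.us result=fail
garbage line that does not match
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "src": m["src"],
        "user": m["user"].lower(),
        "ok": m["result"] == "ok",
    }


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=5, max_tries_per_user=2):
    """Return one alert per source that tried at least `min_users` distinct
    accounts inside `window`, with no account tried more than
    `max_tries_per_user` times. The alert carries any accounts that
    succeeded inside that window, which is the part that needs a response.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev:
            by_src[ev["src"]].append(ev)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end, ev in enumerate(events):
            # Slide the window's left edge forward so it spans at most `window`.
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            in_window = events[start:end + 1]
            tries = Counter(e["user"] for e in in_window)
            if len(tries) >= min_users and max(tries.values()) <= max_tries_per_user:
                candidate = {
                    "src": src,
                    "first_seen": in_window[0]["ts"],
                    "last_seen": ev["ts"],
                    "distinct_users": len(tries),
                    "successes": sorted(e["user"] for e in in_window if e["ok"]),
                }
                # Keep the widest matching window for this source.
                if best is None or candidate["distinct_users"] > best["distinct_users"]:
                    best = candidate
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(SAMPLE_LOG):
        print(f"{alert['src']}: {alert['distinct_users']} accounts tried between "
              f"{alert['first_seen']:%H:%M:%S} and {alert['last_seen']:%H:%M:%S}; "
              f"successful logins: {alert['successes'] or 'none'}")
```

The thresholds are the tunable part: a small utility with a handful of remote-access accounts can set `min_users` lower than a large enterprise, and any source whose alert lists a success should have that account's session terminated and its password rotated before anything else is investigated.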

It’s unclear if the COMB credentials were in fact used, but the fact
that some of the plant’s logins were found in the database is a
notable coincidence, researchers said.

Authorities from Pinellas County Sheriff’s Office, the FBI and the
U.S. Secret Service are still working together to investigate exactly
what happened in the attack, although they do not believe it was
state-sponsored.

While authorities said they have leads in the attack, they still don't
know who exactly was behind it, where the attackers are located or
what the motive might be. The incident is another reminder of the
potentially catastrophic effect an attack on critical infrastructure
can have on public safety, making the security of these systems a top
concern, security experts said.


More information about the BreachExchange mailing list