And, as a result, Sophos says that default SCADA passwords are putting critical infrastructure energy and telecoms grids at risk.
As reported previously by Infosecurity, Supervisory Control and Data Acquisition (SCADA) systems are often used for protecting critical national infrastructure platforms such as energy and telecommunications grids.
These systems are usually based around an embedded and robust version of Windows, which makes them resilient against most malware, but this latest malware attack vector could theoretically infect a SCADA system, which is what makes the malware particularly nasty.
As a result of its research, Sophos says it has issued new guidance and research on the zero-day vulnerability that it claims has already been used to target critical infrastructure systems – and for which exploit code has been made widely available.
Since first originally reporting on the vulnerability, the IT security firm says it has now detected an additional variant of the malware payload, prompting concerns that further examples of the attack will materialize as the hackers attempt to avoid detection.
Termed the 'CPLINK' vulnerability by SophosLabs, researchers have found that the vulnerability is present in all Windows platforms – including Windows 2000 and Windows XP SP2, both of which Microsoft ceased official support for last week.
According to Sophos, while initially associated with removable USB storage devices, the CPLINK vulnerability requires no direct user interaction to deliver its payload, which Sophos has named the Stuxnet-B Trojan.
Early versions of the malware have been programmed to seek out SCADA software and, says Graham Cluley, Sophos' senior technology consultant, the threat from the exploit is high as all a user has to do is open a device or folder – without clicking any icons – and the exploit will automatically run.
"With an additional variant of the malware already on the loose, the potential for this exploit to become more widespread is growing rapidly", he explained.
The issue, says Cluley, has been compounded by the revelation that default passwords, hard-coded into the Siemens SCADA platform, have been widely available on the Net since 2008 – and Siemens has issued guidance that operators should not change passwords in response.
"Siemens is worried that if critical infrastructure customers change their SCADA password – to hinder the malware's attempt to access their system – they could at the same time throw their systems into chaos", Cluley went on to say.
"This is a horrible situation. Good security practice would be for the systems that look after critical infrastructure to not use the same password. Furthermore, the systems shouldn't be hard-coded to expect the password to always be the same – which results in any change to the password resulting in a right royal mess", he added.