Anyone here interested in Cyber or Network Security?
Posts: 4 Views: 204

Taigaduulal
  • Former Citizen
  • Good evening everyone!

    For one, I hope it's ok to start a new random topic here? If not then sorry for the spam! For anyone interested in the Cybersecurity or Network Security space in IT, I typically like to read Ars Technica (not everything from them is on point but a good majority seem to be from my experience) and came across this article:

    https://arstechnica.com/information-technology/2022/04/fbi-accesses-us-servers-to-dismantle-botnet-malware-installed-by-russian-spies/

    The gist of the article, or TL;DR: several network firewall devices were compromised by a Russian botnet, and the vendor of these network firewall devices released a statement to help customers patch and remediate those devices. It seems like only 39% of customers took those steps, so in a "preventative method" (will explain the air quotes next), the FBI decided to remediate the remaining devices!

    This has been done on very, very rare occasions before and is not something that is common. In one way, it's great that these devices are no longer compromised and can't cause any harm. In another way, it calls into question what "level" of access the FBI can obtain in order to do this!

    So now for the fun part! If this event occurred in your Nation, what would you do and why? Looking forward to hearing everyone's thoughts!
    Wintermoot
  • Regional Stability Squad
  • The Greyscale Magi-Monk
  • Sorry that I haven't had a chance to post here until now, but yes, it's perfectly fine to start a random topic here. :P

    I happened to read this article yesterday though. I understand the slippery slope concerns, but I think thwarting the botnet was a legitimate national security concern and I believe they had to get a warrant to go through with it. It's not like they just decided among themselves to do it. And it was never going to be done otherwise in many cases... even a lot of business users aren't very technical and don't think to update their devices. It's why many things have gone to automatic updates.

    I think it's better than leaving it there and inviting the alternative, in any case.
    Seroim
  • Former Citizen
  • Not really that interested, but since you are, I saw this article pass through a while ago:

    https://thehackernews.com/2022/04/critical-bugs-in-rockwell-plc-could.html?m=1

    For reference, a PLC is a kind of rugged computer which is used to control industrial machinery and processes and Rockwell is the most used brand in North America.

    If you go on Shodan and look up Rockwell part numbers for Ethernet adapters and Ethernet PLCs you'll find quite a few that are accessible from the Internet. Good practice is to airgap the OT network of course but some people are negligently lazy.

    Imagine someone being able to log on to the PLC, inject code through the compiler fucking stuff up randomly and anyone else being unable to see how or why. It happened before with Stuxnet but that took Israeli and US intelligence services and either a spy inside the nuclear plant or a guy dumb enough to find a USB key in the parking lot and hook it onto the plant network.

    Once had a guy whose plant used regular computers with a touchscreen to handle the HMI. I came by the plant for other work once when I saw the HMI had internet access. He'd cabled his OT VLAN on the Internet because "he wanted to look something up on Google".
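The post above describes the failure mode from the defender's side: an OT VLAN that is supposed to be air-gapped but has a path to the Internet, in one direction or the other. The script below is an added example (not from the thread or from Rockwell) showing how to catch that from the firewall's own logs: it flags any allowed flow between the OT range and a non-internal address. The key=value log format, the OT subnet 10.50.0.0/16 and the log lines themselves are all constructed for the example.

```python
"""Flag allowed OT <-> Internet flows in firewall logs (air-gap violations).

Added example, not code from the thread. Assumptions (all constructed):
  * the firewall exports one flow per line as "<timestamp> key=value ...";
  * the OT network (PLCs, HMIs) lives in 10.50.0.0/16;
  * "Internet" means anything outside RFC 1918, loopback and link-local.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed assumption: the OT VLAN that is supposed to be air-gapped.
OT_NETWORKS = [ipaddress.ip_network("10.50.0.0/16")]

# Our own definition of "internal"; anything else is treated as Internet.
# (Python's is_global/is_private are avoided on purpose: they classify the
# RFC 5737 documentation ranges used in the sample as non-global.)
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed sample export. 44818/tcp is the EtherNet/IP (CIP) port used
# by Rockwell controllers; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24
# are documentation ranges standing in for Internet hosts.
SAMPLE_LOGS = """\
2022-04-07T10:01:12Z action=allow src=10.50.1.20 dst=10.50.1.2 dport=44818 proto=tcp
2022-04-07T10:01:15Z action=allow src=10.50.1.20 dst=192.0.2.10 dport=443 proto=tcp
2022-04-07T10:02:03Z action=deny src=198.51.100.77 dst=10.50.1.5 dport=44818 proto=tcp
2022-04-07T10:02:09Z action=allow src=203.0.113.9 dst=10.50.1.5 dport=44818 proto=tcp
2022-04-07T10:03:44Z action=allow src=10.20.3.4 dst=192.0.2.10 dport=443 proto=tcp
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    timestamp: str
    direction: str  # "egress" (OT -> Internet) or "ingress" (Internet -> OT)
    src: str
    dst: str
    dport: int


def in_ot(addr):
    """True if the address belongs to one of the OT ranges."""
    return any(addr in net for net in OT_NETWORKS)


def is_internet(addr):
    """True if the address is outside every internal range."""
    return not any(addr in net for net in INTERNAL_NETWORKS)


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into (timestamp, {k: v})."""
    ts, _, rest = line.partition(" ")
    return ts, dict(FIELD_RE.findall(rest))


def find_airgap_violations(log_text):
    """Return a Finding for every *allowed* flow crossing OT <-> Internet.

    Denied flows are skipped: those are the firewall doing its job. Flows
    that stay inside OT, or that go from the IT network to the Internet,
    are not air-gap violations and are ignored.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, fields = parse_line(line)
        if fields.get("action") != "allow":
            continue
        try:
            src = ipaddress.ip_address(fields["src"])
            dst = ipaddress.ip_address(fields["dst"])
        except (KeyError, ValueError):
            continue  # malformed line; a real pipeline would count these
        dport = int(fields.get("dport", 0))
        if in_ot(src) and is_internet(dst):
            findings.append(Finding(ts, "egress", str(src), str(dst), dport))
        elif is_internet(src) and in_ot(dst):
            findings.append(Finding(ts, "ingress", str(src), str(dst), dport))
    return findings


if __name__ == "__main__":
    for f in find_airgap_violations(SAMPLE_LOGS):
        print(f"{f.timestamp} {f.direction:7} {f.src} -> {f.dst}:{f.dport}")
```

Run against the sample it reports two flows: the OT host 10.50.1.20 reaching an outside address on 443 (the "look something up on Google" case) and an outside host reaching the PLC at 10.50.1.5 on 44818 (the Shodan-exposed case). The intra-OT flow, the denied probe and the IT workstation's browsing are left alone, which is the distinction that keeps this kind of rule from paging on every HTTPS connection in the plant.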
    Taigaduulal
  • Former Citizen

  • Quote from: Wintermoot
    Sorry that I haven't had a chance to post here until now, but yes, it's perfectly fine to start a random topic here. :P

    I happened to read this article yesterday though. I understand the slippery slope concerns, but I think thwarting the botnet was a legitimate national security concern and I believe they had to get a warrant to go through with it. It's not like they just decided among themselves to do it. And it was never going to be done otherwise in many cases... even a lot of business users aren't very technical and don't think to update their devices. It's why many things have gone to automatic updates.

    I think it's better than leaving it there and inviting the alternative, in any case.
    I agree! I think it's good that the FBI worked with the vendor in the private sector so that there was a "watcher". I imagine that if the FBI wanted to do something they still probably could have, but I'm just glad they worked with the vendor here.

    I'd like to see them post a full technical review on how they gained access and how they closed the door so everyone can be confident in what they did and that they no longer have access, but not sure if we'll get that!

    Quote from: Seroim
    Not really that interested, but since you are, I saw this article pass through a while ago:

    https://thehackernews.com/2022/04/critical-bugs-in-rockwell-plc-could.html?m=1

    For reference, a PLC is a kind of rugged computer which is used to control industrial machinery and processes and Rockwell is the most used brand in North America.

    If you go on Shodan and look up Rockwell part numbers for Ethernet adapters and Ethernet PLCs you'll find quite a few that are accessible from the Internet. Good practice is to airgap the OT network of course but some people are negligently lazy.

    Imagine someone being able to log on to the PLC, inject code through the compiler fucking stuff up randomly and anyone else being unable to see how or why. It happened before with Stuxnet but that took Israeli and US intelligence services and either a spy inside the nuclear plant or a guy dumb enough to find a USB key in the parking lot and hook it onto the plant network.

    Once had a guy whose plant used regular computers with a touchscreen to handle the HMI. I came by the plant for other work once when I saw the HMI had internet access. He'd cabled his OT VLAN on the Internet because "he wanted to look something up on Google".
    I've not heard of a PLC before but I'm fairly familiar with air-gapped networks for sure. I want to say it's hard to believe someone would break the entire concept of air-gapping just to "look something up" but I've seen plenty of "stupid" before so it is unfortunately not surprising. I really feel like most hacks are "inside jobs" and not the disgruntled employee kind, just the mistake/misuse of devices by end-users and even IT people.