FBI Issues Private Industry Notification in Light of Florida Water Plant Hack

The US Federal Bureau of Investigation has issued a private industry notification after a cyberattack that targeted a water plant in the state of Florida.

As reported earlier this week, the Oldsmar water treatment systems were remotely accessed by an unknown threat actor via TeamViewer, the popular software tool designed for remote control, desktop sharing, online meetings, and file transfer between computers. The attacker tried to poison the water supply by increasing the sodium hydroxide content from 100 to 11,100 parts per million.

The FBI alert, obtained by ZDNet, draws attention to out-of-date Windows 7 systems, poor passwords, and desktop sharing software TeamViewer.

“Beyond its legitimate uses, TeamViewer allows cyber actors to exercise remote control over computer systems and drop files onto victim computers, making it functionally similar to Remote Access Trojans (RATs),” the FBI said.

“TeamViewer’s legitimate use, however, makes anomalous activity less suspicious to end users and system administrators compared to typical RATs.”

The TeamViewer app itself was suffering no vulnerabilities, but it helped the attacker following an initial intrusion, likely through compromised account credentials or remote access accounts with weak passwords.

The notice further warns about the use of Windows 7, which Microsoft stopped supporting in January of last year. Knowing it might take a while before Windows 7 is phased out completely, the Bureau offers a list of interim steps for mitigation:

• Use multi-factor authentication
• Use strong passwords to protect Remote Desktop Protocol (RDP) credentials
• Ensure anti-virus, spam filters, and firewalls are up to date, properly configured and secure
• Audit network configurations and isolate computer systems that cannot be updated
• Audit your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts
• Audit logs for all remote connection protocols
• Train users to identify and report attempts at social engineering
• Identify and suspend access of users exhibiting unusual activity
• Keep software updated