Microsoft Flaws Dominate Known Exploited Vulnerabilities in the Chemical Industry
By: Meredith Wallace
This report examines the top vulnerabilities present in the United States chemical sector over the month of October. The analysis draws heavily from the LookingGlass platform, which detects all internet-facing devices, their exposures, and vulnerabilities. The findings from this report will be of most interest to the federal agency responsible for securing the chemical sector – the Cybersecurity and Infrastructure Security Agency (CISA), CIOs and CISOs in the chemical sector, threat researchers, and the broader manufacturing supply chain. This reporting is the first of several pieces that will address the cybersecurity risks to critical infrastructure sectors across the U.S.
Executive Summary
The LookingGlass platform identified several known exploited Microsoft vulnerabilities over the past month across 24 million assets we track in the U.S. chemical sector. A group of flaws we detected is known to be exploited by a likely Chinese state-backed threat group. We make this assessment with moderate confidence based on a sample of the chemical industry ingested by our system, which includes millions of IP addresses belonging to the sector. We also based this assessment on Microsoft’s account of threat activity it has observed in its products, such as Microsoft Exchange Server. The chemical industry is a strategically important critical infrastructure sector as it contributes significantly to the world economy, other vital businesses, and national security.
Background
The chemical industry is an integral component of the U.S. economy that manufactures, stores, uses, and transports potentially dangerous chemicals upon which a wide range of other critical infrastructure sectors rely. Such activities support industries like agriculture, healthcare, fuel, water, nuclear, defense, and transportation. According to the Cybersecurity and Infrastructure Security Agency (CISA), “the U.S. chemical sector is composed of several hundred thousand chemical facilities in a complex, global supply chain that converts various raw materials into more than 70,000 essential products for modern life.” A majority of these facilities are privately owned.
This critical sector is growing rapidly. Just last year, the chemical industry achieved its highest worldwide revenue in 15 years, accounting for $4.73 trillion, according to Statista. Over the next few years, it is expected to continue expanding in every subsector with a predicted 1.8% growth rate.
Due to the significant revenue generated by the chemical sector, combined with international competitiveness and substantial investment in R&D, the sector is a ripe target for cyber espionage and IP theft. For actors with even more malicious intent, it is also an optimal target for causing physical damage or loss of life, deploying ransomware, or disrupting supply chains.
In 2017, Saudi Arabia experienced a string of cyber attacks against its chemical and industrial facilities. Perhaps the most well-known target was Tasnee, a privately-owned petrochemical company, with a plant that was hit by a cyberattack meant to sabotage the firm’s operations and trigger an explosion. Computers also crashed 15 miles away at Sadara Chemical Company, a joint venture between the oil and chemical giants Saudi Aramco and Dow Chemical.
These events were considered an escalation, particularly because, in the case of Tasnee, the attack was designed to inflict physical damage. U.S. government officials, their allies, and cybersecurity experts worried that the attacks could be replicated in other countries, since thousands of industrial plants all over the world rely on the same American-engineered computer system that was compromised in this incident.
Then, in 2019, three large chemical manufacturing companies based in Norway and the U.S. suffered ransomware attacks. Global aluminum producer Norsk Hydro was forced to shut down its plants worldwide as a result. The company experienced locked files and passwords across several of its corporate and production control systems. Around the same time, Momentive and Hexion, two U.S.-based chemical companies, were forced to shut down IT systems to contain ransomware incidents.
Key Findings
The top ten Known Exploited Vulnerabilities in the chemical sector are all Microsoft vulnerabilities, four of which have been observed to be exploited by state-backed actors in China. The LookingGlass platform identified several software vulnerabilities in the chemical sector open to adversary exploitation over the month of October 2022.
A vast majority of the vulnerabilities we detected are listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog. A KEV designation means adversaries have been observed exploiting these vulnerabilities in the wild. All the KEVs our platform detected are Microsoft vulnerabilities. We make this assessment with moderate confidence because our platform covers CIKR (critical infrastructure and key resources) sectors based on preset parameters and may not include certain companies, operators, or blocks of IP addresses that could be considered part of the chemical sector under other parameters. This means additional vulnerabilities could be present.
The most common KEV detected in the chemical sector is one of the earliest KEVs CISA added to its catalog, CVE-2015-1635, and it is scored as a critical vulnerability. The LookingGlass platform observed this vulnerability open to adversary exploitation over one hundred times in the month of October. CVE-2015-1635 is a Remote Code Execution vulnerability affecting Microsoft Windows. Successful exploitation of this vulnerability allows a remote attacker to cause a buffer overflow and potentially execute arbitrary code with system privileges. Inclusion in CISA’s KEV Catalog indicates that this vulnerability has been observed exploited in the wild, though we have no reporting to indicate the type of actor or attribution to a specific adversary at this time.
The second most prevalent of the KEVs we detected is a group of four Microsoft vulnerabilities that were observed being exploited by likely Chinese state-backed actors, through chained attacks in the wild last year. The four vulnerabilities are: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. The LookingGlass platform observed these flaws open to adversary exploitation more than 100 times last month. Microsoft published a blog last year attributing the exploitation of these flaws to a state-sponsored group it calls HAFNIUM.
HAFNIUM was observed using these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft assesses that HAFNIUM is state-sponsored and operating out of China. HAFNIUM primarily targets entities in the U.S. across several industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs, according to Microsoft.
The next five most common KEVs the LookingGlass platform identified in the sector are all high severity Microsoft vulnerabilities. Each of these flaws was detected fewer than 50 times, and none are publicly known to be exploited by a particular threat actor. However, all were publicized for their prevalence and known exploitation by various threat actors.
- CVE-2021-31206 is a known, commonly exploited vulnerability in Microsoft Exchange Server. It appeared in a CISA Threat Bulletin as a vulnerability that could potentially be exploited by IRGC threat actors, as they maintain interest in attacking Microsoft Exchange Server. The bulletin did not explicitly state that Iran specifically exploits this vulnerability.
- CVE-2017-7269 is a high severity, zero day flaw in a legacy Microsoft product that reached end of life in 2015 and is no longer supported. Chinese researchers, however, published evidence that it has been actively exploited in the wild for years. The LookingGlass platform detected nearly 40 instances of this vulnerability in the chemical sector last month alone.
- CVE-2020-0796 was widely publicized at the time of its disclosure and popularly known as “SMBghost,” “CoronaBlue,” and “EternalDarkness.” It is a fully wormable, critical Microsoft Windows 10 flaw.
- CVE-2021-34523, CVE-2021-31207 and CVE-2021-34473 affect Microsoft Exchange Server. These three, in combination, are known as “ProxyShell.” ProxyShell was included in CISA’s list of the Top Routinely Exploited Vulnerabilities of 2021.
Methodology & Terminology
To generate the above findings, the LookingGlass platform matched its Internet-wide collected assets with CVEs, which were then cross-referenced against CISA’s KEV catalog. All of the CVEs can be found in the NIST NVD. The count represents the number of times a flaw was identified in the chemical sector over a set period of time (here, the month of October).
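The cross-referencing step described above, written out as an added example: it is illustrative code and not LookingGlass's platform. The KEV catalog excerpt is constructed in the shape of CISA's published JSON feed (a top-level "vulnerabilities" list whose entries carry a "cveID"), and the asset findings, the non-KEV CVE, the malformed record, and the CVSS base scores are all constructed values for the example. It shows the distinction a reader of the report needs: the count is per observation (the same flaw on many assets, or several flaws on one asset), not per distinct asset.

```python
"""Match asset findings to CVEs, cross-reference CISA's KEV catalog, count per CVE.

Added illustration of the report's methodology; not LookingGlass code.
KEV catalog sample, findings and CVSS scores below are constructed.
Real KEV feed: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
"""
import json
import re
from collections import Counter
from dataclasses import dataclass

# Identifier format used by MITRE/NVD; anything else is treated as scanner noise.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass(frozen=True)
class Finding:
    asset: str  # internet-facing asset (IP) attributed to the sector
    cve: str    # CVE the asset's exposed service was matched to


# Constructed KEV catalog excerpt in the shape of CISA's feed (CVE IDs from the report).
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2015-1635", "vendorProject": "Microsoft", "product": "Windows"},
        {"cveID": "CVE-2021-26855", "vendorProject": "Microsoft", "product": "Exchange Server"},
        {"cveID": "CVE-2021-27065", "vendorProject": "Microsoft", "product": "Exchange Server"},
        {"cveID": "CVE-2020-0796", "vendorProject": "Microsoft", "product": "Windows"},
    ],
})

# Constructed severity lookup (assumed numbers, not NVD's published scores).
CVSS_BASE = {
    "CVE-2015-1635": 9.8,
    "CVE-2021-26855": 9.8,
    "CVE-2021-27065": 7.8,
    "CVE-2020-0796": 10.0,
    "CVE-2099-0001": 5.0,  # constructed CVE that is NOT in the KEV catalog
}

# Constructed scan output: documentation-range IPs, one record per asset/CVE match.
FINDINGS = [
    Finding("198.51.100.10", "CVE-2015-1635"),
    Finding("198.51.100.11", "CVE-2015-1635"),
    Finding("198.51.100.12", "cve-2015-1635"),   # lowercase: normalised, still counted
    Finding("198.51.100.20", "CVE-2021-26855"),
    Finding("198.51.100.20", "CVE-2021-27065"),  # two Exchange flaws on one asset
    Finding("198.51.100.21", "CVE-2021-26855"),
    Finding("198.51.100.30", "CVE-2020-0796"),
    Finding("198.51.100.40", "CVE-2099-0001"),   # known CVE, but not a KEV: excluded
    Finding("198.51.100.41", "not-a-cve"),       # malformed record: dropped
]


def load_kev_ids(kev_json: str) -> set:
    """Return the set of CVE IDs in a KEV-catalog-shaped JSON document."""
    catalog = json.loads(kev_json)
    return {entry["cveID"].strip().upper() for entry in catalog.get("vulnerabilities", [])}


def valid_findings(findings):
    """Normalise CVE IDs to upper case and drop records that are not well-formed."""
    cleaned = []
    for f in findings:
        cve = f.cve.strip().upper()
        if CVE_ID.match(cve):
            cleaned.append(Finding(f.asset, cve))
    return cleaned


def kev_counts(findings, kev_ids) -> Counter:
    """Number of observations per KEV-listed CVE (the report's 'count')."""
    return Counter(f.cve for f in valid_findings(findings) if f.cve in kev_ids)


def exposed_assets(findings, kev_ids) -> set:
    """Distinct assets carrying at least one KEV-listed flaw."""
    return {f.asset for f in valid_findings(findings) if f.cve in kev_ids}


def top_kevs(findings, kev_ids, cvss, n=10):
    """Rank KEVs by observation count, then CVSS base score, then CVE ID."""
    counts = kev_counts(findings, kev_ids)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], -cvss.get(kv[0], 0.0), kv[0]))
    return [(cve, count, cvss.get(cve, 0.0)) for cve, count in ranked[:n]]


if __name__ == "__main__":
    kev = load_kev_ids(KEV_JSON)
    for cve, count, score in top_kevs(FINDINGS, kev, CVSS_BASE):
        print(f"{cve}  observations={count}  cvss={score}")
    print(f"assets with at least one KEV: {len(exposed_assets(FINDINGS, kev))}")
```

On the constructed data the ranking is CVE-2015-1635 (3 observations), CVE-2021-26855 (2), then CVE-2020-0796 ahead of CVE-2021-27065 on the CVSS tie-break, while only six distinct assets are affected; the non-KEV CVE never enters the ranking, which is the filtering the report's KEV-only figures rely on.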
The LookingGlass platform is an attack surface intelligence solution designed to quickly illuminate unknown or unmanaged assets, risky services, and exposures. In the U.S. chemical sector alone, the platform identified 24 million internet-facing assets, their primary owners, exposures, vulnerabilities, and locality, among other details.
NVD: Stands for the National Vulnerability Database. NVD is owned and operated by the National Institute of Standards and Technology (NIST). The NVD is the U.S. government repository of standards-based vulnerability management data. The NVD includes a database of security checklist references, security-related software flaws (CVEs), misconfigurations, product names, and impact metrics. The NVD supports both versions 2.0 and 3.x of CVSS.
CVE: Stands for Common Vulnerabilities and Exposures. CVEs include serial numbers assigned to publicly disclosed software vulnerabilities that could be exploited by adversaries to compromise a system or device. The CVE system was launched by MITRE in 1999 and has been widely accepted as the primary way to track software vulnerabilities, their severity, and mitigations or solutions to patch them. It should be noted that not all vulnerabilities have been discovered, or made publicly known, or assigned a CVE number and may not be actively tracked.
CVSS: Stands for Common Vulnerability Scoring System. CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities – or CVEs. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources to a threat.
KEV: Stands for Known Exploited Vulnerabilities. Through the KEV Catalog, CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. The KEV Catalog is another tool designed to help security responders prioritize their responses and resources. CISA recommends organizations prioritize patching vulnerabilities listed in the KEV Catalog to reduce the likelihood of compromise by known threat actors. There are three thresholds for KEV catalog updates:
- The vulnerability has an assigned Common Vulnerabilities and Exposures (CVE) ID.
- There is reliable evidence that the vulnerability has been actively exploited in the wild.
- There is a clear remediation action for the vulnerability, such as a vendor-provided update.
Organizations can subscribe to KEV Catalog updates on CISA’s website.
Strategic Importance
Last month, the White House incorporated the chemical sector as the fourth critical infrastructure sector under the Industrial Control System (ICS) Cybersecurity Initiative. The ICS Cybersecurity Initiative was stood up in response to the Colonial Pipeline cyber incident last year and originally included only the water, pipelines, and electricity sectors.
The new White House policy underscores the importance of securing the chemical sector against cybersecurity threats as on par with the need to protect the other three sectors. Through the ICS Cybersecurity Initiative, the chemical industry will now enjoy the same benefits and resources available to the other sectors including access to threat detection tools, enhanced information sharing, and improved visibility of the threat surface.
Attack surface management is key for strong cybersecurity. Continuously leveraging the ability of tools designed to enumerate network infrastructures for public-facing assets will help organizations build a baseline attack surface catalog. Using this perpetually updated catalog to surface unmanaged/Shadow IT assets and reveal security exposures will assist in preparing critical infrastructure for cyber resilience in today’s riskier world.
Cybersecurity resources for chemical organizations large and small can be found on CISA’s website at: https://www.cisa.gov/chemical-sector