Hackers exploit ‘guest user’ account of software that allows remote operation
Hackers took over computers running equipment at a New Jersey company earlier this year, exploiting gaps in popular software used worldwide to remotely operate elevators, medical equipment, access checkpoints and operations, an FBI document shows.
In February and March, intruders took advantage of a misconfiguration of “guest user” accounts to enter the system known as the Niagara Framework on multiple occasions, according to a confidential FBI alert that surfaced last week.
The hackers were political activists who wanted to draw attention to the weakness of industrial control systems, the alert said. To find their targets, the hackers searched the Web using a system known as Shodan, the FBI alert said.
FBI officials said that the hackers did not damage or steal anything during the attack.
Produced by the Richmond-based Tridium, Niagara’s 4 million lines of software code enable employees to control devices and systems from afar, using a mouse and the Web. At least 11 million devices and machines in 52 countries are controlled by Niagara, company officials said.
The air conditioning firm that was targeted, which was not identified in the FBI alert, used Niagara in its own operations. It also installed the software for customers, including banks. It configured its Niagara system to have a “guest user” account with little security. The hackers took advantage of that account, using it as a “back door” into the system, according to the alert.
The intrusions underscore the growing threat to the Internet-connected computer systems that run the world’s critical infrastructure, including power grids, water systems, manufacturing, transportation and other operations.
In October, Defense Secretary Leon E. Panetta said other recent attacks “mark a significant escalation of the cyberthreat and they have renewed concerns about still more destructive scenarios that could unfold.”
The FBI alert about Tridium was issued two weeks after a Washington Post investigation found that the Niagara system had vulnerabilities that made it susceptible to “trivial and reliable” attacks,” according to a security researcher who found them.
One day after the Post story, the Department of Homeland Security issued a cyber-alert that said Niagara users should immediately prohibit guest users, bolster passwords, cut off direct access to the Internet and take other steps to prevent hackers from exploiting configuration and software flaws.
Tridium issued two alerts, along with software fixes that make the system more secure. They also warned customers about the need to configure guest user accounts properly.