'Morto' worm tries weak passwords and default account names to spread using Remote Desktop Protocol
Most of our SCADA and Process Control clients have either already segmented their network architecture, or are in the process of segmenting their networks. Having defined networks for each functional area of the system is a great first step.
However, if you are using RDP (Remote Desktop Protocol) to jump or hop across network segments, make sure that you have changed the default account names and passwords associated with the RDP logon process. A new worm attack is live right now, attempting to crawl through networks around the world, and it is taking a gamble that some have left default accounts and weak passwords in place.
Researchers working on the Morto worm say that it infects Windows workstations and Windows servers, and spreads by uploading a Windows DLL file to a targeted machine. The worm looks for weak administrator passwords in Remote Desktop on an organization's network, attempting everything from "12345" to "admin" and "password."
Like most C&C malware, once Morto compromises one system, it connects to a command and control server to download information and to update its payload. It also terminates processes for locally running security applications in order to ensure its activity continues uninterrupted. Even if it cannot load onto the local machine or pull down its C&C malware, Morto still tries to connect to targeted host systems, trying common default account names like "admin" and "guest." Morto is also known as Trojan horse Generic24.OJQ (AVG), Trojan.DownLoader4.48720 (Dr.Web), Win-Trojan/Helpagent.7184 (AhnLab), Troj/Agent-TEE (Sophos), and Backdoor:Win32/Morto.A.
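The password-guessing behaviour described above leaves a recognisable trail in the Windows Security log: bursts of failed RDP logons (event 4625, logon type 10) from one source against default account names, possibly followed by a success (event 4624). The script below is an added detection example, not code from the original post; the log lines are constructed and flattened to one line per event, and the five-failure threshold is an assumption you would tune to your environment.

```python
import re
from collections import defaultdict

# Constructed sample log flattened to one line per event (assumption: real
# Windows Security events are multi-line; EventID 4625 = failed logon, 4624 =
# successful logon, LogonType 10 = RemoteInteractive/RDP are real values).
SAMPLE_LOG = """\
2011-08-28T10:01:02Z EventID=4625 TargetUserName=admin LogonType=10 IpAddress=10.1.2.55
2011-08-28T10:01:03Z EventID=4625 TargetUserName=administrator LogonType=10 IpAddress=10.1.2.55
2011-08-28T10:01:03Z EventID=4625 TargetUserName=guest LogonType=10 IpAddress=10.1.2.55
2011-08-28T10:01:04Z EventID=4625 TargetUserName=admin LogonType=10 IpAddress=10.1.2.55
2011-08-28T10:01:06Z EventID=4625 TargetUserName=admin LogonType=10 IpAddress=10.1.2.55
2011-08-28T10:05:00Z EventID=4624 TargetUserName=admin LogonType=10 IpAddress=10.1.2.55
2011-08-28T10:07:10Z EventID=4625 TargetUserName=jdoe LogonType=10 IpAddress=10.1.9.7
2011-08-28T10:08:00Z EventID=4625 TargetUserName=admin LogonType=2 IpAddress=-
"""

LINE_RE = re.compile(r"EventID=(\d+) TargetUserName=(\S+) LogonType=(\d+) IpAddress=(\S+)")
# Default account names the post says the worm tries
DEFAULT_ACCOUNTS = {"admin", "administrator", "guest"}

def parse_events(log):
    """Yield one dict per parseable log line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield {"event": int(m.group(1)), "user": m.group(2).lower(),
                   "logon_type": int(m.group(3)), "ip": m.group(4)}

def rdp_guessing_sources(log, fail_threshold=5):
    """Return {ip: summary} for sources with >= fail_threshold failed RDP logons.
    success_after_failures marks a 4624 from the same source after the failures."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(),
                                 "default_account_attempts": 0,
                                 "success_after_failures": False})
    for ev in parse_events(log):
        if ev["logon_type"] != 10:
            continue  # only RDP (RemoteInteractive) logons matter here
        s = stats[ev["ip"]]
        if ev["event"] == 4625:
            s["failed"] += 1
            s["users"].add(ev["user"])
            if ev["user"] in DEFAULT_ACCOUNTS:
                s["default_account_attempts"] += 1
        elif ev["event"] == 4624 and s["failed"] > 0:
            s["success_after_failures"] = True
    return {ip: {**s, "users": len(s["users"])}
            for ip, s in stats.items() if s["failed"] >= fail_threshold}
```

A source that is flagged with success_after_failures set is the one to treat as a probable compromise rather than just noise.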
During our assessment process, we always find plant control systems that are still using default Windows accounts, so I can bet that there will be control systems impacted by this worm. We always recommend changing the default account names, and modifying the key service account passwords on a routine basis, but this is not always feasible in operational systems.
The best recommendation is to integrate 2-factor authentication into management and administrative services like RDP. Instead of only needing the username and password to log into remote hosts, the administrator would need a key fob with an OTP (One Time Password) AND the correct username and password to log into the remote host. This extra step for authentication not only prevents automated attacks from leveraging harvested passwords or brute-force attempts, but also helps prevent the insider threat, since the logon process requires something you know PLUS something that you have in your possession. Implementing 2-factor authentication is the best practice for authentication to SCADA and Control System resources from the Corporate IT and other external networks.
We hope this advice is helpful for our industrial control systems clients; please pass this link and message on to others in your workplace and at home.
Cheers,
Jonathan