HMI Machine Infected with WannaCry

As my colleague Ben Seri, VP of Research at Armis, pointed out in a June 2019 blog, WannaCry is expected to have a “long tail” of presence into the future. Ben’s research team estimated that as many as 60% of manufacturing organizations had experienced at least one WannaCry attack in the first six months of 2019, almost two years after the attacks began.

As an example, Armis found a Human Machine Interface (HMI) in a manufacturing environment that was infected with WannaCry. Our threat detection engine saw that some traffic coming from the HMI machine was SMB version 1 traffic. When compared to the baseline of “known good” behavior stored in Armis’ Device Knowledgebase, it was clear that this traffic was abnormal. Further automated analysis of the traffic pattern clearly indicated that the HMI device was infected with WannaCry.All of this analysis was part of the automated threat detection engine that is part of the Armis agentless device security platform. Once Armis detected the threat, the Armis console flashed the alert. The alert included our conclusion (that the device was infected with WannaCry), the evidence that this conclusion was based on, and our recommended mitigation actions.Even though WannaCry is a “dormant” attack, devices containing WannaCry infections are of significant concern because:

• The dormant threat could re-activate at any time in the future
• The same vulnerabilities that WannaCry used to infect this HMI machine could be used by other threats. These threats may be immediately dangerous (like WannaCry was), or they may be Advanced Persistent Threats like the ones that Microsoft disclosed in August, 2019.

Prior to the installation of Armis at this customer’s manufacturing facility, our customer was not aware that the HMI machine was infected because they had not deployed network IPS or other forms of behavior monitoring in this part of their OT environment.The ingredients that made up this scenario are actually quite common in OT environments. OT devices often contain software vulnerabilities because software update processes are very complex. Software updates and patches must go through a vendor qualification process which can take several months to complete.Also, updates for critical OT devices can only be applied during a process shutdown, which does not occur frequently. And finally, OT environments are often connected to the enterprise network, and this gives Internet-borne malware a way into the OT environment. Because of all these reasons, devices in OT environments can be infected by WannaCry and other threats.Our recommendations for all OT environments are the following:

• Monitor the behaviour of all OT devices in your environment, and look for behaviours that are unexpected for each type of device based on their role.
• Devise a plan to address situations where OT devices have shown signs of anomalous network behaviour.

WannaCry impacts devices running old versions of the Windows operating system. Other operating systems, such as VxWorks, are commonly used by OT devices, and they are vulnerable to other types of attacks. If you haven’t yet heard about URGENT/11, a set of vulnerabilities impacting seven different Real Time Operating Systems (RTOS), read our disclosure here.