ICS/SCADA, Endpoint/Device Security, Ransomware, Identity

LockBit breaches fence company’s weakest link: a Windows 7 PC

Warning notification is displayed on a laptop running Windows 7 operating system in Poland, on 25 February, 2020. After 10 years, support for Windows 7 ended on January 14, 2020. Microsoft will no longer provide software updates and support, including security updates. (Photo by Beata Zawrzel/NurPhoto via Getty Images)

The LockBit ransomware gang stole 10GB of data from a security fencing company by compromising a “rogue” Windows 7 PC connected to an otherwise secure network.

Security experts said the theft was a reminder of the prevalence of outdated, unsupported and vulnerable devices linked to industrial networks, and the risks they posed to entire supply chains.

LockBit exfiltrated the data from UK-based perimeter fencing manufacturer Zaun in early August, added the company to its leak site a week later, and demanded a ramson be paid by Aug. 29.

The data theft was “possibly limited to the vulnerable PC but with a risk that some data on the server was accessed,” Zaun said in a post.

“In an otherwise up-to-date network, the breach occurred through a rogue Windows 7 PC that was running software for one of our manufacturing machines. The machine has been removed and the vulnerability closed.”

It appeared the company, whose customers include the UK military, did not pay the ransom and The Mirror newspaper reported on Sept. 2 that LockBit had published “thousands of pages” of the company’s stolen data on its leak site.

The reliance on the Windows 7 operating system is notable: Microsoft ended all Windows 7 support, including security updates, in January this year, and the operating system was initially launched in 2009.

Lee Neely, an information assurance associate program leader at Lawrence Livermore National Laboratory, said organizations using dated operational technology (OT) and industrial control system (ICS) solutions needed to rely on effective physical and network security measures, and ensure their machines were well monitored.

“For many OT/ICS systems it is a real possibility that you have legitimate Windows 7 devices which are, effectively, toasters, where patching and updating is achieved via expensive forklift replacement,” he said.

Zaun said LockBit may have accessed some historic emails, orders, drawings, and project files but the company does not believe any classified documents were stored on the system, or had been compromised.

Although it provides security fencing to highly sensitive UK military facilities including a submarine base, a chemical weapons lab and a signals intelligence post, the company downplayed any supply chain implications of the hack and said it was not a government approved security contractor.

“As a manufacturer of perimeter fencing, any member of the public can walk up to our fencing that has been installed at these sites and look at it.”

Manufacturers’ security challenges

According to researchers at SOCRadar, manufacturing organizations were the most popular target for ransomware attacks in July, accounting for 16.6% of the 486 victims ransomware gangs claimed to have attacked over the month.

In a Sept. 5 post addressing the Zaun incident, SOCRadar said the prevalence of unpatched devices used in manufacturing environments made the sector an attractive target for threat actors.

“The rationales behind this phenomenon include the fact that certain computers or IoT devices serve specialized functions and remain operational as long as they are functional, limitations in resources prevent the adoption of newer versions, and there are embedded systems that are challenging to update.”

Curtis Dukes, executive vice president and general manager at the Center for Internet Security, said while upgrading end-of-life software was the obvious solution, “it isn’t always that simple for organizations. In that case the organization needs to perform a risk assessment and develop other mitigations to protect the enterprise.”

SOCRadar said any system that was beyond patching should not be directly exposed to external networks.

“Even if it needs to be connected to an intranet, it should be placed within a separate subnet, isolated from the rest of the network. Additionally, such systems mustn’t store critical data and should undergo rigorous monitoring, with any unusual activities scrutinized closely.”

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.