Stuxnet malware and default SCADA passwords put critical infrastructure at risk

Sophos has issued new guidance and research on a Windows zero-day vulnerability that is already being used to target critical infrastructure systems, and for which exploit code has been made widely available.

Since first reporting on the vulnerability earlier this week, Sophos has now detected an additional variant of the malware payload, prompting concerns that further examples of the attack will materialize as the hackers attempt to avoid detection.

Termed the “CPLINK” vulnerability by SophosLabs, researchers have found that the vulnerability is present in all Windows platforms – including Windows 2000 and Windows XP SP2, both of which Microsoft ceased official support for last week.

Initially associated with removable USB storage devices, the CPLINK vulnerability requires no direct user interaction to deliver its payload, which Sophos has named the Stuxnet-B Trojan.

Early versions of the malware have been programmed to seek out SCADA software (Supervisory Control And Data Acquisition) by Siemens Corporation, which is used in managing industrial infrastructures, such as power grids and manufacturing plants.

The issue has been compounded by the revelation that default passwords, hardcoded into the Siemens SCADA system, have been widely available on the Net since 2008 – and Siemens has issued guidance that operators should not now change passwords in response.