https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.
According to Gartner‘s market researchers, global spending on IoT security will increase to $1.5 billion this year.
1,725 Comments
Tomi Engdahl says:
Hackers are targeting industrial systems with malware
An entire ecosystem of sketchy software is targeting potentially critical infrastructure.
https://arstechnica.com/information-technology/2022/07/malware-circulating-online-wrangles-industrial-systems-into-a-botnet/
From the what-could-possibly-go-wrong file comes this: People hawking password-cracking software are targeting the hardware used in industrial-control facilities with malicious code that makes their systems part of a botnet, a researcher reported.
Lost passwords happen in many organizations. A programmable logic controller—used to automate processes inside factories, electric plants, and other industrial settings, for example, may be set up and largely forgotten over the following years. When a replacement engineer later identifies a problem affecting the PLC, they may discover the now long-gone original engineer never left the passcode behind before departing the company.
Tomi Engdahl says:
Edge Security in an Insecure World
https://www.mouser.com/empowering-innovation/more-topics/ai?utm_source=endeavor&utm_medium=display&utm_campaign=ed-personifai-eit-ai-#article2-ai
As the cost of embedded networked devices falls—consider the Raspberry Pi as one example—they become ubiquitous. But, a hidden cost in this proliferation is that these devices can lack security and therefore be exploited. Without the investment in security, devices can leak private information—such as video, images, or audio—or become part of a botnet that wreaks havoc around the world.
Tomi Engdahl says:
Password recovery tool infects industrial systems with Sality malware https://www.bleepingcomputer.com/news/security/password-recovery-tool-infects-industrial-systems-with-sality-malware/
A threat actor is infecting industrial control systems (ICS) to create a botnet through password “cracking” software for programmable logic controllers (PLCs). Advertised on various social media platforms, the password recovery tools promise to unlock PLC and HMI (human-machine
interface) terminals from Automation Direct, Omron, Siemens, Fuji Electric, Mitsubishi, LG, Vigor, Pro-Face, Allen Bradley, Weintek, ABB, and Panasonic. [..] But behind the scenes the tool also dropped Sality, a piece of malware that creates a peer-to-peer botnet for various tasks that require the power of distributed computing to complete faster (e.g. password cracking, cryptocurrency mining).
Tomi Engdahl says:
Smart thermostats inadvertently strain electric power grids https://news.cornell.edu/stories/2022/07/smart-thermostats-inadvertently-strain-electric-power-grids
The smart thermostats are saving homeowners money, but they are also initiating peak demand throughout the network at a bad time of day, according to Cornell engineers in a forthcoming paper in Applied Energy (September 2022.).
https://www.sciencedirect.com/science/article/abs/pii/S0306261922007243
Tomi Engdahl says:
Meet Mantis the tiny shrimp that launched 3, 000 DDoS attacks https://www.theregister.com/2022/07/15/mantis_botnet_ddos_attack/
The botnet behind the largest-ever HTTPS-based distributed-denial-of-service (DDoS) attack has been named after a tiny shrimp. Likewise, the Mantis botnet operates a small fleet of bots (a little over 5, 000), but uses them to cause massive damage specifically, a record-breaking attack.
Tomi Engdahl says:
Vulnerabilities in GPS tracker could have “life-threatening”
implications
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/07/vulnerabilities-in-gps-tracker-could-have-life-threatening-implications/
Researchers at BitSight have discovered six vulnerabilities in the MiCODUS MV720 GPS tracker, a popular vehicle tracking device.
Exploiting these vulnerabilities could potentially put drivers in danger and disrupt supply chains. In fact, there are many possible scenarios which could result in loss of life, property damage, privacy intrusions, and threaten national security.
Tomi Engdahl says:
Protecting IoT Devices from Within Why IoT Devices Need A Different Security Approach?
https://blog.checkpoint.com/2022/07/25/protecting-iot-devices-from-within-why-iot-devices-need-a-different-security-approach/
IoT cyberattacks are increasing by the day, and unfortunately are becoming more sophisticated, widespread, and destructive for any business. We’ve seen a large number of examples in which hundreds of thousands of connected devices were attacked by malware that spread over the entire network; Infecting PCs, servers, and internal assets with ransomware, crypto-miners, Trojan, botnets, and more.
Tomi Engdahl says:
Security for the Atomized Network
A White Paper
https://content.netography.com/atomized-network-security-whitepaper
We are facing an entirely different model of networking and computing, where applications and data are scattered across a complex environment consisting of multi-cloud, on-premise, and legacy infrastructure, being accessed by increasingly mobile and remote workers.
We call this the Atomized Network and it is increasingly difficult to secure.
In this white paper, we closely examine the Atomized Network, why it is difficult to defend, the limitations of the most prevalent solutions, and the new paradigm needed to secure it.
Tomi Engdahl says:
Is an Infrastructure War on the Horizon?
https://www.securityweek.com/infrastructure-war-horizon
On February 24, Russia launched its full-scale assault on Ukraine. The invader’s weapons included tanks, heavy artillery… and software. On April 8, attackers armed with Industroyer2, a species of malware designed to incapacitate power stations and plunge whole cities into darkness, managed to briefly penetrate Ukrainian defenses, putting two million homes at risk. The attack was successfully repelled, but it communicated a chilling message to the world: The era of cyberwarfare has begun.
As newscaster Ted Koppel detailed in his 2016 best-seller, Lights Out, America’s infrastructure is all too vulnerable. Since then, things have only gotten worse. According to a recent IBM report, the manufacturing sector is now the number one target for ransomware, accounting for 23 percent of all attacks. The top vectors for these attacks were vulnerabilities that organizations hadn’t or couldn’t patch (47%) and, no surprise, phishing (43%).
The typical targets of attack within a manufacturing organization are the Industrial Control Systems (ICS), which control the operation of everything from turbines and values to robotic welding stations. Because an ICS manages physical machinery, successful exploits by bad actors can have extremely serious consequences, including enormous economic damage and even loss of human life. And because the same types of systems manage municipal water supplies and regional power generation, the potential for a real catastrophe exists. The problem of defending critical infrastructure has both technical and governmental aspects.
Tomi Engdahl says:
https://www.securityweek.com/cyber-physical-security-benchmarking-advance-your-journey
https://www.securityweek.com/hundreds-ics-vulnerabilities-disclosed-first-half-2022
Tomi Engdahl says:
Securing Smart Cities from the Ground Up
https://www.securityweek.com/securing-smart-cities-ground
Smart City network infrastructure demands a proactive approach to find vulnerabilities before hackers find them
Smart technology continues to change how people live and interact with the cities around them. While the full value of a connected city evolves – one that leverages innovations powered by artificial intelligence and machine learning – cybersecurity stands as one of its greatest challenges.
The Smart City Conundrum
While the promise of Smart Cities provides municipalities and inhabitants with the efficiency and value of “smart” services, it also creates a cybersecurity challenge. Each connected component – from devices to the network infrastructure – offers a potential entry point for hackers to steal data, damage systems, and gain access to information they shouldn’t have.
Smart City ecosystems could be filled with tens of thousands of Internet of Things (IoT) devices communicating over public network infrastructure. In order for the Smart City to succeed, each IoT device must be low power, exhibit excellent performance, be able to withstand interference, and be reliable. They’ll operate with the free flow of data between devices and the network infrastructure that connects them. How do Smart Cities ensure that each part of the Smart City ecosystem – the devices and network infrastructure — remains secure?’
Tomi Engdahl says:
Securing Smart Cities from the Ground Up
https://www.securityweek.com/securing-smart-cities-ground
Smart City network infrastructure demands a proactive approach to find vulnerabilities before hackers find them
Smart technology continues to change how people live and interact with the cities around them. While the full value of a connected city evolves – one that leverages innovations powered by artificial intelligence and machine learning – cybersecurity stands as one of its greatest challenges.
The Smart City Conundrum
While the promise of Smart Cities provides municipalities and inhabitants with the efficiency and value of “smart” services, it also creates a cybersecurity challenge. Each connected component – from devices to the network infrastructure – offers a potential entry point for hackers to steal data, damage systems, and gain access to information they shouldn’t have.
Smart City ecosystems could be filled with tens of thousands of Internet of Things (IoT) devices communicating over public network infrastructure. In order for the Smart City to succeed, each IoT device must be low power, exhibit excellent performance, be able to withstand interference, and be reliable. They’ll operate with the free flow of data between devices and the network infrastructure that connects them. How do Smart Cities ensure that each part of the Smart City ecosystem – the devices and network infrastructure — remains secure?’
Security testing of components and devices should not be an afterthought, but a proactive part of the design and manufacturing process. Best practices may include:
• Communication protocol testing – For example, Bluetooth vulnerabilities like Sweyntooth and Braktooth in communication chipsets, could open the door to hackers. Braktooth vulnerabilities recently impacted billions of devices from the system-on-a-chip (SOC) in more than a thousand chipsets used in laptops, smartphones, IoT and industrial devices. Protocol level vulnerabilities like these are difficult to detect. While the security community established best practices for discovering application-level vulnerabilities, protocol-level vulnerabilities are much harder to pinpoint. The only way to test for these kind of vulnerabilities is using protocol fuzzing which detects vulnerabilities during the communications handshake or hand-off process.
• Cybersecurity firmware, software and password update capabilities – Cybersecurity threats and vulnerabilities change over time. Many headline-making IoT security incidents have been caused by poor passwords and out-of-date firmware. Device manufacturers can take simple steps to enable Smart City device owners to strengthen authentication and provide methods to update firmware and software as the cybersecurity landscape evolves over the lifetime of their devices.
Smart City owners should follow cybersecurity best practices to improve their overall network security posture. Smart City network infrastructure demands a proactive approach to find vulnerabilities before hackers find them. A proactive approach includes utilizing breach and attack simulation tools to continuously probe for potential vulnerabilities. Adopting these tools can:
• Prevent attackers from moving laterally across the network
• Avoid “configuration drift” where system updates and tool patches cause unintended misconfiguration and leave the door open to attackers
• Reduce dwell time by training your security information and event management system to recognize indicators-of-compromise for emergency or common attacks.
Tomi Engdahl says:
Mirai-koodiin perustuva haitta murtaa voimalla Linux-palvelimia
https://etn.fi/index.php/13-news/13835-mirai-koodiin-perustuva-haitta-murtaa-voimalla-linux-palvelimia
Tietoturvayritys Fortinet löysi kesäkuun puolivälissä uuden haittaohjelman, joka perustuu lähdekoodiltaan pääosin Mirai-bottiin. RapperBot-nimen saanut koodi yrittää murtaa Linux-palvelimien SSH-salausta ja päästä käsiksi palvelimien käyttäjätietoihin.
Fortinetin mukaan uudemmat versiot viittaavat siihen, että bottiin on lisätty sen pysyvyyttä parantavia osia. RapperBot siis vastustaa suojausyrityksiä paremmin kuin Telnet-yhteyksiin murtautunut Mirai.
Lisäanalyysin jälkeen Fortinetin tutkijat havaitsivat, että RapperBot-haittaohjelmaperhe on suunniteltu toimimaan ensisijaisesti SSH:n brute force -tyyppisessä murtamisessa rajoitetuilla DDoS-ominaisuuksilla. Kuten useimmille IoT-haittaohjelmille on tyypillistä, se kohdistuu Arm-, MIPS-, SPARC- ja x86-arkkitehtuureihin.
So RapperBot, What Ya Bruting For?
https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery
FortiGuard Labs has been tracking a rapidly evolving IoT malware family known as “RapperBot” since mid-June 2022. This family borrows heavily from the original Mirai source code, but what separates it from other IoT malware families is its built-in capability to brute force credentials and gain access to SSH servers instead of Telnet as implemented in Mirai.
In addition, recent samples show that its developers have started adding code to maintain persistence, which is rarely done in other Mirai variants. This provides threat actors with continued access to infected devices via SSH even after the device is rebooted or the malware has been removed.
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
Unlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication. The bulk of the malware code contains an implementation of an SSH 2.0 client that can connect and brute force any SSH server that supports Diffie-Hellmann key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR.
Once RapperBot successfully brute forces an SSH server, the valid credentials are reported to the C2 server on a separate port (currently 48109) without executing further commands on the remote victim.
Tomi Engdahl says:
A Long-Awaited IoT Reverse Engineering Tool Is Finally Here
Ten years after it was first unveiled, the powerful firmware analysis platform Ofrak is now available to anyone.
https://www.wired.com/story/ofrak-iot-reverse-engineering-tool/
AT THE 2012 DefCon security conference in Las Vegas, Ang Cui, an embedded device security researcher, previewed a tool for analyzing firmware, the foundational software that underpins any computer and coordinates between hardware and software. The tool was specifically designed to elucidate internet-of-things (IoT) device firmware and the compiled “binaries” running on anything from a home printer to an industrial door controller. Dubbed FRAK, the Firmware Reverse Analysis Console aimed to reduce overhead so security researchers could make progress assessing the vast and ever-growing population of buggy and vulnerable embedded devices rather than getting bogged down in tedious reverse engineering prep work. Cui promised that the tool would soon be open source and available for anyone to use.
He was nothing if not thorough. A decade later, Cui and his company, Red Balloon Security, are launching Ofrak, or OpenFRAK, at DefCon in Las Vegas this week.
“Embedded security is a space that we absolutely need to have more good eyes and brains on. We needed it 10 years ago, and we finally found a way to give this capability out. So here it is.”
Though it hadn’t yet fulfilled its destiny as a publicly available tool, FRAK hasn’t been languishing all these years either. Red Balloon Security continued refining and expanding the platform for internal use in its work with both IoT device makers and customers who need a high level of security from the embedded devices they buy and deploy.
“What makes it unique is it’s designed to provide a common interface for other tools, so the benefit is that you can use all different tools depending on what you have at your disposal or what works best for a certain project,” Strieb says.
The platform is also unusual for offering advanced, automated repacking mechanisms for firmware binaries. Most reverse engineering tools aid in unpacking but lack extensive repacking capabilities, because even small modifications you make to firmware can incidentally break functionality or change how the program behaves. Repacking was always a core part of how Cui conceived FRAK, though, and Red Balloon has continued to improve it over the years for the company’s own work.
“Oftentimes, it’s cost prohibitive for organizations to hire reverse engineers with specialized skills to patch embedded devices,” says Sergey Bratus, a DARPA program manager. “A key goal of the AMP program is to make this capability readily available through automation. Automating the application of a fix turns out to be a hard computer science problem with fundamental research challenges. These challenges must be supported with new classes of modular, community-building, research-enabling tools such as Ofrak.”
In other words, Ofrak is not only useful for independent researchers who want to penetrate the black box of embedded devices. It can also help manufacturers assess their own products and play a role in patch development and distribution, a longtime challenge and frequent debacle in IoT.
Red Balloon’s Strieb says the company hopes Ofrak will be widely adopted and that people will develop add-on modules for community use. Red Balloon plans to maintain the tool long-term
https://github.com/redballoonsecurity/ofrak
Tomi Engdahl says:
Weaponized PLCs Can Hack Engineering Workstations in Attacks on Industrial Orgs
https://www.securityweek.com/weaponized-plcs-can-hack-engineering-workstations-attacks-industrial-orgs
Researchers have shown how hackers could weaponize programmable logic controllers (PLCs) and use them to exploit engineering workstations running software from several major industrial automation companies.
PLCs can be a tempting target for threat actors as they can be abused to cause damage and disruption, and to make changes to the processes they control. This is why they are often seen as the ultimate goal of an attacker.
However, researchers at industrial cybersecurity firm Claroty wanted to show that PLCs can also be used as a point of entry into an organization, being leveraged to target the engineering workstations connected to them and from there the rest of the internal network.
In such an attack, named ‘Evil PLC Attack’, the hacker first compromises the PLC, which can often be exposed to the internet and unprotected, and then tricks an engineer into connecting to the PLC from the engineering workstation. This could be achieved by causing a fault on the PLC, which an engineer would likely want to investigate.
During this research, vulnerabilities have been discovered in engineering workstation software from ABB (B&R Automation Studio), Emerson (PAC Machine Edition), GE (ToolBoxST), Ovarro (TwinSoft), Rockwell Automation (Connected Components Workbench), Schneider Electric (EcoStruxure Control Expert) and Xinje (XD PLC Program Tool).
Nearly a dozen CVE identifiers have been assigned to the vulnerabilities. Over the past year and a half, impacted vendors have been releasing advisories to inform their customers about the flaws and associated patches and mitigations.
The researchers have described three different theoretical Evil PLC attack scenarios.
Researchers and defenders can also leverage the Evil PLC method against threat actors. They can set up a honeypot where an internet-facing PLC they have weaponized acts as a lure. When a malicious actor connects to the PLC from their own computer and attempts to obtain the currently loaded project from the controller, their device will get compromised.
“This method can be used to detect attacks in the early stage of enumeration and might also deter attackers from targeting internet-facing PLCs since they will need to secure themselves against the target they planned to attack,” Claroty researchers said.
The cybersecurity firm has shared technical details and mitigations for these types of attacks.
Evil PLC Attack: Using a Controller as Predator Rather than Prey
https://claroty.com/team82/blog/evil-plc-attack-using-a-controller-as-predator-rather-than-prey
Team82 has developed a novel attack that weaponizes programmable logic controllers (PLCs) in order to exploit engineering workstations and further invade OT and enterprise networks. We’re calling this the Evil PLC Attack.
The attack targets engineers working every day on industrial networks, configuring and troubleshooting PLCs to ensure the safety and reliability of processes across critical industries such as utilities, electricity, water and wastewater, heavy industry, manufacturing, and automotive, among others.
The Evil PLC Attack research resulted in working proof-of-concept exploits against seven market-leading automation companies, including Rockwell Automation, Schneider Electric, GE, B&R, XINJE, OVARRO, and Emerson.
https://claroty.com/team82/research/white-papers/evil-plc-attack-weaponizing-plcs
Tomi Engdahl says:
Oh Deere: this tractor is Doomed!
At DEF CON 30 on Saturday, an Australian who goes by the handle Sick Codes showed off a way to fully take control of some John Deere farming machine electronics to run first-person shooter Doom.
“The main bug is that nothing’s encrypted or checksummed properly or anything like that,”
Oh Deere: Farm hardware jailbroken to run Doom
Corn-y demo heralded as right-to-repair win
https://www.theregister.com/2022/08/16/john_deere_doom/
Tomi Engdahl says:
Oh Deere: Farm hardware jailbroken to run Doom
Corn-y demo heralded as right-to-repair win
https://www.theregister.com/2022/08/16/john_deere_doom/
Tomi Engdahl says:
How Do I Crack Satellite and Cable Pay TV? (33c3)
https://amara.org/en/videos/slQC9vKj4zWZ/en/1787034/
Tomi Engdahl says:
Tietoturva on traktoreissa uskomattoman heikolla tasolla, eikä ongelma ratkea “purkkavirityksillä”
https://www.kauppalehti.fi/uutiset/tietoturva-on-traktoreissa-uskomattoman-heikolla-tasolla-eika-ongelma-ratkea-purkkavirityksilla/42e33edf-b82a-4587-afa7-fe46baa36f89
Nimimerkkiä Sick Codes käyttävä australialainen valkohattuhakkeri toi Def Con -tietoturvakonferenssissa esille John Deere -traktoreiden ja
- -maatalouskoneiden heikon tietoturvan. Esimerkkinä traktoreiden korkattavuudesta hän esitteli, kuinka farmilaitteet pyörittävät legendaarista Doom-peliä. Kyseessä oli vieläpä maataloushengessä modattu versio Doomista, joten tarjolla oli traktorilla ajoa Doomissa, traktorin näytöllä. The Register kertoo, että Doomia ajettiin John Deere 4240 -traktorin kosketusnäytöllä, jonka ohjaimena käytetään arm-yhteensopivaa NXP I.MX 6 -järjestelmäpiiriä Wind Linux 8
- -käyttöjärjestelmällä. Useiden traktoreiden laitteisiin tutustuneen Sick Codesin mukaan käytössä on paljon myös Windows CE -pohjaisia laitteita. Hakkerin mukaan ongelmana laitteissa on, ettei niissä käytetä asianmukaisia salauksia tai tarkistussummia. Ongelma on laitetasolla, eli purkkavirityksillä ei tilannetta auta lähteä korjaamaan. Ainoa oikea ratkaisu hänen mukaansa olisi tehdä uudet järjestelmät alusta asti turvallisuus mielessä. Sick Codesin hakkeroinnissa kyse on ikään kuin jailbreak-tyyppisestä murrosta, jolla voidaan ohittaa valmistajan omia suojauksia ja estoj
Tomi Engdahl says:
Software developer cracks Hyundai car security with Google search https://www.theregister.com/2022/08/17/software_developer_cracks_hyundai_encryption/
A developer says it was possible to run their own software on the car infotainment hardware after discovering the vehicle’s manufacturer had secured its system using keys that were not only publicly known but had been lifted from programming examples. Luck held out, in a way.
“Greenluigi1″ found within the firmware image the RSA public key used by the updater, and searched online for a portion of that key. The search results pointed to a common public key that shows up in online tutorials like “RSA Encryption & Decryption Example with OpenSSL in C.”. That tutorial and other projects implementing OpenSSL include within their source code that public key and the corresponding RSA private key. This means Hyundai used a public-private key pair from a tutorial, and placed the public key in its code, allowing “greenluigi1″ to track down the private key. Thus he was able to sign Hyundai’s files and have them accepted by the updater.
Tomi Engdahl says:
Ring Camera Recordings Exposed Due to Vulnerability in Android App
https://www.securityweek.com/ring-camera-recordings-exposed-due-vulnerability-android-app
A vulnerability patched recently by Amazon in the Android app for its Ring surveillance cameras exposed user data and video recordings, according to cybersecurity firm Checkmarx, whose researchers identified the flaw.
Checkmarx researchers discovered earlier this year that the official Ring Android app, which has been installed more than 10 million times from Google Play, was affected by several issues that could be chained to obtain information such as name, email address, phone number, physical address, geolocation data, and camera recordings.
The attack relies on a malicious application installed on the same Android device as the Ring camera app. Exploitation involves loading content from a malicious web page, exfiltrating an authorization token to the attacker’s server, and using the token to obtain a cookie needed to call Ring APIs. These APIs could then be abused to obtain sensitive user data and recordings.
Checkmarx made the technical details of the attack public on Thursday, along with a video describing its potential impact.
https://checkmarx.com/blog/amazon-quickly-fixed-a-vulnerability-in-ring-android-app-that-could-expose-users-camera-recordings/
Tomi Engdahl says:
Experts warn of widespread exploitation involving Hikvision cameras https://therecord.media/experts-warn-of-widespread-exploitation-involving-hikvision-cameras/
Both government and criminal hacking groups are still targeting Hikvision cameras with a vulnerability from 2021, according to reports from several security researchers. Cybersecurity firm CYFIRMA released a report this week saying Russian cybercriminal forums are awash with hackers looking to collaborate on exploiting Hikvision cameras using the command injection vulnerability CVE-2021-36260. “Specifically in the Russian forums, we have observed leaked credentials of Hikvision camera products available for sale, ” the company’s researchers said.
“These can be leveraged by hackers to gain access to the devices and exploit further the path of attack to target an organization’s environment.”. CYFIRMA reported they found that more than 80, 000 Hikvision cameras are still vulnerable to the critical command injection flaw, which carries a CVSS score of 9.8 out of 10.. Of the more than 80, 000 vulnerable cameras, more than 100 nations and 2, 300 organizations are impacted.
Tomi Engdahl says:
Over 80,000 Unpatched Hikvision Cameras Exposed to Takeover
https://www.securityweek.com/over-80000-unpatched-hikvision-cameras-exposed-takeover‘
Cybersecurity firm Cyfirma has identified more than 80,000 Hikvision cameras that haven’t been patched against a critical code execution vulnerability exploited in the wild.
Tracked as CVE-2021-36260, the vulnerability leads to root access and allows an attacker to take full control of a device and potentially compromise the entire network. More than 70 Hikvision device models are impacted.
The security bug has a CVSS rating of 9.8, given that exploitation only requires access to the HTTP(S) server port (typically 80/443), without authentication.
Tomi Engdahl says:
Old, Inconspicuous Vulnerabilities Commonly Targeted in OT Scanning Activity
https://www.securityweek.com/old-inconspicuous-vulnerabilities-commonly-targeted-ot-scanning-activity
Data collected by IBM shows that old and inconspicuous vulnerabilities affecting industrial products are commonly targeted in scanning activity seen by organizations that use operational technology (OT). SecurityWeek has talked to several experts to find out what this data means and determine the threat posed by these security holes.
Last week, IBM Security’s X-Force research and intelligence unit published a report describing the OT threat landscape in the first half of 2022. The findings from the report are not surprising: manufacturing continues to be the most targeted industry, phishing remains the main initial infection vector, and spam, RATs and ransomware are the most commonly seen attack types.
IBM has also looked at vulnerability scanning activity and found that the top two methods, accounting for more than 80% of scanning, are port scanning and Shodan scanning.
Much of the scanning appeared to be indiscriminate and did not seem to be specifically aimed at organizations with OT environments. However, an analysis of the attack alerts from OT-related industries showed that the most commonly targeted vulnerability was CVE-2016-4510, a flaw in the WAP interface of the Trihedral VTScada SCADA software that allows remote attackers to bypass authentication and read arbitrary files.
Other vulnerabilities that attackers commonly scan for include CVE-2021-21801, CVE-2021-21802, and CVE-2021-21803, which are cross-site scripting (XSS) issues affecting Advantech’s R-SeeNet router monitoring software, as well as CVE-2018-12634, a credential disclosure flaw affecting Circontrol’s CirCarLife SCADA software for electric vehicle charging stations.
Tomi Engdahl says:
ECF22: Mikään laite ei ole täysin turvallinen
https://etn.fi/index.php/72-ecf/13915-ecf22-mikaeaen-laite-ei-ole-taeysin-turvallinen
Meillä useimmilla on kotona erilaisia vimpaimia, jotka on liitetty kodin wifi-verkkoon ja sen kautta julkiseen internetiin. Ja jos olemme kuten suurin osa ihmisistä, laitteiden tietoturva-asetuksiin ei ole koskettu. Nämä muodostavat potentiaalisesti suuren riskin. Näin ei kuitenkaan tarvitse olla.
Tämä on yksi syyskuun 6. päivänä järjestettävän Embedded Conference Finlandin teemoista. IoT-laitteet ovat olleet tietoturvastandardoinnin kannalta melkoinen viidakko. Nyt asiaan on tulossa korjausta. Prosessi on hidas, mutta Etteplanin myyntijohtaja Antti Tolvanen kertoo ECF22-avainpuheessaan, missä standardoinnissa mennään tällä hetkellä.
Standardointi tuo ajan myötä hyvän perustan laitteiden tietoturvalle, mutta tietenkään se ei riitä. Sen lisäksi tarvitaan räätälöityjä ratkaisuja sekä laite- että ohjelmistopuolelle, jotta laite on turvallinen eikä mahdollista sisääntuloa suojattuun verkkoon.
Tomi Engdahl says:
XIoT Vendors Show Progress on Discovering, Fixing Firmware Vulnerabilities
https://www.securityweek.com/xiot-vendors-show-progress-discovering-fixing-firmware-vulnerabilities
Self-disclosures by XIoT vendors have surpassed independent research outfits as the second most prolific vulnerability reporters
A major impact of the pandemic has been the acceleration of digital transformation, which has expanded from advanced digitization into increasingly unmanaged automation. This automation is largely controlled by unmanaged cyber/physical devices. It started with the first generation of largely consumer oriented IoT devices but has grown into what some now call Industry 5.0.
The key aspect is no longer simply whether the device has internet connectivity, but whether it performs its functions automatically in an unmanaged fashion. This has become so much wider and more complex than the original concept of IoT or even IIoT. It now includes automatically functioning medical devices, building controls, smart city management, many aspects of OT and industrial control systems, and much more.
Tomi Engdahl says:
Lähde:
“Around 22,000 households in Colorado lost the ability to control their thermostats after the power company seized control of them during a heatwave.
After temperatures soared past 90 F degrees (+32 C), residents were left confused when they tried to adjust their air conditioning and found locked controls displaying a message that said “energy emergency.””
https://summit.news/2022/09/01/power-company-seizes-control-of-thermostats-in-colorado/
Tomi Engdahl says:
Rapid7 Flags Multiple Flaws in Sigma Spectrum Infusion Pumps
https://www.securityweek.com/rapid7-flags-multiple-flaws-sigma-spectrum-infusion-pumps
Security researchers at Rapid7 are warning about multiple secuirty vulnerabilities impacting Baxter’s Sigma Spectrum infusion pumps, including issues that could lead to the leakage of credential.
In an advisory published Thursday, Rapid7 called attention to five vulnerabilities found in Sigma Spectrum infusion pumps and the Sigma WiFi batteries.
The Sigma Spectrum infusion pumps have been designed so that, when powered up after a WiFi battery is connected, unencrypted data is sent to the battery via universal asynchronous receiver-transmitter (UART).
Because of that, the transmitted data is potentially at risk of compromise by attackers with access to the infusion pumps, who could either place a communication shim between the units to capture the data, or could use their own battery to exfiltrate data.
The first block of transmitted data contains the WiFi configuration information, which is then stored on the battery’s non-volatile memory. An attacker able to attach their own battery to a pump could then extract from the unit credentials that allows them to access an organization’s WiFi network.
Tomi Engdahl says:
Common Attacks on SSL/TLS – and How to Protect Your System
https://www.freecodecamp.org/news/attacks-on-ssl-tls-and-how-to-protect-your-system/
Tomi Engdahl says:
FBI Warns of Unpatched and Outdated Medical Device Risks
https://www.securityweek.com/fbi-warns-unpatched-and-outdated-medical-device-risks
The FBI is warning healthcare facilities of the risks associated with unpatched and outdated medical devices.
Security flaws in medical devices could adversely impact the operations of healthcare facilities, while also affecting the safety of patients and data confidentiality and integrity, the FBI says.
Both hardware design and device software management faults could lead to security vulnerabilities, especially if specific configurations are used, embedded security features are missing or cannot be updated, or there are too many devices to manage.
Some medical devices may remain in use for up to 30 years, which provides threat actors with enough time to identify and exploit vulnerabilities, especially if the software running on them has reached end of life (EOL).
“Legacy medical devices contain outdated software because they do not receive manufacturer support for patches or updates, making them especially vulnerable to cyberattacks,” the FBI says.
https://www.ic3.gov/Media/News/2022/220912.pdf
Tomi Engdahl says:
3 Considerations When Aligning Organizational Structure to IT/OT Governance
https://www.securityweek.com/3-considerations-when-aligning-organizational-structure-itot-governance
Over the last few years, the majority of large enterprises have come a long way in defining their operational technology (OT) governance strategies and making meaningful advances in risk reduction. Technology innovations aside, the top success factors I’ve observed are the way in which governance programs are structured and executed. Most significant is the guiding principle that organizational structure drives strategy.
What do I mean by that?
In organizations with a significant cyber-physical systems (CPS) footprint (e.g., manufacturing, oil & gas, and pharmaceutical), CISOs and their security teams need to collaborate with OT engineering teams to define and execute the OT strategy. And while most organizations have centralized governance and responsibility for OT cybersecurity under the CISO, the devil is in the details with respect to how they define and implement it.
The details of implementation and how the organization is structured fall along a spectrum – from less to more “control” for the security team. I’ve seen multiple variations work well, and believe the key is having a clear understanding of the boundaries and responsibilities for each team. There are at least three main aspects to consider when redesigning the organization or just working with what you’ve inherited, to create a strategy that allows you to reduce risk effectively. These include budget, implementation, and ongoing reporting
Tomi Engdahl says:
ICS Patch Tuesday: Siemens, Schneider Electric Fix High-Severity Vulnerabilities
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-fix-high-severity-vulnerabilities
Siemens and Schneider Electric have released their Patch Tuesday security advisories to inform customers about dozens of vulnerabilities affecting their industrial products.
Siemens has released five new advisories describing a total of 37 patched vulnerabilities. One of the advisories covers third-party component flaws in the Sinec INS (Infrastructure Network Services) web-based application for managing network services.
A total of 14 high- and medium-severity vulnerabilities have been found in third-party components used by the product, including BIND, ISC DHCP, OpenSSL, Lodash, and Axios. Siemens says these weaknesses could allow an attacker to cause a DoS condition, obtain sensitive data, or violate system integrity.
Schneider Electric has only released one new advisory, but the company has updated over a dozen existing advisories.
The new advisory describes multiple high-severity deserialization issues in EcoStruxure Machine SCADA Expert and Pro-face Blue Open Studio products that could lead to arbitrary code execution, information disclosure, or DoS.
Tomi Engdahl says:
Spyware, Ransomware, Cryptojacking Malware Increasingly Detected on ICS Devices
https://www.securityweek.com/spyware-ransomware-cryptojacking-malware-increasingly-detected-ics-devices
Spyware, ransomware and cryptojacking malware have been increasingly detected on industrial control system (ICS) computers, according to data collected in the first half of 2022 by cybersecurity firm Kaspersky.
The data comes from ICS-related Windows devices protected by Kaspersky products, including HMIs, SCADA systems, historians, data gateways, engineering workstations, computers used for the administration of industrial networks, and devices used to develop software for industrial systems.
In the first half of 2022, Kaspersky products blocked malicious objects on nearly 32% of protected ICS devices, which is roughly the same as in the two previous years.
However, the total number of malware families exceeded 7,200 — this number was at approximately 5,000 in the past two years.
The most significant increase, roughly 3 percentage points, was seen for malicious scripts and phishing pages, as well as malicious documents.
According to Kaspersky data, the percentage of devices on which spyware was blocked has been steadily increasing since the first half of 2020. Spyware in this case includes trojans, backdoors and keyloggers.
Tomi Engdahl says:
EU proposes security standards for IoT products https://therecord.media/eu-proposes-security-standards-for-iot-products/
European Union lawmakers introduced new security standards Thursday for internet-connected products from smartphones to fridges as the bloc attempts to address the growing threat posed by cyberattacks. The proposed Cyber Resilience Act (CRA) introduces several key measures including basic security requirements for products to be considered safe for the market and obligations on their manufacturers about handling vulnerabilities after any are discovered.
Tomi Engdahl says:
https://www.uusiteknologia.fi/2022/09/16/uusia-tietoturvavaatimuksia-laite-ja-ohjelmistotuotteille/
Tomi Engdahl says:
EU Wants to Toughen Cybersecurity Rules for Smart Devices
https://www.securityweek.com/eu-wants-toughen-cybersecurity-rules-smart-devices
The European Union’s executive arm proposed new legislation Thursday that would force manufacturers to ensure that devices connected to the internet meet cybersecurity standards, making the 27-nation bloc less vulnerable to attacks.
The EU said a ransomware attack takes place every 11 seconds, and the global annual cost of cybercrime is estimated at 5.5 trillion euros in 2021. In Europe alone, cyberattacks cost between 180 and 290 billion euros each year, according to EU officials.
The European Commission said an increase of cyberattacks was witnessed during the coronavirus pandemic and that Russia’s war in Ukraine has raised concerns that European energy infrastructure could also be targeted amid a global energy crunch.
The law, proposed as the Cyber Resilience Act, aims to remove from the EU market all products with digital elements that are not adequately protected.
Tomi Engdahl says:
AMTSO Publishes Guidance for Testing IoT Security Products
https://www.securityweek.com/amtso-publishes-guidance-testing-iot-security-products
The Anti-Malware Testing Standards Organization (AMTSO) has published guidelines for testers and vendors looking to check the efficiency and functionality of security products designed to protect Internet of Things (IoT) devices.
The Guidelines for Testing of IoT Security Products cover the principles for testing security products for IoT, recommendations on setting up testing environments, the testing for specific security functionality, and performance benchmarking.
The document encourages testers to focus on validating the end result and the performance of the provided protections and not to differentiate products based on their use of a technology or another, while also offering samples for IoT security solution benchmarking.
Furthermore, the guidance explains that IoT security products work differently compared to traditional products, typically by taking action without alerting the user, and recommends using an admin console during testing, or devices where the attack is visible or can be observed over a network.
“Threat actors are eager to exploit any crack in your defenses, including outdated passwords, firmware, or certificates. Because devices are so distributed and often of different makes and models, manually managing device security across multiple locations like cameras, kiosks, intercoms, and other equipment can be very difficult to accomplish at scale,” Broomhead said.
Guidelines for Testing of IoT Security Products
https://www.amtso.org/wp-content/uploads/2022/07/AMTSO-Guidelines-for-testing-of-IoT-Security-Products-FINAL.pdf
Tomi Engdahl says:
Water Tank Management System Used Worldwide Has Unpatched Security Hole
https://www.securityweek.com/water-tank-management-system-used-worldwide-has-unpatched-security-hole
A water tank management system used by organizations worldwide is affected by a critical vulnerability that can be exploited remotely and the vendor does not appear to want to patch it.
The affected product is made by the water and energy unit of Irish building materials company Kingspan. The Kingspan TMS300 CS water tank management system provides tank level information via a screen, web server, application, online portal or email. It features wired and wireless multi-tank level measurements, alarms, and internet or local network connectivity.
Kingspan water management product vulnerabilityAccording to an advisory published this week by CISA, researcher Maxim Rupp discovered that the product is affected by a critical vulnerability caused by the lack of properly implemented access control rules, which allows an unauthenticated attacker to view or modify the device’s settings.
The researcher discovered that an attacker can access the device’s settings without authenticating, simply by navigating to specific URLs. These URLs can be identified by browsing the web interface or via a brute force attack, Rupp told SecurityWeek.
The flaw has been assigned the CVE identifier CVE-2022-2757 and a CVSS score of 9.8.
These devices can be configured to be accessible from the internet. An attacker can exploit the security hole from anywhere as long as they have access to the device’s web interface, Rupp explained.
Based on the product’s documentation, Rupp said an attacker could change various settings after exploiting this vulnerability, including ones related to sensors, tank details, and alarm thresholds.
According to CISA, the impacted product is used worldwide in the water and wastewater systems sector. The agency says the vulnerability remains unpatched.
“Kingspan has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected product are encouraged to contact Kingspan customer support for additional information,” CISA said.
Tomi Engdahl says:
Game Acceleration Module Vulnerability Exposes Netgear Routers to Attacks
https://www.securityweek.com/game-acceleration-module-vulnerability-exposes-netgear-routers-attacks
Multiple Netgear router models are vulnerable to arbitrary code execution via FunJSQ, a third-party module for online game acceleration, European security and compliance assessment company Onekey warns.
Integrated in various Netgear routers and Orbi WiFi systems, the gaming optimization module is developed by China-based Xiamen Xunwang Network Technology.
What Onekey has discovered is that the FunJSQ module has an insecure update process with only superficial checks of the update packages received from the server: packages are unsigned and are validated on the device using a hash checksum only.
The module lacks secure communication for the update process, allowing an attacker to tamper with data returned from the server, and package contents are extracted to the root folder with elevated privileges, this allowing an attacker with control over the update package to overwrite anything on the device.
“All of these combined can lead to arbitrary code execution from the WAN interface,” Onekey notes.
Two CVE identifiers were issued for the discovered vulnerabilities, namely CVE-2022-40619 (unauthenticated command injection) and CVE-2022-40620 (insecure update mechanism).
Netgear was informed of the security holes in June and has released a first set of patches for the vulnerable devices this month.
Security Advisory for Vulnerabilities in FunJSQ on Some Routers and Orbi WiFi Systems, PSV-2022-0117
https://kb.netgear.com/000065132/Security-Advisory-for-Vulnerabilities-in-FunJSQ-on-Some-Routers-and-Orbi-WiFi-Systems-PSV-2022-0117
Tomi Engdahl says:
CISA orders agencies to patch vulnerability used in Stuxnet attacks https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-vulnerability-used-in-stuxnet-attacks/
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added half a dozen vulnerabilities to its catalog of Known Exploited Vulnerabilities and is ordering federal agencies to follow vendors instructions to fix them. Of the six security flaws, only one was disclosed this year. It impacts Trend Micros Apex One platform for automated threat detection and response.
https://www.cisa.gov/uscert/ncas/current-activity/2022/09/15/cisa-adds-six-known-exploited-vulnerabilities-catalog
Tomi Engdahl says:
https://www.otorio.com/
Tomi Engdahl says:
Extracting Firmware from Embedded Devices (SPI NOR Flash)
https://www.youtube.com/watch?v=nruUuDalNR0
One of the first things you have to do when hacking and breaking embedded device security is to obtain the firmware. If you’re lucky, you can download it from the manufacturer’s website or, if you have a shell, you can just copy it over to your computer.
But what if none of these options are available?
In this video, we will show you how you can connect directly to a NOR flash chip with the SPI protocol to dump the firmware and find your vulns, even if off the shelf tools don’t work!
00:00 Intro
00:40 Technical Introduction
01:55 Flash Memory Types
03:51 NOR Flash
06:25 SPI Protocol
07:55 Our Training
09:27 Logic Analyzer
12:04 How SPI Works
13:53 Firmware Extraction
Tomi Engdahl says:
Hack everything: re-purposing everyday devices – Matt Evans
https://www.youtube.com/watch?v=VY9SBPo1Oy8
Arduino is everywhere, but so is electronic junk. Got a project in mind? Take something you already have and repurpose it instead. Make it into something more interesting, for free! Learn how it works, see what it’s really capable of and save it from landfill.
In this talk, we’ll journey through some examples of common electronic devices to find out:
- Why things are hackable, which useful interfaces they may have and how to use them.
Tomi Engdahl says:
Hack All The Things: 20 Devices in 45 Minutes
https://www.youtube.com/watch?v=h5PRvBpLuJs
When we heard Hack All The Things, we took it as a challenge. So at DEF CON this year we’re doing exactly that, we’re hacking everything. We’ve taken all of our previous experience exploiting embedded devices and used it to bring you a presentation filled with more exploits than ever before™. This presentation will feature exploits for over 20 devices including but not limited to TVs, baby monitors, media streamers, network cameras, home automation devices, and VoIP gateways. Gain root on your devices, run unsigned kernels; it’s your hardware, it’s internet connected, and it’s horribly insecure.
Tomi Engdahl says:
Prisman myymästä kattolampusta löytyi kiusallinen ongelma – ”Laitamme myyntikieltoon” https://www.is.fi/digitoday/art-2000009081545.html
SOK keskeytti bluetooth-kattovalaisimen myynnin mahdollisten tietosuojaongelmien tutkimiseksi.
MUUN muassa Prisma-myymälöistä vastaava S-ryhmä keskeytti bluetooth-kaiuttimella varustetun plafondin myymisen Ilta-Sanomien kysyttyä tuotteen mahdollisista ongelmista.
Kaikki sai alkunsa parin päivän takaisesta Reddit-keskustelusta, jossa eräs käyttäjä kertoi väärien ihmisten ottavan valaisimeen yhteyttä puhelimillaan. IS Digitoday ei ole vahvistanut väitteitä.
– Naapurin lama-aivot yhdistävät puhelimiansa meidän kattolamppuun, jossa on myös bt-kaiutin. Miten saan yhteyden suojattua ettei tarvitsisi randomisti alkaa kuunnella naapurin kokkausohjeita tai teinin musaa, käyttäjä kyseli.
Kyseistä Trio Maia -mallista lamppua on myyty Suomessa eri kanavissa, joista S-ryhmä lienee kuitenkin suurin.
https://www.reddit.com/r/Suomi/comments/xgvwbp/bluetoothlaitteen_suojaus/
Tomi Engdahl says:
iBoot Power Distribution Unit Flaws Allow Hackers to Remotely Shut Down Devices
https://www.securityweek.com/iboot-power-distribution-unit-flaws-allow-hackers-remotely-shut-down-devices
Critical vulnerabilities discovered by researchers in Dataprobe’s iBoot power distribution unit (PDU) can allow malicious actors to remotely hack the product and shut down connected devices, potentially causing disruption within the targeted organization.
The vulnerabilities affecting the iBoot-PDU product were identified by researchers at industrial cybersecurity firm Claroty, who found a total of seven issues, including ones allowing a remote, unauthenticated attacker to execute arbitrary code.
iBoot PDU vulnerabilitiesThe impacted PDU provides a web interface and a cloud platform for configuring the product and controlling each individual outlet for remote power management.
A 2021 report from Censys showed that there were more than 2,000 PDUs directly exposed to the internet and nearly one-third of them were iBoot PDUs.
In addition to showing that hackers could exploit these internet-exposed devices, the Claroty researchers showed that attackers could also reach devices that are not directly exposed to the web, through the cloud-based platform that provides access to the device’s management page.
Tomi Engdahl says:
Critical Remote Hack Flaws Found in Dataprobe’s Power Distribution Units https://thehackernews.com/2022/09/critical-remote-hack-flaws-found-in.html
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released an industrial control systems (ICS) advisory warning of seven security flaws in Dataprobe’s iBoot-PDU power distribution unit product, mostly used in industrial environments and data centers.
“Successful exploitation of these vulnerabilities could lead to unauthenticated remote code execution on the Dataprobe iBoot-PDU device,” the agency said in a notice. Credited with disclosing the flaws is industrial cybersecurity firm Claroty, which said the weaknesses could be remotely triggered “either through a direct web connection to the device or via the cloud.”
Tomi Engdahl says:
Jumping NAT to Shut Down Electric Devices
https://claroty.com/team82/research/jumping-nat-to-shut-down-electric-devices
Executive Summary
Team82 has uncovered and disclosed multiple vulnerabilities in Dataprobe’s iBoot-PDU, the company’s intelligent power distribution unit product.
iBoot-PDU can be managed from any location via a web-based interface; devices that are not directly connected to the internet can also be managed via Dataprobe’s cloud-based platform.
Some of the vulnerabilities uncovered by Team82 can lead to unauthenticated remote code execution on the iBoot-PDU.
Team82 has also developed a means by which it can enumerate cloud-connected iBoot-PDU devices, expanding the available attack surface to all connected devices.
An attacker would be able to remotely exploit these vulnerabilities either through a direct web connection to the device or via the cloud.
This research is an extension of Team82’s previous work exploiting cloud-based OT devices. Read “Top-Down, Bottom-Up: Exploiting Vulnerabilities in the OT-Cloud Era” here.
Dataprobe has addressed these vulnerabilities in a new version update. Users are urged to update to Version 1.42.06162022. Dataprobe also recommends users disable SNMP, telnet, and HTTP, if not in use, as a mitigation against some of these vulnerabilities.
ICS-CERT has issued an advisory as well. Find it here.
ICS Advisory (ICSA-22-263-03)
Dataprobe iBoot-PDU
https://www.cisa.gov/uscert/ics/advisories/icsa-22-263-03
Tomi Engdahl says:
Top-Down and Bottom-Up: Exploiting Vulnerabilities In the OT Cloud Era
https://claroty.com/team82/research/exploiting-vulnerabilities-in-the-ot-cloud-era
Executive Summary
Claroty’s Team82 has researched the exploitability of cloud-based management platforms responsible for monitoring and configuring industrial control systems (ICS).
The momentum of adopting cloud for industrial control systems (ICS) is undeniable, motivating Team82 to examine the security of these platforms and architectures.
Team82 developed techniques to exploit vulnerabilities in automation vendor CODESYS’s Automation Server through two unique attack vectors.
The research also included the discovery of vulnerabilities in the WAGO PLC platform and the development of a complex exploit chain to attack a single cloud-managed PLC and eventually take over the cloud-based host account.
All of the vulnerabilities found and disclosed by Team82 have been fixed or mitigated by CODESYS and WAGO. Please reference the table below.
Inside a Cloud-Based SCADA Infrastructure
When referring to the cloud, we are usually referring to the portion of a company’s IT or OT infrastructure that is hosted on the remote, internet-facing servers of predominant providers, such as Amazon Web Services, Google Cloud Platform, or Microsoft Azure. Part of that infrastructure includes hosted applications that leverage a cloud-based management console supporting different users, including OT engineers, managers, and administrators. Each user has a specific role, and the management console needs to support different kinds of functionality to the SCADA network based on the offered services declared by the vendor. Those functionalities include the ability to download configuration files to PLCs, collect tags data from PLCs, or provide HMI-like web-based screens.
There are many ways to integrate SCADA devices with the cloud, but overall the idea is the same. At the top of the architecture, we have the different users and their machines which interact with the cloud-based management console. Through the management console, operators and administrators tune settings, including specifications for which devices are commissioned and configured. These settings also dictate the logic that needs to be executed by the PLCs and configure what data points (tags) will be collected and presented by the management console’s view screens.
Attack Surface of Cloud-Based SCADA Platforms
Traditional attacks against cloud-based platforms are valid against OT infrastructure too, and similarly, are focused on exposing the internal network to new types of attacks. In general, the risk can be divided into a couple of categories, including:
Loss of control over data: If data is stored outside the network, it may be exposed to unauthorized third parties. In addition, there is no guarantee the data lies encrypted and its owner has control over what happens with the data on the cloud provider’s servers.
Expanded internet-facing attack surface: Since the cloud platform must be managed, typically using a cloud-based management console interface, this also introduces a newly expanded attack surface. Attackers interact with the internet-accessible management console to find web-based vulnerabilities, such as SQL injection and path-traversal vulnerabilities (see for example our Cassia Networks Access Controller server vulnerability), or even utilize zero-day exploits against cloud instances. All of this was not possible when infrastructure was located internally on the OT network, behind network address translation (NAT) and firewalls.
The Vulnerabilities
Vendor
CVE
CWE
Product
CODESYS CVE-2021-29241 CWE-476: NULL Pointer Dereference Gateway V3
CODESYS CVE-2021-29240 CWE-345: Insufficient Verification of Data Authenticity Package Manager
CODESYS CVE-2021-29238 CWE-352: Cross-Site Request Forgery (CSRF) Automation Server
WAGO CVE-2021-34566 CWE-120: Shared Memory Overflow WAGO PFC iocheckd service
WAGO CVE-2021-34567 CWE-125: Out-of-bounds Read WAGO PFC iocheckd service
WAGO CVE-2021-34568 CWE-770: Allocation of Resources Without Limits or Throttling WAGO PFC iocheckd service
WAGO CVE-2021-34569 CWE-787: Out-of-bounds Write WAGO PFC diagnostic tools
Tomi Engdahl says:
https://www.gdatasoftware.com/blog/2022/09/37511-detecting-file-manipulation-in-system-files