Over the past decade, we have seen a proliferation of internet-connected industrial control systems (ICS) devices as part of the broader trend of digital transformation. All too often, however, ICS devices connected to the internet are not protected by sufficiently strong passwords (if any) or any other security controls, making them a low-hanging fruit to low-skill threat actors.
These actors also have multiple legitimate, public internet-scanning services, such as Shodan.io and Censys.io, at their disposal to help them find web-based human-machine interfaces (HMIs) and similar ICS devices inadvertently exposed to the internet. If a targeted device is password-protected, a threat actor can attempt to brute-force their way in. In many cases, however, these ICS devices are not password-protected at all, granting adversaries immediate, unfettered access.
For HMIs and other ICS devices on Level 2 (Process Network) of the Purdue Model, any direct connection to the internet (Level 5) is inherently problematic, as it gives threat actors a fast track to the physical processes at Level 0. A fundamental challenge for ICS device security is the cost and complexity of establishing a secure remote connection to certain devices, especially those in remote locations where adherence to the classic Purdue Model is not feasible.
Claroty researchers identified a timely example of how publicly accessible ICS devices can spell trouble for critical infrastructure operators this past Monday, May 25, when a group of Palestinian hackers who call themselves the Jerusalem Electronic Army published a series of social media posts in which they claim to have compromised control systems related to Israel's water infrastructure.
Group members claim the attack is part of an ongoing second wave of targeted cyber attacks against Israel. These claims appear to be substantiated by multiple screenshots showing access to a web-based HMI for monitoring thermal water processes, including information related to water pressure, temperature, and the location of the monitored device (see image below).
Based on information provided by the Israeli CERT, Claroty researchers surmise that the ICS device shown in the published screenshots was not password-protected, allowing the adversary group to access it simply by finding it. For attention-seeking adversaries with limited capabilities, accessing internet-facing ICS devices can be an easy, non-technical way to get attention and claim victory without carrying out an actual cyber attack. In this recent case, the group's access to an ICS device for the Israeli water supply only allowed them to monitor processes, and thus had no operational impact. That said, depending on the functionality of the device they can access, it is possible for an adversary to cause significant disruption and harm.
Beyond exemplifying how internet-facing HMIs are an easy target for adversaries, the Jerusalem Electronic Army's recent interest in Israel's critical water infrastructure reflects increased interest and buzz around attacks targeting critical infrastructure in general, particularly with respect to nation states. Until very recently, the group's activities had been limited to weak attempts to deface Israeli government websites. The majority of exposed devices are reachable from the internet not only through web interfaces but also over dedicated ICS protocols, such as Modbus, EtherNet/IP, and others. These protocols have a larger potential impact on ICS processes and require only a small amount of user education to leverage.
This sudden shift to OT was likely inspired by Iran's recent attempted cyberattack against an Israeli water facility, which sparked headlines and renewed tensions over potential cyber warfare between the two nation states. While security issues related to internet-connected ICS devices are nothing new, the increased awareness of critical infrastructure as a highly visible and easily sensationalized target has drastically increased the appeal of ICS targets among threat actors keen on generating shock value.
Although the exposed ICS device related to Israel's water supply has since been removed from the internet, vast numbers of ICS devices connected to the internet remain unprotected. At a bare minimum, Claroty strongly advises ICS operators to comply with Israel CERT's recommendations related to threats targeting critical infrastructure. In addition, OT security teams should ensure all internet-connected devices are password-protected and, whenever possible, adhere to ICS security best practices and implement secure access using mechanisms such as VPNs, encryption, and access control lists.
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 are vulnerable to an attacker impersonating the web application service and misleading victim clients.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 7.5
CWE-288 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain an exposed web management service that could allow an attacker to bypass authentication measures and gain control over utilities within the products.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 9.8
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard-coded secret key. This could allow an attacker to generate valid JWT (JSON Web Token) sessions.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 7.5
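The hard-coded JWT key above is worth seeing in code. The following is an added example, not Optigo's code: an HS256 token verifier that loads its key from a per-deployment setting (the variable name `HMI_JWT_SECRET` and the placeholder value are assumptions), refuses to start with a baked-in key, and rejects tokens signed with any other key or with a downgraded `alg` header.

```python
import base64
import hashlib
import hmac
import json
import os

# CONSTRUCTED placeholder standing in for a key baked into a shipped binary
# (CWE-547). Such a key is effectively public once the binary is distributed.
HARDCODED_SECRET = "changeme-hardcoded-placeholder"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Sign an HS256 JWT; included only so the verifier below can be exercised."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def load_signing_key(env=os.environ) -> bytes:
    """Hardened loader: the key comes from deployment config (assumed variable
    HMI_JWT_SECRET), never from the code or firmware image, and must be long."""
    key = env.get("HMI_JWT_SECRET")
    if not key or key == HARDCODED_SECRET or len(key) < 32:
        raise RuntimeError("HMI_JWT_SECRET must be set per deployment, >= 32 chars")
    return key.encode()


def verify_token(token: str, key: bytes):
    """Return the claims if the HS256 signature is valid under `key`, else None.
    Only alg=HS256 is accepted, so a forged header cannot downgrade verification."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # malformed base64, JSON, or wrong segment count
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time
        return None
    return json.loads(b64url_decode(body_b64))
```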
CWE-912 HIDDEN FUNCTIONALITY:
The "update" binary in the firmware of the affected product sends mount attempts to a hard-coded, routable IP address, bypassing the device's existing network settings to do so. The function triggers if the 'C' button is pressed at a specific time during the boot process. If an attacker is able to control or impersonate this IP address, they could upload and overwrite files on the device.
Per FDA recommendation, CISA recommends users remove any Contec CMS8000 devices from their networks.
If asset owners cannot remove the devices from their networks, users should block 202.114.4.0/24 from their networks, or block 202.114.4.119 and 202.114.4.120.
Please note that this device may be re-labeled and sold by resellers.
Read more here: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated….
CVSS v3: 7.5
CWE-295 IMPROPER CERTIFICATE VALIDATION:
The affected product is vulnerable because its update mechanism fails to verify the update server's certificate, which could allow an attacker to alter network traffic and carry out a machine-in-the-middle (MITM) attack. An attacker could modify the server's response and deliver a malicious update to the user.
Medixant recommends users download v2025.1 or later of their software.
CVSS v3: 5.7