Team82 Blog / 2 min read
A hacktivist group known as GhostSec has claimed on a public Telegram group that it has been able to encrypt an industrial remote terminal unit (RTU) router that features SCADA capabilities including support for industrial serial interfaces RS-232 and RS-485, and MODBUS protocol variations.
GhostSec has been called an adjunct group to Anonymous, carrying out politically motivated hacks, including one claim this week that it had access to, and stolen, email from the Brazilian government. It has also previously been connected to compromises of programmable logic controllers and other OT devices.
In this alleged attack, the group has apparently turned its attention to the Russian invasion of Ukraine. From screenshots provided by the group on Telegram, encrypted files on a TELEOFIS RTU968 v2 in question have had the suffix “.f***Putin” appended to them.
The group claimed on Telegram that the compromised device is from Belarus, and also did not demand a ransom, instead leaving behind a lengthy message that includes the note: “There is no notification letter. There is no payment.”
The TELEOFIS RTU968 V2 is a new 3G router that supports wired and wireless connections of commercial and industrial facilities to the Internet. The built-in 3G modem will provide high-speed wireless Internet access anywhere where there is a network coverage of a cellular operator. It could be considered a remote terminal unit (RTU) because it supports Industrial interfaces RS-232 and RS-485 and is able to convert industrial protocols Modbus RTU/ASCII to Modbus TCP.
From public internet scans we discovered that there are 194 internet-exposed devices in Russia, Kazakhstan, Belarus, and 117 of them have the SSH service enabled.
We were curious to know what was the initial attack vector so we downloaded the firmware and conducted research on it (.tar → .UBI root filesystem, Linux kernel).
We discovered that the device runs over a 32-bit ARM architecture with an ARM926EJ-S processor which is part of ARM9 family of general-purpose microprocessors. It runs the OpenWrt 21.02.2 operating system, which is a Linux distribution with BusyBox.
After going through the device’s configurations and rc.d startup scripts, we came to the conclusion that the device comes with a pre-configured SSH service on port 22 (default port) and allows using a root password as a method of authentication. Furthermore, the device comes with a weak preconfigured root password that can be broken with the hashcat password recovery tool in two seconds.
Hacktivist groups, though largely politically motivated, have demonstrated the ability to be disruptive to businesses and operations in certain situations. GhostSec’s latest alleged activity is another indication that these groups have an interest in seeking out ICS devices that—if attacked—can impact productivity and safety within industrial automation settings.
CWE-285: IMPROPER AUTHORIZATION
Certain MQTT wildcards are not blocked on the system, which might result in an attacker obtaining data from throughout the system after gaining access to any device.
Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.
CVSS v3: 6.5
CWE-321: USE OF HARD-CODED CRYPTOGRAPHIC KEY
The devices Power Panel manages use identical certificates based on a hard-coded cryptographic key. This can allow an attacker to impersonate any client in the system and send malicious data.
Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.
CVSS v3: 6.5
CWE-89: IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND ('SQL INJECTION')
An attacker with certain MQTT permissions can create malicious messages to all Power Panel devices. This could result in an attacker injecting SQL syntax, writing arbitrary files to the system, and executing remote code.
Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.
CVSS v3: 8.8
CWE-257: STORING PASSWORDS IN A RECOVERABLE FORMAT
The key used to encrypt passwords stored in the database can be found in the application code, allowing the passwords to be recovered.
Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.
CVSS v3: 4.9
CWE-489: ACTIVE DEBUG CODE
Hard-coded credentials for the test server can be found in the production code. This might result in an attacker gaining access to the testing or production server.
Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.
CVSS v3: 9.8