Team82 Blog
Over the past decade, we have seen a proliferation of internet-connected industrial control systems (ICS) devices as part of the broader trend of digital transformation. All too often, however, ICS devices connected to the internet are not protected by sufficiently strong passwords (if any) or any other security controls, making them low-hanging fruit for low-skill threat actors.
These actors also have multiple legitimate, internet-scanning public services—such as Shodan.io and Censys.io—at their disposal to help them find web-based human-machine interfaces (HMIs) and similar ICS devices inadvertently exposed to the internet. If a targeted device is password-protected, a threat actor can attempt to brute-force their way in. However, in many cases, these ICS devices are not password-protected at all, granting adversaries immediate, unfettered access.
For HMIs and other ICS devices on Level 2 (Process Network) of the Purdue Model, any direct connection to the internet (Level 5) is inherently problematic, as it provides threat actors with a fast track to accessing ICS physical processes at Level 0. A fundamental challenge related to the security of ICS devices is the price and complexity of establishing a secure remote connection to certain devices, especially those located in remote locations where the adherence to the classic Purdue Model is not feasible.
Claroty researchers identified a timely example of how publicly accessible ICS devices can spell trouble for critical infrastructure operators this past Monday, May 25, when a group of Palestinian hackers who call themselves the Jerusalem Electronic Army published a series of social media posts in which they claim to have compromised control systems related to Israel's water infrastructure.
Group members claim the attack is part of an ongoing second wave of targeted cyber attacks against Israel. These claims appear to be substantiated by multiple screenshots showing access to a web-based HMI for monitoring thermal water processes, including information related to water pressure, temperature, and the location of the monitored device (see image below).
Based on information provided by the Israeli CERT, Claroty researchers surmise the ICS device shown in the published screenshots was not password protected, thus allowing the adversary group to access it simply by finding it. For attention-seeking adversaries with limited capabilities, accessing internet-facing ICS devices can be an easy, non-technical way to get attention and claim victory without carrying out an actual cyber attack. In this recent case, the group's access to an ICS device for the Israeli water supply simply allowed them to monitor processes, and thus had no operational impact. That being said, depending on the functionality of the device they can access, it is possible for an adversary to cause significant disruption and harm.
Beyond exemplifying how internet-facing HMIs are an easy target for adversaries, the Jerusalem Electronic Army's recent interest in Israel's critical water infrastructure reflects increased interest and buzz around attacks targeting critical infrastructure in general, particularly with respect to nation states. The majority of these devices are not only exposed to the internet through their web interfaces, but also through dedicated ICS protocols, such as Modbus, EtherNet/IP, and others. These protocols have a larger potential impact on ICS processes, and require only a small amount of user education to leverage.
Until very recently, the group's activities had been limited to weak attempts to deface Israeli government websites. This sudden shift to OT was likely inspired by Iran's recent attempt at a cyberattack against an Israeli water facility, which sparked headlines and renewed tensions related to potential cyber warfare between the two nation states. While security issues related to internet-connected ICS devices are nothing new, the increased awareness of critical infrastructure as a highly visible and easily sensationalized target has drastically increased the appeal of ICS targets among threat actors keen on generating shock value.
Although the exposed ICS device related to Israel's water supply has since been removed from the internet, vast quantities of ICS devices connected to the internet remain unprotected. At a bare minimum, Claroty strongly advises ICS operators to comply with Israel CERT's recommendations related to threats targeting critical infrastructure. In addition, OT security teams should ensure all internet-connected devices are password-protected and, whenever possible, adhere to ICS security best practices and implement secure access using mechanisms such as VPNs, encryption, and access control lists.
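The two preceding paragraphs make a detection point (ICS protocol ports such as Modbus and EtherNet/IP, and web HMI ports, should never be reachable from the internet) and a mitigation point (restrict access with ACLs and VPNs). The following script is an added example, not Claroty or Team82 code: it reads perimeter firewall or flow-log lines in a constructed key=value format, and flags every flow from a non-internal source to a known ICS or HMI port that is not covered by an explicit allowlist (for example, the address range of a VPN concentrator or jump host). The port-to-protocol table, the internal address ranges, the log format and the sample log lines are all assumptions constructed for the example.

```python
"""
Flag internet-sourced connections to ICS protocol and web HMI ports in
firewall/flow logs. Added example; log format, port table and internal
ranges are assumptions for this demo, not a vendor or Claroty format.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Assumed mapping of destination ports to ICS/HMI services.
# Extend it with whatever your plant actually runs.
ICS_PORTS = {
    502: "Modbus/TCP",
    44818: "EtherNet/IP explicit messaging",
    2222: "EtherNet/IP implicit I/O",
    20000: "DNP3",
    102: "S7comm / ISO-TSAP",
    4840: "OPC UA",
    80: "HTTP (web HMI)",
    443: "HTTPS (web HMI)",
}

# Address space treated as "inside the plant". Perimeter logs normally
# carry RFC 1918 addresses on the OT side; adjust to your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


@dataclass
class Finding:
    src: str
    dst: str
    port: int
    service: str
    action: str  # firewall verdict as logged: "accept" means live exposure

    def severity(self) -> str:
        return "exposure" if self.action == "accept" else "blocked-attempt"


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    # Constructed format: whitespace-separated key=value tokens.
    # Tokens without '=' are ignored, so a malformed line yields {}.
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def find_exposures(lines: Iterable[str],
                   allowed_sources: Iterable[str] = ()) -> List[Finding]:
    """Return flows from non-internal, non-allowlisted sources to ICS ports."""
    allowed = [ipaddress.ip_network(n) for n in allowed_sources]
    findings: List[Finding] = []
    for line in lines:
        fields = parse_line(line)
        try:
            src, dst, dport = fields["src"], fields["dst"], int(fields["dport"])
            src_ip = ipaddress.ip_address(src)
        except (KeyError, ValueError):
            continue  # skip malformed or incomplete records
        if dport not in ICS_PORTS or is_internal(src):
            continue
        if any(src_ip in net for net in allowed):
            continue  # e.g. the VPN concentrator that is meant to reach the HMI
        findings.append(Finding(src, dst, dport, ICS_PORTS[dport],
                                fields.get("action", "unknown")))
    return findings


# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for arbitrary internet sources.
SAMPLE_LOG = [
    "ts=2020-05-25T10:01:02Z src=203.0.113.7 dst=192.168.10.20 dport=502 action=accept",
    "ts=2020-05-25T10:01:05Z src=192.168.10.5 dst=192.168.10.20 dport=502 action=accept",
    "ts=2020-05-25T10:02:11Z src=198.51.100.9 dst=192.168.10.30 dport=80 action=accept",
    "ts=2020-05-25T10:02:40Z src=203.0.113.7 dst=192.168.10.20 dport=22 action=accept",
    "ts=2020-05-25T10:03:01Z src=198.51.100.9 dst=192.168.10.20 dport=44818 action=drop",
    "malformed line with no fields",
]

if __name__ == "__main__":
    for f in find_exposures(SAMPLE_LOG):
        print(f"{f.severity():16} {f.src} -> {f.dst}:{f.port} ({f.service})")
```

An "exposure" finding with action accept is the condition the post describes: an HMI or PLC port answering directly to the internet. Running the same check with the VPN or jump-host range in `allowed_sources` turns the tool into a continuous verification that the ACLs recommended above are actually in place, since any remaining finding is traffic the ACL should have dropped.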
CWE-256: Plaintext Storage of a Password
In AutomationDirect C-MORE EA9 HMI, credentials used by the platform are stored as plain text on the device.
AutomationDirect recommends that users update C-MORE EA9 HMI to V6.78.
Affected versions:
CVSS v3: 6.5
CWE-121: Stack-based Buffer Overflow
In AutomationDirect C-MORE EA9 HMI there is a program that copies a buffer of a size controlled by the user into a limited-size buffer on the stack, which leads to a stack overflow. The result of this stack-based buffer overflow is a denial-of-service condition.
AutomationDirect recommends that users update C-MORE EA9 HMI to V6.78.
Affected versions:
CVSS v3: 4.3
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
There is a function in AutomationDirect C-MORE EA9 HMI that allows an attacker to send a relative path in the URL without proper sanitizing of the content.
AutomationDirect recommends that users update C-MORE EA9 HMI to V6.78.
Affected versions:
CVSS v3: 7.5
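The CWE-22 entry above describes the classic web-HMI path traversal pattern: a relative path taken from the URL is joined onto a directory on the device without normalization. The following is an added example, not AutomationDirect firmware code or Claroty's finding, showing the vulnerable join beside a hardened resolver. The base directory, function names and sample URL paths are assumptions constructed for the example.

```python
"""
CWE-22 path traversal: vulnerable file-path construction and a hardened
version that confines every resolved path to a base directory.
Added example; base directory and function names are assumptions.
"""
import os
from pathlib import Path
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the served directory."""


def vulnerable_resolve(base_dir: str, url_path: str) -> str:
    # Vulnerable pattern: the URL path is decoded and joined straight onto
    # the base directory. "../" segments walk out of base_dir, so a request
    # for "../../../etc/passwd" is served from outside the web root.
    return os.path.normpath(os.path.join(base_dir, unquote(url_path)))


def safe_resolve(base_dir: str, url_path: str) -> Path:
    base = Path(base_dir).resolve()
    decoded = unquote(url_path)
    # Decode exactly once; a '%' left after decoding means the client sent a
    # double-encoded path (e.g. %252e%252e), which is rejected outright.
    if "%" in decoded:
        raise PathTraversalError("double-encoded path rejected")
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")
    # Strip leading separators: Path(base) / "/etc/passwd" would otherwise
    # discard base entirely and yield the absolute path.
    candidate = (base / decoded.lstrip("/\\")).resolve()
    # resolve() collapses ".." and follows symlinks, so the containment check
    # below also catches a symlink inside base that points outside it.
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathTraversalError(f"path escapes base dir: {url_path!r}") from None
    return candidate


def is_within(base_dir: str, url_path: str) -> bool:
    """True if the hardened resolver accepts url_path for base_dir."""
    try:
        safe_resolve(base_dir, url_path)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed web root and requests; nothing on disk is touched.
    root = "/srv/hmi/www"
    for req in ("css/style.css", "../../../etc/passwd",
                "%2e%2e/%2e%2e/%2e%2e/etc/passwd", "%252e%252e/etc/passwd"):
        print(f"{req:36} vulnerable -> {vulnerable_resolve(root, req)}")
        print(f"{'':36} hardened   -> {'allowed' if is_within(root, req) else 'rejected'}")
```

The containment check is the property to test for: rather than filtering "../" substrings (which encoded and mixed-separator variants bypass), the hardened version resolves the full candidate path and then proves it still lies under the base directory. Rejecting any remaining percent sign after a single decode is deliberately strict; if the served files legitimately contain '%' in their names, relax that check but keep the `relative_to` containment test.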
CWE-319: Cleartext Transmission of Sensitive Information
The affected product is vulnerable to a cleartext transmission of sensitive information vulnerability, which may allow an attacker to capture packets to craft their own requests.
Softing edgeConnector: Version 3.60 and Softing edgeAggregator: Version 3.60 are affected. Update Softing edgeConnector and edgeAggregator to v3.70 or greater.
CVSS v3: 8.0
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Unitronics released an update to its UniStream UniLogic software, fixing multiple security vulnerabilities. Update as soon as possible to version 1.35.227 or the latest version provided by Unitronics.
[Read more: New Critical Vulnerabilities in Unitronics UniStream Devices Uncovered.]
CVSS v3: 8.8