Over the past decade, we have seen a proliferation of internet-connected industrial control system (ICS) devices as part of the broader trend of digital transformation. All too often, however, ICS devices connected to the internet are not protected by sufficiently strong passwords (if any) or by any other security control, making them low-hanging fruit for low-skill threat actors.
These actors also have legitimate, public internet-scanning services such as Shodan.io and Censys.io at their disposal to find web-based human-machine interfaces (HMIs) and similar ICS devices inadvertently exposed to the internet. If a targeted device is password-protected, a threat actor can attempt to brute-force the login. In many cases, however, these devices are not password-protected at all, granting adversaries immediate, unfettered access.
For HMIs and other ICS devices at Level 2 (Process Network) of the Purdue Model, any direct connection to the internet (Level 5) is inherently problematic: it gives threat actors a fast track to the physical processes at Level 0. A fundamental challenge for ICS security is the cost and complexity of establishing a secure remote connection to certain devices, especially those in remote locations where adherence to the classic Purdue Model is not feasible.
Claroty researchers identified a timely example of how publicly accessible ICS devices can spell trouble for critical infrastructure operators this past Monday, May 25, when a group of Palestinian hackers who call themselves the Jerusalem Electronic Army published a series of social media posts in which they claim to have compromised control systems related to Israel's water infrastructure.
Group members claim the attack is part of an ongoing second wave of targeted cyber attacks against Israel. These claims appear to be substantiated by multiple screenshots showing access to a web-based HMI for monitoring thermal water processes, including information related to water pressure, temperature, and the location of the monitored device (see image below).
Based on information provided by the Israeli CERT, Claroty researchers surmise that the ICS device shown in the published screenshots was not password-protected, allowing the group to access it simply by finding it.
For attention-seeking adversaries with limited capabilities, accessing internet-facing ICS devices can be an easy, non-technical way to get attention and claim victory without carrying out an actual cyber attack. In this case, the group's access to an ICS device for the Israeli water supply only allowed them to monitor processes, so it had no operational impact. That said, depending on the functionality of the device they reach, an adversary can cause significant disruption and harm.
Beyond exemplifying how internet-facing HMIs are an easy target for adversaries, this incident points to a broader problem: many of these devices expose not only a web interface but also native ICS protocols such as Modbus and EtherNet/IP. Those protocols carry no authentication of their own, offer far greater potential impact on the process than a read-only HMI, and require only a small amount of user education to leverage. The Jerusalem Electronic Army's recent interest in Israel's critical water infrastructure also reflects the increased interest and buzz around attacks targeting critical infrastructure in general, particularly with respect to nation states. Until very recently, the group's activities had been limited to weak attempts to deface Israeli government websites.
This sudden shift to OT was likely inspired by Iran's recent attempt at a cyberattack against an Israeli water facility, which sparked headlines and renewed tensions over potential cyber warfare between the two nation states. While security issues related to internet-connected ICS devices are nothing new, the increased awareness of critical infrastructure as a highly visible and easily sensationalized target has drastically increased the appeal of ICS targets among threat actors keen on generating shock value.
The exposed ICS device related to Israel's water supply has since been removed from the internet, but vast quantities of ICS devices connected to the internet remain unprotected. At a bare minimum, Claroty strongly advises ICS operators to comply with Israel CERT's recommendations on threats targeting critical infrastructure. In addition, OT security teams should ensure that every internet-connected device is password-protected and, wherever possible, adhere to ICS security best practices by implementing secure remote access with mechanisms such as VPNs, encryption, and access control lists.
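To make the Modbus point concrete, here is an added example (not Claroty's code, and not taken from the incident above) that builds and parses Modbus/TCP frames and then applies the access-control advice: it flags any write request from a source outside an engineering-station allow-list. The frames, IP addresses and the allow-list are constructed for the example.

```python
"""Minimal Modbus/TCP frame codec plus a write-detection check.

Added example, not Claroty's code. The frames below are constructed for
the example and the engineering-station allow-list is a hypothetical value.
"""
import struct

# Function codes that change process state; reads (1-4) only disclose it.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}
FUNCTION_NAMES = {
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


def build_request(transaction_id, unit_id, function_code, payload):
    """Build a Modbus/TCP ADU: 7-byte MBAP header + PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    There is no field for credentials anywhere in the frame, which is why an
    internet-exposed port 502 is immediately controllable by anyone who finds it.
    """
    pdu = struct.pack(">B", function_code) + payload
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_request(adu):
    """Decode an ADU into a dict; raise ValueError on a malformed frame."""
    if len(adu) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(adu) - 6:
        raise ValueError("MBAP length does not match frame size")
    function_code = adu[7]
    return {
        "transaction_id": tid,
        "unit_id": unit,
        "function_code": function_code,
        "name": FUNCTION_NAMES.get(function_code, "Other"),
        "data": adu[8:],
        "is_write": function_code in WRITE_FUNCTION_CODES,
    }


def audit_flows(flows, allowed_sources):
    """Return an alert for every write request from a source outside the allow-list.

    flows: iterable of (src_ip, adu_bytes). allowed_sources: set of engineering
    station IPs permitted to write; an ACL in front of the device should already
    have blocked everything else, so any hit here is worth investigating.
    """
    alerts = []
    for src, adu in flows:
        try:
            req = parse_request(adu)
        except ValueError as exc:
            alerts.append((src, "malformed", str(exc)))
            continue
        if req["is_write"] and src not in allowed_sources:
            alerts.append((src, req["name"], f"unit {req['unit_id']}"))
    return alerts


# Constructed traffic for the example (not a real capture).
ENGINEERING_STATIONS = {"10.0.10.5"}  # hypothetical allow-list
SAMPLE_FLOWS = [
    # legitimate setpoint write from the engineering station
    ("10.0.10.5", build_request(1, 1, 6, struct.pack(">HH", 0x0010, 0x01F4))),
    # external read: monitoring only, like the HMI screenshots in the incident
    ("203.0.113.7", build_request(2, 1, 3, struct.pack(">HH", 0x0000, 0x000A))),
    # external write: sets the same register to 0
    ("203.0.113.7", build_request(3, 1, 6, struct.pack(">HH", 0x0010, 0x0000))),
    # truncated frame (7 bytes, no function code)
    ("198.51.100.9", b"\x00\x04\x00\x00\x00\x06\x01"),
]

if __name__ == "__main__":
    for alert in audit_flows(SAMPLE_FLOWS, ENGINEERING_STATIONS):
        print(alert)
```

The codec shows why an internet-facing port 502 is so dangerous: the frame carries only a transaction id, protocol id, length, unit id, function code and data, so a write from an unknown host is indistinguishable from a legitimate one except by its source address. The allow-list in `audit_flows` is the same policy the recommendations above ask for, expressed as an ACL in front of the device rather than as a detection rule behind it.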
CWE-345: INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY
In 2N Access Commander versions 3.1.1.2 and prior, a local attacker can escalate their privileges on the system, which could allow arbitrary code execution with root permissions.
Update to Access Commander version 3.2.
CVSS v3: 4.7
CWE-345: INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY
In 2N Access Commander versions 3.1.1.2 and prior, an Insufficient Verification of Data Authenticity vulnerability could allow an attacker to escalate their privileges and gain root access to the system.
Update to Access Commander version 3.2.
CVSS v3: 6.3
CWE-22: IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL')
In 2N Access Commander versions 3.1.1.2 and prior, a Path Traversal vulnerability could allow an attacker to write files on the filesystem and achieve arbitrary remote code execution.
Update to Access Commander version 3.2.
CVSS v3: 7.2
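As an added illustration of the CWE-22 class above (not 2N's code, and not the product's actual endpoint), the following contrasts an unchecked join-and-write with a version that resolves the path and checks containment before touching the filesystem. The upload directory and file names are hypothetical.

```python
"""Containment check for attacker-influenced file paths (CWE-22).

Added example; it is not 2N's code and does not reproduce the product's
vulnerable endpoint. The upload directory and file names are hypothetical.
"""
import os
import tempfile


def resolve_in_directory(base_dir, user_path):
    """Return an absolute path inside base_dir, or raise ValueError.

    Rejects absolute inputs, '..' segments that climb out of base_dir and
    symlinks that resolve outside it, by comparing resolved real paths rather
    than raw string prefixes (so '/srv/uploads_evil' cannot pass for
    '/srv/uploads').
    """
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if candidate == base_real or not candidate.startswith(base_real + os.sep):
        raise ValueError(f"path escapes upload directory: {user_path!r}")
    return candidate


def vulnerable_write(base_dir, user_path, data):
    """The pattern behind most path traversal bugs: join and write, no check.

    '../' walks out of base_dir; an absolute user_path replaces it entirely.
    """
    target = os.path.join(base_dir, user_path)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def safe_write(base_dir, user_path, data):
    """Hardened version: resolve and contain before writing."""
    target = resolve_in_directory(base_dir, user_path)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def demo():
    """Run both writers on constructed inputs and report what each did."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    results = {}
    for name in ("report.txt", "../outside.txt", "sub/../../outside2.txt", "/etc/passwd"):
        try:
            safe_write(uploads, name, b"ok")
            results[name] = "written"
        except ValueError:
            results[name] = "rejected"
    # The unchecked join happily writes one level above the upload directory.
    escaped = vulnerable_write(uploads, "../outside.txt", b"pwned")
    uploads_real = os.path.realpath(uploads)
    results["vulnerable_escaped"] = not os.path.realpath(escaped).startswith(uploads_real + os.sep)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check compares resolved paths with a trailing separator so that a sibling directory sharing the prefix is not accepted, and it runs before `os.makedirs`, because creating parent directories from an unchecked path is itself a write outside the intended tree.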
CWE-290: AUTHENTICATION BYPASS BY SPOOFING
The Snap One OvrC cloud uses a device's MAC address as its identifier when serving information on request. Because MAC addresses can be enumerated, an attacker can impersonate other devices by supplying their MAC addresses and receive sensitive information about them.
Read more: "The Problem with IoT Cloud Connectivity and How it Exposed All OvrC Devices to Hijacking"
CVSS v3: 7.5
CWE-306: MISSING AUTHENTICATION FOR CRITICAL FUNCTION
A vulnerability exists in the Snap One OvrC cloud where an attacker can impersonate a Hub device and send requests to claim and unclaim devices. The attacker only needs the MAC address of the targeted device to request that it be unclaimed from its original connection and then claim it.
OvrC Pro: All versions prior to 7.3 are affected.
Read more: "The Problem with IoT Cloud Connectivity and How it Exposed All OvrC Devices to Hijacking"
CVSS v3: 9.1
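The two OvrC findings share a root cause: a MAC address is treated as proof of identity. The following added example (not Snap One's code; the endpoint names, record layout and device keys are hypothetical) shows that pattern next to a proof-of-possession check in which the device must sign each request with a per-device key and a fresh timestamp.

```python
"""Device identity by MAC address versus proof of possession of a device key.

Added example for the two OvrC findings above; it is not Snap One's code and
the endpoint names, record layout and keys are hypothetical.
"""
import hashlib
import hmac
import secrets
import time

# Constructed registry: the cloud knows each device's MAC, owner and a
# per-device secret provisioned at manufacture (hypothetical values).
DEVICES = {
    "00:11:22:33:44:55": {"owner": "customer-a", "model": "hub", "key": b"k-hub-a"},
    "00:11:22:33:44:56": {"owner": "customer-b", "model": "switch", "key": b"k-switch-b"},
}


def device_info_vulnerable(mac):
    """CWE-290 pattern: the MAC alone identifies the caller.

    MACs are enumerable (vendor OUI plus a sequential suffix), so anyone can
    ask for any device's record and receive it.
    """
    record = DEVICES.get(mac)
    return None if record is None else {"owner": record["owner"], "model": record["model"]}


def unclaim_vulnerable(mac):
    """CWE-306 pattern: a state-changing action with no authentication at all."""
    record = DEVICES.get(mac)
    if record is None:
        return False
    record["owner"] = None
    return True


def sign(mac, key, action, timestamp, nonce):
    """HMAC over the request so only a holder of the device key can produce it."""
    msg = f"{mac}|{action}|{timestamp}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(mac, action, timestamp, nonce, tag, now=None, max_skew=60):
    """Proof of possession: valid HMAC under the registered key and a fresh timestamp.

    Simplified: the timestamp window is the only replay control here; a real
    service would also remember nonces seen inside the window.
    """
    record = DEVICES.get(mac)
    if record is None:
        return False
    now = time.time() if now is None else now
    if abs(now - timestamp) > max_skew:
        return False
    expected = sign(mac, record["key"], action, timestamp, nonce)
    return hmac.compare_digest(expected, tag)


def device_info_hardened(mac, timestamp, nonce, tag, now=None):
    if not verify(mac, "info", timestamp, nonce, tag, now):
        return None
    record = DEVICES[mac]
    return {"owner": record["owner"], "model": record["model"]}


def unclaim_hardened(mac, timestamp, nonce, tag, now=None):
    if not verify(mac, "unclaim", timestamp, nonce, tag, now):
        return False
    DEVICES[mac]["owner"] = None
    return True


def demo():
    """Attacker knows only the target's MAC; the legitimate device holds the key."""
    target = "00:11:22:33:44:56"
    now = 1_700_000_000
    nonce = secrets.token_hex(8)
    attacker_tag = sign(target, b"guess", "unclaim", now, nonce)
    owner_tag = sign(target, DEVICES[target]["key"], "info", now, nonce)
    return {
        "enumerated_record": device_info_vulnerable(target) is not None,
        "attacker_unclaim_rejected": not unclaim_hardened(target, now, nonce, attacker_tag, now=now),
        "owner_info_ok": device_info_hardened(target, now, nonce, owner_tag, now=now) is not None,
        "replay_rejected": device_info_hardened(target, now, nonce, owner_tag, now=now + 600) is None,
        "anyone_can_unclaim": unclaim_vulnerable(target),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened path binds the action name into the signed message, so a tag captured for an `info` request cannot be replayed as an `unclaim`; the MAC address is still used to look up the record, but it no longer authenticates the caller.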