
Team82 Blog

Opportunistic Hacktivists Target PLCs at US Water Facility

Team82
/ November 30th, 2023

UPDATED Dec. 14 with CVE information from CISA.

Kinetic conflicts have often been accompanied by attacks online; hacktivists, for example, are often keen to spread their politically motivated messages and attach themselves to one side or another during a conflict. The ongoing war between Israel and Hamas is no exception with a group known as the CyberAv3ngers claiming to have infiltrated 10 water treatment plants in Israel. 

Cybersecurity leaders in the U.S. took notice when the group’s activity spread to a relatively small water facility in Aliquippa, Pa., which on Nov. 25 reported a disruptive attack against one of its booster stations that forced officials to resort to manual processes to maintain safe delivery of water to its 6,600-plus customers. 

Officials at the Municipal Water Authority of Aliquippa (MWAA) said public safety was never in jeopardy, and that law enforcement has been called in to investigate. Details are scarce on the initial intrusion, but the target was a PLC/HMI device manufactured by an Israeli company called Unitronics. Several security cameras were also compromised during the intrusion, which also seems to be a CyberAv3ngers calling card. 

The attackers left behind a message, shown below: “Every equipment ‘Made in Israel’ is CyberAv3ngers legal target,” which is the first time the group has singled out Israeli technology in its messaging.

A compromised Unitronics V570 PLC at the MWAA water utility.

Attack Demonstrates Hacktivists' Access to Control System

Here’s what we know about the attack on the MWAA. 

The MWAA booster station (booster stations are pumps that maintain water pressure and flow to the overall system) did trigger an alarm during the attack, and officials said they immediately shut down the station and began manual operations.

“They did not get access to anything in our actual water treatment plant or other parts of our system, other than a pump that regulates pressure to elevated areas of our system,” MWAA chairman Matthew Mottes told a local publication. “This pump was on its own computer network, separated from our primary network and is physically miles away.”

The compromised Unitronics V570 PLC/HMI was, at a minimum, defaced, indicating that the attackers at least had access to the device. It is unclear whether they used that access to damage or interfere with operations, or to move laterally elsewhere on the network.

There have been previous reports of remotely exploitable vulnerabilities in the Unitronics VisiLogic software, a development environment and engineering workstation used to program, upload, and download data from PLCs. Unitronics did remediate these issues, and no known public exploits were available at the time. 

On Dec. 14, CISA published an advisory for CVE-2023-6448 and the use of default administrative passwords in Unitronics Vision Series PLCs and HMIs. Unitronics self-reported the vulnerability to CISA and recommends users update to VisiLogic version 9.9.00.

Security company Forescout also noted the availability of Metasploit modules and scripts for scanning and fingerprinting Unitronics devices. It’s unknown whether any of these tools were used in the attack against MWAA. 

A Shodan search for Unitronics devices reveals close to 2,000 that are internet-facing, including almost 300 V570 series devices. Unitronics PLCs were also at the center of a disruptive attack in Israel in April that impacted water delivery for a dozen farms in the Jordan Valley and a sewage company's water treatment control systems. According to a published report, the PLC was internet-facing and guarded only by a default password that admins had not changed.

According to Unitronics documentation, some of its PLCs support VNC as a remote access technology. VNC is a desktop sharing application used for support and maintenance of remote equipment. An attacker could, for example, craft a Shodan search that identifies Unitronics devices with an open VNC port and determine whether authentication is disabled. Default, known, or easily guessable passwords also put these systems at risk of brute-force attacks.

Mitigations

The Cybersecurity and Infrastructure Security Agency (CISA) also published an alert this week stating that it was responding to the MWAA incident along with law enforcement. It cautioned that other facilities may be targeted in opportunistic attacks similar to the MWAA incident. CISA said in its alert that "cybersecurity weaknesses" such as poor password security and insecure connections to the internet were likely exploited.

CISA recommends that Unitronics users:

  • Change the default password (1111) on all PLCs and HMIs

  • Implement multifactor authentication for remote access from internal and external networks to OT systems

  • Remove PLCs from the internet

  • Secure remote connections with a firewall or VPN; multifactor authentication may be deployed on the firewall or VPN should the PLC or HMI not support it

  • Ensure PLC and HMI applications are backed up and available

  • Change default ports that may be targeted (20256 for Unitronics and 5900 for VNC)

  • Ensure PLC versions are current
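One way to check for the exposure the CISA list warns about, as an added example that is not Claroty's or Unitronics' code: a small Python script that scans perimeter firewall logs for accepted inbound connections from non-internal sources to the Unitronics port 20256 or the VNC port 5900. The key=value log format, the internal address ranges, and the log lines themselves are constructed assumptions for this example.

```python
import ipaddress
import re

# Ports named in the CISA mitigations: 20256 (Unitronics) and 5900 (VNC).
PLC_PORTS = {20256: "unitronics-pcom", 5900: "vnc"}

# Assumed internal address plan (RFC 1918); adjust to the site's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample firewall log lines (not real traffic).
SAMPLE_LOG = """\
2023-11-25T08:12:01Z action=ACCEPT src=203.0.113.45 dst=10.20.30.7 dport=20256 proto=tcp
2023-11-25T08:12:03Z action=ACCEPT src=203.0.113.45 dst=10.20.30.7 dport=5900 proto=tcp
2023-11-25T08:13:10Z action=ACCEPT src=10.20.1.15 dst=10.20.30.7 dport=20256 proto=tcp
2023-11-25T08:14:00Z action=DROP src=198.51.100.9 dst=10.20.30.7 dport=5900 proto=tcp
2023-11-25T08:15:22Z action=ACCEPT src=192.0.2.77 dst=10.20.30.8 dport=443 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>\S+)"
                     r"\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")

def parse_line(line):
    """Parse one assumed key=value firewall line; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def is_external(ip):
    """True when the source is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_exposed_plc_access(log_text):
    """Accepted connections from external sources to PLC/VNC ports.
    Each finding is (timestamp, src, dst, port, service)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if rec["dport"] in PLC_PORTS and is_external(rec["src"]):
            findings.append((rec["ts"], rec["src"], rec["dst"],
                             rec["dport"], PLC_PORTS[rec["dport"]]))
    return findings

def exposed_devices(log_text):
    """Map each internal device address to the services reached from outside."""
    devices = {}
    for _, _, dst, _, svc in find_exposed_plc_access(log_text):
        devices.setdefault(dst, set()).add(svc)
    return devices

if __name__ == "__main__":
    for f in find_exposed_plc_access(SAMPLE_LOG):
        print("ALERT external access to PLC port: ts=%s src=%s dst=%s port=%d (%s)" % f)
```

Any device the script lists is one that the "remove PLCs from the internet" and "secure remote connections with a firewall or VPN" items apply to directly.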

Takeaways

Hacktivists will continue to inject themselves into military and political conflicts and align their activities with one side, and these incidents may not be confined to the regions where kinetic conflict is happening. Even trivial attacks can be disruptive, and organizations are urged to adhere to minimal security measures such as password security and secure remote access to blunt these attacks.

As recently as two years ago, the water and wastewater critical infrastructure sector identified major cybersecurity challenges spanning human and financial resourcing, threat intelligence, and security tooling. Areas ripe for improvement included minimizing exposure of control systems to the internet, identifying and remediating vulnerabilities, and securing remote access to OT systems.

This lines up with advice from the federal government, including CISA, that basic security hygiene is a minimal baseline for organizations across the 16 critical infrastructure sectors. The MWAA attack should also reinforce to security leaders that any organization is at risk for opportunistic attacks at scale that could quickly turn disruptive.
