SCADAfence Blog

ICS / OT Security News Update June, 2022

Written by Lali Hadar | Jun 20, 2022 9:14:17 AM

Our research team compiled the latest updates on newly announced CVEs, recent ransomware attacks and IoT security news. They also offer analysis of the potential impacts and their expert recommendations:

ICS

Siemens DoS Vulnerability (CVE-2022-24040)

A vulnerability affecting Siemens’ PXC4.E16 building automation controllers can be exploited to conduct a DoS attack (CVE-2022-24040).

Attack Parameters: The web application fails to enforce an upper bound on the cost factor of the PBKDF2-derived key when an account is created or updated.

Impact: An attacker could make the device unavailable for days by attempting a login.
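The missing check can be illustrated with a short sketch. This is an added example, not Siemens' code: it bounds the PBKDF2 iteration count on the account create/update path and re-checks the stored value on the login path. The bounds, function names and record layout are assumptions.

```python
import hashlib
import hmac
import os

# Assumed policy window, not Siemens' values: benchmark on the target hardware
# so that MAX_ITERATIONS still completes in well under a second.
MIN_ITERATIONS = 10_000
MAX_ITERATIONS = 600_000


class CostFactorError(ValueError):
    """A requested or stored PBKDF2 iteration count is outside policy."""


def check_iterations(iterations):
    # bool is a subclass of int, so exclude it explicitly.
    if isinstance(iterations, bool) or not isinstance(iterations, int):
        raise CostFactorError("iteration count must be an integer")
    if not MIN_ITERATIONS <= iterations <= MAX_ITERATIONS:
        raise CostFactorError(f"iteration count {iterations} is outside "
                              f"[{MIN_ITERATIONS}, {MAX_ITERATIONS}]")
    return iterations


def derive(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def create_or_update_account(password, iterations):
    """Account create/update path: validate the cost before storing it."""
    iterations = check_iterations(iterations)
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": derive(password, salt, iterations)}


def verify_login(record, password):
    """Login path: re-check the stored cost so a record written before the
    bound existed (or altered in storage) cannot stall the device."""
    try:
        iterations = check_iterations(record["iterations"])
    except CostFactorError:
        return False  # refuse without running the KDF; flag for re-enrolment
    candidate = derive(password, record["salt"], iterations)
    return hmac.compare_digest(candidate, record["hash"])
```

Checking the stored value at login matters because records created before the bound was introduced would otherwise keep their original cost.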

Recommendations: Siemens released a patch for this vulnerability.

SCADAfence Coverage: The SCADAfence Platform detects new connections, connections to and from external devices, connections to and from the Internet, and unauthorized connections to OT assets.

Open Automation Software Platform Vulnerabilities

Multiple vulnerabilities were found affecting the Open Automation Software (OAS) platform, leading to device access, denial-of-service, and remote code execution. The OAS platform is a widely used data connectivity solution that unites industrial devices (PLCs, OPCs, Modbus), SCADA systems, IoTs, network points, custom applications, custom APIs, and databases under a holistic system.

Targets: OAS is used by Michelin, Volvo, Intel, JBT AeroTech, the U.S. Navy, Dart Oil and Gas, General Dynamics, AES Wind Generation, and several other high-profile industrial entities.

Attack Parameters: The most critical of these vulnerabilities, CVE-2022-26833, can be exploited by sending a series of HTTP requests. Most of the other vulnerabilities can be exploited using a variety of specific network requests.

Impact: Successful exploitation of these vulnerabilities may lead to DoS and RCE.

Recommendations: While patches are still unavailable for these vulnerabilities, they can be mitigated by disconnecting the OAS platform from the Internet and from Internet-facing devices.

SCADAfence Coverage: The SCADAfence Platform detects DoS attempts, such as HTTP flooding attempts. 

IT

Microsoft Office MSDT Vulnerability (CVE-2022-30190)

A new zero-day vulnerability, dubbed “Follina”, allows attackers to execute malicious PowerShell commands using Microsoft Office programs (CVE-2022-30190).
This is a new attack vector leveraging Microsoft Office programs: it works without elevated privileges, bypasses Windows Defender detection, and does not need macro code to be enabled to execute binaries or scripts.


Targets: Threat actors, such as Chinese APT groups, used this vulnerability to target organizations in Russia and in Tibet, and government entities in Europe and in the U.S.

Attack Parameters: The vulnerability leverages malicious Word documents that execute PowerShell commands via the Microsoft Diagnostic Tool (MSDT). It is triggered when an Office application, such as Word, calls MSDT using the MS-MSDT URL protocol.
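The parent/child relationship described above gives defenders a simple hunting rule. The following is an added example, not SCADAfence or Microsoft code: it triages process-creation events for msdt.exe started by an Office application or invoked through the ms-msdt: scheme. The events are constructed, their field names are modelled on Sysmon process-creation records, and the severity labels are assumptions.

```python
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed process-creation events (not taken from a real incident).
SAMPLE_EVENTS = [
    {"Computer": "ws-01",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": "msdt.exe ms-msdt:/<constructed-arguments>"},
    {"Computer": "ws-02",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": "msdt.exe /id <constructed-package-id>"},
    {"Computer": "ws-03",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 8192"},
    {"Computer": "ws-04",
     "ParentImage": r"C:\Program Files\ExampleBrowser\browser.exe",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": "msdt.exe ms-msdt:/<constructed-arguments>"},
]


def basename(path):
    # ntpath parses Windows paths correctly regardless of the analyst's OS.
    return ntpath.basename(path).lower()


def triage(events):
    """Return (host, severity, parent, via_url) for suspicious msdt.exe starts."""
    findings = []
    for ev in events:
        if basename(ev["Image"]) != "msdt.exe":
            continue
        parent = basename(ev["ParentImage"])
        via_url = "ms-msdt:" in ev["CommandLine"].lower()
        if parent in OFFICE_APPS:
            severity = "high"    # Office application calling MSDT
        elif via_url:
            severity = "medium"  # URL protocol invoked by another application
        else:
            continue             # e.g. a troubleshooter started from the shell
        findings.append((ev["Computer"], severity, parent, via_url))
    return findings
```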

Impact: Attackers can exploit this vulnerability to remotely execute arbitrary code with the privileges of the calling app to install programs, view, change, or delete data, or create new Windows accounts as allowed by the user's rights.

Recommendations:

    1. Microsoft has released a patch for this vulnerability.
    2. Microsoft recommended that affected users disable the MSDT URL protocol.
    3. An unofficial patch has been released, adding sanitization of the user-provided path to avoid rendering the Windows diagnostic wizardry inoperable.

SCADAfence Coverage: The SCADAfence Platform detects new connections, connections to and from external devices, connections to and from the Internet, and unauthorized connections.

 

Confluence Server and Data Center RCE Vulnerability (CVE-2022-26134)

A vulnerability affecting Confluence Server and Data Center was disclosed, which allows unauthenticated attackers to gain remote code execution on unpatched servers (CVE-2022-26134).


Attack Parameters: This vulnerability can be exploited without needing credentials or user interaction, by sending a specially crafted web request to the Confluence system.


Impact: Threat actors were observed exploiting this vulnerability to install BEHINDER, a web shell that allows threat actors to execute commands on the compromised server remotely and has built-in support for interaction with Meterpreter and Cobalt Strike.

A PoC exploit for this vulnerability has been published.

Recommendations: Atlassian released patches for this vulnerability.

SCADAfence Coverage: The SCADAfence Platform detects exploitation of this vulnerability, as well as the use of Meterpreter and Cobalt Strike. 

 

Ransomware

Foxconn Ransomware Attack by LockBit

Electronics manufacturer Foxconn has confirmed that one of its Mexico-based production plants has been impacted by a ransomware attack. While the company did not provide information about the responsible group, the LockBit gang claimed the attack.

Attack Parameters:

  1. Initial Access – LockBit operators often gain access via compromised servers, RDP accounts, spam email or by brute forcing insecure RDP or VPN credentials.
  2. Execution – LockBit is executed via command line or created scheduled tasks.
  3. Credential Access – LockBit was observed using Mimikatz to gather credentials.
  4. Lateral Movement – LockBit can self-propagate using SMB. PsExec and Cobalt Strike were used to move laterally within the network.

Impact: According to Foxconn, the impact on its overall operations will be minimal, and the recovery will unfold according to a pre-determined plan.

Recommendations: The following are additional best-practice recommendations:

  1. Make sure secure offline backups of critical systems are available and up-to-date.
  2. Apply the latest security patches on the assets in the network.
  3. Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  4. Encrypt sensitive data when possible.
  5. Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

SCADAfence Coverage: The SCADAfence Platform detects the creation of scheduled tasks, as well as the use of Mimikatz, PsExec, and Cobalt Strike.

RDP and SMB connections can be tracked with the User Activity Analyzer.
SFP detects suspicious behavior, including LockBit’s, based on IP reputation, hash reputation, and domain reputation.

For more information on keeping your ICS/OT systems protected from threats, or to see the SCADAfence platform in action, request a demo now.