ICS / OT Security News Update | SCADAfence – June 20

Our research team compiled the latest updates on newly announced CVEs, recent ransomware attacks and IoT security news. They also offer analysis of the potential impacts and their expert recommendations:

ICS

Siemens DoS Vulnerability (CVE-2022-24040)

A vulnerability affecting Siemens’ PXC4.E16 building automation controllers can be exploited to conduct a DoS attack (CVE-2022-24040).

Attack Parameters: The web application fails to enforce an upper bound on the cost factor of the PBKDF2-derived key during the creation or update of an account.

Impact: An attacker could make the device unavailable for days by attempting a login.

Recommendations: Siemens released a patch for this vulnerability.

SCADAfence Coverage: The SCADAfence Platform detects new connections, connections to and from external devices, connections to and from the Internet, and unauthorized connections to OT assets.
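
As an added illustration (not Siemens' code; the numeric bounds are assumptions), the vulnerable and hardened shapes of the account-creation path described above: the cost factor stored with the account decides how much work every later login costs, so it has to be bounded before it is persisted.

```python
import hashlib
import hmac
import os

# Server-defined bounds. The values are assumptions for illustration; the
# advisory does not state the affected product's limits.
MIN_ITERATIONS = 100_000
MAX_ITERATIONS = 1_000_000


def validate_cost(iterations) -> int:
    """Reject a cost factor outside the allowed range *before* any PBKDF2
    work is done. The advisory's flaw is the missing upper bound here."""
    if isinstance(iterations, bool) or not isinstance(iterations, int):
        raise ValueError("cost factor must be an integer")
    if not MIN_ITERATIONS <= iterations <= MAX_ITERATIONS:
        raise ValueError(f"cost factor {iterations} outside "
                         f"[{MIN_ITERATIONS}, {MAX_ITERATIONS}]")
    return iterations


def create_account(store: dict, user: str, password: str, cost: int,
                   enforce_bound: bool = True) -> None:
    """Persist salt, cost factor and derived key for a new or updated account.
    enforce_bound=False mirrors the vulnerable behaviour: the caller-supplied
    cost factor is stored unchecked."""
    if enforce_bound:
        cost = validate_cost(cost)
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cost)
    store[user] = {"salt": salt, "cost": cost, "key": key}


def verify_login(store: dict, user: str, password: str) -> bool:
    """Each login re-derives the key with the *stored* cost factor, so an
    unbounded value persisted at account creation stalls every later login."""
    rec = store.get(user)
    if rec is None:
        return False
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(),
                               rec["salt"], rec["cost"])
    return hmac.compare_digest(cand, rec["key"])


if __name__ == "__main__":
    accounts = {}
    create_account(accounts, "operator", "correct horse", 200_000)
    print(verify_login(accounts, "operator", "correct horse"))
    try:
        create_account(accounts, "attacker", "x", 10**12)
    except ValueError as exc:
        print("rejected:", exc)
```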

Open Automation Software Platform Vulnerabilities

Multiple vulnerabilities were found affecting the Open Automation Software (OAS) platform, leading to device access, denial of service, and remote code execution. The OAS platform is a widely used data connectivity solution that unites industrial devices (PLCs, OPC servers, Modbus), SCADA systems, IoT devices, network points, custom applications, custom APIs, and databases under a single system.

Targets: OAS is used by Michelin, Volvo, Intel, JBT AeroTech, the U.S. Navy, Dart Oil and Gas, General Dynamics, AES Wind Generation, and several other high-profile industrial entities.

Attack Parameters: The most critical of these vulnerabilities, CVE-2022-26833, can be exploited by sending a series of HTTP requests. Most of the other vulnerabilities can be exploited using a variety of specific network requests.

Impact: Successful exploitation of these vulnerabilities may lead to DoS and RCE.

Recommendations: While patches are still unavailable for these vulnerabilities, they can be mitigated by disconnecting the OAS platform from the Internet and from Internet-facing devices.

SCADAfence Coverage: The SCADAfence Platform detects DoS attempts, such as HTTP flooding attempts. 

IT

Microsoft Office MSDT Vulnerability (CVE-2022-30190)

A new zero-day vulnerability, dubbed “Follina”, allows attackers to execute malicious PowerShell commands using Microsoft Office programs (CVE-2022-30190).
This is a new attack vector leveraging Microsoft Office programs: it works without elevated privileges, bypasses Windows Defender detection, and does not need macros to be enabled to execute binaries or scripts.

Targets: Threat actors, such as Chinese APT groups, used this vulnerability to target organizations in Russia and in Tibet, and government entities in Europe and in the U.S.

Attack Parameters: The vulnerability leverages malicious Word documents that execute PowerShell commands via the Microsoft Diagnostic Tool (MSDT). It is triggered when an Office application, such as Word, calls MSDT using the MS-MSDT URL protocol.

Impact: Attackers can exploit this vulnerability to remotely execute arbitrary code with the privileges of the calling app to install programs, view, change, or delete data, or create new Windows accounts as allowed by the user’s rights.

Recommendations:

  1. Microsoft has released a patch for this vulnerability.
  2. Microsoft recommended that affected users disable the MSDT URL protocol.
  3. An unofficial patch has been released that adds sanitization of the user-provided path, which avoids rendering the Windows diagnostic wizard inoperable.

SCADAfence Coverage: The SCADAfence Platform detects new connections, connections to and from external devices, connections to and from the Internet, and unauthorized connections.
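
Added example, not code from SCADAfence or Microsoft: a small document scanner that flags the two document-level indicators the description above implies, an OLE-object relationship whose target is an external URL and any part that mentions the ms-msdt: URL scheme. The sample archives are constructed inline and example.invalid is a placeholder host.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE_SUFFIX = "/oleObject"


def scan_docx(data: bytes) -> list:
    """Return (part name, reason) findings for a .docx supplied as bytes.
    Flags any part containing the ms-msdt: URL scheme and any OLE-object
    relationship whose target is external (TargetMode="External")."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if b"ms-msdt:" in blob.lower():
                findings.append((name, "ms-msdt: URL scheme present"))
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(blob)
            except ET.ParseError:
                findings.append((name, "unparseable relationships part"))
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type", "").endswith(OLE_TYPE_SUFFIX)
                        and rel.get("TargetMode") == "External"):
                    findings.append(
                        (name, f"external OLE object target: {rel.get('Target')}"))
    return findings


def build_sample(rels_xml: str, extra_parts=None) -> bytes:
    """Constructed minimal .docx-style archive for the demo (not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
        for part, content in (extra_parts or {}).items():
            zf.writestr(part, content)
    return buf.getvalue()


OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
# Ordinary document: a styles part referenced internally.
BENIGN_RELS = (f'<Relationships xmlns="{REL_NS}">'
               f'<Relationship Id="rId1" Type="{OFFICE_REL}/styles" Target="styles.xml"/>'
               '</Relationships>')
# Suspect document: an OLE object pulled from an external URL (placeholder host).
SUSPECT_RELS = (f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId2" Type="{OFFICE_REL}/oleObject" '
                'Target="https://example.invalid/page.html" TargetMode="External"/>'
                '</Relationships>')
```

A hit on either indicator is a reason to quarantine the file and inspect it offline, not proof of exploitation on its own.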

Confluence Server and Data Center RCE Vulnerability (CVE-2022-26134)

A vulnerability affecting Confluence Server and Data Center was disclosed, which allows unauthenticated attackers to gain remote code execution on unpatched servers (CVE-2022-26134).

Attack Parameters: This vulnerability can be exploited without needing credentials or user interaction, by sending a specially crafted web request to the Confluence system.

Impact: Threat actors were observed exploiting this vulnerability to install BEHINDER, a web shell that allows threat actors to execute commands on the compromised server remotely and has built-in support for interaction with Meterpreter and Cobalt Strike.

A PoC exploit for this vulnerability has been published.

Recommendations: Atlassian released patches for this vulnerability.

SCADAfence Coverage: The SCADAfence Platform detects exploitation of this vulnerability, as well as the use of Meterpreter and Cobalt Strike. 

Ransomware

Foxconn Ransomware Attack by LockBit
Electronics manufacturer Foxconn has confirmed that one of its Mexico-based production plants has been impacted by a ransomware attack. While the company did not provide information about the responsible group, the LockBit gang claimed the attack.

Attack Parameters:

  1. Initial Access – LockBit operators often gain access via compromised servers, RDP accounts, spam email or by brute forcing insecure RDP or VPN credentials.
  2. Execution – LockBit is executed via command line or created scheduled tasks.
  3. Credential Access – LockBit was observed using Mimikatz to gather credentials.
  4. Lateral Movement – LockBit can self-propagate using SMB. PsExec and Cobalt Strike were used to move laterally within the network.

Impact: According to Foxconn, the impact on its overall operations will be minimal, and the recovery will unfold according to a pre-determined plan.

Recommendations: The following are additional best-practice recommendations:

  1. Make sure secure offline backups of critical systems are available and up-to-date.
  2. Apply the latest security patches on the assets in the network.
  3. Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  4. Encrypt sensitive data when possible.
  5. Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

SCADAfence Coverage: The SCADAfence Platform detects the creation of scheduled tasks, as well as the use of Mimikatz, PsExec, and Cobalt Strike.

RDP and SMB connections can be tracked with the User Activity Analyzer.
The SCADAfence Platform (SFP) detects suspicious behavior, including LockBit’s, based on IP reputation, hash reputation, and domain reputation.

For more information on keeping your ICS/OT systems protected from threats, or to see the SCADAfence platform in action, request a demo now.

As part of our mission to secure the world’s OT, IoT and Cyber Physical infrastructures, we invest resources into offensive research of vulnerabilities and attack techniques.

Ripple20 is a set of 19 vulnerabilities revealed by the Israeli firm JSOF that affect millions of OT and IoT devices. The vulnerabilities reside in a TCP/IP stack developed by Treck, Inc. This stack is widely used by manufacturers in the OT and IoT industries and thus affects a tremendous number of devices.

Among the affected devices are Cisco Routers, HP Printers, Digi IoT devices, PLCs by Rockwell Automation and many more. Official advisories by companies who confirmed having affected devices can be found here, in the “More Information” section.

The most critical vulnerabilities are three that allow stable remote code execution (CVE-2020-11896, CVE-2020-11897, CVE-2020-11901) and a fourth that leaks the target device’s heap memory (CVE-2020-11898).

On behalf of our customers, we set out to explore the real impact of these vulnerabilities, which we’re now sharing with the public.

The research has been conducted by researchers Maayan Fishelov and Dan Haim, and has been managed by SCADAfence’s Co-Founder and CTO, Ofer Shaked.

Exploitability Research
We set out to check the exploitability of these vulnerabilities, starting with CVE-2020-11898 (the heap memory leak vulnerability), one of the 19 published vulnerabilities.

We created a Python POC script that is based on JSOF’s official whitepaper for this vulnerability. According to JSOF, the implementation is very similar to CVE-2020-11896, which is an RCE vulnerability that is described in the whitepaper. The whitepaper also notes about the RCE vulnerability: “Variants of this Issue can be triggered to cause a Denial of Service or a persistent Denial of Service, requiring a hard reset.”

Trial Results:
Test 1 target: Samsung ProXpress printer model SL-M4070FR firmware version V4.00.02.18 MAY-08-2017. This device is vulnerable according to the HP Advisory.

Test 1 result: The printer’s network crashed and required a hard reset to recover. We were unable to reproduce the heap memory leak as described, and this vulnerability would have been tagged as unauthenticated remote DoS instead, on this specific printer.

Test 2 target: HP printer model M130fw. This device is vulnerable according to the HP Advisory.

Test 2 result: Although reported as vulnerable by the manufacturer, we were unable to reproduce the vulnerability, and we believe that this device isn’t affected by this vulnerability. We believe that’s because the IPinIP feature isn’t enabled on this printer, which we’ve verified with a specially crafted packet.

Test 3 target: Undisclosed at this stage due to disclosure guidelines. We will reveal this finding in the near future.

Test 3 result: We found an unreported vendor and device, on which we can use CVE-2020-11898 to remotely leak 368 bytes from the device’s heap, disclosing sensitive information. No patch is available for this device. Due to our strict policy of using Google’s Responsible Disclosure, we’ve reported this to the manufacturer, to allow them to make a patch available prior to the publication date.

Key Takeaways
We’ve confirmed the exploitability of the vulnerabilities on our IoT lab devices.

On the negative side: The vulnerabilities exist on additional products that are unknown to the public. Attackers are likely to use this information gap to attack networks.
On the positive side: Some devices that are reported as affected by the manufacturers are actually not affected, or are affected by other vulnerabilities. It might require attackers to tailor their exploits to specific products, increasing the cost of exploitation, and prevent them from using the vulnerability on products that are reported as vulnerable.

SCADAfence Research Recommendations

  1. Check your asset inventory and vulnerability assessment solutions for unpatched products affected by Ripple20. The SCADAfence Platform creates an asset inventory with product and software versions, passively and actively, and allows you to manage your CVEs across all embedded and Windows devices.
  2. Prioritize patching or other mitigation measures based on exposure to the Internet, exposure to insecure networks (the business LAN and others), and the criticality of the asset. This prioritization can be obtained automatically from tools such as the SCADAfence Platform.
  3. Detect exploitation based on network traffic analysis. The SCADAfence Platform detects usage of these exploits in network activity by searching for patterns that indicate usage of this vulnerability in the TCP/IP communications.
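
Added example, not the SCADAfence Platform’s own detection logic: a triage pass over raw IPv4 packets that flags IP-in-IP encapsulation (IP protocol 4), the feature the Test 2 result above ties to CVE-2020-11898, and escalates encapsulated datagrams that are also fragmented. The traffic sample is constructed inline with placeholder addresses.

```python
import socket
import struct

IPPROTO_IPIP = 4  # IP-in-IP encapsulation (RFC 2003)


def parse_ipv4(buf: bytes) -> dict:
    """Parse one IPv4 header; options are skipped via IHL."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, tlen, _id, flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("not a valid IPv4 header")
    fragmented = bool(flags_off & 0x2000) or (flags_off & 0x1FFF) != 0  # MF flag or offset
    return {"ihl": ihl, "len": tlen, "proto": proto, "fragmented": fragmented,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}


def classify(packet: bytes) -> str:
    """'plain', 'ipip', or 'ipip-fragmented' (outer or inner header fragmented)."""
    outer = parse_ipv4(packet)
    if outer["proto"] != IPPROTO_IPIP:
        return "plain"
    inner = parse_ipv4(packet[outer["ihl"]:])
    if outer["fragmented"] or inner["fragmented"]:
        return "ipip-fragmented"
    return "ipip"


def scan(packets) -> list:
    """(index, src, dst, verdict) for each IP-in-IP packet; bad buffers skipped."""
    hits = []
    for i, pkt in enumerate(packets):
        try:
            verdict = classify(pkt)
        except ValueError:
            continue
        if verdict != "plain":
            h = parse_ipv4(pkt)
            hits.append((i, h["src"], h["dst"], verdict))
    return hits


def build_ipv4(proto, src, dst, payload, flags=0, frag_offset=0) -> bytes:
    """Constructed sample packet for the demo; header checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                       (flags << 13) | frag_offset, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


ICMP_ECHO = b"\x08\x00\x00\x00\x00\x01\x00\x01"  # constructed payload
SAMPLE = [  # constructed traffic: plain TCP, IP-in-IP, IP-in-IP with an inner fragment
    build_ipv4(6, "10.1.1.5", "10.1.1.50", b"\x00" * 20),
    build_ipv4(IPPROTO_IPIP, "10.1.1.5", "10.1.1.50",
               build_ipv4(1, "10.1.1.5", "10.1.1.50", ICMP_ECHO)),
    build_ipv4(IPPROTO_IPIP, "10.1.1.5", "10.1.1.50",
               build_ipv4(1, "10.1.1.5", "10.1.1.50", ICMP_ECHO, flags=1)),
]
```

IP-in-IP has legitimate uses, so treat a hit as a triage signal to check against the asset’s expected traffic, looking at fragmented encapsulated datagrams first.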
If you have any questions or concerns about Ripple20, please contact us and we’ll be happy to assist you and share our knowledge with you or with your security experts.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

INDIANAPOLIS, August 4, 2020 — Scale Computing, a market leader in edge computing, virtualization, and hyperconverged solutions, today announced it is experiencing increased demand for its HC3 virtualization platform across the healthcare industry.

The healthcare industry is consumed with the need to simplify the management of IT assets and reduce the time and effort expended on maintaining the current IT environment. Paris Community Hospital, Riverwood Healthcare Center, Costa Salud Community Health, and North Valley Hospital all faced significant IT challenges. These included a need to enable virtualization without complexity, improve availability of critical workloads, improve disaster recovery, and solve single vendor support of infrastructure, all while needing to meet an affordable price point.

Paris Community Hospital, part of Horizon Health, is a 25-bed critical-access hospital located in Paris, Illinois. It is a full-service provider that includes emergency medicine, surgery, rehabilitation services, radiology, diabetes education, and more. The company’s four-person IT team turned to Scale Computing to simplify the management of its IT assets and reduce the time and effort expended on maintaining the environment. Scale Computing HC3 provided a cost-effective way to simplify its IT infrastructure and VDI management as well as improved performance. It also delivered enhanced security and control and enabled rapid deployment of virtual desktops, cutting time-to-implementation from a week to two hours.

Edgar Weeks, information services manager, Paris Community Hospital, comments: “With the previous environment, the high cost of maintenance and replacement, as well as the overhead required to go through so many devices and workstations individually, was a serious issue for a small, lean organization like us. Scale Computing delivered a solution that has addressed all the challenges we faced more cost-effectively than all other options. We can add users faster, manage connections more effectively, provide better control over user access and deliver vastly improved security.”

Riverwood Healthcare Center has been providing care to residents of Aitkin County in Northern Minnesota for more than 60 years. Riverwood IT leadership turned to Scale Computing to help virtualize their operations and fortify their disaster recovery efforts with a single vendor. The Scale Computing HC3 solution simplified the center’s efforts, working across its entire infrastructure and reducing the time the Riverwood IT team spends managing its infrastructure by nearly 25%, and with a much smaller footprint.

Mike Kongsjord, IT administrator, Riverwood Healthcare Center, stated: “HC3 reduced time in implementation, making our response to requests more efficient, thus increasing satisfaction. Overall maintenance of the device is much less than supporting physical servers.”

Costa Salud Community Health is located in Rincon, Puerto Rico. The health center’s general practitioners provide comprehensive, continuous and primary healthcare services to patients. Costa Salud Community Health was looking for a single vendor solution to support its infrastructure and improve disaster recovery, all at an affordable cost. It turned to Scale Computing’s HC3 for hypervisor licensing renewal and to support higher uptime SLAs for critical workloads. Thanks to its built-in high availability, HC3 decreased the time spent recovering from a hardware failure running a critical workload from 1-8 hours to less than 10 minutes (an 83-97% reduction in recovery time). Scale Computing’s solution also reduced the time the IT staff spends managing infrastructure by more than 75% after deployment of HC3.

Ismael Ruiz, IT vice president, Costa Salud Community Health, commented: “The Scale Computing solution was very interesting from the beginning. Employees do not need certifications to use the platform. Also, we do not have to be constantly upgrading. One opportunity we saw apart from the cost was support. No matter the time, a service engineer always helps us by phone in a short time. In our case, we evaluated a lot of products and HC3 was the best suited for our operations.”

North Valley Hospital, located in Washington state, strives to provide quality patient care and education that enhances the health and well-being of its communities. While struggling to ensure availability for its critical workloads and enable virtualization without complexity, North Valley Hospital looked to Scale Computing. Scale Computing’s HC3 not only addressed those issues, but also improved disaster recovery. The high availability built into HC3 allowed North Valley Hospital to decrease the recovery time needed for a hardware failure running a critical workload, from 8-24 hours to less than 10 minutes (97-99% reduction in recovery time). In addition, after deploying HC3, the amount of time the IT staff spends managing infrastructure was reduced by 50-74%.

Carlos Antuna, IT manager, North Valley Hospital, commented: “HC3 reduced complexity and increased availability.”

“When it comes to IT, healthcare organizations face many of the same challenges as any other organization, including limited budgets and scalability. Healthcare organizations also face challenges related to storing, managing and protecting critical patient data and research data and keeping systems available to handle critical care,” said Jeff Ready, CEO and co-founder, Scale Computing. “Healthcare organizations of all types have been choosing HC3 hyperconverged infrastructure from Scale Computing to serve their IT infrastructure needs. HC3 offers simplicity, scalability, availability, and affordability to organizations who need to streamline operations with a reliable solution. Whether a healthcare organization is specialized in emergency services, mental health, medical imaging, research or any other aspect of care, HC3 is the smart choice.”

About Scale Computing
Scale Computing is a leader in edge computing, virtualization, and hyperconverged solutions. Scale Computing HC3 software eliminates the need for traditional virtualization software, disaster recovery software, servers, and shared storage, replacing these with a fully integrated, highly available system for running applications. Using patented HyperCore™ technology, the HC3 self-healing platform automatically identifies, mitigates, and corrects infrastructure problems in real-time, enabling applications to achieve maximum uptime. When ease-of-use, high availability, and TCO matter, Scale Computing HC3 is the ideal infrastructure platform. Read what our customers have to say on Gartner Peer Insights, Spiceworks, TechValidate and TrustRadius.