
ICS / OT Security News Update | SCADAfence – July 15

Our research team compiled the latest updates on newly announced CVEs, recent ransomware attacks and IoT security news. They also offer analysis of the potential impacts and their expert recommendations:


ShadowPad Backdoor Targeting Industrial Control Systems

Description: Chinese threat actors have been observed using ShadowPad malware to infiltrate building automation systems.

Attack Parameters: During the initial attacks, the group exploited ProxyLogon to deploy ShadowPad malware. The attacks involved the use of Cobalt Strike and web shells for remote access, and the creation of scheduled tasks to set up daily execution of malicious payloads.

Impact: Although the final goals of the campaign remain unknown, the attackers are believed to be interested in long-term intelligence gathering.

Recommendations: Microsoft has released a patch for ProxyLogon, the initial attack vector used by this malware.

SCADAfence Coverage: The SCADAfence Platform detects the use of Cobalt Strike and the creation of scheduled tasks.

OT:ICEFALL Vulnerabilities

Description: 56 vulnerabilities, collectively dubbed OT:ICEFALL, have been disclosed, affecting OT equipment from 10 vendors used in various critical infrastructure environments. Many of these vulnerabilities stem from the insecure-by-design nature of OT products.
Some of these vulnerabilities have been exploited in the wild: an RCE vulnerability affecting Omron controllers was exploited to develop PIPEDREAM.

Affected Vendors: Honeywell, Motorola, Omron, Siemens, Emerson, JTEKT, Bentley Nevada, Phoenix Contact, ProConOS, and Yokogawa.

Attack Parameters: The flaws are related to insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware update mechanisms, and native functionality abuse.

Impact: The flaws allow remote code execution, credential compromise, firmware and configuration changes, authentication bypass, and logic manipulation.

Recommendations: Apply the latest firmware updates from the vendor, if available. Not all of the mentioned vendors have released fixes for these vulnerabilities.

SCADAfence Coverage: These vulnerabilities are included in the SCADAfence CVE DB.

11 Codesys Vulnerabilities

Description: Codesys has released patches to address 11 vulnerabilities that could lead to information disclosure and denial-of-service.

Affected Vendors: Controllers by ABB, Wago, Eaton, Bosch Rexroth, Bachmann, Festo, Keba, Kinco, and Exor are likely affected by these vulnerabilities.

Attack Parameters: Two of the most critical vulnerabilities relate to the cleartext use of passwords and a failure to enable password protection by default in the CODESYS Control runtime system.

Impact: These vulnerabilities are simple to exploit. Successful exploitation could lead to sensitive information leakage, PLCs entering a severe fault state, and arbitrary code execution.

Recommendations: Patches have been released for these vulnerabilities.

SCADAfence Coverage: These vulnerabilities are included in the SCADAfence CVE DB.


Brute Ratel (BRc4) Red-Teaming Tool

Description: The Brute Ratel C4 (BRc4) red-teaming and adversarial attack simulation tool has been used by threat actors to evade detection.
Like Cobalt Strike, Brute Ratel is an attack simulation tool that allows red teamers to deploy Badgers (similar to Cobalt Strike beacons) on remote hosts. Threat actors were spotted using this tool instead of Cobalt Strike, as BRc4 is designed to evade detection by EDR and AV capabilities.

Targets: A number of potential victims have been identified, including an Argentinian organization, an IP TV producer providing North and South American content, and a textile manufacturer in Mexico.

Attack Parameters: The tool masquerades as a CV file but is in reality an ISO file that installs BRc4 on the user’s machine and establishes communications with a remote server. This file is typically delivered via spear-phishing campaigns.

Impact: The transition from the use of Cobalt Strike to BRc4 by threat actors is significant due to the effectiveness of BRc4 at evading EDR and AV detection.

Recommendations: If this tool is used in the network for legitimate purposes, limit its capabilities to prevent malicious uses. Otherwise, block all use of this tool.

SCADAfence Coverage: The SCADAfence Platform detects new connections, connections to and from external devices, and connections to and from the Internet.
The SCADAfence Platform detects suspicious behavior based on IP reputation, hash reputation, and domain reputation.


SessionManager Backdoor

Description: A newly discovered malware, dubbed SessionManager, masquerades as a module for Internet Information Services (IIS), a web server software for Windows systems, after exploiting one of the ProxyLogon flaws.

Attack Parameters: SessionManager hooks itself in the HTTP communications processing of the web server by checking HTTP data just before IIS answers to an HTTP request.
After deployment, the malware allows its operators to harvest credentials, collect information from the network and infected devices, and deliver additional payloads, such as Mimikatz, ProcDump, and a legitimate Avast memory dump tool.

Impact: Dropping an IIS module as a backdoor enables threat actors to maintain persistent, update-resistant and relatively stealthy access to the IT infrastructure of a targeted organization, allowing them to collect emails, update further malicious access, or manage compromised servers that can be leveraged as malicious infrastructure.

Recommendations: Microsoft has released a patch for ProxyLogon.

SCADAfence Coverage: The SCADAfence Platform detects the use of Mimikatz and HTTP command injection. The SCADAfence Platform detects new connections, connections to and from external devices, and connections to and from the Internet. The SCADAfence Platform detects suspicious behavior based on IP reputation, hash reputation, and domain reputation.
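One way to hunt for a SessionManager-style native IIS module on a server you administer, as an added example that is not SCADAfence's code or the malware analysts' tooling: parse IIS's applicationHost.config and flag any global module whose image is loaded from outside the inetsrv directory. The inetsrv allowlist rule, the environment mapping and the sample config (including the two "Example..." entries) are assumptions constructed for this example; the two stock module entries are real IIS defaults.

```python
# Added example, not SCADAfence's code: enumerate native (global) IIS modules from
# applicationHost.config and flag any whose image file lives outside the standard
# inetsrv directory. Assumption: stock native modules ship under
# %windir%\System32\inetsrv, so a module loaded from anywhere else deserves review.
import ntpath
import re
import xml.etree.ElementTree as ET

INETSRV_DIR = r"C:\Windows\System32\inetsrv"


def expand_windows_vars(path, env):
    """Expand %NAME% variables case-insensitively; unknown names are left untouched."""
    lowered = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lowered.get(m.group(1).lower(), m.group(0)), path)


def suspicious_global_modules(config_xml, env=None):
    """Return [(name, expanded_image)] for globalModules entries outside INETSRV_DIR.
    normpath is applied so a '..' traversal back out of inetsrv is still flagged."""
    env = env or {"windir": r"C:\Windows"}
    allowed = ntpath.normcase(INETSRV_DIR) + "\\"
    findings = []
    for gm in ET.fromstring(config_xml).iter("globalModules"):
        for mod in gm.findall("add"):
            image = expand_windows_vars(mod.get("image", ""), env)
            if not ntpath.normcase(ntpath.normpath(image)).startswith(allowed):
                findings.append((mod.get("name"), image))
    return findings


# Constructed sample config: two stock IIS modules plus two made-up entries,
# one loaded from an unrelated directory and one using '..' to escape inetsrv.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="ExampleSuspectModule" image="C:\inetpub\temp\example.dll" />
      <add name="ExampleTraversalModule" image="%windir%\System32\inetsrv\..\..\example2.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""
```

On a live server, read the real file from %windir%\System32\inetsrv\config\applicationHost.config and compare the flagged names against your change records before treating any hit as malicious.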


Maui Ransomware Targeting U.S. Healthcare Organizations

Description: North Korean state-sponsored threat actors were observed using Maui ransomware against US healthcare and public-health sectors to encrypt servers responsible for healthcare services.

Attack Parameters: Maui lacks features that are commonly present in ransomware tools, such as a ransomware note with instructions for data recovery. The malware is designed for manual execution by a remote attacker via a command-line interface, using it to target specific files on the infected machine for encryption.

Impact: Maui attacks disrupted services at the victim organizations for a prolonged period.

Recommendations: The following are additional best-practice recommendations:
Make sure secure offline backups of critical systems are available and up to date.
Apply the latest security patches to the assets in the network.
Use unique passwords and multi-factor authentication on authentication paths to OT assets.
Encrypt sensitive data when possible.
Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

SCADAfence Coverage: The SCADAfence Platform detects new connections, connections to and from external devices, and connections to and from the Internet.
The SCADAfence Platform detects suspicious behavior based on IP reputation, hash reputation, and domain reputation.

For more information on keeping your ICS/OT systems protected from threats, or to see the SCADAfence platform in action, request a demo now.

As part of our mission to secure the world’s OT, IoT and Cyber Physical infrastructures, we invest resources into offensive research of vulnerabilities and attack techniques.

Ripple20 is a set of 19 vulnerabilities revealed by the Israeli firm JSOF that affect millions of OT and IoT devices. The vulnerabilities reside in a TCP/IP stack developed by Treck, Inc. This TCP/IP stack is widely used by manufacturers in the OT and IoT industries, so the vulnerabilities affect a tremendous number of devices.

Among the affected devices are Cisco Routers, HP Printers, Digi IoT devices, PLCs by Rockwell Automation and many more. Official advisories by companies who confirmed having affected devices can be found here, in the “More Information” section.

The most critical vulnerabilities are three that can cause stable remote code execution (CVE-2020-11896, CVE-2020-11897, CVE-2020-11901) and another that can leak the target device’s heap memory (CVE-2020-11898).

On behalf of our customers, we set out to explore the real impact of these vulnerabilities, which we’re now sharing with the public.

The research has been conducted by researchers Maayan Fishelov and Dan Haim, and has been managed by SCADAfence’s Co-Founder and CTO, Ofer Shaked.

Exploitability Research
We set out to check the exploitability of these vulnerabilities, starting with CVE-2020-11898 (the heap memory leak vulnerability), one of the 19 published vulnerabilities.

We created a Python POC script based on JSOF’s official whitepaper for this vulnerability. According to JSOF, the implementation is very similar to that of CVE-2020-11896, an RCE vulnerability described in the whitepaper. The whitepaper also notes about the RCE vulnerability: “Variants of this Issue can be triggered to cause a Denial of Service or a persistent Denial of Service, requiring a hard reset.”

Trial Results:
Test 1 target: Samsung ProXpress printer model SL-M4070FR firmware version V4.00.02.18 MAY-08-2017. This device is vulnerable according to the HP Advisory.

Test 1 result: The printer’s networking crashed and required a hard reset to recover. We were unable to reproduce the heap memory leak as described, so on this specific printer this vulnerability would instead be tagged as an unauthenticated remote DoS.

Test 2 target: HP printer model M130fw. This device is vulnerable according to the HP Advisory.

Test 2 result: Although reported as vulnerable by the manufacturer, we were unable to reproduce the vulnerability, and we believe that this device isn’t affected by this vulnerability. We believe that’s because the IPinIP feature isn’t enabled on this printer, which we’ve verified with a specially crafted packet.

Test 3 target: Undisclosed at this stage due to disclosure guidelines. We will reveal this finding in the near future.

Test 3 result: We found an unreported vendor and device, on which we can use CVE-2020-11898 to remotely leak 368 bytes from the device’s heap, disclosing sensitive information. No patch is available for this device. Due to our strict policy of using Google’s Responsible Disclosure, we’ve reported this to the manufacturer, to allow them to make a patch available prior to the publication date.

Key Takeaways
We’ve confirmed the exploitability of these vulnerabilities on our IoT lab devices.

On the negative side: The vulnerabilities exist on additional products that are unknown to the public. Attackers are likely to use this information gap to attack networks.
On the positive side: Some devices that are reported as affected by the manufacturers are actually not affected, or are affected by other vulnerabilities. This might require attackers to tailor their exploits to specific products, increasing the cost of exploitation, and prevents them from using the vulnerability on every product that is reported as vulnerable.

SCADAfence Research Recommendations
Check your asset inventory and vulnerability assessment solutions for unpatched products affected by Ripple20.
The SCADAfence Platform creates an asset inventory with product and software versions passively and actively, and allows you to manage your CVEs across all embedded and Windows devices.
Prioritize patching or other mitigation measures based on: Exposure to the internet, exposure to insecure networks (business LAN and others), criticality of the asset.
This prioritization can automatically be obtained from tools such as the SCADAfence Platform.
Detect exploitation based on network traffic analysis.
The SCADAfence Platform detects usage of these exploits in network activity by searching for patterns that indicate usage of this vulnerability in the TCP/IP communications.
If you have any questions or concerns about Ripple20, please contact us and we’ll be happy to assist you and share our knowledge with you or with your security experts.
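A coarse network-traffic check for the Ripple20 pattern referred to above (the IPinIP feature in the test results and the TCP/IP traffic patterns in the last recommendation), as an added example that is not SCADAfence's or JSOF's code. The heuristic it applies, IP-in-IP encapsulation carrying a fragmented or length-inconsistent inner packet, is assumed from JSOF's description of CVE-2020-11896/CVE-2020-11898 rather than stated on this page, and the sample packets are constructed inline.

```python
# Added example, not SCADAfence's or JSOF's code: a coarse traffic check for the
# Ripple20 IP-in-IP pattern behind CVE-2020-11896 / CVE-2020-11898. Assumed heuristic
# (from the JSOF description): an outer IPv4 packet with protocol 4 (IP-in-IP) whose
# inner IPv4 packet is fragmented, or whose inner total-length disagrees with the bytes carried.
import struct

IPPROTO_IPIP = 4

def parse_ipv4(buf):
    """Return (hdr_len, total_len, proto, more_frag, frag_off) or None if not an IPv4 header."""
    if len(buf) < 20:
        return None
    ver_ihl, _, total_len, _, flags_frag, _, proto = struct.unpack("!BBHHHBB", buf[:10])
    if ver_ihl >> 4 != 4:
        return None
    return (ver_ihl & 0x0F) * 4, total_len, proto, bool(flags_frag & 0x2000), flags_frag & 0x1FFF

def ripple20_ipip_indicators(packet):
    """Return indicator strings for one raw IPv4 packet; an empty list means nothing suspicious."""
    outer = parse_ipv4(packet)
    if outer is None or outer[2] != IPPROTO_IPIP:
        return []
    hdr_len, total_len = outer[0], outer[1]
    findings = ["ip-in-ip encapsulation (rare on OT/IoT segments)"]
    inner_buf = packet[hdr_len:total_len]      # bytes the outer header claims to carry
    inner = parse_ipv4(inner_buf)
    if inner is None:
        return findings + ["truncated or non-IPv4 inner header"]
    _, inner_total, _, more_frag, frag_off = inner
    if more_frag or frag_off:
        findings.append("fragmented inner packet inside the tunnel")
    if inner_total != len(inner_buf):
        findings.append("inner total-length %d != %d bytes carried" % (inner_total, len(inner_buf)))
    return findings

def build_ipv4(proto, payload, flags_frag=0, total_len=None):
    """Build a minimal 20-byte IPv4 header for constructed test packets (checksum left at zero)."""
    total = 20 + len(payload) if total_len is None else total_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, flags_frag, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

# Constructed samples: plain UDP, an IP-in-IP packet with a fragmented inner packet (MF bit set),
# and an IP-in-IP packet whose inner length field overstates what is actually carried.
BENIGN_UDP = build_ipv4(17, b"\x00" * 8)
SUSPECT_FRAGMENT = build_ipv4(IPPROTO_IPIP, build_ipv4(17, b"\x00" * 8, flags_frag=0x2000))
SUSPECT_LENGTH = build_ipv4(IPPROTO_IPIP, build_ipv4(17, b"\x00" * 8, total_len=100))
```

Feed it the IPv4 layer of captured frames (e.g. from a SPAN port) and alert on any non-empty result toward a device on the Ripple20 list; IP-in-IP alone is a weak signal, the fragment or length findings are the stronger ones.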

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of the world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.