
SCADAfence Discovers the First CVEs Ever Detected in Alerton PLCs

Alerton, a subsidiary of Honeywell, is a major manufacturer of building management systems for heating, ventilation, and air conditioning (HVAC). SCADAfence’s research team discovered vulnerabilities that led to NIST issuing the first CVEs ever assigned to Alerton products. Left without proper security measures, these vulnerabilities could lead to major disruptions in any facility where the products are deployed.

This is a technical report on how our research team discovered these vulnerabilities. 

Alerton Ascent Suite

Alerton Ascent is a suite of controllers, devices, and software used for building management specifically in regard to HVAC. The Ascent product suite is deployed in buildings, server rooms, chemical labs, hospitals and more, with the purpose of maintaining the appropriate air flow and safe temperature required for a room’s or space’s specific need. 

The Alerton Suite is made up of many different components. For example, the Alerton Ascent network used in our research comprised:

  1. Alerton Ascent Control Module (ACM) – Main controller
  2. VLC-853 – Field controller
  3. Alerton Compass – Management and Control Tool
  4. Visual Logic – Programming Tool

Alerton Ascent Suite Topology Map

As seen in the topology map, an ACM is connected to a VLC-853 device over a serial port. The Compass software and Visual Logic software have access to the ACM over ethernet via a network switch. 

Any user, innocent or malicious, can access the various Alerton devices and software either locally or remotely via the network switch, assuming that no additional security tools provide network protection (such as a firewall or switch port security).

A malicious user gaining access to the Ascent Suite can degrade the credibility, integrity, and availability of the BMS as a whole.

Configuration Change for Alerton ACM

The Compass software provides the ability to configure the ACM. This configuration includes setting IP values, enabling or disabling specific ports, defining which networking protocols are active and more. In general, the configuration is set when the system is installed and is rarely changed thereafter. 

Alerton Config Interface

The Attack – CVE-2022-30242 and CVE-2022-30245

Two of the disclosed CVEs, CVE-2022-30242 (CVSS 3.x score of 6.8) and CVE-2022-30245 (CVSS 3.x score of 6.5), allow configuration changes to be made outside of the Compass software without any authorization or authentication. In addition, configuration changes made this way are not reflected in the Compass software, leaving the system operator unaware that a change to the configuration occurred.

The following is a Wireshark partial capture showing how the configuration data is sent over the network from the Compass Software to the ACM: 

Wireshark capture showing config data sent over the network

As seen in the Wireshark traffic snippet above, the configuration is sent to the ACM as cleartext ASCII with no obfuscation, so the configuration data is easy to read and to modify.

By extracting the whole configuration from the network traffic, and setting the MSTP0 ENABLE field to N, we can simply disable the COM0 port from any computer with access to the ACM. 

Change sent over the network 

As a result of sending a specially crafted packet with the above change, the configuration of the ACM changed, and COM0 was set to disabled, disconnecting the VLC-853 controller from the ACM: 

  

While successful changes in the configuration occurred, the Device Configuration window still indicates to the operator that COM0 is enabled: 



In a real life scenario, this can have significant and/or tragic effects. 

If this vulnerability is leveraged in a real-life setting, it can cause connectivity issues or undefined behavior across the entire network. In the example above, COM0 was disabled, which cut the VLC-853 off from the network.

If the VLC-853 were responsible for keeping a cloud storage server room properly cooled, operators who notice that the VLC-853 is no longer communicating with the ACM, and who are unaware that a configuration change occurred, may feel compelled to shut down the server farm for fear of the servers overheating, causing major disruptions for numerous services worldwide.

This is obviously a single example for a single change in configuration. Any number of other changes can have similar, troubling effects. 

Programming Changes for Alerton Controllers

Programming management for Alerton controllers is done using Visual Logic, an Alerton proprietary plug-in for Microsoft Visio. Programs written using Visual Logic are displayed as diagrams, as seen below:

Visual Logic Program sent to Alerton Controller

Programs are written, pushed to controllers and run by engineers whose task it is to define the programmatic logic of the controller necessary for it to perform its specific role in the network.

Programs are written and edited on an as-needed basis and are not accessed frequently so long as the target device is fulfilling its intended purpose. 

The Attack – CVE-2022-30243 and CVE-2022-30244

In our research, we successfully wrote a program to an Alerton ACM device without authorization or authentication. In addition, the Visual Logic software gave no indication that a programming change occurred or that the program saved in the engineering software differed from the one actually running on the ACM. This leaves an operator clueless as to why a controller has malfunctioned, changed its activity or stopped processing altogether.

This resulted in the disclosure of two CVEs, CVE-2022-30243 (CVSS 3.x score of 8.8) and CVE-2022-30244 (CVSS 3.x score of 8.0).

The packet sequence for writing a program to the ACM is a fixed sequence of BACnet commands, listed in order as follows:

With the exclusion of ADD_CODE_BLOCK_PACKET, all of the commands above are static, constant BACnet packets with a dynamic parameter of invoke ID. Being a BACnet system, there are no authorization checks to ensure that the commands being sent are from a reliable and authorized source. 

An attacker who has network access to any of the Alerton controllers can send a maliciously crafted program, using the above sequence of commands, to change a program on the target controller. This is done without the knowledge of an operator, as there is no indication of a program change in the Compass software or the Visual Logic Programming Visio plug-in. 
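Both findings above share one defensive gap: the ACM accepts configuration and program writes from any host, and the engineering software shows no trace of them. The following is an added example, not SCADAfence or Alerton code, of a passive detector that flags writes from hosts outside an allow-list and diffs each cleartext configuration write against the last operator-sanctioned baseline. It assumes a network sensor hands it pre-parsed write events as dicts and models the ASCII configuration as "KEY=VALUE" lines; the addresses and all field names other than MSTP0 ENABLE are constructed placeholders.

```python
"""Constructed detector for out-of-band writes to an Alerton ACM (example code,
not SCADAfence's or Alerton's). Assumes pre-parsed write events, a KEY=VALUE
model of the cleartext configuration, and constructed host addresses."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ACM_ADDRESS = "10.0.0.50"                 # constructed: the ACM under watch
AUTHORIZED_STATIONS = {"10.0.0.10"}       # constructed: Compass / Visual Logic host
# Fields whose change disconnects field devices or widens network exposure
# (only MSTP0 ENABLE comes from the write-up; the others are placeholders).
SENSITIVE_FIELDS = {"MSTP0 ENABLE", "MSTP1 ENABLE", "BACNET IP ENABLE"}

# Constructed baseline: the last configuration the operator pushed via Compass.
BASELINE_CONFIG_TEXT = """IP ADDRESS=10.0.0.50
MSTP0 ENABLE=Y
MSTP1 ENABLE=N
BACNET IP ENABLE=Y
"""


@dataclass
class Finding:
    severity: str
    reason: str
    src: str
    changes: Dict[str, Tuple[str, str]] = field(default_factory=dict)


def parse_config(text: str) -> Dict[str, str]:
    """Parse the cleartext configuration into {FIELD: value}; keys are upper-cased."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" not in line:
            continue                      # skip blank or malformed lines
        key, value = line.split("=", 1)
        cfg[key.strip().upper()] = value.strip()
    return cfg


def diff_config(baseline: Dict[str, str], observed: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return {field: (old, new)} for every field that was added, removed or changed."""
    changes = {}
    for key in sorted(set(baseline) | set(observed)):
        if baseline.get(key) != observed.get(key):
            changes[key] = (baseline.get(key), observed.get(key))
    return changes


def analyze_event(event: dict, baseline: Dict[str, str]) -> List[Finding]:
    """Classify one write event against the allow-list and the baseline configuration."""
    findings: List[Finding] = []
    if event["dst"] != ACM_ADDRESS:
        return findings                   # not the device we are watching
    src = event["src"]
    if src not in AUTHORIZED_STATIONS:
        findings.append(Finding("high", f"{event['kind']} from unauthorized host", src))
    if event["kind"] == "config_write":
        changes = diff_config(baseline, parse_config(event["payload"]))
        sensitive = {k: v for k, v in changes.items() if k in SENSITIVE_FIELDS}
        if sensitive:
            findings.append(Finding("high", "sensitive configuration field changed", src, sensitive))
        elif changes:
            findings.append(Finding("medium", "configuration changed", src, changes))
    elif event["kind"] == "program_write":
        # The engineering software shows no indication of a program change, so every
        # program write outside an approved change window is surfaced to the operator.
        if not event.get("in_change_window", False):
            findings.append(Finding("medium", "program write outside a change window", src))
    return findings


def run_demo() -> List[Finding]:
    """Run the detector over constructed events: a legitimate config push, the
    COM0-disabling write from a rogue host, a rogue program write, and a write
    to an unrelated device that must be ignored."""
    baseline = parse_config(BASELINE_CONFIG_TEXT)
    rogue_config = BASELINE_CONFIG_TEXT.replace("MSTP0 ENABLE=Y", "MSTP0 ENABLE=N")
    events = [
        {"src": "10.0.0.10", "dst": ACM_ADDRESS, "kind": "config_write", "payload": BASELINE_CONFIG_TEXT},
        {"src": "10.0.0.99", "dst": ACM_ADDRESS, "kind": "config_write", "payload": rogue_config},
        {"src": "10.0.0.99", "dst": ACM_ADDRESS, "kind": "program_write", "payload": ""},
        {"src": "10.0.0.10", "dst": "10.0.0.60", "kind": "config_write", "payload": rogue_config},
    ]
    findings: List[Finding] = []
    for event in events:
        findings.extend(analyze_event(event, baseline))
    return findings


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f.severity}] {f.reason} from {f.src} {f.changes or ''}")
```

The baseline must be refreshed whenever an authorized station pushes a change, otherwise a legitimate update is reported as drift on every later write.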

The following image is a diagram of the program that we pushed to the controller in the previous section; however, an additional component was added and pushed to the controller from a third-party computer with no access to the Visual Logic software:  

Visual Logic Image of Program Pushed to Alerton Controller

The only indication that a programming change occurred is by clicking the Read from Device button as seen in the image below, and comparing the downloaded program to that which is stored on the engineering station:


Program Stored On Engineering Station

As with the configuration change vulnerabilities, if these vulnerabilities are leveraged on an Alerton controller in a real-life, production network the effects can be catastrophic. 

If a controller is managing the air flow in a chemical lab, and a program is written to the controller that essentially renders it useless for its current purpose (either by sending a stub program, or by sending a program that does not fulfill the air flow requirement), anyone in the lab could potentially be in a life-threatening situation.

The potential scenarios that can occur by taking advantage of these vulnerabilities are endless, and can be very serious and even lethal. 

Full details on the CVEs can be found on the official NIST website:
https://nvd.nist.gov/vuln/detail/CVE-2022-30242

https://nvd.nist.gov/vuln/detail/CVE-2022-30243

https://nvd.nist.gov/vuln/detail/CVE-2022-30244

https://nvd.nist.gov/vuln/detail/CVE-2022-30245

In response to SCADAfence’s findings, Honeywell issued a Product Security Bulletin informing Alerton ACM Controller users of the vulnerabilities. 

To learn more about how the SCADAfence Platform can protect your OT network, visit our website or request a demo.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

Assessing Risk Across Your Entire OT Architecture

A SCADAfence New Feature Report

Here is the standard, old school way of automated risk assessment across an OT network:  First, scan each device individually. Then evaluate its specific level of risk based on the device’s known vulnerabilities, exposure outside the network, level of criticality to operations, and several other factors. If the device creates a risk, the system issues an alert. This is probably how your current system operates and overall, you likely think that works pretty well.

But the truth is that this approach leaves a large opening in your overall security, because each device doesn’t exist in its own bubble. It has a specific place as part of a larger network, and it needs to be analyzed as such. Therefore, the SCADAfence Platform organizes logical groups of connected devices into units called “security zones.” A security zone might be a number of PLCs all on the same line, groups of engineering stations, or groups of devices that exist in the same area of the network.

The SCADAfence Platform’s new Architecture Risk Assessment feature provides insights into OT network risks based on automated assessments of each security zone and interactions between devices in separate zones. This method uncovers risks that would otherwise be missed.

Detecting Risks Across Security Zones

SCADAfence’s security experts have designed a method to evaluate each security zone in a more holistic manner and rate the risk from each zone to the overall architecture of your OT network.

Architecture Risk Assessment mimics the mind of a top security expert who analyzes the entirety of a network. It closes the gap between the current practice of alerting only on security issues of individual devices and the best-practice risk assessment methodologies of security experts who assess the entire network. The end result is more high-level risks being detected across your OT network. Also, it allows network administrators to reduce risks to their network and identify potential problems before incidents occur.

Without this functionality, you would require an analyst to manually review and analyze the traffic between security zones, and identify possible risks. And of course, reviewing things manually is more time consuming, more expensive, and would overlook many important risks. 

The Architecture Risk Assessment feature can be used during the risk assessment / security posture process which is typically performed before introducing new security controls, or it can be scheduled to be re-run periodically. 

Use This Feature Out-Of-The-Box or Customize It

The SCADAfence Platform has built-in rules that alert on insecure behavior between assets when they are interacting across security zones. For example, the system will alert if it detects administrative access from an external network to critical process equipment inside the OT network. Other systems, that alert only on activities of an individual device, would overlook this risk.

In addition to the built-in rules, the Architecture Risk Assessment functionality allows user-defined rules to be added as well.

The SCADAfence Platform Architecture Risk Assessment Feature evaluates the security risk across logical zones and allows user-defined rule sets.

Summary of Benefits of Architecture Risk Assessment

  • Automatically identify potential risks to your OT network caused by architectural weaknesses such as lack of network segmentation.
  • Understand additional layers of risk caused by activity happening between groups of assets in addition to risks caused by weaknesses of individual assets.
  • Out-of-the-box expertise for architecture risk assessment.
  • Save your organization time and money. No more need for manual analysis and review of traffic between network zones.

SCADAfence New Feature Reports is an occasional series of blogs exploring the many newly added features of the SCADAfence Platform in detail. For more information or to see SCADAfence in action, request a personalized demo.


Use CVE Prioritization to Improve Your OT Security

A SCADAfence New Feature report

A large, robust Industrial Control Systems (ICS) network can contain tens of thousands of devices. Each of those devices may have any number of associated known CVEs (Common Vulnerabilities and Exposures). Do the math and what you’ll come up with is a terrifying mountain of possible vulnerabilities. What’s a CISO to do? How to prioritize the work of implementing all the patches needed to keep the OT network safe? The problem is exacerbated if the CISO has limited OT Security team members available. (Check out the 2022 State Of Operational Technology Report for more on that)


ICS / OT Security News Update | SCADAfence – July 15

Our research team compiled the latest updates on newly announced CVEs, recent ransomware attacks and IoT security news. They also offer analysis of the potential impacts and their expert recommendations:


The Iranian Steel Industry Cyber Attack Explained

A Change In The Air

Iran’s steel industry was hit by a hacktivist group calling themselves “Goneshke Darande” [Predatory Sparrow] on June 27th, 2022. The attack focused specifically on three steel companies that are currently subject to international sanctions: Mobarakeh Steel Company, Hormozgan Steel Company, and Khuzestan Steel Industries. This blog will investigate the Khuzestan attack.

At 3:08:22 pm local time, a compromised internal plant camera at Khuzestan shows the loss of control, and within 12 minutes the camera captured catastrophic failure. In the video it appears that there is a disruption in the vacuum degassing stage of the ladle metallurgy process, where the molten steel in the ladle is held under vacuum to remove dissolved gases entrained in the steel before it is poured. This is problematic because even a few parts per million of hydrogen gas remaining in the pour causes massive defects and a drastic loss of structural integrity.

The attackers posted images from the compromised ICS leading up to the event on their Twitter account.

Screenshot posted by the threat actors before the attack

From this screenshot we can deduce that the Khuzestan Steel Factory was using a Siemens PCS7 process control system and, based on the graphics, most likely S7-400 controllers. Digging a little deeper into OSINT (open source intelligence), it appears that IRISA International Systems Engineering & Automation Company worked on designing and implementing various portions of the steel factory.

Industrial automation system of ladle furnace

In my book Pentesting Industrial Control Systems, under Section 2 – Understanding the Cracks, Chapter 4 – Open Source Ninja, I elaborate on the fact that gaining insight into openly available data about a client’s industry, process, employees, equipment, and technology is absolutely essential. Throughout the chapter I caution companies, and specifically blue teamers, to monitor the social media posts of employees and third-party vendors, as they might innocently and non-maliciously publish critical information related to your company’s production environment.

The silver lining of this cyber incident is that no one was hurt and it may open more discussions on industrial cyber security awareness.

To learn more about how the SCADAfence Platform can protect your OT network request a demo today.



ICS / OT Security News Update | SCADAfence – June 20

Our research team compiled the latest updates on newly announced CVEs, recent ransomware attacks and IoT security news. They also offer analysis of the potential impacts and their expert recommendations:

ICS

Siemens DoS Vulnerability (CVE-2022-24040)

A vulnerability affecting Siemens’ PXC4.E16 building automation controllers can be exploited to conduct a DoS attack (CVE-2022-24040).

Attack Parameters: The web application fails to enforce an upper bound to the cost factor of the PBKDF2 derived key during the creation or update of an account.

Impact: An attacker could make the device unavailable for days by attempting a login.

Recommendations: Siemens released a patch for this vulnerability.

SCADAfence Coverage: The SCADAfence Platform detects new connections, connections to and from external devices, connection to and from the Internet, and unauthorized connections to OT assets.
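The attack parameter above describes a class of bug worth recognising in any embedded web application: a password-hashing cost factor taken from the request and never bounded. The following is an added example, not Siemens firmware, of the vulnerable account-creation pattern beside a hardened version that enforces a ceiling on creation and update; the iteration bounds are assumptions chosen for illustration, not values from the advisory.

```python
"""Constructed illustration (not Siemens PXC4.E16 code) of the failure class
behind CVE-2022-24040: storing a caller-chosen PBKDF2 cost factor without an
upper bound lets one account make every later login attempt burn CPU for an
arbitrarily long time. MIN/MAX_ITERATIONS are assumptions for illustration."""
import hashlib
import hmac
import os

MIN_ITERATIONS = 10_000    # assumption: floor so stored hashes stay expensive to crack
MAX_ITERATIONS = 600_000   # assumption: ceiling that bounds per-login CPU time


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256; cost grows linearly with `iterations`."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_account_unbounded(password: str, iterations: int) -> dict:
    """Vulnerable pattern: the cost factor is taken from the request as-is.
    Any positive integer is accepted, and verify_login() will then spend that
    many rounds on every attempt against this account."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": derive(password, salt, iterations)}


def validate_iterations(iterations) -> int:
    """Hardened check: reject non-integers (bool included) and anything outside the bounds."""
    if isinstance(iterations, bool) or not isinstance(iterations, int):
        raise ValueError("cost factor must be an integer")
    if not MIN_ITERATIONS <= iterations <= MAX_ITERATIONS:
        raise ValueError(
            f"cost factor {iterations} outside [{MIN_ITERATIONS}, {MAX_ITERATIONS}]")
    return iterations


def create_account_bounded(password: str, iterations: int = MIN_ITERATIONS) -> dict:
    """Same API with the upper bound enforced before any key derivation runs."""
    iterations = validate_iterations(iterations)
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": derive(password, salt, iterations)}


def update_cost_factor(record: dict, password: str, iterations: int) -> dict:
    """Account update is the second path the advisory names; it gets the same check."""
    return {**record, **create_account_bounded(password, iterations)}


def verify_login(record: dict, password: str) -> bool:
    """Login re-derives with whatever cost was stored, so the bound enforced at
    creation/update time is what keeps this call short."""
    derived = derive(password, record["salt"], record["iterations"])
    return hmac.compare_digest(derived, record["hash"])


if __name__ == "__main__":
    acct = create_account_bounded("correct horse", 50_000)
    print("login ok:", verify_login(acct, "correct horse"))
    try:
        create_account_bounded("x", 2_000_000_000)
    except ValueError as err:
        print("rejected:", err)
```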

Open Automation Software Platform Vulnerabilities

Multiple vulnerabilities were found affecting the Open Automation Software (OAS) platform, leading to device access, denial-of-service, and remote code execution. The OAS platform is a widely used data connectivity solution that unites industrial devices (PLCs, OPCs, Modbus), SCADA systems, IoT devices, network points, custom applications, custom APIs, and databases under a holistic system.

Targets: OAS is used by Michelin, Volvo, Intel, JBT AeroTech, the U.S. Navy, Dart Oil and Gas, General Dynamics, AES Wind Generation, and several other high-profile industrial entities.

Attack Parameters: The most critical of these vulnerabilities, CVE-2022-26833, can be exploited by sending a series of HTTP requests. Most of the other vulnerabilities can be exploited using a variety of specific network requests.

Impact: Successful exploitation of these vulnerabilities may lead to DoS and RCE.

Recommendations: While patches are still unavailable for these vulnerabilities, they can be mitigated by disconnecting the OAS platform from the Internet and from Internet-facing devices.

SCADAfence Coverage: The SCADAfence Platform detects DoS attempts, such as HTTP flooding attempts. 

IT

Microsoft Office MSDT Vulnerability (CVE-2022-30190)

A new zero-day vulnerability, dubbed “Follina”, allows attackers to execute malicious PowerShell commands using Microsoft Office programs (CVE-2022-30190).
This is a new attack vector leveraging Microsoft Office programs as it works without elevated privileges, bypasses Windows Defender detection, and does not need macro code to be enabled to execute binaries or scripts.


Targets: Threat actors, such as Chinese APT groups, used this vulnerability to target organizations in Russia and in Tibet, and government entities in Europe and in the U.S.

Attack Parameters: The vulnerability leverages malicious Word documents that execute PowerShell commands via the Microsoft Diagnostic Tool (MSDT). It is triggered when an office application, such as Word, calls MSDT using the MS-MSDT URL protocol.

Impact: Attackers can exploit this vulnerability to remotely execute arbitrary code with the privileges of the calling app to install programs, view, change, or delete data, or create new Windows accounts as allowed by the user’s rights.

Recommendations:

    1. Microsoft has released a patch for this vulnerability. 
    2. Microsoft recommended that affected users disable the MSDT URL.
    3. An unofficial patch has been released, adding sanitation of the user-provided path to avoid rendering the Windows diagnostic wizardry inoperable.

SCADAfence Coverage: The SCADAfence Platform detects new connections, connections to and from external devices, connection to and from the Internet, and unauthorized connections.

Confluence Server and Data Center RCE Vulnerability (CVE-2022-26134)

A vulnerability affecting Confluence Server and Data Center was disclosed, which allows unauthenticated attackers to gain remote code execution on unpatched servers (CVE-2022-26134).


Attack Parameters: This vulnerability can be exploited without needing credentials or user interaction, by sending a specially crafted web request to the Confluence system.


Impact: Threat actors were observed exploiting this vulnerability to install BEHINDER, a web shell that allows threat actors to execute commands on the compromised server remotely and has built-in support for interaction with Meterpreter and Cobalt Strike.

A PoC exploit for this vulnerability has been published.

Recommendations: Atlassian released patches for this vulnerability.

SCADAfence Coverage: The SCADAfence Platform detects exploitation of this vulnerability, as well as the use of Meterpreter and Cobalt Strike. 

Ransomware

Foxconn Ransomware Attack by LockBit
Foxconn electronics manufacturer has confirmed that one of its Mexico-based production plants has been impacted by a ransomware attack. While the company did not provide information about the responsible group, LockBit gang claimed the attack.

Attack Parameters:

  1. Initial Access – LockBit operators often gain access via compromised servers, RDP accounts, spam email or by brute forcing insecure RDP or VPN credentials.
  2. Execution – LockBit is executed via command line or created scheduled tasks.
  3. Credential Access – LockBit was observed using Mimikatz to gather credentials.
  4. Lateral Movement – LockBit can self-propagate using SMB. PsExec and Cobalt Strike were used to move laterally within the network.

Impact: According to Foxconn, the impact on its overall operations will be minimal, and the recovery will unfold according to a pre-determined plan.

Recommendations:  Following are additional best practices recommendations:

  1. Make sure secure offline backups of critical systems are available and up-to-date.
  2. Apply the latest security patches on the assets in the network.
  3. Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  4. Encrypt sensitive data when possible.
  5. Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

SCADAfence Coverage: The SCADAfence Platform detects the creation of scheduled tasks, as well as the use of Mimikatz, PsExec, and Cobalt Strike.

RDP and SMB connections can be tracked with User Activity Analyzer.
SFP (the SCADAfence Platform) detects suspicious behavior, including LockBit’s, based on IP reputation, hash reputation, and domain reputation.

For more information on keeping your ICS/OT systems protected from threats, or to see the SCADAfence platform in action, request a demo now.

As part of our mission to secure the world’s OT, IoT and Cyber Physical infrastructures, we invest resources into offensive research of vulnerabilities and attack techniques.

Ripple20 is a set of 19 vulnerabilities revealed by Israeli firm JSOF that affect millions of OT and IoT devices. The vulnerabilities reside in a TCP/IP stack developed by Treck, Inc. The stack is widely used by manufacturers in the OT and IoT industries and thus affects a tremendous number of devices.

Among the affected devices are Cisco Routers, HP Printers, Digi IoT devices, PLCs by Rockwell Automation and many more. Official advisories by companies who confirmed having affected devices can be found here, in the “More Information” section.

The most critical vulnerabilities are three that can cause a stable Remote Code Execution (CVE-2020-11896, CVE-2020-11897, CVE-2020-11901) and another that can cause the target device’s memory heap to be leaked (CVE-2020-11898).

On behalf of our customers, we set out to explore the real impact of these vulnerabilities, which we’re now sharing with the public.

The research has been conducted by researchers Maayan Fishelov and Dan Haim, and has been managed by SCADAfence’s Co-Founder and CTO, Ofer Shaked.

Exploitability Research
We set out to check the exploitability of these vulnerabilities, starting with CVE-2020-11898 (the heap memory leak vulnerability), one of the 19 published vulnerabilities.

We created a Python POC script based on JSOF’s official whitepaper for this vulnerability. According to JSOF, the implementation is very similar to that of CVE-2020-11896, an RCE vulnerability described in the whitepaper. The whitepaper also notes about the RCE vulnerability: “Variants of this Issue can be triggered to cause a Denial of Service or a persistent Denial of Service, requiring a hard reset.”

Trial Results:
Test 1 target: Samsung ProXpress printer model SL-M4070FR firmware version V4.00.02.18 MAY-08-2017. This device is vulnerable according to the HP Advisory.

Test 1 result: The printer’s network crashed and required a hard reset to recover. We were unable to reproduce the heap memory leak as described, and this vulnerability would have been tagged as unauthenticated remote DoS instead, on this specific printer.

Test 2 target: HP printer model M130fw. This device is vulnerable according to the HP Advisory.

Test 2 result: Although reported as vulnerable by the manufacturer, we were unable to reproduce the vulnerability, and we believe that this device isn’t affected by this vulnerability. We believe that’s because the IPinIP feature isn’t enabled on this printer, which we’ve verified with a specially crafted packet.

Test 3 target: Undisclosed at this stage due to disclosure guidelines. We will reveal this finding in the near future.

Test 3 result: We found an unreported vendor and device, on which we can use CVE-2020-11898 to remotely leak 368 bytes from the device’s heap, disclosing sensitive information. No patch is available for this device. Due to our strict policy of using Google’s Responsible Disclosure, we’ve reported this to the manufacturer, to allow them to make a patch available prior to the publication date.

Key Takeaways
We’ve confirmed the exploitability of these vulnerabilities on our IoT lab devices.

On the negative side: the vulnerabilities exist on additional products that are unknown to the public. Attackers are likely to use this information gap to attack networks.
On the positive side: some devices that are reported as affected by the manufacturers are actually not affected, or are affected by other vulnerabilities. This may require attackers to tailor their exploits to specific products, increasing the cost of exploitation, and prevent them from using the vulnerability on products that are reported as vulnerable.

SCADAfence Research Recommendations

  1. Check your asset inventory and vulnerability assessment solutions for unpatched products affected by Ripple20. The SCADAfence Platform creates an asset inventory with product and software versions passively and actively, and allows you to manage your CVEs across all embedded and Windows devices.
  2. Prioritize patching or other mitigation measures based on exposure to the internet, exposure to insecure networks (business LAN and others), and criticality of the asset. This prioritization can automatically be obtained from tools such as the SCADAfence Platform.
  3. Detect exploitation based on network traffic analysis. The SCADAfence Platform detects usage of these exploits in network activity by searching for patterns that indicate usage of this vulnerability in the TCP/IP communications.

If you have any questions or concerns about Ripple20, please contact us and we’ll be happy to assist you and share our knowledge with you or with your security experts.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

INDIANAPOLIS, August 4, 2020 — Scale Computing, a market leader in edge computing, virtualization, and hyperconverged solutions, today announced it is experiencing increased demand for its HC3 virtualization platform across the healthcare industry.

The healthcare industry is under constant pressure to simplify the management of IT assets and reduce the time and effort spent maintaining the existing IT environment. Paris Community Hospital, Riverwood Healthcare Center, Costa Salud Community Health, and North Valley Hospital all faced significant IT challenges: enabling virtualization without complexity, improving the availability of critical workloads, improving disaster recovery, and consolidating infrastructure support under a single vendor, all at an affordable price point.

Paris Community Hospital, part of Horizon Health, is a 25-bed critical-access hospital located in Paris, Illinois. It is a full-service provider that includes emergency medicine, surgery, rehabilitation services, radiology, diabetes education, and more. The company’s four-person IT team turned to Scale Computing to simplify the management of its IT assets and reduce the time and effort expended on maintaining the environment. Scale Computing HC3 provided a cost-effective way to simplify its IT infrastructure and VDI management as well as improved performance. It also delivered enhanced security and control and enabled rapid deployment of virtual desktops, cutting time-to-implementation from a week to two hours.

Edgar Weeks, information services manager, Paris Community Hospital, comments: “With the previous environment, the high cost of maintenance and replacement, as well as the overhead required to go through so many devices and workstations individually, was a serious issue for a small, lean organization like us. Scale Computing delivered a solution that has addressed all the challenges we faced more cost-effectively than all other options. We can add users faster, manage connections more effectively, provide better control over user access and deliver vastly improved security.”

Riverwood Healthcare Center has been providing care to residents of Aitkin County in Northern Minnesota for more than 60 years. Riverwood IT leadership turned to Scale Computing to help virtualize their operations and fortify their disaster recovery efforts with a single vendor. The Scale Computing HC3 solution simplified the center’s efforts, working across its entire infrastructure and reducing the time the Riverwood IT team spends managing its infrastructure by nearly 25%, and with a much smaller footprint.

Mike Kongsjord, IT administrator, Riverwood Healthcare Center, stated: “HC3 reduced time in implementation, making our response to requests more efficient, thus increasing satisfaction. Overall maintenance of the device is much less than supporting physical servers.”

Costa Salud Community Health is located in Rincon, Puerto Rico. The health center’s general practitioners provide comprehensive, continuous and primary healthcare services to patients. Costa Salud Community Health was looking for a single vendor solution to support its infrastructure and improve disaster recovery, all at an affordable cost. It turned to Scale Computing’s HC3 for hypervisor licensing renewal and to support higher uptime SLAs for critical workloads. Thanks to its built-in high availability, HC3 decreased the time spent recovering from a hardware failure running a critical workload from 1-8 hours to less than 10 minutes (an 83-97% reduction in recovery time). Scale Computing’s solution also reduced the time the IT staff spends managing infrastructure by more than 75% after deployment of HC3.

Ismael Ruiz, IT vice president, Costa Salud Community Health, commented: “The Scale Computing solution was very interesting from the beginning. Employees do not need certifications to use the platform. Also, we do not have to be constantly upgrading. One opportunity we saw apart from the cost was support. No matter the time, a service engineer always helps us by phone in a short time. In our case, we evaluated a lot of products and HC3 was the best suited for our operations.”

North Valley Hospital, located in Washington state, strives to provide quality patient care and education that enhances the health and well-being of its communities. Struggling to provide the availability its critical workloads required and to adopt virtualization without added complexity, North Valley Hospital turned to Scale Computing. Scale Computing’s HC3 not only addressed those issues, but also improved disaster recovery. The high availability built into HC3 allowed North Valley Hospital to decrease the recovery time needed for a hardware failure running a critical workload, from 8-24 hours to less than 10 minutes (97-99% reduction in recovery time). In addition, after deploying HC3, the amount of time the IT staff spends managing infrastructure was reduced by 50-74%.

Carlos Antuna, IT manager, North Valley Hospital, commented: “HC3 reduced complexity and increased availability.”

“When it comes to IT, healthcare organizations face many of the same challenges as any other organization, including limited budgets and scalability. Healthcare organizations also face challenges related to storing, managing and protecting critical patient data and research data and keeping systems available to handle critical care,” said Jeff Ready, CEO and co-founder, Scale Computing. “Healthcare organizations of all types have been choosing HC3 hyperconverged infrastructure from Scale Computing to serve their IT infrastructure needs. HC3 offers simplicity, scalability, availability, and affordability to organizations who need to streamline operations with a reliable solution. Whether a healthcare organization is specialized in emergency services, mental health, medical imaging, research or any other aspect of care, HC3 is the smart choice.”

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Scale Computing
Scale Computing is a leader in edge computing, virtualization, and hyperconverged solutions. Scale Computing HC3 software eliminates the need for traditional virtualization software, disaster recovery software, servers, and shared storage, replacing these with a fully integrated, highly available system for running applications. Using patented HyperCore™ technology, the HC3 self-healing platform automatically identifies, mitigates, and corrects infrastructure problems in real-time, enabling applications to achieve maximum uptime. When ease-of-use, high availability, and TCO matter, Scale Computing HC3 is the ideal infrastructure platform. Read what our customers have to say on Gartner Peer Insights, Spiceworks, TechValidate and TrustRadius.

SCADAfence Wins Three Prestigious Information Security Awards During RSA Conference 2022

SCADAfence Wins 3 Awards at RSA 2022 – 1. Most Innovative Governance, Risk and Compliance (GRC) 2. Next Gen ICS/SCADA Security  3. Most Innovative Internet of Things (IoT) Security  

San Francisco, California June 6, 2022 – SCADAfence, the global technology leader in OT & IoT cyber security, is proud to announce we have won the following awards from Cyber Defense Magazine (CDM), the industry’s leading electronic information security magazine:

  • Most Innovative Governance, Risk and Compliance (GRC)
  • Next Gen ICS/SCADA Security
  • Most Innovative Internet of Things (IoT) Security

SCADAfence has won the award for Most Innovative Governance, Risk and Compliance (GRC) in recognition of its governance portal, which provides a multi-site regulatory and policy compliance framework. The portal gives companies with OT networks increased readiness and compliance for organizational policies and regulations. The SCADAfence governance portal is unique in the marketplace in that it allows organizations to audit compliance based on real traffic data across multiple sites, and it provides ready-to-use compliance dashboards and reports. SCADAfence is currently the only vendor offering this technology.

Additionally, SCADAfence has won the award for Next Gen ICS/SCADA Security for its unique Micro Granular Baseline technology. This technology learns every device granularly, per asset and per traffic characteristic. It provides a highly accurate detection mechanism and dramatically reduces false positives without the need to reconfigure the baseline after changes. Customers get baselining results in hours instead of weeks, and the baseline keeps getting smarter with advanced AI capabilities.

SCADAfence has also won the award for Most Innovative Internet of Things (IoT) Security, for its ability to provide comprehensive protection to complex industrial IIoT networks comprising thousands of devices from various manufacturers with multiple vulnerabilities.

“We’re thrilled to receive one of the most prestigious and coveted cybersecurity awards in the world from Cyber Defense Magazine” said Elad Ben-Meir, CEO of SCADAfence. “We knew the competition would be tough and fierce. We couldn’t be more pleased to be recognized as Innovators and leaders in the OT security industry.”

“SCADAfence embodies three major features the judges look for to become winners: understanding tomorrow’s threats, today, providing a cost-effective solution and innovating in unexpected ways that can help stop the next breach,” said Gary S. Miliefsky, Publisher of Cyber Defense Magazine.

We’re thrilled to be a part of  this coveted group of winners, located here: www.cyberdefenseawards.com/

About SCADAfence

SCADAfence is the global technology leader in OT & IoT cyber security. The SCADAfence platform enables organizations with complex OT networks to embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. The non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and governance with minimal false-positives. SCADAfence delivers proactive security and visibility to some of the world’s most complex OT networks, including the largest manufacturing facility in Europe. SCADAfence enables organizations in manufacturing, building management and critical infrastructure industries to operate securely, reliably and efficiently. To learn more, go to http://www.scadafence.com

About CDM InfoSec Awards

This is Cyber Defense Magazine’s eighth year of honoring InfoSec innovators. Our submission requirements are for any startup, early stage, later stage or public companies in the INFORMATION SECURITY (INFOSEC) space who believe they have a unique and compelling value proposition for their product or service. Learn more at http://www.cyberdefenseawards.com

About the Judging

The judges are CISSP, FMDHS, CEH, certified security professionals who voted based on their independent review of the company submitted materials on the website of each submission including but not limited to data sheets, white papers, product literature and other market variables. CDM has a flexible philosophy to find more innovative players with new and unique technologies, than the one with the most customers or money in the bank. CDM is always asking “What’s Next?” so we are looking for Next Generation InfoSec Solutions.

About Cyber Defense Magazine

With over 5 million monthly readers and growing, and over 17,000 pages of searchable online infosec content, Cyber Defense Magazine, together with a sister magazine to be announced after the show, is the premier source of IT security information. We are managed and published by and for ethical, honest, passionate information security professionals. Our mission is to share cutting-edge knowledge, real-world stories and awards on the best ideas, products and services in the information technology industry. We deliver electronic magazines every month online for free, and special editions exclusively for the RSA Conference. CDM is a proud member of the Cyber Defense Media Group, a division of Ingersoll Lockwood. Learn more about us at http://www.cyberdefensemagazine.com and visit http://www.cyberdefensetv.com and http://www.cyberdefenseradio.com to see and hear some of the most informative interviews of many of these winning company executives.

As part of our mission to secure the world’s OT, IoT and Cyber Physical infrastructures, we invest resources into offensive research of vulnerabilities and attack techniques.

Ripple20 is a set of 19 vulnerabilities disclosed by the Israeli firm JSOF that affect millions of OT and IoT devices. The vulnerabilities reside in a TCP/IP stack developed by Treck, Inc. This stack is embedded by many manufacturers in the OT and IoT industries, so the vulnerabilities affect a tremendous number of devices.

Among the affected devices are Cisco routers, HP printers, Digi IoT devices, PLCs by Rockwell Automation and many more. Official advisories from vendors that have confirmed affected devices are listed in the “More Information” section.

The four most critical vulnerabilities are three that allow stable remote code execution (CVE-2020-11896, CVE-2020-11897, CVE-2020-11901) and one that leaks the contents of the target device’s heap memory to the attacker (CVE-2020-11898).

On behalf of our customers, we set out to explore the real impact of these vulnerabilities, which we’re now sharing with the public.

The research has been conducted by researchers Maayan Fishelov and Dan Haim, and has been managed by SCADAfence’s Co-Founder and CTO, Ofer Shaked.

Exploitability Research
We set out to check the exploitability of these vulnerabilities, starting with CVE-2020-11898 (the heap memory leak vulnerability), one of the 19 published vulnerabilities.

We created a Python proof-of-concept script based on JSOF’s official whitepaper for this vulnerability. According to JSOF, its trigger is very similar to that of CVE-2020-11896, the RCE vulnerability described in detail in the whitepaper. The whitepaper also notes about the RCE vulnerability: “Variants of this Issue can be triggered to cause a Denial of Service or a persistent Denial of Service, requiring a hard reset.”

Trial Results:
Test 1 target: Samsung ProXpress printer model SL-M4070FR firmware version V4.00.02.18 MAY-08-2017. This device is vulnerable according to the HP Advisory.

Test 1 result: The printer’s network stack crashed and a hard reset was required to recover. We were unable to reproduce the heap memory leak as described; on this specific printer the vulnerability would be classified as an unauthenticated remote DoS instead.

Test 2 target: HP printer model M130fw. This device is vulnerable according to the HP Advisory.

Test 2 result: Although reported as vulnerable by the manufacturer, we were unable to reproduce the vulnerability, and we believe this device is not affected by it. We believe that is because the IP-in-IP tunnelling feature is not enabled on this printer, which we verified with a specially crafted packet.

Test 3 target: Undisclosed at this stage due to disclosure guidelines. We will reveal this finding in the near future.

Test 3 result: We found an unreported vendor and device on which CVE-2020-11898 can be used to remotely leak 368 bytes from the device’s heap, disclosing sensitive information. No patch is available for this device. In line with our strict policy of following Google’s responsible disclosure guidelines, we have reported this to the manufacturer so that a patch can be made available before the publication date.

Key Takeaways
We’ve confirmed the exploitability of these vulnerabilities on our IoT lab devices.

On the negative side: the vulnerabilities exist on additional products that are unknown to the public. Attackers are likely to use this information gap to attack networks.
On the positive side: some devices that their manufacturers report as affected are in fact not affected, or are affected differently (for example, a DoS instead of an information leak). Attackers may therefore have to tailor their exploits to specific products, which raises the cost of exploitation and means a single exploit cannot be used blindly against every product listed as vulnerable.

SCADAfence Research Recommendations
  • Check your asset inventory and vulnerability assessment solutions for unpatched products affected by Ripple20. The SCADAfence Platform builds an asset inventory with product and software versions, passively and actively, and lets you manage CVEs across all embedded and Windows devices.
  • Prioritize patching or other mitigation measures based on exposure to the internet, exposure to insecure networks (the business LAN and others), and the criticality of the asset. This prioritization can be obtained automatically from tools such as the SCADAfence Platform.
  • Detect exploitation based on network traffic analysis. The SCADAfence Platform detects use of these exploits by searching network activity for patterns in the TCP/IP communications that indicate the vulnerability is being triggered.
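
Two things this report mentions but does not show are the “specially crafted packet” used in test 2 to check whether a device decapsulates IP-in-IP (IP protocol 4), and what a network-traffic check for this kind of exploitation can look like. The Python below is an added example, not SCADAfence’s PoC script and not JSOF’s code. It builds an IP-in-IP probe carrying an inner ICMP echo request (a target that decapsulates the tunnel answers the inner echo, one that does not drops the packet) and an inspector that flags tunnelled IPv4 traffic from hosts that are not known tunnel endpoints, fragmented tunnel traffic, and inner packets whose declared length disagrees with the bytes actually carried. The hosts, marker string and sample packets are constructed for the example; sending the probe needs a raw socket and authorization to test the device; and the length check is a generic consistency heuristic, not the exact trigger of CVE-2020-11898, which this report does not describe.

```python
"""IP-in-IP probe builder and traffic inspector.

Added example; not SCADAfence's PoC.  Hosts, marker and sample packets are
constructed.  The inner-length check is a heuristic, not the CVE trigger.
"""
import socket
import struct

IPPROTO_ICMP = 1
IPPROTO_IPIP = 4   # IP-in-IP encapsulation (RFC 2003)


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                ident: int = 0x1234, flags_frag: int = 0) -> bytes:
    """20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def icmp_echo(ident: int, seq: int, data: bytes) -> bytes:
    """ICMP echo request (type 8) with a correct checksum."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return hdr[:2] + struct.pack("!H", ip_checksum(hdr + data)) + hdr[4:] + data


def build_ipip_probe(src: str, dst: str, marker: bytes = b"ipip-probe",
                     inner_len_delta: int = 0) -> bytes:
    """Outer IPv4/proto-4 packet wrapping an inner IPv4/ICMP echo request.

    Send from a raw socket (root and authorization needed) and watch for an
    echo reply: only a device that decapsulates IP-in-IP will answer.
    inner_len_delta != 0 makes the inner header's total length disagree with
    the bytes carried, to produce a sample for the inspector below.
    """
    icmp = icmp_echo(0xBEEF, 1, marker)
    inner = ipv4_header(src, dst, IPPROTO_ICMP, len(icmp) + inner_len_delta) + icmp
    return ipv4_header(src, dst, IPPROTO_IPIP, len(inner), ident=0x4242) + inner


def parse_ipv4(pkt: bytes):
    """(header dict, payload) for a well-formed IPv4 packet, else None."""
    if len(pkt) < 20:
        return None
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, dst = fields
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        return None
    hdr = {"total_len": total_len, "proto": proto,
           "fragmented": bool(flags_frag & 0x2000) or bool(flags_frag & 0x1FFF),
           "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
           "checksum_ok": ip_checksum(pkt[:ihl]) == 0}
    return hdr, pkt[ihl:]


def inspect_ipip(pkt: bytes, tunnel_endpoints=frozenset()) -> list:
    """Alert strings for one captured IPv4 packet; empty list means nothing to report.

    IP-in-IP is rare on OT/IoT segments, so a tunnelled packet from a host that
    is not a known tunnel endpoint is itself worth an alert.
    """
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return ["malformed outer IPv4 header"]
    outer, payload = parsed
    if outer["proto"] != IPPROTO_IPIP:
        return []
    alerts = []
    if outer["src"] not in tunnel_endpoints:
        alerts.append("IP-in-IP from unexpected source %s -> %s" % (outer["src"], outer["dst"]))
    if outer["fragmented"]:
        alerts.append("fragmented IP-in-IP packet")
    inner = parse_ipv4(payload)
    if inner is None:
        alerts.append("IP-in-IP payload is not a valid IPv4 packet")
    elif inner[0]["total_len"] != len(payload):
        alerts.append("inner total_len %d != %d bytes carried"
                      % (inner[0]["total_len"], len(payload)))
    return alerts


# Constructed sample traffic (not captured from any real device).
PROBE = build_ipip_probe("10.0.0.5", "10.0.0.20")
INCONSISTENT = build_ipip_probe("10.0.0.5", "10.0.0.20", inner_len_delta=-8)

if __name__ == "__main__":
    for name, pkt in (("probe", PROBE), ("inconsistent", INCONSISTENT)):
        print(name, len(pkt), "bytes:", inspect_ipip(pkt) or "no alerts")
```

The inspector is deliberately coarse: in a building-management or plant network there is normally no legitimate reason for protocol-4 traffic at all, so alerting on its mere presence from an unknown source catches probing and exploitation attempts alike without needing a byte-exact signature of the trigger. Feed it IPv4 frames from a capture (strip the Ethernet header first) and pass the addresses of any sanctioned tunnel endpoints to keep the noise down.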
If you have any questions or concerns about Ripple20, please contact us and we’ll be happy to assist you and share our knowledge with you or with your security experts.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.
