Hey, I’m SCADAGirl.

I’m a cybersecurity superhero that ensures that OT & IoT networks are safe.

Here is my commentary on the latest headlines in OT & IoT security.

ICS Advisory (ICSA-20-240-01) Red Lion N-Tron 702-W, 702M12-W

 SCADAfence Research – ICS Ethernet Switches used in Industrial Networks by manufacturer Red Lion are exposed to Remote Command Injection. The switches types are 702-W and 702M12-W. Read More 

---

Critical Vulnerabilities Expose MoFi Routers to Remote Attacks

 SCADAfence Research  – IOT Routers made by MoFi network are vulnerable to Remote Code Execution vulnerabilities. The series affected is MOFI4500, which includes several routers which includes WIFI and 4g capabilities. Companies utilizing such routers for mobile or remote connectivity should check their devices for updates. Read More

---

BLURtooth Vulnerability Lets Attackers Defeat Bluetooth Encryption

SCADAfence Research – IOT BLURtooth vulnerability exposes new generations of bluetooth-enabled devices to MITM attacks. Academic researchers have discovered that certain implementations of Bluetooth 4.0 to 5.0 suffer from weak key generation and thus allow MITM to take place. Read More

---

Netwalker Ransomware Hits Pakistan’s Largest Private Power Utility

SCADAfence Research – Netwalker Ransomware hits the largest private power company in Pakistan. The ransomware caused disruption in billing and online services. Read More 

---

Windows Zerologon PoC Exploits Allow Domain Takeover. Patch This Now!

SCADAfence Research – A PoC was released for the Zerologon vulnerability, which allows attackers to gain Domain Admin privileges and take over windows domain environments. The vulnerability CVE-2020-1472 was patched by Microsoft in the last August update. The vulnerability occurs when an attempt to login as a domain administrator is made, and a spoofed response is sent to the client telling the login succeeded. The vulnerability relies on the fact that it is possible to fallback to unencrypted RPC, and after that, using a security flaw found in Netlogon AES-CFB8 cryptographic negotiation. Please read more for the full article & the POC code. Read More 

---

Ransomware Attack at German Hospital Leads to Death of Patient

 SCADAfence Research – Ransomware attack at a German hospital leads to the death of a patient. The ransomware attack lead to the situation where emergency care could not occur at the hospital, and a patient in a life-threatening condition died after being forced to go to a more distant hospital. Read More

---

ICS Advisory (ICSA-13-011-01)

 SCADAfence Research – Devices running CoDeSys are vulnerable to read/write any files on devices running it. Also devices running CoDeSys require no authentication by default, making attackers able to change the device configuration. Read More

---

The Windows XP Source Code Was Allegedly Leaked Online

 SCADAfence Research – Windows XP Source code was leaked online, and can be downloaded by a torrent. The leaked source code may help attackers find new, yet unknown, vulnerabilities in, even new, Windows operating systems. Read More 

---

Ransomware Hits US-Based Arthur J. Gallagher Insurance Giant

 SCADAfence Research – US-based Arthur J. Gallagher (AJG) global insurance brokerage and risk management firm confirmed a ransomware attack that hit its systems. Read More 

---

UHS Hospitals Hit by Reported Country-Wide Ryuk Ransomware Attack

 SCADAfence Research – UHS hospitals hit by reported country-wide Ryuk ransomware attack, shutting down a few of its hospitals.

“After 1min or so of this the computers logged out and shutdown. When you try to power back on the computers they automatically just shutdown. “We have no access to anything computer based including old labs, ekg’s, or radiology studies. We have no access to our PACS radiology system.” Read More

As industrial systems become increasingly connected to IT, Cloud and ERP systems, they become increasingly exposed to cyber threats such as ransomware. In fact, cyber threats for industrial control systems (ICS) are on the rise.

Asset owners are often operating legacy equipment, which contains a large number of vulnerabilities, including unpatched industrial devices, unsupported operating systems like Windows XP and Windows 7, and others. Although this equipment may be productive for now, it is not secure, and the level of risk rises with time.

SCADAfence runs into these problems constantly with their customers as their industrial cybersecurity products were designed to help their users get through these security obstacles, such as aging equipment, the adoption of IIoT devices in Industry 4.0, and visibility gaps. As SCADAfence helps their customers drive their security and regain control over their network, here are some of the problems that they see in their industrial environments.

The Challenges SCADAfence Sees In Industrial Networks Today

Asset management is often managed with cumbersome Excel sheets, which is often inaccurate, and outdated. Security teams and OT operators need to know about real-time deviations in network traffic to account for cyberattacks like Malware or Ransomware, which can spread in minutes.

When having SCADAfence installed passively in their network, their customers often discover tens to hundreds of “shadow” OT devices or devices that the operators didn’t know existed. Even worse, many of the unaccounted for devices may be connected to the internet.

Four Ways to Solve These Constant Industrial Network Challenges

1. Maximum Rate Bandwidth for Increased Data Analysis  The SCADAfence Platform was built to handle large amounts of traffic. Utilizing Garland Technology’s visibility solutions, they read every bit, byte, and packet using full deep packet inspection (DPI) to have the highest detection rate in the industry. Most industrial network monitoring platforms don’t have the bandwidth to process this sizable data.

2. Setting an Operational Baseline with Advanced AI Capabilities  SCADAfence also offers a unique Micro Granular Baseline technology. This technology learns every device’s granular traffic characteristics. Providing the most accurate detection mechanism, this unique technology helps their customers to dramatically reduce false-positives without the need to reconfigure the baseline, even with operational changes. Customers gain precise and reliable results in hours vs weeks, with continuous intelligence utilizing advanced AI capabilities.

3. Instant Analytics and Reporting for Governance and Compliance   The SCADAfence Governance Portal, provides fully automated compliance dashboards and detailed compliance reports, which allows their customers to view status trends and comparisons over time. These accurate and up-to-date compliance status are based on real network traffic data analytics that tracks and measure industrial regulations and organizational best practices.

This is especially important to critical infrastructures, which have to meet certain frameworks and compliances to work under the correct guidelines. This tool ensures that their customers can remain fully compliant with industrial standards such as NERC-CIP, IEC-62443, NIST, ISO-27001, NIS NCSC, NIST CSF, and others – including internal policies that can be set up by their own organizations.

Taking in the packet traffic from Garland’s network TAPs, SCADAfence’s stand-alone monitoring will passively scan the traffic from every appliance with the utmost industry standards. Users can choose the industry standard that they want to be compliant with and the Governance Portal will show updated real-time reports in clear detail. SCADAfence finds that their customers find this incredibly valuable and time-efficient.

4. 100% Packet-level Network Visibility with Garland Technology  It’s very important with a network monitoring solution to not be intrusive in your OT process. SCADAfence offers continuous passive OT network monitoring that provides visibility, automatic asset discovery, inventory management, risk management, and threat detection is needed to capture the current operational behavior of the environment.

Generating 100% packet-level visibility with Garland’s visibility solution, SCADAfence is able to render critical insights to detect and provide alerts on cybersecurity and operational incidents like suspicious activities, exposures, malware attacks, and operational alerts such as service availability, and misconfigurations. This allows users to gain unique visibility into remote access connections and correlate OT actions to IT accounts.

For more information visit the Garland Technology and SCADAfence joint solution.  Looking to add visibility to your industrial environment, but not sure where to start?  Join us for a brief network Design-IT consultation or demo. No obligation – it’s what we love to do.

The original post can be found on garlandtechnology.com

It is hard to think of another facility more crucial than power distribution facilities, which control everything from turning on the lights in homes to running critical infrastructure systems. The US Institute for Critical Infrastructure Technology (ICIT) recently labelled what it terms ‘disruptionware’ in the context of an attack on a national energy grid as “a weapon of mass destruction.”

Western countries have been concerned about the threat of cyber-attacks crippling energy grids ever since the Russian targeting of the Ukrainian power grid in 2015 and, more recently, indictments by the US Department of Justice against two Chinese threat actors for targeting groups including a Department of Energy site.

The same group that targeted the Ukrainian grid, named as Dragonfly or Energetic Bear, was subsequently alleged to have been responsible for numerous other attacks on energy facilities, including a major attack on the UK power grid, which only came to light as a result of a leaked memo from GCHQ and the UK National Grid, has been on high alert for cyber-attacks since the start of the COVID-19 crisis.

Yet these vital facilities are not only poorly protected when compared to many other types of organization, but are also becoming increasingly vulnerable to cyber-attacks. Threats such as Trisis, Industroyer and BlackEnergy are now increasingly deployed in order to exploit a growing number of glaring vulnerabilities within power distribution systems.

The push to modernize power distribution facilities has brought in its wake a host of new entry points for threat actors to exploit. The rapid shift to smart grids means that utilities are now adding tens of thousands of largely unprotected devices such as new sensors, controllers, relays and meters.

Existing perimeter security is currently largely incapable of controlling all entry points to the network; once any one of these is bypassed, attackers can access a wide range of assets and remain undetected for long periods of time. Increasing connectivity of OT networks to remote sub-stations as well as to organizational systems also brings with it a host of vulnerable and often unsecured entry points.

Automation components, such as programmable logic controllers (PLCs) function via microprocessors and contain function-specific software programming. They also have management and communications capabilities running over network paths. These have been a major target for cyber-attacks as a means of gaining access to control systems.

Legacy industrial control system (ICS) protocols such as Modbus and DNP3, commonly used throughout power systems, have little or no security measures and lack authentication capabilities. These can easily be intercepted, spoofed or altered – potentially causing a dangerous event in the operations environment.

Like many other utilities, power distribution organizations also increasingly rely on remotely accessible equipment and mobile devices. While this has an immediate payback in terms of efficiency and convenience, it has also created vulnerabilities stemming from unsecure access or from connection to critical systems via remote tools and devices.

Coming from a world of stand-alone secure systems, many vendors of ICS systems also unwittingly create ‘backdoor’ access to devices and software, which are easy to exploit. Some vendors are even known to threaten to void equipment warranties should their products be reconfigured from the original factory settings by changing passwords or installing unapproved security packages.

The absence of constant network monitoring systems in most OT networks means that many utilities cannot even obtain basic forensic data related to cyber intrusions and attacks. This not only leaves such facilities vulnerable to financially motivated ransomware demands, but also to potentially devastating attacks from state-sponsored threat actors bent on causing physical destruction as well as economic damage.

Badly secured facilities mean that potentially highly destructive intrusions can sit on a power distribution network’s system undetected for months until they are triggered at a time calculated to cause maximum damage, possibly coinciding with other forms of attack or during a period of social unrest or national emergency such as the current COVID-19 crisis.

In order to protect against system abuse or cyber-attacks, power distribution networks must provide real-time monitoring across their newly-extended security perimeters in order to detect anomalous and non-authorized behavior while addressing both external and internal attack vectors.

source from:https://www.infosecurity-magazine.com/opinions/glaring-vulnerabilities-power

It’s true, the SCADAfence Governance Portal can now connect to any third-party application through Syslog or rest-API and we’re providing the entire on-boarding for free until the end of this year. (Details at the end of this blog post).

How You Can Use The Governance Portal

The SCADAfence Governance Portal, first introduced in 2019, has been developed for IT & OT users to enable real-time compliance monitoring across the entire organization and remote site, and to assure compliance with regulations and standards such as NERC-CIP, IEC-62443, NIST, ISO-27001, NIS NCSC, NIST CSF, and others.

Earlier this year, the SCADAfence Governance Portal was enhanced to allow you to extend your compliance automatic coverage by receiving inputs from external tools directly to the Governance Portal.

The SCADAfence Governance Portal had just become your very own full organizational OT/IT Governance & Compliance management system. You can now manage all inputs from your entire security, management and orchestration tools in a central location and get real time compliance status for all of your sites.

How You Can Connect The Governance Portal To Third-Party Applications

It’s easier than you think. 

You configure your external tool to send out the relevant information to the SCADAfence Governance Portal, and it will automatically add this new information to the process of compliance calculation. 

That’s it. 

You immediately enjoy extended coverage in areas that cannot be measured based on network traffic data. For instance, you can easily set up your Endpoint definitions to send alerts when outdated virus definitions are detected or receive inputs from your firewall on blocked traffic.

The Main Benefits Of Using The SCADAfence Governance Portal:

• It’s a multi-site regulatory and policy compliance framework for your organization.
• It’s a compliance policy manager – you can define your own policy and measure your organization based on it.
• You get real-time compliance dashboards – these are automatically created and available at all times for immediate compliance visibility.
• You have detailed reports – you can even drill down into each site and into each improvement opportunity.

The Look & Feel Of The Compliance Score Dashboards

Ultimately, the SCADAfence Governance Portal offers a one-of-a-kind solution which can help you to increase your readiness and compliance for organizational policies and regulatory compliance by performing automatic regulatory assessments based on real network traffic data.

The automatic compliance score calculation provides ready-to-use compliance dashboards and reports which enables end-to-end management of the compliance process as well as gradual enforcement process with flexible policy options.

 

How To Get The SCADAfence Governance Portal For Free Until 2021

Want to get it for your organization risk-free? Just click this link and fill in your details: https://l.scadafence.com/schedule-a-demo-governance

We will then provide you with full on-boarding for the Governance Portal for free, from October 1st until December 31st 2020.

A Shocking Flaw

Here’s an all too often overlooked item in the security architecture of industrial networks.

Below is a diagram of an industrial network architecture we’ve seen in a number of places.

In the diagram, a PLC with multiple network interfaces, in this case a PROFINET-enabled Siemens S7-300 or a S7-1500, is used to connect to the SCADA network on one side, and on the other side – to the I/O network.

Let’s imagine the following scenario:

1. An attacker has gained access to a host in the SCADA network (10.0.0.x).
2. The attacker wants to directly attack the I/O devices at 192.168.0.x, in order to sabotage the industrial process.

The question is: What should the attacker do in order to reach the I/O devices?

Think about it, then scroll down to see the answer.

Here’s the diagram of the industrial network architecture:

If you answered “nothing”, that’s the correct answer.

The S7-300, S7-1500 and other controllers with multiple network interfaces are sometimes used to “separate” the SCADA and I/O networks.

However, there is no such separation. If you use this feature, from the perspective of the SCADA network, there’s full L2+ access to the I/O network, and vice-versa.

The PROFINET interface on the S7-1500 (for example, the S7-1511 PN model) is a network switch, allowing anyone from the SCADA network full access to the I/O network, and vice versa.

From the perspective of the attacker, the network is completely flat.

As documented in the manual entry for the S7-1500 PROFINET-enabled CPU:

Source: Siemens, S7-1500 CPU 1511-PN Manual

And as documented in the manual entry for the S7-300 PROFINET-enabled CPU:

Source: Siemens, S7-300 CPU 319-3 PN/DP Manual

How Cyber Attackers Manipulate this Flaw

All an attacker has to do in order to access the I/O network directly, is to take a device in the SCADA network, add an IP address in the I/O network and then communicate with the field devices (in the I/O network) over any protocol they choose (Ethernet, IP, TCP, UDP, ICMP, etc).

This means that for example, if you have PROFINET I/O modules running on the I/O network, they’re accessible from ANY IP on the SCADA network, both by L2 (direct Ethernet) and by L3 (IP).

If you use this topology and you trust the I/O network to be separate from the OT network, this is a major flaw in your architecture.

How to Check if your I/O Field Network is Accessible From your SCADA Network

1. Perform the test during maintenance windows or in production with caution. Contact SCADAfence support if you need help.
2. Find out what is the IP range for your I/O network / fieldbus.
3. Select an IP address that’s not in use, in the I/O network range.
4. Change the IP of a test machine in the SCADA network using the following command:

netsh int ipv4 add address "Local Area Connection" 192.168.0.253 255.255.255.0

1. Then, ping an I/O controller, a sensor, a PLC, or any other IP that answers pings in the I/O network. If you got a response back, your I/O network is flat together with your SCADA network.

How to Discover These Vulnerabilities Automatically

This flawed design has been discovered by the SCADAfence Platform: The platform has been used to monitor both the SCADA and I/O networks of a certain industrial facility. Although the I/O network was supposed to be segmented from the SCADA network, in the sensor installed in the SCADA network, the SCADAfence security teams have seen broadcasts originating from the I/O network. When the SCADAfence security teams inspected the topology further, they discovered that in contradiction with what the system integrator and OT team believed – the networks were connected and were completely flat.

How Many Networks are Separating Between I/O and SCADA Using A Network Switch?

For the purpose of this research, it was a network misconfiguration that the SCADAfence platform helped uncover. Nonetheless, this question is very important for OT & IoT network security.

This network architecture flaw is a very clear example of how network packet analysis is a fundamental technology for the security of OT and IoT networks.

If you want to try out the SCADAfence Platform and uncover all of the vulnerabilities in your OT network, we will be glad to help you. Book your free demo here: https://l.scadafence.com/schedule-a-demo-scadafence

Hey, I’m SCADAGirl.

I’m a cybersecurity superhero that ensures that OT & IoT networks are safe.

Here is my commentary on the latest headlines in OT & IoT security.

ICS Advisory (ICSA-20-224-04) Siemens SCALANCE, RUGGEDCOM 

SCADAfence Research – Siemens SCALANCE and RUGGEDCOM switches, as well as security network segmentation devices are exposed to a Remote Code Execution vulnerability. A successful exploitation can significantly lower the security of the target organization’s network by allowing attackers to access OT networks that are supposed to be protected by those devices.

Additionally, Siemens Desigo CC Windows Application, which is designed for controlling and programming Building Management Systems (BMS) is vulnerable to a Remote Code Execution vulnerability. A successful exploitation may result in the attackers controlling or sabotaging the BMS system.

Bugs in HDL Automation Expose IoT Devices to Remote Hijacking

SCADAfence Research  – New vulnerabilities were discovered in an automation system for smart homes and buildings that allowed taking over accounts belonging to other users and control associated devices. The vulnerabilities found in those devices might allow attackers to take control of the building’s air conditioning system, lightning and more. For more on BMS security, click here.

Vulnerable Perimeter Devices: A Huge Attack Surface

SCADAfence Research – JSOF, a local team of cybersecurity researchers, released the second whitepaper on their DNS client exploitation vulnerability (CVE-2020-11901) that got CVSS score of 9.1. This was the vulnerability that was demonstrated in their video. They show this vulnerability to be really severe but in my opinion it is less severe than they market it. The vulnerability is the DNS client of target devices. Because most of the affected devices don’t use DNS at all (i.e,PLCs / OT devices / Medical devices) generally use direct IP addresses to communicate – not DNS hostnames, thus it is not possible to attack them. Also, if some of them do send DNS queries, you have to be in some sort of MITM to see them and send them a response with an exploit.

The latest vulnerabilities in various gateway servers possess a threat to organizations who didn’t patch. Research shows the various gateways exposed to the internet – F5 Big-IP (1M devices), Citrix NetScalar Gateway (80K devices), Palo Alto Global Protect (60K devices), Microsoft Remote Desktop Gateway (40K devices), amongst others. For more on IoT security, click here.

ICS Advisory (ICSA-20-212-02) Mitsubishi Electric Multiple Factory Automation Engineering Software Products

SCADAfence Research – Numerous Mitsubishi Engineering Software Products are vulnerable to remote code execution and denial of service vulnerabilities – A total of 3 vulnerabilities were discovered. Among the software impacted are Mitsubishi’s PLC programming software GX Works2 and GX Works3. Also other network configuration software are impacted. Successful exploitation of this vulnerability may allow threat actors to take over engineering workstations. For more vulnerabilities that we found in Mitsubishi Electric products, click here.

ICS Advisory (ICSA-20-210-02) Softing Industrial Automation OPC

SCADAfence Research – A buffer overflow allowing Remote Code Execution influencing all Softing Industrial Automation OPC products (OPC servers for PLCs & networks) was discovered. OPC is a way of communication in OT networks, thus, successful exploitation may result in controlling the OPC servers. Attackers leveraging this can cause sabotage to industrial processes.

 

Overview

As the NSA urges companies to secure their industrial networks, two vulnerabilities were found in Schneider Electric Triconex SIS devices. Both of the vulnerabilities reside within the Tricon Communication Module (TCM) which connects the Triconex SIS to Ethernet networks. The first vulnerability (CVE-2020-7486) is a Denial of Service attack that causes the TCM to enter a fault state, and the latter (CVE-2020-7491), a more serious one, is a legacy debug port exposed to the network, that allows attackers to get root style privileges on the TCM, and upload malicious firmware to it.

While the vulnerabilities themselves are severe, exploiting them will not directly impact the SIS operation. In case of a failure in a plant, SIS operations will work normally. 

Most SIS devices use the key switch methodology, where a physical switch controls the state of the SIS. When the SIS is operating normally, this switch should be in the ‘Run’ state. In order to harm the SIS from the TCM by uploading malicious code to it, the SIS key switch must first be physically changed to ‘Program’ or ‘Remote’.

 

Hiding Malicious Activity, As Seen In Stuxnet

Leveraging CVE-2020-7491, an attacker can write its own firmware to the TCM. Because the TCM resides between the SIS and the OT Ethernet network, malicious code installed on it TCM can be used to hide or modify activity sent or received by the SIS.

SIS HMIs are usually connected to the Ethernet network. These HMIs can be fed incorrect information from the TCM module, causing fake SIS data to be displayed in the HMI. 

Moreover, the TCM could hide the malicious code blocks from the programming software, rendering it undetected from engineers. 

Similar practices have been seen in the past in the Stuxnet campaign, hooking network code to hide malicious activity. A rootkit was installed on PCs with engineering software and a part of its operation was to hide the infected PLC code blocks from being seen in the programming software.
Moreover, Stuxnet prevented operators from noticing its set of instructions sent to peripheral devices (centrifuges, etc) by hiding those instructions from the process image output. These monitoring and HMIs devices were fed incorrect information showing that the PLCs are functioning normally, and no out of the ordinary instructions were sent to them.

 

Mitigation Recommendations

1. There are countless vulnerabilities in industrial equipment, and more vulnerabilities are discovered every day. A safety net in the form of a passive, industrial network traffic monitoring system (such as the SCADAfence Platform), will be able to slow down all attacks, enabling you to respond, and will detect most attack vectors. Such products increase the cost of an attack, in a way that makes the attack irrelevant for most attackers. See our webinar on Efficient Industrial Cyber Security Programs for more information.
2. Update the TCM modules using the latest firmware from Schneider Electric. Updates can be found in the official advisory – Legacy Triconex  Product Vulnerabilities
3. Make sure SIS devices are behind a firewall and only communicating in ports they should communicate in. Both vulnerabilities were found in undocumented services communicating on non standard ports.

 

Overview

As the NSA urges companies to secure their industrial networks, two vulnerabilities were found in Schneider Electric Triconex SIS devices. Both of the vulnerabilities reside within the Tricon Communication Module (TCM) which connects the Triconex SIS to Ethernet networks. The first vulnerability (CVE-2020-7486) is a Denial of Service attack that causes the TCM to enter a fault state, and the latter (CVE-2020-7491), a more serious one, is a legacy debug port exposed to the network, that allows attackers to get root style privileges on the TCM, and upload malicious firmware to it.

While the vulnerabilities themselves are severe, exploiting them will not directly impact the SIS operation. In case of a failure in a plant, SIS operations will work normally. 

Most SIS devices use the key switch methodology, where a physical switch controls the state of the SIS. When the SIS is operating normally, this switch should be in the ‘Run’ state. In order to harm the SIS from the TCM by uploading malicious code to it, the SIS key switch must first be physically changed to ‘Program’ or ‘Remote’.

 

Hiding Malicious Activity, As Seen In Stuxnet

Leveraging CVE-2020-7491, an attacker can write its own firmware to the TCM. Because the TCM resides between the SIS and the OT Ethernet network, malicious code installed on it TCM can be used to hide or modify activity sent or received by the SIS.

SIS HMIs are usually connected to the Ethernet network. These HMIs can be fed incorrect information from the TCM module, causing fake SIS data to be displayed in the HMI. 

Moreover, the TCM could hide the malicious code blocks from the programming software, rendering it undetected from engineers. 

Similar practices have been seen in the past in the Stuxnet campaign, hooking network code to hide malicious activity. A rootkit was installed on PCs with engineering software and a part of its operation was to hide the infected PLC code blocks from being seen in the programming software.
Moreover, Stuxnet prevented operators from noticing its set of instructions sent to peripheral devices (centrifuges, etc) by hiding those instructions from the process image output. These monitoring and HMIs devices were fed incorrect information showing that the PLCs are functioning normally, and no out of the ordinary instructions were sent to them.

 

Mitigation Recommendations

1. There are countless vulnerabilities in industrial equipment, and more vulnerabilities are discovered every day. A safety net in the form of a passive, industrial network traffic monitoring system (such as the SCADAfence Platform), will be able to slow down all attacks, enabling you to respond, and will detect most attack vectors. Such products increase the cost of an attack, in a way that makes the attack irrelevant for most attackers. See our webinar on Efficient Industrial Cyber Security Programs for more information.
2. Update the TCM modules using the latest firmware from Schneider Electric. Updates can be found in the official advisory – Legacy Triconex  Product Vulnerabilities
3. Make sure SIS devices are behind a firewall and only communicating in ports they should communicate in. Both vulnerabilities were found in undocumented services communicating on non standard ports.

SigRed Overview

SigRed is a vulnerability that was exposed yesterday (July 14th 2020) by the security firm Check Point. Successful exploitation of the vulnerability could lead to a malicious actor gaining control of the organizational DNS server, often leading in turn to domain administrator privileges, allowing the attacker complete control of any domain-joined Windows machine.

The vulnerability lies in Microsoft’s DNS server and could be triggered from either inside the network, by an attacker controlling an internal asset, or, in some conditions (as stated below), from outside the network, making it even more dangerous.

As Microsoft Active Directory is deeply integrated with DNS services, the DNS service is virtually always enabled on domain controllers. An attacker gaining control of a domain controller through the DNS service could lead to a complete compromise of the network, allowing the attacker complete access to all Windows machines joined to the domain, whether patched or not, using the domain administrator privileges of the compromised domain controller. Even if the compromised DNS server does not serve as a domain controller, It is likely that the Domain administrator credentials are stored locally and can be retrieved by a tool such as Mimikaktz. Furthermore, the attacker is also able to return custom responses to DNS, allowing man-in-the-middle for unencrypted protocols, such as HTTP, FTP and others.

Exploitation Methods

The precondition for this exploit is that the local organization’s DNS server is configured to recursively resolve queries to external domains using root-hints. This configuration is the default configuration when the DNS service is installed.

Exploitation is either impossible or further complicated in the following cases:

1. The DNS server is an authoritative server of a DNS zone and does not recursively resolve queries to other domains.
2. The DNS server is part of an independent DNS infrastructure, such as an air-gapped network. In such a case, the attacker will need either write access to the DNS server or existing control over an authoritative DNS server serving an arbitrary zone on the network.
3. The DNS server is configured to use a forwarder server (such as 8.8.8.8 or 1.1.1.1) instead of directly using root hints. In such a case, the attacker will need to propagate the attack through the chain of recursive calls, which has not yet proven possible but cannot be completely discarded.

The vulnerability can be exploited in two ways:

1. From inside the network:
   An attacker that has a hold of an asset inside the network, can compromise the organization’s local DNS server by sending queries for external domain records which are controlled by the attacker (e.g. http://www.evil.com). Such a request will cause the local DNS server to communicate directly with the attacker’s DNS server. A malicious crafted response from the attacker’s server could lead the attacker to compromise the local DNS server.
2. From outside the network:
   An attacker can send a malicious link to a user inside the network to a website it controls (via e-mail, for example). Once the user opens the link in either Microsoft Edge Legacy or Internet Explorer (does not apply to Google Chrome, Mozilla Firefox or Microsoft Edge Chromium, not tested on other browsers), a malicious web page is sent back to the client that causes the client itself to perform a series of DNS queries to the local organization’s DNS server, that in turn, would query the attacker’s DNS server, at which point the DNS server can be compromised in the same manner as presented above.

 

Exploitability in OT Networks

Most OT networks have Windows endpoints that are used for process control, technical maintenance and others. An attacker successfully exploiting this vulnerability from either inside or outside the network can gain domain administrator privileges, allowing full access to all domain-joined workstations and servers even if already patched.
At this point, the attacker will be able to install ransomware, malware, steal information, disrupt OT operations and/or access any machine in the domain for any purpose.

As many OT networks are slower to patch systems than IT networks, they are exposed for a longer period of time, allowing attackers to exploit this vulnerability. As a successful exploitation often results in domain administrator privileges, a single unpatched DNS server is sufficient to compromise the entire network, even if all other DNS servers are already patched.

Mitigation Recommendations

Microsoft has released a patch (July 14th 2020) to the vulnerability. We urge everyone to update their Microsoft Windows Servers as soon as possible.

If for any reason one is unable to currently patch its Windows Servers, running the following command would limit the DNS response size to 0xFF00 (65280), and will prevent the vulnerability from running

 

reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters” /v “TcpReceivePacketSize” /t REG_DWORD /d 0xFF00 /f && net stop DNS && net start DNS