Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label PLCs. Show all posts

Ewon Cosy+ Industrial Devices Vulnerable to Serious Security Exploits


 

Recently, severe security flaws were identified in the Ewon Cosy+ industrial remote access devices, which could allow attackers to gain complete control over the systems. This vulnerability presents a serious risk, as it could lead to unauthorised access, allowing attackers to decrypt sensitive data, steal credentials, and hijack VPN sessions to launch further attacks on industrial networks.

Root Access Exploits and VPN Session Hijacking

Security researcher Moritz Abrell from SySS GmbH brought these critical vulnerabilities to light during a presentation at DEF CON 32. The identified flaws could enable attackers to achieve root-level access on Ewon Cosy+ devices, providing them with the ability to decrypt protected firmware and data, such as passwords stored in configuration files. More alarmingly, attackers could obtain valid VPN certificates, enabling them to take over VPN sessions, thereby compromising the security of both the devices and the connected industrial networks.

Ewon, in response to these findings, issued a security update on July 29, 2024, which addresses these vulnerabilities in the latest firmware versions. The update tackles several issues, including data leaks through cookies, cross-site scripting (XSS) vulnerabilities, and improper encryption practices. Notably, the update fixes critical issues such as the ability to execute processes with elevated privileges and vulnerabilities that could allow attackers to inject malicious code.

How the Vulnerabilities Were Exploited

The Ewon Cosy+ system relies on a VPN connection that is managed through a platform called Talk2m, which uses OpenVPN for secure communication. Researchers found that it was possible to exploit a command injection vulnerability within the system, allowing unauthorised access to the device. Additionally, a persistent XSS vulnerability was discovered, which could be used to gain administrative control.

One particularly troubling vulnerability involved the storage of session credentials in an unprotected cookie, encoded in Base64. This flaw allows an attacker to gain root access by simply waiting for an administrator to log in to the device. With root access, attackers can install persistent threats, extract encryption keys, and decrypt sensitive firmware files. The presence of a hard-coded encryption key within the system further heightens the risk, as it can be used to extract even more sensitive data.

Risk of VPN Session Takeover

Among the concerning risks associated with these vulnerabilities is the possibility of VPN session hijacking. The Ewon Cosy+ devices communicate with the Talk2m platform via HTTPS, using mutual TLS (mTLS) for authentication. However, the system's reliance on the device's serial number for generating Certificate Signing Requests (CSR) poses a security flaw. An attacker could exploit this weakness by creating a CSR with a serial number matching the target device, thereby hijacking the VPN session and rendering the original device inaccessible.

Once the VPN session is taken over, the attacker can reroute the connection to their infrastructure, potentially intercepting critical data, such as programmable logic controller (PLC) programs, which are essential to the operation of industrial systems.

This is a reminder of the challenges faced in securing industrial remote access solutions. The potential for attackers to gain root access and hijack VPN sessions could have devastating consequences, not only for the individual devices but also for the wider industrial networks they are connected to.

Organisations using Ewon Cosy+ devices are strongly urged to apply the recommended firmware updates immediately and review their security protocols to minimise the risk of exploitation. Regular updates and stringent security practices are essential to protecting industrial systems from the developing threat of cyberattacks.

As attackers continue to exploit weaknesses in remote access tools, it is critical for companies to remain proactive in securing their systems. By addressing these vulnerabilities promptly and ensuring their systems are up to date, organisations can protect their infrastructure from the risks posed by these security flaws.


Web-Based PLC Malware: A New Frontier in Industrial Cybersecurity Threats

 

The increasing prevalence of programmable logic controllers (PLCs) featuring embedded web servers has opened avenues for potential catastrophic remote attacks on operational technology (OT) within industrial control systems (ICS) in critical infrastructure sectors. 

Researchers from the Georgia Institute of Technology have developed malware that could enable adversaries to remotely access embedded web servers in PLCs, potentially leading to manipulation of output signals, falsification of sensor readings, disabling safety systems, and other actions with severe consequences, including loss of life. PLCs are integral components of ICS, responsible for controlling physical processes and machinery in manufacturing, industrial, and critical infrastructure settings. 

Malware targeting PLCs typically aims to disrupt or sabotage the physical processes they control. The newly developed web-based PLC malware differs fundamentally from traditional PLC malware. Unlike previous versions that required prior physical or network access, the web-based malware attacks the front-end web layer in PLCs using malicious JavaScript. 

This approach eliminates some limitations faced by previous malicious code, providing advantages such as platform independence, ease of deployment, and higher levels of persistence. Historically, PLC malware-infected firmware or control logic, requires specific access or is easily erasable via factory resets. The web-based malware targets the web layer, making it fundamentally different and more challenging to mitigate. 

The outcomes of cyberattacks using this new strain of malware mirror those of previous successful PLC attacks, including the infamous Stuxnet campaign that targeted Siemens PLCs to dismantle high-speed centrifuges at Iran's Natanz uranium enrichment facility. While other attacks, such as BlackEnergy, Triton/Trisis, and INCONTROLLER, have demonstrated the potential damage to systems controlling physical processes, the Georgia Tech researchers' web-based PLC malware offers a more persistent and easier-to-deploy method. 

The researchers conducted a proof-of-concept cyberattack in a scenario resembling a Stuxnet-like attack on a widely used PLC controlling an industrial motor. The PLC featured a web-based interface for remote monitoring, programming, and configuration. In their test scenario, the researchers explored how an attacker could gain initial access to the PLC by remotely injecting malicious code into the web server. 

The web-based PLC malware allowed the attacker to physically damage the industrial motor, manipulate admin settings for further compromise, and steal data for industrial espionage. The unique aspect of this web-based PLC malware lies in its residence in PLC memory while being executed client-side by various browser-equipped devices across the ICS environment. The malware utilizes ambient browser-based credentials to interact with the PLC's legitimate web APIs, facilitating attacks on real-world machinery. 

This type of malware presents challenges for defenders due to its ease of deployment and platform-agnostic nature. As industrial systems continue to integrate web-based interfaces for remote access and monitoring, the security community must stay vigilant to address evolving threats like web-based PLC malware and ensure the resilience of critical infrastructure against potential cyber-physical attacks.

PLCs Exploited by "Evil PLC Attack" to Breach Networks

PLCs can be weaponized in a novel attack to take advantage of engineering workstations and then infiltrate OT and enterprise networks.

The "Evil PLC Attack" was developed by the Team82 group of Claroty, and it targets engineers who work on industrial networks, configure, and troubleshoot PLCs. Rockwell Automation, Schneider Electric, GE, B&R, Xinje, OVARRO, and Emerson engineering workstation software are all impacted by the problem.

Security experts claim that the research produced functional proof-of-concept vulnerabilities for seven of the industry's top automation businesses, including Rockwell Automation, Schneider Electric, GE, B&R, XINJE, OVARRO, and Emerson.

Industrial gadgets that regulate production processes in essential infrastructure areas must include programmable logic controllers. PLCs are set up to start and halt processes, as well as to produce alarms, in addition to orchestrating the automation activities.

It is therefore not unexpected that PLCs have been the target of sophisticated attacks for more than a decade, starting with Stuxnet and continuing with PIPEDREAM aka INCONTROLLER, with the intention of causing physical outages.

The attack method  
  • Initially skeptical engineers connect to the compromised PLC using the engineering workstation software as a diagnostic tool after an opportunistic adversary purposefully causes a problem on an internet-exposed PLC.
  • When an engineer performs an upload operation to acquire a functional copy of the existing PLC logic, the con man takes advantage of the previously unknown platform weaknesses to execute malicious code on the workstation.
  • According to the researchers, "the PLC saves other forms of data that are used by the engineering software and not the PLC itself," which makes it possible for the unneeded data to be altered in order to control the engineering software.
  • Study shows "that the fact that the PLC retains extra forms of data that are used by the engineering software and not the PLC itself"  creates a scenario in which the unused data saved on the PLC can be altered to manipulate the engineering software. 
In other words, the approach allows code execution upon an engineering connection/upload operation by weaponizing the PLC with data that isn't necessarily a part of an offline project file.

According to the coordinated disclosure policy of the business, Team82 certified that all of the findings were communicated to the seven affected vendors.

According to the business, the majority of manufacturers released mitigation plans, patches, or solutions for the Evil PLC Attack.



Unprotected Private Key Allows Remote Hacking of PLCs

 

Industrial associations have been cautioned for this present week that a critical authentication bypass vulnerability can permit hackers to remotely compromise programmable logic controllers (PLCs) made by industrial automation giant Rockwell Automation that are marketed under the Logix brand. These gadgets, which range from the size of a little toaster to a huge bread box or considerably bigger, help control equipment and processes on assembly lines and in other manufacturing environments. Engineers program the PLCs utilizing Rockwell software called Studio 5000 Logix Designer. 

The vulnerability requires a low skill level to be exploited, CISA said. The vulnerability, which is followed as CVE-2021-22681, is the consequence of the Studio 5000 Logix Designer software making it possible for hackers to exfiltrate a secret encryption key. This key is hard-coded into both Logix controllers and engineering stations and confirms correspondence between the two gadgets. A hacker who got the key could then copy an engineering workstation and manipulate PLC code or configurations that directly impact a manufacturing process.

“Any affected Rockwell Logix controller that is exposed on the Internet is potentially vulnerable and exploitable,” said Sharon Brizinov, principal vulnerability researcher at Claroty, one of three organizations Rockwell credited with independently discovering the flaw. “To successfully exploit this vulnerability, an attacker must first obtain the secret key and have the knowledge of the cryptographic algorithm being used in the authentication process.” 

Rockwell isn't issuing a patch that straightforwardly addresses the issues coming from the hard-coded key. Instead, the organization is suggesting that PLC clients follow explicit risk mitigation steps. The steps include putting the controller mode switch into run, and if that is impractical, following different suggestions that are explicit to each PLC model.

 Those steps are laid out in an advisory Rockwell is making accessible to clients, just as in the CISA warning. Rockwell and CISA likewise suggest PLC clients adhere to standard security-in-depth security advice. Chief among the suggestions is guaranteeing that control system gadgets aren't accessible from the Internet. On the off chance that Logix PLC clients are segmenting industrial control networks and following other prescribed procedures, almost certainly, the risk posed by CVE-2021-22681 is negligible. What's more, if individuals haven't executed these practices, hackers likely have simpler ways to hijack the devices.