Showing posts with label Rockwell Automation.

PLCs Exploited by "Evil PLC Attack" to Breach Networks

In a novel attack, PLCs themselves can be weaponized to compromise the engineering workstations that connect to them, and from there to move into OT and enterprise networks.

The "Evil PLC Attack" was developed by Claroty's Team82 research group. Rather than the controllers themselves, it targets the engineers who configure and troubleshoot PLCs on industrial networks, and it affects engineering workstation software from Rockwell Automation, Schneider Electric, GE, B&R, Xinje, OVARRO, and Emerson.

The researchers say they produced working proof-of-concept exploits against the engineering software of all seven of these leading automation vendors.

Programmable logic controllers are the industrial devices that control production processes in critical infrastructure sectors. Beyond orchestrating automation tasks, PLCs are configured to start and stop processes and to raise alarms.

It is therefore unsurprising that PLCs have been the target of sophisticated attacks for more than a decade, from Stuxnet through PIPEDREAM (also known as INCONTROLLER), with the aim of causing physical disruption.

The attack method
  • An opportunistic adversary deliberately induces a malfunction on an internet-exposed PLC. This prompts an unsuspecting engineer to connect to the compromised controller with the engineering workstation software as a troubleshooting tool.
  • When the engineer performs an upload (in PLC vocabulary, reading the controller's current logic back to the workstation), the attacker exploits previously unknown flaws in the engineering platform to execute malicious code on the workstation.
  • The technique works because, as the researchers put it, "the PLC retains extra forms of data that are used by the engineering software and not the PLC itself". Data the controller never executes, but which the engineering software parses, can be altered on the PLC to manipulate that software.
In other words, the PLC is weaponized with data that is not necessarily part of an offline project file, and the payload fires when an engineer connects to the controller and uploads from it.
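The following is an added illustration of the mechanism described above, not code from Claroty's research or from any of the named vendors' software. It models a hypothetical engineering tool that reads a project back from a controller in a simple TLV format. The controller only ever executes the LOGIC record; the NAME record exists purely for the workstation, which (in the vulnerable version) uses it as a file name when caching the upload. The TLV layout, the cache directory, the "Line3_Mixer" project and the traversal payload are all constructed for the example; paths are POSIX-style so the demo is portable.

```python
import posixpath
import re
import struct

# Constructed "upload" payload standing in for what an engineering tool reads back
# from a PLC. Tag 1 = project name, tag 2 = comment, tag 3 = executable logic.
# Only tag 3 is ever run by the controller; tags 1 and 2 exist for the workstation.
def build_upload_blob(name: str, comment: str, logic: bytes) -> bytes:
    """TLV encoding: 1-byte tag, 2-byte big-endian length, value."""
    out = b""
    for tag, value in ((1, name.encode()), (2, comment.encode()), (3, logic)):
        out += struct.pack(">BH", tag, len(value)) + value
    return out


def parse_upload_blob(blob: bytes) -> dict:
    """Parse the TLV blob into {tag: value}, refusing truncated records."""
    records, pos = {}, 0
    while pos < len(blob):
        tag, length = struct.unpack_from(">BH", blob, pos)
        pos += 3
        value = blob[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated record from controller")
        pos += length
        records[tag] = value
    return records


CACHE_DIR = "/opt/engtool/cache"  # hypothetical workstation cache directory


def cache_path_vulnerable(blob: bytes) -> str:
    """Trusts the PLC-supplied project name as a file name (the weak pattern)."""
    name = parse_upload_blob(blob)[1].decode()
    return posixpath.normpath(posixpath.join(CACHE_DIR, name + ".prj"))


NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,40}$")


def cache_path_hardened(blob: bytes) -> str:
    """Treats metadata read from the controller as attacker-controlled input."""
    name = parse_upload_blob(blob)[1].decode("ascii", errors="strict")
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"rejected project name from PLC: {name!r}")
    path = posixpath.normpath(posixpath.join(CACHE_DIR, name + ".prj"))
    # Defence in depth: even a name that passed the allowlist must stay in CACHE_DIR.
    if posixpath.commonpath([CACHE_DIR, path]) != CACHE_DIR:
        raise ValueError("path escapes cache directory")
    return path


# Constructed inputs. In the weaponized blob only the metadata record was rewritten
# on the PLC; the logic the controller executes is identical, so the plant keeps
# running and nothing looks wrong until an engineer uploads the project.
BENIGN = build_upload_blob("Line3_Mixer", "pump interlocks", b"\x01\x02\x03")
WEAPONIZED = build_upload_blob("../../../../tmp/evil", "pump interlocks", b"\x01\x02\x03")

if __name__ == "__main__":
    print("vulnerable tool would write to:", cache_path_vulnerable(WEAPONIZED))
    try:
        cache_path_hardened(WEAPONIZED)
    except ValueError as exc:
        print("hardened tool:", exc)
```

The point to take from the example is where the trust boundary sits: the engineering software is the client, but every byte it reads back from a field device is input from a network peer the attacker may already control, and must be validated as such before it drives file names, deserializers, or any other workstation-side logic.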

Team82 said that, in line with its coordinated disclosure policy, all of the findings were reported to the seven affected vendors.

According to the company, most of the vendors have released mitigation plans, patches, or fixes for the Evil PLC Attack.

Severe Flaws in Rockwell PLC Could Allow Attackers to Implant Malicious Code

Two new security flaws in Rockwell Automation's programmable logic controllers (PLCs) and engineering workstation software could be exploited by an attacker to inject malicious code into affected systems and stealthily modify automation processes.

Similar in effect to the Stuxnet and Rogue7 attacks, the vulnerabilities could disrupt industrial operations and cause physical damage to plants.

Claroty's Sharon Brizinov noted in a write-up, "Programmable logic and predefined variables drive these [automation] processes, and changes to either will alter the normal operation of the PLC and the process it manages."

The two flaws are:
  • CVE-2022- (CVSS score: 10.0): a remotely exploitable weakness that lets an attacker write user-readable "textual" program code to a memory location separate from the compiled code (bytecode) that the controller actually executes. The flaw is in the PLC firmware of Rockwell's ControlLogix, CompactLogix, and GuardLogix controllers.
  • CVE-2022-1159 (CVSS score: 7.7): an attacker with administrative access to a workstation running the Studio 5000 Logix Designer application can tamper with the compilation process and inject code into the user program without the user's knowledge.

Successful exploitation would let an attacker modify user programs and download malicious code to the controller, altering the PLC's normal operation and allowing rogue commands to be sent to the physical devices the industrial system controls.

Brizinov explained, "The end result of exploiting both vulnerabilities is the same: The engineer believes that benign code is running on the PLC; meanwhile, completely different and potentially malicious code is being executed on the PLC." 
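The check a practitioner would want here follows directly from the two flaws: if the textual program an engineer sees and the bytecode the controller runs are held in separate memory, the defensive move is to recompile the text independently and compare it to what the controller reports executing. The example below is added for this page and is not Claroty's tooling or Rockwell's format. It uses an invented two-byte-per-instruction toy "ladder" encoding and an in-memory toy controller; the mnemonics, tags, and the tampering step are all constructed for illustration.

```python
import hashlib

# Toy instruction set standing in for ladder logic (hypothetical, not Logix bytecode).
OPCODES = {"XIC": 0x01, "XIO": 0x02, "OTE": 0x03, "OTL": 0x04, "OTU": 0x05}
TAGS = {"Start_PB": 0x10, "Stop_PB": 0x11, "Motor": 0x20, "Valve_Open": 0x21}


def compile_rungs(source: str) -> bytes:
    """Deterministic compile: one 'MNEMONIC TAG' per line -> two bytes each."""
    out = bytearray()
    for line in source.strip().splitlines():
        mnemonic, tag = line.split()
        out += bytes([OPCODES[mnemonic], TAGS[tag]])
    return bytes(out)


class ToyController:
    """Keeps the textual source and the executable bytecode in separate regions,
    mirroring the split described in the write-up. An attacker who can write to
    one region without the other breaks the engineer's assumption that the
    source shown on upload is what runs."""

    def __init__(self, source: str):
        self.source = source                 # region the engineering tool displays
        self.bytecode = compile_rungs(source)  # region the controller executes

    def upload_source(self) -> str:
        return self.source

    def upload_bytecode(self) -> bytes:
        return self.bytecode


def verify_controller(ctrl: ToyController) -> dict:
    """Recompile the uploaded text with a trusted toolchain and compare it to the
    bytecode the controller reports executing."""
    expected = compile_rungs(ctrl.upload_source())
    actual = ctrl.upload_bytecode()
    return {
        "match": expected == actual,
        "expected_sha256": hashlib.sha256(expected).hexdigest(),
        "actual_sha256": hashlib.sha256(actual).hexdigest(),
    }


BENIGN_SOURCE = """
XIC Start_PB
XIO Stop_PB
OTE Motor
"""


def demo() -> tuple:
    """Returns (match before tampering, match after tampering)."""
    ctrl = ToyController(BENIGN_SOURCE)
    clean = verify_controller(ctrl)["match"]
    # Constructed tampering: the executing bytecode is swapped (here, the stop
    # interlock is dropped and a valve latched) while the textual copy the
    # engineer sees on upload is left untouched.
    ctrl.bytecode = compile_rungs("XIC Start_PB\nOTE Motor\nOTL Valve_Open")
    tampered = verify_controller(ctrl)["match"]
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

Two caveats matter in practice. The comparison only works if compilation is reproducible, so the same source always yields the same bytes. And the recompile must run on a host and toolchain the attacker does not control: for a flaw like CVE-2022-1159, where the compiler on the engineering workstation itself is subverted, re-running the check on that same workstation would reproduce the malicious bytecode and report a match.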

Given the severity of the flaws, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory outlining mitigations that users of the affected hardware and software can apply as part of a "comprehensive defence-in-depth strategy."

Unprotected Private Key Allows Remote Hacking of PLCs

Industrial organizations were warned this week that a critical authentication bypass vulnerability allows attackers to remotely compromise programmable logic controllers (PLCs) made by industrial automation giant Rockwell Automation and sold under the Logix brand. These devices, which range in size from a small toaster to a large bread box or bigger, control equipment and processes on assembly lines and in other manufacturing environments. Engineers program the PLCs using Rockwell software called Studio 5000 Logix Designer.

CISA said the vulnerability requires a low skill level to exploit. Tracked as CVE-2021-22681, it stems from the Studio 5000 Logix Designer software making it possible for attackers to extract a secret encryption key. The key is hard-coded into both the Logix controllers and the engineering stations and is used to authenticate communication between the two. An attacker who obtains it can impersonate an engineering workstation and manipulate PLC code or configuration that directly affects a manufacturing process.

“Any affected Rockwell Logix controller that is exposed on the Internet is potentially vulnerable and exploitable,” said Sharon Brizinov, principal vulnerability researcher at Claroty, one of three organizations Rockwell credited with independently discovering the flaw. “To successfully exploit this vulnerability, an attacker must first obtain the secret key and have the knowledge of the cryptographic algorithm being used in the authentication process.” 

Rockwell is not issuing a patch that directly addresses the problems stemming from the hard-coded key. Instead, the company recommends that PLC users follow specific risk-mitigation steps. These include putting the controller's mode switch into RUN and, where that is impractical, following further recommendations specific to each PLC model.
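To make concrete why a hard-coded shared key cannot authenticate a workstation, and why the mode switch is an effective mitigation independent of the protocol, here is an added model, not Rockwell's actual protocol or key. The page does not describe the algorithm used by the real controllers, so the HMAC-SHA256 challenge-response, the 16-byte "fleet key", the fake software image it is extracted from, and the RUN/REM/PROG behaviour are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Hypothetical fleet-wide secret baked into both the engineering software and
# every controller. Whoever pulls it out of one copy of the software holds it
# for every device in the fleet.
FLEET_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Constructed stand-in for an installed software binary containing the constant.
SOFTWARE_IMAGE = b"\x90" * 32 + FLEET_KEY + b"\xcc" * 32


def extract_key_from_software(image: bytes = SOFTWARE_IMAGE) -> bytes:
    """Models the attacker's first step: recover the constant from the program files."""
    return image[32:48]


class Controller:
    """Toy controller that authenticates program downloads with the shared key and
    honours a physical mode switch ("RUN", "REM" or "PROG")."""

    def __init__(self, mode_switch: str = "REM"):
        self.mode_switch = mode_switch
        self.program = b"benign"
        self._nonce = None

    def challenge(self) -> bytes:
        self._nonce = os.urandom(16)
        return self._nonce

    def download_program(self, response: bytes, new_program: bytes) -> str:
        expected = hmac.new(FLEET_KEY, self._nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return "rejected: bad authenticator"
        # The mitigation the vendor recommends: in RUN, program changes are refused
        # regardless of who (or what) authenticated over the network.
        if self.mode_switch == "RUN":
            return "rejected: key switch in RUN"
        self.program = new_program
        return "accepted"


def respond(nonce: bytes, key: bytes) -> bytes:
    """Both the genuine workstation and an attacker compute the same thing;
    possession of the key is all the protocol proves."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo() -> dict:
    stolen = extract_key_from_software()
    results = {}
    ctrl = Controller("REM")
    results["workstation_rem"] = ctrl.download_program(respond(ctrl.challenge(), FLEET_KEY), b"v2")
    ctrl = Controller("REM")
    results["attacker_rem"] = ctrl.download_program(respond(ctrl.challenge(), stolen), b"evil")
    ctrl = Controller("RUN")
    results["attacker_run"] = ctrl.download_program(respond(ctrl.challenge(), stolen), b"evil")
    ctrl = Controller("REM")
    results["attacker_wrong_key"] = ctrl.download_program(respond(ctrl.challenge(), b"\x00" * 16), b"evil")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The model shows the two halves of the advisory's logic: the challenge-response is sound against replay and against someone without the key, but because every controller and every workstation share one constant, extracting it once turns "authenticated workstation" into "anyone who has read the software". The mode switch works because it is enforced by the controller's physical state, not by anything the network peer can present.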

Those steps are laid out in an advisory Rockwell is making available to customers, and in the CISA advisory. Rockwell and CISA also recommend that PLC users follow standard defence-in-depth guidance, chief among it ensuring that control system devices are not reachable from the Internet. If Logix PLC users are segmenting their industrial control networks and following other recommended practices, the risk posed by CVE-2021-22681 is likely minimal. Conversely, if they have not implemented these practices, attackers probably have easier ways to hijack the devices.