

Rockwell Automation ControlLogix Bugs Expose Industrial Systems to Remote Attacks
13.7.23  ICS  The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of two security flaws impacting Rockwell Automation ControlLogix EtherNet/IP (ENIP) communication module models that could be exploited to achieve remote code execution and denial-of-service (DoS).

"The results and impact of exploiting these vulnerabilities vary depending on the ControlLogix system configuration, but they could lead to denial or loss of control, denial or loss of view, theft of operational data, or manipulation of control for disruptive or destructive consequences on the industrial process for which the ControlLogix system is responsible," Dragos said.

The list of flaws is as follows -

CVE-2023-3595 (CVSS score: 9.8) - An out-of-bounds write flaw impacting 1756 EN2* and 1756 EN3* products that could result in arbitrary code execution with persistence on the target system through maliciously crafted common industrial protocol (CIP) messages.
CVE-2023-3596 (CVSS score: 7.5) - An out-of-bounds write flaw impacting 1756 EN4* products that could lead to a DoS condition through maliciously crafted CIP messages.

"Successful exploitation of these vulnerabilities could allow malicious actors to gain remote access to the running memory of the module and perform malicious activity," CISA said.

Even worse, the flaws could be abused to potentially overwrite any part of the system to fly under the radar and stay persistent, not to mention render the module untrustworthy.

Impacted devices include 1756-EN2T, 1756-EN2TK, 1756-EN2TXT, 1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT, 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT, 1756-EN2F, 1756-EN2FK, 1756-EN3TR, 1756-EN3TRK, 1756-EN4TR, 1756-EN4TRK, and 1756-EN4TRXT. Patches have been made available by Rockwell Automation to address the issues.

"The type of access provided by CVE-2023-3595 is similar to the zero-day employed by XENOTIME in the TRISIS attack," the industrial cybersecurity company said. "Both allow for arbitrary firmware memory manipulation, though CVE-2023-3595 targets a communication module responsible for handling network commands. However, their impact is the same."

TRISIS, also known as TRITON, is an industrial control systems (ICS) malware that has been previously observed targeting Schneider Electric's Triconex safety instrumented system (SIS) controllers used in oil and gas facilities. A petrochemical plant in Saudi Arabia was discovered as a victim in late 2017, according to Dragos and Mandiant.

Dragos cautioned that it had discovered an "unreleased exploit capability leveraging these vulnerabilities" that is associated with an identified nation-state group and that as of mid-July 2023, "there was no evidence of exploitation in the wild and the targeted victim organizations and industry verticals were unknown."

"In addition to the compromise of the vulnerable module itself, the vulnerability could also allow an attacker to affect the industrial process along with the underlying critical infrastructure, which may result in possible disruption or destruction," Tenable researcher Satnam Narang said of CVE-2023-3595.


Lazarus X_TRADER Hack Impacts Critical Infrastructure Beyond 3CX Breach
22.4.23  ICS  The Hacker News
Lazarus, the prolific North Korean hacking group behind the cascading supply chain attack targeting 3CX, also breached two critical infrastructure organizations in the power and energy sector and two other businesses involved in financial trading using the trojanized X_TRADER application.

The new findings, which come courtesy of Symantec's Threat Hunter Team, confirm earlier suspicions that the X_TRADER application compromise affected more organizations than 3CX. The names of the organizations were not revealed.

Eric Chien, director of security response at Broadcom-owned Symantec, told The Hacker News in a statement that the attacks took place between September 2022 and November 2022.

"The impact from these infections is unknown at this time – more investigation is required and is on-going," Chien said, adding it's possible that there's "likely more to this story and possibly even other packages that are trojanized."

The development comes as Mandiant disclosed that the compromise of the 3CX desktop application software last month was facilitated by another software supply chain breach targeting X_TRADER in 2022, which an employee downloaded to their personal computer.

It's currently unclear how UNC4736, a North Korean nexus actor, tampered with X_TRADER, a piece of trading software developed by a company named Trading Technologies. While the service was discontinued in April 2020, it was still available for download on the company's website as recently as last year.

Mandiant's investigation has revealed that the backdoor (dubbed VEILEDSIGNAL) injected into the corrupted X_TRADER app allowed the adversary to gain access to the employee's computer and siphon their credentials, which were then used to breach 3CX's network, move laterally, and compromise the Windows and macOS build environments to insert malicious code.

The sprawling interlinked attack appears to have substantial overlap with previous North Korea-aligned groups and campaigns that have historically targeted cryptocurrency companies and conducted financially motivated attacks.

The Google Cloud subsidiary has assessed with "moderate confidence" that the activity is linked to AppleJeus, a persistent campaign targeting crypto companies for financial theft. Cybersecurity firm CrowdStrike previously attributed the attack to a Lazarus cluster it calls Labyrinth Chollima.

The same adversarial collective was previously linked by Google's Threat Analysis Group (TAG) to the compromise of Trading Technologies' website in February 2022 to serve an exploit kit that leveraged a then zero-day flaw in the Chrome web browser.

ESET, in an analysis of a disparate Lazarus Group campaign, disclosed a new piece of Linux-based malware called SimplexTea that shares the same network infrastructure identified as used by UNC4736, further expanding on existing evidence that the 3CX hack was orchestrated by North Korean threat actors.

"[Mandiant's] finding about a second supply-chain attack responsible for the compromise of 3CX is a revelation that Lazarus could be shifting more and more to this technique to get initial access in their targets' network," ESET malware researcher Marc-Etienne M.Léveillé told The Hacker News.

The compromise of the X_TRADER application further alludes to the attackers' financial motivations. Lazarus (also known as HIDDEN COBRA) is an umbrella term for a composite of several subgroups based in North Korea that engage in both espionage and cybercriminal activities on behalf of the Hermit Kingdom and evade international sanctions.

Symantec's breakdown of the infection chain corroborates the deployment of the VEILEDSIGNAL modular backdoor, which also incorporates a process-injection module that can be injected into Chrome, Firefox, or Edge web browsers. The module, for its part, contains a dynamic-link library (DLL) that connects to the Trading Technologies' website for command-and-control (C2).

"The discovery that 3CX was breached by another, earlier supply chain attack made it highly likely that further organizations would be impacted by this campaign, which now transpires to be far more wide-ranging than originally believed," Symantec concluded.


CISA Alerts on Critical Security Vulnerabilities in Industrial Control Systems
22.3.23  ICS  The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released eight Industrial Control Systems (ICS) advisories on Tuesday, warning of critical flaws affecting equipment from Delta Electronics and Rockwell Automation.

This includes 13 security vulnerabilities in Delta Electronics' InfraSuite Device Master, a real-time device monitoring software. All versions prior to 1.0.5 are affected by the issues.

"Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to obtain access to files and credentials, escalate privileges, and remotely execute arbitrary code," CISA said.

Top of the list is CVE-2023-1133 (CVSS score: 9.8), a critical flaw that arises from the fact that InfraSuite Device Master accepts unverified UDP packets and deserializes the content, thereby allowing an unauthenticated remote attacker to execute arbitrary code.

Two other deserialization flaws, CVE-2023-1139 (CVSS score: 8.8) and CVE-2023-1145 (CVSS score: 7.8), could also be weaponized to obtain remote code execution, CISA cautioned.

Piotr Bazydlo and an anonymous security researcher have been credited with discovering and reporting the shortcomings to CISA.

Another set of vulnerabilities relates to Rockwell Automation's ThinManager ThinServer and affects the following versions of the thin client and remote desktop protocol (RDP) server management software -

6.x – 10.x
11.0.0 – 11.0.5
11.1.0 – 11.1.5
11.2.0 – 11.2.6
12.0.0 – 12.0.4
12.1.0 – 12.1.5, and
13.0.0 – 13.0.1

The most severe of the issues are two path traversal flaws tracked as CVE-2023-28755 (CVSS score: 9.8) and CVE-2023-28756 (CVSS score: 7.5) that could permit an unauthenticated remote attacker to upload arbitrary files to the directory where the ThinServer.exe is installed.

Even more troublingly, the adversary could weaponize CVE-2023-28755 to overwrite existing executable files with trojanized versions, potentially leading to remote code execution.

"Successful exploitation of these vulnerabilities could allow an attacker to potentially perform remote code execution on the target system/device or crash the software," CISA noted.

Users are advised to update to versions 11.0.6, 11.1.6, 11.2.7, 12.0.5, 12.1.6, and 13.0.2 to mitigate potential threats. ThinManager ThinServer versions 6.x – 10.x are retired, requiring that users upgrade to a supported version.
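An added example (not from the article or from Rockwell Automation) that triages installed ThinServer versions against the affected ranges and fixed releases listed above. The hostnames and installed versions in the inventory are constructed for illustration.

```python
# Branch (major, minor) -> first fixed release, as listed in the article.
FIXED = {
    (11, 0): (11, 0, 6),
    (11, 1): (11, 1, 6),
    (11, 2): (11, 2, 7),
    (12, 0): (12, 0, 5),
    (12, 1): (12, 1, 6),
    (13, 0): (13, 0, 2),
}
RETIRED_MAJORS = range(6, 11)  # 6.x - 10.x: affected and retired, no patch


def parse_version(text):
    """Turn '11.2.3' into (11, 2, 3); missing components default to 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def triage(version_text):
    """Return (status, advice) for one installed ThinServer version."""
    version = parse_version(version_text)
    major, minor, _ = version
    if major in RETIRED_MAJORS:
        return "affected-retired", "upgrade to a supported version"
    fixed = FIXED.get((major, minor))
    if fixed is None:
        # Branch not named in the article: do not guess, send to a human.
        return "unknown-branch", "check the vendor advisory"
    if version < fixed:
        return "affected", "update to " + ".".join(map(str, fixed))
    return "fixed", "no action for these CVEs"


# Constructed inventory (hypothetical hosts and versions).
INVENTORY = {
    "ts-plant-a": "11.2.3",
    "ts-plant-b": "13.0.2",
    "ts-legacy": "9.0.1",
    "ts-lab": "12.1.5",
}

if __name__ == "__main__":
    for host, ver in sorted(INVENTORY.items()):
        status, advice = triage(ver)
        print(f"{host:12} {ver:8} {status:17} {advice}")
```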

As a workaround, it is also recommended that remote access to port 2031/TCP be limited to known thin clients and ThinManager servers.
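An added example, not part of the article or any vendor tooling, that checks whether the 2031/TCP restriction actually holds by scanning connection logs for sources outside an allowlist. The log format, addresses and allowlist are assumptions constructed for illustration.

```python
import ipaddress

THINSERVER_PORT = 2031  # TCP port named in the workaround

# Assumption: constructed ranges standing in for known thin clients and servers.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.30.0/24"),  # thin client VLAN
    ipaddress.ip_network("10.20.1.10/32"),  # second ThinManager server
]

# Constructed log: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport> <action>"
SAMPLE_LOG = """\
2023-03-22T08:01:12Z TCP 10.20.30.17:49822 -> 10.20.1.5:2031 ALLOW
2023-03-22T08:01:40Z TCP 10.20.1.10:50110 -> 10.20.1.5:2031 ALLOW
2023-03-22T08:02:03Z TCP 192.168.77.4:41200 -> 10.20.1.5:2031 ALLOW
2023-03-22T08:02:09Z UDP 192.168.77.4:5353 -> 10.20.1.5:2031 ALLOW
2023-03-22T08:03:15Z TCP 172.16.9.8:40001 -> 10.20.1.5:3389 ALLOW
2023-03-22T08:04:51Z TCP 172.16.9.8:40002 -> 10.20.1.5:2031 DENY
malformed line that should be skipped
"""


def parse_line(line):
    """Return (ts, proto, src_ip, dport, action), or None if unparseable."""
    fields = line.split()
    if len(fields) != 6 or fields[3] != "->":
        return None
    ts, proto, src, _, dst, action = fields
    try:
        src_ip, _sport = src.rsplit(":", 1)
        _dst_ip, dport = dst.rsplit(":", 1)
        return ts, proto, ipaddress.ip_address(src_ip), int(dport), action
    except ValueError:
        return None


def unexpected_sources(log_text, allowed=ALLOWED_SOURCES):
    """List (ts, src, action) for 2031/TCP traffic from non-allowlisted hosts."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] != "TCP" or rec[3] != THINSERVER_PORT:
            continue
        ts, _proto, src, _dport, action = rec
        if not any(src in net for net in allowed):
            findings.append((ts, str(src), action))
    return findings
```

A finding with action ALLOW means the restriction is not in place for that source; a DENY finding shows the filter working and is still worth reviewing as an unexpected connection attempt.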

The disclosure arrives more than six months after CISA warned of a high-severity buffer overflow vulnerability in Rockwell Automation ThinManager ThinServer (CVE-2022-38742, CVSS score: 8.1) that could result in arbitrary remote code execution.