Our Researchers Discover Another Vulnerability 

As part of our mission to secure the world’s OT, IoT and Cyber Physical infrastructures, we invest resources into offensive research of vulnerabilities and attack techniques.

CVE-2020-16850 (US ICS-CERT) is a CVSS 8.6 remote CPU DoS vulnerability in Mitsubishi Electric iQ-R Series that has been discovered by SCADAfence researcher Yossi Reuven.

Mitsubishi Electric is one of the world’s leading electronics and electrical equipment manufacturing companies, and is in use by many of our customers. We have been working with Mitsubishi Electric for the last few months in handling multiple vulnerabilities, and on October 8th, Mitsubishi Electric published an official security advisory reporting this vulnerability and its mitigations.

About The Vulnerability – CVE-2020-16850

MELSEC iQ-R Series is Mitsubishi Electric flagship product line – designed for high productivity automation systems. iQ-R CPUs’ communication with GX Works 3 (Engineering software package) is done via Mitsubishi Electric proprietary protocol MELSOFT (which works on both TCP and UDP).

A single specially crafted packet sent by an attacker over the MELSOFT UDP protocol on port 5006 will cause a denial-of-service (DoS) vulnerability due to uncontrolled resource consumption (CWE-400). The PLC’s CPU will get into fault mode, causing a hardware failure (error code: 0x3C00 – hardware failure). The PLC then becomes unresponsive and requires a manual restart to recover.

What SCADAfence Recommends Vendors To Do

Perform an Industrial Vulnerability Management Process

Please refer to our guide on this topic: https://www.scadafence.com/public-preview-a-comprehensive-guide-to-industrial-device-patching/

Monitor for Unauthorized Network Activity and Exploitation

Some devices will always remain unpatched. Monitoring is an early warning system that allows you to act before attackers have gained full control over your network.

Upgrade to the Latest Firmware (When Available)

Currently no firmware update is available (will be released soon by Mitsubishi Electric)

Prevent Unauthorized and Untrusted Access

– Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.

– Use within a LAN and block access from untrusted networks and hosts through firewalls.

Block UDP Port 5006 and Use MELSOFT TCP

MELSOFT is an engineering software for Mitsubishi PLCs and gives users the option to use either the (connectionless) UDP and (connection-oriented) TCP protocols for programming and configuring the devices. SCADAfence recommends to block Block UDP port 5006 since the cyberattack leverages the connectionless UDP protocol and can cause the PLCs to stop functioning and cause a denial of service. Instead, users should use the TCP protocol for communicating with devices in the shop floor or the control network.

Special Thanks & Recognition

The SCADAfence Research team would like to thank the Mitsubishi Electric team for a speedy vulnerability reporting process even during the challenging COVID-19 times.

SCADAfence is committed to continued research of offensive technologies and development of new defensive technologies.

Exploit PoC

We wrote a Python POC (GPLv3) script of the exploit in action.

Currently, there’s no patch available. As a result, we limit the access to the exploit to vetted individuals only. The exploit is only available for educational and legal research purposes.

Warning: The script will crash the PLC’s CPU – do not use it in production.

Hey, I’m SCADAGirl.

I’m a cybersecurity superhero that ensures that OT & IoT networks are safe.

Here is my commentary on the latest headlines in OT & IoT security.

ICS Advisory (ICSA-20-240-01) Red Lion N-Tron 702-W, 702M12-W

 SCADAfence Research – ICS Ethernet Switches used in Industrial Networks by manufacturer Red Lion are exposed to Remote Command Injection. The switches types are 702-W and 702M12-W. Read More 

---

Critical Vulnerabilities Expose MoFi Routers to Remote Attacks

 SCADAfence Research  – IOT Routers made by MoFi network are vulnerable to Remote Code Execution vulnerabilities. The series affected is MOFI4500, which includes several routers which includes WIFI and 4g capabilities. Companies utilizing such routers for mobile or remote connectivity should check their devices for updates. Read More

---

BLURtooth Vulnerability Lets Attackers Defeat Bluetooth Encryption

SCADAfence Research – IOT BLURtooth vulnerability exposes new generations of bluetooth-enabled devices to MITM attacks. Academic researchers have discovered that certain implementations of Bluetooth 4.0 to 5.0 suffer from weak key generation and thus allow MITM to take place. Read More

---

Netwalker Ransomware Hits Pakistan’s Largest Private Power Utility

SCADAfence Research – Netwalker Ransomware hits the largest private power company in Pakistan. The ransomware caused disruption in billing and online services. Read More 

---

Windows Zerologon PoC Exploits Allow Domain Takeover. Patch This Now!

SCADAfence Research – A PoC was released for the Zerologon vulnerability, which allows attackers to gain Domain Admin privileges and take over windows domain environments. The vulnerability CVE-2020-1472 was patched by Microsoft in the last August update. The vulnerability occurs when an attempt to login as a domain administrator is made, and a spoofed response is sent to the client telling the login succeeded. The vulnerability relies on the fact that it is possible to fallback to unencrypted RPC, and after that, using a security flaw found in Netlogon AES-CFB8 cryptographic negotiation. Please read more for the full article & the POC code. Read More 

---

Ransomware Attack at German Hospital Leads to Death of Patient

 SCADAfence Research – Ransomware attack at a German hospital leads to the death of a patient. The ransomware attack lead to the situation where emergency care could not occur at the hospital, and a patient in a life-threatening condition died after being forced to go to a more distant hospital. Read More

---

ICS Advisory (ICSA-13-011-01)

 SCADAfence Research – Devices running CoDeSys are vulnerable to read/write any files on devices running it. Also devices running CoDeSys require no authentication by default, making attackers able to change the device configuration. Read More

---

The Windows XP Source Code Was Allegedly Leaked Online

 SCADAfence Research – Windows XP Source code was leaked online, and can be downloaded by a torrent. The leaked source code may help attackers find new, yet unknown, vulnerabilities in, even new, Windows operating systems. Read More 

---

Ransomware Hits US-Based Arthur J. Gallagher Insurance Giant

 SCADAfence Research – US-based Arthur J. Gallagher (AJG) global insurance brokerage and risk management firm confirmed a ransomware attack that hit its systems. Read More 

---

UHS Hospitals Hit by Reported Country-Wide Ryuk Ransomware Attack

 SCADAfence Research – UHS hospitals hit by reported country-wide Ryuk ransomware attack, shutting down a few of its hospitals.

“After 1min or so of this the computers logged out and shutdown. When you try to power back on the computers they automatically just shutdown. “We have no access to anything computer based including old labs, ekg’s, or radiology studies. We have no access to our PACS radiology system.” Read More

As industrial systems become increasingly connected to IT, Cloud and ERP systems, they become increasingly exposed to cyber threats such as ransomware. In fact, cyber threats for industrial control systems (ICS) are on the rise.

Asset owners are often operating legacy equipment, which contains a large number of vulnerabilities, including unpatched industrial devices, unsupported operating systems like Windows XP and Windows 7, and others. Although this equipment may be productive for now, it is not secure, and the level of risk rises with time.

SCADAfence runs into these problems constantly with their customers as their industrial cybersecurity products were designed to help their users get through these security obstacles, such as aging equipment, the adoption of IIoT devices in Industry 4.0, and visibility gaps. As SCADAfence helps their customers drive their security and regain control over their network, here are some of the problems that they see in their industrial environments.

The Challenges SCADAfence Sees In Industrial Networks Today

Asset management is often managed with cumbersome Excel sheets, which is often inaccurate, and outdated. Security teams and OT operators need to know about real-time deviations in network traffic to account for cyberattacks like Malware or Ransomware, which can spread in minutes.

When having SCADAfence installed passively in their network, their customers often discover tens to hundreds of “shadow” OT devices or devices that the operators didn’t know existed. Even worse, many of the unaccounted for devices may be connected to the internet.

Four Ways to Solve These Constant Industrial Network Challenges

1. Maximum Rate Bandwidth for Increased Data Analysis  The SCADAfence Platform was built to handle large amounts of traffic. Utilizing Garland Technology’s visibility solutions, they read every bit, byte, and packet using full deep packet inspection (DPI) to have the highest detection rate in the industry. Most industrial network monitoring platforms don’t have the bandwidth to process this sizable data.

2. Setting an Operational Baseline with Advanced AI Capabilities  SCADAfence also offers a unique Micro Granular Baseline technology. This technology learns every device’s granular traffic characteristics. Providing the most accurate detection mechanism, this unique technology helps their customers to dramatically reduce false-positives without the need to reconfigure the baseline, even with operational changes. Customers gain precise and reliable results in hours vs weeks, with continuous intelligence utilizing advanced AI capabilities.

3. Instant Analytics and Reporting for Governance and Compliance   The SCADAfence Governance Portal, provides fully automated compliance dashboards and detailed compliance reports, which allows their customers to view status trends and comparisons over time. These accurate and up-to-date compliance status are based on real network traffic data analytics that tracks and measure industrial regulations and organizational best practices.

This is especially important to critical infrastructures, which have to meet certain frameworks and compliances to work under the correct guidelines. This tool ensures that their customers can remain fully compliant with industrial standards such as NERC-CIP, IEC-62443, NIST, ISO-27001, NIS NCSC, NIST CSF, and others – including internal policies that can be set up by their own organizations.

Taking in the packet traffic from Garland’s network TAPs, SCADAfence’s stand-alone monitoring will passively scan the traffic from every appliance with the utmost industry standards. Users can choose the industry standard that they want to be compliant with and the Governance Portal will show updated real-time reports in clear detail. SCADAfence finds that their customers find this incredibly valuable and time-efficient.

4. 100% Packet-level Network Visibility with Garland Technology  It’s very important with a network monitoring solution to not be intrusive in your OT process. SCADAfence offers continuous passive OT network monitoring that provides visibility, automatic asset discovery, inventory management, risk management, and threat detection is needed to capture the current operational behavior of the environment.

Generating 100% packet-level visibility with Garland’s visibility solution, SCADAfence is able to render critical insights to detect and provide alerts on cybersecurity and operational incidents like suspicious activities, exposures, malware attacks, and operational alerts such as service availability, and misconfigurations. This allows users to gain unique visibility into remote access connections and correlate OT actions to IT accounts.

For more information visit the Garland Technology and SCADAfence joint solution.  Looking to add visibility to your industrial environment, but not sure where to start?  Join us for a brief network Design-IT consultation or demo. No obligation – it’s what we love to do.

The original post can be found on garlandtechnology.com

It is hard to think of another facility more crucial than power distribution facilities, which control everything from turning on the lights in homes to running critical infrastructure systems. The US Institute for Critical Infrastructure Technology (ICIT) recently labelled what it terms ‘disruptionware’ in the context of an attack on a national energy grid as “a weapon of mass destruction.”

Western countries have been concerned about the threat of cyber-attacks crippling energy grids ever since the Russian targeting of the Ukrainian power grid in 2015 and, more recently, indictments by the US Department of Justice against two Chinese threat actors for targeting groups including a Department of Energy site.

The same group that targeted the Ukrainian grid, named as Dragonfly or Energetic Bear, was subsequently alleged to have been responsible for numerous other attacks on energy facilities, including a major attack on the UK power grid, which only came to light as a result of a leaked memo from GCHQ and the UK National Grid, has been on high alert for cyber-attacks since the start of the COVID-19 crisis.

Yet these vital facilities are not only poorly protected when compared to many other types of organization, but are also becoming increasingly vulnerable to cyber-attacks. Threats such as Trisis, Industroyer and BlackEnergy are now increasingly deployed in order to exploit a growing number of glaring vulnerabilities within power distribution systems.

The push to modernize power distribution facilities has brought in its wake a host of new entry points for threat actors to exploit. The rapid shift to smart grids means that utilities are now adding tens of thousands of largely unprotected devices such as new sensors, controllers, relays and meters.

Existing perimeter security is currently largely incapable of controlling all entry points to the network; once any one of these is bypassed, attackers can access a wide range of assets and remain undetected for long periods of time. Increasing connectivity of OT networks to remote sub-stations as well as to organizational systems also brings with it a host of vulnerable and often unsecured entry points.

Automation components, such as programmable logic controllers (PLCs) function via microprocessors and contain function-specific software programming. They also have management and communications capabilities running over network paths. These have been a major target for cyber-attacks as a means of gaining access to control systems.

Legacy industrial control system (ICS) protocols such as Modbus and DNP3, commonly used throughout power systems, have little or no security measures and lack authentication capabilities. These can easily be intercepted, spoofed or altered – potentially causing a dangerous event in the operations environment.

Like many other utilities, power distribution organizations also increasingly rely on remotely accessible equipment and mobile devices. While this has an immediate payback in terms of efficiency and convenience, it has also created vulnerabilities stemming from unsecure access or from connection to critical systems via remote tools and devices.

Coming from a world of stand-alone secure systems, many vendors of ICS systems also unwittingly create ‘backdoor’ access to devices and software, which are easy to exploit. Some vendors are even known to threaten to void equipment warranties should their products be reconfigured from the original factory settings by changing passwords or installing unapproved security packages.

The absence of constant network monitoring systems in most OT networks means that many utilities cannot even obtain basic forensic data related to cyber intrusions and attacks. This not only leaves such facilities vulnerable to financially motivated ransomware demands, but also to potentially devastating attacks from state-sponsored threat actors bent on causing physical destruction as well as economic damage.

Badly secured facilities mean that potentially highly destructive intrusions can sit on a power distribution network’s system undetected for months until they are triggered at a time calculated to cause maximum damage, possibly coinciding with other forms of attack or during a period of social unrest or national emergency such as the current COVID-19 crisis.

In order to protect against system abuse or cyber-attacks, power distribution networks must provide real-time monitoring across their newly-extended security perimeters in order to detect anomalous and non-authorized behavior while addressing both external and internal attack vectors.

source from:https://www.infosecurity-magazine.com/opinions/glaring-vulnerabilities-power

It’s true, the SCADAfence Governance Portal can now connect to any third-party application through Syslog or rest-API and we’re providing the entire on-boarding for free until the end of this year. (Details at the end of this blog post).

How You Can Use The Governance Portal

The SCADAfence Governance Portal, first introduced in 2019, has been developed for IT & OT users to enable real-time compliance monitoring across the entire organization and remote site, and to assure compliance with regulations and standards such as NERC-CIP, IEC-62443, NIST, ISO-27001, NIS NCSC, NIST CSF, and others.

Earlier this year, the SCADAfence Governance Portal was enhanced to allow you to extend your compliance automatic coverage by receiving inputs from external tools directly to the Governance Portal.

The SCADAfence Governance Portal had just become your very own full organizational OT/IT Governance & Compliance management system. You can now manage all inputs from your entire security, management and orchestration tools in a central location and get real time compliance status for all of your sites.

How You Can Connect The Governance Portal To Third-Party Applications

It’s easier than you think. 

You configure your external tool to send out the relevant information to the SCADAfence Governance Portal, and it will automatically add this new information to the process of compliance calculation. 

That’s it. 

You immediately enjoy extended coverage in areas that cannot be measured based on network traffic data. For instance, you can easily set up your Endpoint definitions to send alerts when outdated virus definitions are detected or receive inputs from your firewall on blocked traffic.

The Main Benefits Of Using The SCADAfence Governance Portal:

• It’s a multi-site regulatory and policy compliance framework for your organization.
• It’s a compliance policy manager – you can define your own policy and measure your organization based on it.
• You get real-time compliance dashboards – these are automatically created and available at all times for immediate compliance visibility.
• You have detailed reports – you can even drill down into each site and into each improvement opportunity.

The Look & Feel Of The Compliance Score Dashboards

Ultimately, the SCADAfence Governance Portal offers a one-of-a-kind solution which can help you to increase your readiness and compliance for organizational policies and regulatory compliance by performing automatic regulatory assessments based on real network traffic data.

The automatic compliance score calculation provides ready-to-use compliance dashboards and reports which enables end-to-end management of the compliance process as well as gradual enforcement process with flexible policy options.

 

How To Get The SCADAfence Governance Portal For Free Until 2021

Want to get it for your organization risk-free? Just click this link and fill in your details: https://l.scadafence.com/schedule-a-demo-governance

We will then provide you with full on-boarding for the Governance Portal for free, from October 1st until December 31st 2020.