
January 7, 2025

Moxa addresses vulnerabilities in its industrial routers


Moxa, the maker of industrial-grade networking and communications devices, has advised that two vulnerabilities have been discovered in several of its routers and network security appliances designed to facilitate communications for industrial control systems (ICS).

The first vulnerability, designated CVE-2024-9138 and assigned a high severity rating, stems from hardcoded credentials that could allow threat actors to obtain root-level privileges on the device.


The second vulnerability, designated CVE-2024-9140 and assigned a critical severity rating, is a command injection flaw that takes advantage of weak input restrictions. CVE-2024-9140 can be exploited remotely by threat actors to execute arbitrary code.
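As an added illustration of what "weak input restrictions" means in a command injection context, the constructed snippet below (not Moxa's code and not the actual CVE-2024-9140 code path; all names are hypothetical) contrasts a denylist check with an allowlist check for a host parameter on a diagnostics endpoint, and builds the command as an argument list so nothing is ever interpreted by a shell:

```python
import re
import subprocess

# Hypothetical: a device diagnostics page lets an operator ping a host.
# Allowlist pattern: a syntactically valid hostname (RFC 1123 labels) or IPv4 literal.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def weak_restriction(host: str) -> bool:
    """Denylist check: rejects only two shell separators.

    Any character not on the list is accepted, so this is the kind of
    restriction that leaves command injection reachable.
    """
    return not any(ch in host for ch in ";&")


def strict_restriction(host: str) -> bool:
    """Allowlist check: accept only input that is a well-formed host."""
    return bool(HOSTNAME_RE.match(host))


def build_ping_argv(host: str, count: int = 1) -> list[str]:
    """Validate with the allowlist, then return argv for subprocess.

    The host becomes a single argv entry; no shell string is ever built.
    """
    if not strict_restriction(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", str(int(count)), host]


def run_ping(host: str, count: int = 1) -> int:
    """Execute the validated command without a shell and return its exit code."""
    argv = build_ping_argv(host, count)
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    # Constructed inputs: one benign, one carrying a metacharacter the denylist misses.
    for candidate in ("10.0.0.1", "gateway.plant.local", "10.0.0.1|ls"):
        print(candidate, "weak:", weak_restriction(candidate),
              "strict:", strict_restriction(candidate))
```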

Moxa has released updates to address the vulnerabilities and is advising affected customers to upgrade as soon as possible to prevent exploitation. The company did not indicate whether it had observed any active exploitation of the flaws.

Source: Bleeping Computer

Analysis

According to a Shodan search, there are approximately 4,415 internet-exposed Moxa devices; however, it's unclear how many of them are affected by the recently discovered vulnerabilities. The majority are located in Russia, which should be of grave concern to the Russian government given that pro-Ukrainian hackers will be eager to compromise them in hopes of disrupting the industrial processes they serve.

Internet-exposed Moxa devices (Source: Shodan.io)

Hardcoded credentials are essentially a default username and password built into a system or device's firmware that grant access to all or part of the device. They are often the same for every device unless changed or disabled by end users, which generally doesn't happen.

It is almost certain that today’s sophisticated threat actors will compromise devices that use hardcoded credentials. As a result, many hardware manufacturers and software vendors have discontinued this practice and adopted more secure alternatives. It’s unclear why Moxa still uses hardcoded credentials, as this practice is known for being highly exploitable.

Attacks on ICS-related devices can be particularly potent since their compromise could disrupt or severely degrade the industrial process they help facilitate, such as energy production, manufacturing, chemical and pharmaceutical production, etc.

In 2024, water and wastewater systems (WWS) were frequently targeted by threat actors. For example, Arkansas City, Kansas, was forced to switch its water treatment facility to manual operations due to a cyberattack deemed serious enough that the Department of Homeland Security and the FBI were called in to investigate. This and several other similar attacks on WWS led the Cybersecurity and Infrastructure Security Agency (CISA), the Water Information Sharing and Analysis Center (WaterISAC), and the U.S. Environmental Protection Agency (EPA) to issue warnings and guidance for evaluating cybersecurity practices and identifying measures to reduce water and wastewater facilities' exposure to cyberattacks.

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for emerging threats to operational technology (OT), including ICS. Field Effect MDR users are automatically notified if OT/ICS threat-related activity is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Given that OT/ICS are popular targets for hackers and that the industrial processes they control are vitally important, it's essential to ensure that these systems are not only kept up to date, but tested regularly for unknown vulnerabilities, misconfigurations, rogue user accounts, the use of default credentials, and other signs of compromise. It's also vital that ICSs are not exposed to the internet unless there is a legitimate business need to do so, and only after proper controls (IP whitelisting, multifactor authentication, etc.) are implemented.
