
July 14, 2023

CISA advises to patch Rockwell Automation ControlLogix flaws that can lead to remote attacks on industrial systems


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is reminding users of Rockwell Automation's ControlLogix EtherNet/IP (ENIP) communication modules to patch two security flaws that could impact industrial processes and the infrastructure that depends on them. The reminder follows a report from at least one cybersecurity company that a known nation-state threat actor group already has the capability to exploit these vulnerabilities.

Designated CVE-2023-3595 and CVE-2023-3596, the bugs are out-of-bounds write flaws triggered by maliciously crafted Common Industrial Protocol (CIP) messages sent to the module. Depending on the affected module, exploitation could lead to arbitrary code execution with persistence on the device, or to a denial-of-service (DoS) condition.

A comparable controller-level flaw was previously exploited by the TRISIS malware (also known as TRITON) during an attack on Schneider Electric's Triconex safety instrumented system (SIS) controllers used in oil and gas facilities. The most notable target was a major petrochemical plant in Saudi Arabia.

Source: The Hacker News

Analysis

In October 2020, the U.S. Department of the Treasury named and sanctioned the Russian government-controlled State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) for its involvement in the TRISIS attack on the Saudi petrochemical plant.

According to the Treasury Department's statement, TsNIIKhM specifically and recklessly designed its malware to target and manipulate industrial safety systems responsible for the safe emergency shutdown of industrial processes at critical infrastructure facilities. The malware was initially deployed through phishing and, once installed, attempted to manipulate the facility's industrial control system (ICS) controllers. During the attack, the facility automatically shut down after several of the ICS controllers entered a fail-safe state, which prevented the malware's full functionality from being deployed and prompted an investigation that ultimately led to the discovery of the malware. In 2019, the attackers behind TRISIS were also reported to be scanning and probing at least 20 electric utilities in the United States for vulnerabilities.

The TRISIS attack wasn't Russia's first foray into attacking another country's critical infrastructure. In December 2015, Russia's military intelligence agency (GRU) used BlackEnergy malware in a cyberattack on three Ukrainian energy distribution companies, which cut power to more than 200,000 customers. The malware was originally delivered by spear-phishing messages carrying Microsoft Excel attachments with malicious macros.

It's not just nation-state actors that have the capability and motivation to attack and disrupt critical infrastructure, either. In May 2021, DarkSide ransomware actors were paid $4.4 million in exchange for the key to decrypt the computer systems managing the Colonial Pipeline, the largest pipeline system for refined oil products in the U.S. The resulting shutdown caused fuel shortages and panic-buying in several states.

Finally, even hackers with limited technical skills can manipulate misconfigured or exposed ICS devices given the right opportunity. For example, in 2021, an unknown actor gained remote access to the water treatment system in Oldsmar, Florida, and used it to raise the sodium hydroxide (lye) concentration to a dangerous level. Fortunately, an employee noticed the controls being manipulated on his screen and terminated the actor's access before the change took effect.

Mitigation

Field Effect's elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in devices and software like ControlLogix. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable software and devices are detected in their environment and are encouraged to review these AROs as quickly as possible.

Given that ICS are popular targets for attackers, and given the vital importance of the industrial processes they control, it is essential that these systems are not only patched but also tested regularly for unknown vulnerabilities, misconfigurations, rogue user accounts, and other signs of compromise. It is equally important that ICS devices are never exposed to the internet unless there is a legitimate business need, and then only after proper controls (IP allow-listing, MFA, and similar) are in place. An accurate inventory of which ENIP devices are reachable, and what firmware revision each reports, is the starting point for both the patching and the exposure review.
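The inventory step described above can be scripted with the EtherNet/IP ListIdentity request, a read-only discovery query that ENIP devices answer on UDP/TCP port 44818 with their vendor ID, product name and firmware revision. The following is an added example written for this page, not code from Field Effect, Rockwell Automation or CISA. It builds the request, parses the identity item of a reply, and compares the reported revision against a minimum that you supply from the vendor advisory (the patched version numbers are deliberately not hardcoded here). The sample reply, the product code, serial number and product name in it are constructed for illustration and were not captured from a real module; the encapsulation layout follows the ODVA EtherNet/IP specification.

```python
"""ENIP ListIdentity: build the request, parse a reply, check firmware revision.

Added example, not Field Effect's, Rockwell's or CISA's code. The sample
reply below is constructed for the offline test, not captured from a device.
"""
import socket
import struct

ENIP_PORT = 44818
CMD_LIST_IDENTITY = 0x0063          # encapsulation command "ListIdentity"
CPF_LIST_IDENTITY_ITEM = 0x000C     # CPF item type carried in the reply
ROCKWELL_VENDOR_ID = 1              # ODVA vendor ID for Rockwell Automation


def build_list_identity_request(sender_context: bytes = b"fieldeff") -> bytes:
    """24-byte encapsulation header with an empty body: command, length,
    session handle, status, 8-byte sender context, options (all little-endian)."""
    if len(sender_context) != 8:
        raise ValueError("sender context must be exactly 8 bytes")
    return struct.pack("<HHII8sI", CMD_LIST_IDENTITY, 0, 0, 0, sender_context, 0)


def parse_list_identity_response(data: bytes) -> dict:
    """Parse the first identity item of a ListIdentity reply into a dict."""
    if len(data) < 24:
        raise ValueError("short encapsulation header")
    cmd, length, _session, status, _ctx, _opts = struct.unpack_from("<HHII8sI", data, 0)
    if cmd != CMD_LIST_IDENTITY:
        raise ValueError(f"unexpected command 0x{cmd:04x}")
    if status != 0:
        raise ValueError(f"encapsulation status 0x{status:08x}")
    body = data[24:24 + length]
    if len(body) != length:
        raise ValueError("truncated body")
    (item_count,) = struct.unpack_from("<H", body, 0)
    if item_count < 1:
        raise ValueError("no CPF items in reply")
    type_id, item_len = struct.unpack_from("<HH", body, 2)
    if type_id != CPF_LIST_IDENTITY_ITEM:
        raise ValueError(f"unexpected CPF item type 0x{type_id:04x}")
    item = body[6:6 + item_len]
    if len(item) != item_len:
        raise ValueError("truncated identity item")
    # Identity item layout: protocol version (2), socket address (16, big-endian
    # sockaddr_in), vendor (2), device type (2), product code (2), revision
    # major/minor (1+1), status (2), serial (4), product name (1 + n), state (1).
    (proto_ver,) = struct.unpack_from("<H", item, 0)
    _family, _port, sin_addr = struct.unpack_from(">HH4s", item, 2)
    (vendor, dev_type, prod_code, rev_major, rev_minor,
     dev_status, serial, name_len) = struct.unpack_from("<HHHBBHIB", item, 18)
    if item_len != 34 + name_len:
        raise ValueError("product name length does not match item length")
    name = item[33:33 + name_len].decode("ascii", errors="replace")
    state = item[33 + name_len]
    return {
        "protocol_version": proto_ver,
        "ip": socket.inet_ntoa(sin_addr),
        "vendor_id": vendor,
        "device_type": dev_type,
        "product_code": prod_code,
        "revision": (rev_major, rev_minor),
        "status": dev_status,
        "serial": serial,
        "product_name": name,
        "state": state,
    }


def firmware_at_least(ident: dict, min_major: int, min_minor: int) -> bool:
    """True when the reported revision is >= the minimum taken from the vendor advisory."""
    return ident["revision"] >= (min_major, min_minor)


def classify(ident: dict, min_major: int, min_minor: int) -> str:
    """Triage one reply: only Rockwell devices are judged against the threshold."""
    if ident["vendor_id"] != ROCKWELL_VENDOR_ID:
        return "not a Rockwell device"
    return "at or above minimum" if firmware_at_least(ident, min_major, min_minor) else "below minimum"


def query_device(host: str, timeout: float = 2.0) -> dict:
    """Send ListIdentity to one host over UDP and parse the reply (live network I/O;
    only use on networks you are authorised to assess)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_list_identity_request(), (host, ENIP_PORT))
        data, _ = s.recvfrom(4096)
    return parse_list_identity_response(data)


def build_sample_response() -> bytes:
    """Constructed ListIdentity reply for offline testing (not a real capture)."""
    name = b"1756-EN2T/D"                        # constructed product name
    sockaddr = struct.pack(">HH4s8x", 2, ENIP_PORT, socket.inet_aton("192.168.1.10"))
    item = struct.pack("<H", 1) + sockaddr
    item += struct.pack("<HHHBBHIB", ROCKWELL_VENDOR_ID, 12, 0x0001, 10, 7, 0x0000, 0x00ABCDEF, len(name))
    item += name + bytes([3])                     # state: constructed value
    body = struct.pack("<HHH", 1, CPF_LIST_IDENTITY_ITEM, len(item)) + item
    return struct.pack("<HHII8sI", CMD_LIST_IDENTITY, len(body), 0, 0, b"fieldeff", 0) + body


if __name__ == "__main__":
    ident = parse_list_identity_response(build_sample_response())
    print(ident["ip"], ident["product_name"], "rev %d.%03d" % ident["revision"])
```

Run `query_device()` against each address in the ICS address ranges and keep the results as the inventory; any module whose revision is below the minimum listed in Rockwell's advisory for its product goes onto the patch list, and any device that answers from an internet-facing address goes onto the exposure list regardless of revision.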

Field Effect strongly encourages users of ControlLogix devices to update to the latest version as soon as possible.
