The cybersecurity company CISA has expanded its Recognized Exploited Vulnerabilities (KEV) catalog with an outdated ‘OpenPLC ScadaBR’ flaw that was lately leveraged by hackers to deface what they believed to be an industrial management system (ICS).
OpenPLC is an open supply programmable logic controller (PLC) designed to supply a low-cost industrial automation answer. ScadaBR is an open supply answer that gives human-machine interfaces (HMIs), supporting connections to numerous PLCs, together with OpenPLC.
The ScadaBR vulnerability, tracked as CVE-2021-26829 and categorised as ‘medium severity’, was patched in June 2021. It has been described as a cross-site scripting (XSS) bug that may be exploited for arbitrary code execution.
CISA added CVE-2021-26829 to its KEV catalog on Friday and instructed authorities companies to handle it by December 19.
Safety agency Forescout reported in October {that a} pro-Russia hacktivist group named TwoNet had attacked certainly one of its ICS/OT honeypots, which had been set as much as mimic a water remedy plant.
The hackers defaced the related HMI, disrupted processes, and manipulated different ICS, later boasting concerning the ‘achievement’ on their Telegram channel.
In keeping with Forescout, TwoNet exploited CVE-2021-26829 to alter the HMI login web page’s description to ‘Hacked by Barlati’, a message that will be displayed in a pop-up window each time the web page is visited by a person.
Because the HMI was faux, the assault didn’t have any real-world affect, however the incident confirmed that hackers could also be focusing on CVE-2021-26829 of their assaults. Commercial. Scroll to proceed studying.
A video printed again in 2021 reveals how straightforward it will be for an attacker to use CVE-2021-26829 to show an arbitrary message every time an HMI web page is visited, by including HTML/JavaScript code to a particular subject on the ‘System settings’ web page.
The identical video additionally confirmed how the XSS vulnerability may be exploited for session hijacking, however TwoNet solely leveraged it for a easy defacement, which signifies that the hackers don’t possess superior hacking abilities.
This isn’t stunning. Hacktivists — and state-sponsored risk teams working below the guise of hacktivism — typically goal ICS/OT within the water sector. Assaults on OT are sometimes most well-liked by hacktivists as a result of the potential affect may be important, and so they can obtain their aim by leveraging easy-to-exploit vulnerabilities corresponding to default or hardcoded credentials.
There don’t seem like another experiences describing in-the-wild exploitation of CVE-2021-26829. It’s unclear if the vulnerability has been exploited by different risk actors.
Nonetheless, subtle risk actors, working outdoors of the noisy hacktivist sphere, would doubtless exploit such vulnerabilities in extremely focused assaults which might be both by no means found or stay confidential between the sufferer and incident response companies.
Associated: Over 370 Organizations Take Half in GridEx VIII Grid Safety Train
Associated: ICS Patch Tuesday: Vulnerabilities Addressed by Siemens, Rockwell, Aveva, Schneider
Associated: Japan Points OT Safety Steering for Semiconductor Factories
