Over the past decade, we have seen a proliferation of internet-connected industrial control system (ICS) devices as part of the broader trend of digital transformation. All too often, however, ICS devices connected to the internet are not protected by sufficiently strong passwords (if any) or by any other security control, making them low-hanging fruit for low-skill threat actors.
These actors also have multiple legitimate, public internet-scanning services, such as Shodan.io and Censys.io, at their disposal to help them find web-based human-machine interfaces (HMIs) and similar ICS devices inadvertently exposed to the internet. If a targeted device is password-protected, a threat actor can attempt to brute-force their way in. In many cases, however, these ICS devices are not password-protected at all, granting adversaries immediate, unfettered access.
For HMIs and other ICS devices on Level 2 (Process Network) of the Purdue Model, any direct connection to the internet (Level 5) is inherently problematic, as it gives threat actors a fast track to the physical processes at Level 0. A fundamental challenge for ICS security is the cost and complexity of establishing a secure remote connection to certain devices, especially those in remote locations where adherence to the classic Purdue Model is not feasible.
Claroty researchers identified a timely example of how publicly accessible ICS devices can spell trouble for critical infrastructure operators this past Monday, May 25, when a group of Palestinian hackers who call themselves the Jerusalem Electronic Army published a series of social media posts in which they claim to have compromised control systems related to Israel's water infrastructure.
Group members claim the attack is part of an ongoing second wave of targeted cyber attacks against Israel. These claims appear to be substantiated by multiple screenshots showing access to a web-based HMI for monitoring thermal water processes, including information related to water pressure, temperature, and the location of the monitored device (see image below).
Based on information provided by the Israeli CERT, Claroty researchers surmise the ICS device shown in the published screenshots was not password protected, thus allowing the adversary group to access it simply by finding it. For attention-seeking adversaries with limited capabilities, accessing internet-facing ICS devices can be an easy, non-technical way to get attention and claim victory without carrying out an actual cyber attack. In this recent case, the group's access to an ICS device for the Israeli water supply simply allowed them to monitor processes, and thus had no operational impact. That being said, depending on the functionality of the device they can access, it is possible for an adversary to cause significant disruption and harm.
Beyond exemplifying how internet-facing HMIs are an easy target for adversaries, the Jerusalem Electronic Army's recent interest in Israel's critical water infrastructure reflects increased interest and buzz around attacks targeting critical infrastructure in general, particularly with respect to nation states. Until very recently, the group's activities had been limited to weak attempts to deface Israeli government websites. The majority of these exposed devices not only present a web interface to the internet, but also expose dedicated ICS protocols such as Modbus, EtherNet/IP, and others. These protocols offer a larger potential impact on ICS processes and require only a small amount of user education to leverage.
This sudden shift to OT was likely inspired by Iran's recent attempted cyberattack against an Israeli water facility, which sparked headlines and renewed tensions related to potential cyber warfare between the two nation states. While security issues related to internet-connected ICS devices are nothing new, the increased awareness of critical infrastructure as a highly visible and easily sensationalized target has drastically increased the appeal of ICS targets among threat actors keen on generating shock value.
While the exposed ICS device related to Israel's water supply has since been removed from the internet, vast quantities of ICS devices connected to the internet remain unprotected. At a bare minimum, Claroty strongly advises ICS operators to comply with Israel CERT's recommendations related to threats targeting critical infrastructure. In addition, OT security teams should ensure all internet-connected devices are password-protected and, whenever possible, adhere to ICS security best practices and implement secure access using mechanisms such as VPNs, encryption, and access control lists.
CWE-257: Storing Passwords in a Recoverable Format
RND encrypts passwords with a hardcoded weak secret key and returns the passwords in plaintext. If the server were compromised, an attacker could gain all the plaintext passwords and decrypt them.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 5.3
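As an added illustration of the CWE-257 entry above (example code written for this page, not RND's code), the recoverable storage pattern the advisory describes sits beside a non-recoverable alternative; the key value and the XOR transform are constructed stand-ins for the vendor's weak encryption:

```python
import hashlib
import hmac
import secrets

# Vulnerable pattern, constructed to mirror the CWE-257 finding: a key fixed in
# the source and a reversible transform.  Whoever holds the stored blobs and
# the code (or simply the server) recovers every password.
HARDCODED_KEY = b"CHANGE-ME-placeholder"  # constructed stand-in, not a real key


def xor_with_hardcoded_key(data: bytes) -> bytes:
    # Repeating-key XOR stands in for the vendor's weak encryption.
    return bytes(b ^ HARDCODED_KEY[i % len(HARDCODED_KEY)] for i, b in enumerate(data))


def store_password_recoverable(password: str) -> bytes:
    return xor_with_hardcoded_key(password.encode())


def recover_password(blob: bytes) -> str:
    # The same operation reverses it: the stored value effectively IS the password.
    return xor_with_hardcoded_key(blob).decode()


# Hardened alternative: a salted, iterated one-way hash.  The server can check a
# password but cannot return it, so a compromised database yields no plaintext.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
```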
CWE-321: Use of Hard-coded Cryptographic Key
A built-in user called sshuser, with root privileges, exists on the RND platform. Both the public and private SSH keys exist in the sshuser home directory. Anyone with the private key can access an RND server as sshuser.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 10.0
CWE-259: Use of Hard-coded Password
RND includes a jailed environment to allow users to configure devices without complete shell access to the underlying operating system. The jailed environment includes a built-in jailbreak for technicians to elevate privileges. The jailbreak requires a weak password that is hardcoded into the environment. Anyone with this password can access an RND server with root permissions.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 8.2
CWE-321: Use of Hard-coded Cryptographic Key
RND uses a secret key on the backend web server to ensure that session JWTs are valid. This secret key is hardcoded into the web server. Anyone with knowledge of the secret key could create a valid JWT, thus bypassing the typical authentication to access the server with administrator privileges.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 9.8
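An added example for the CWE-321 JWT entry above (written for this page, not RND's web server code): a minimal HS256 sign/verify pair showing that possession of the secret is the entire trust boundary, plus a startup check that refuses a short or known-default secret; the placeholder default value is constructed:

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    # Anyone holding `secret` can mint a token for any claims, which is why a
    # key baked into every install of the server amounts to a universal admin credential.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    # Returns the claims only for a well-formed HS256 token whose MAC verifies.
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # wrong part count, bad base64, bad JSON, bad UTF-8
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # pin the algorithm; never trust "none"
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


# Constructed stand-in for a value shipped in source; a deployment must refuse it.
KNOWN_DEFAULT_SECRET = b"CHANGE-ME-placeholder"


def is_acceptable_secret(secret: bytes) -> bool:
    # Per-deployment, generated at install time, at least 256 bits (the RFC 7518 minimum for HS256).
    return len(secret) >= 32 and not hmac.compare_digest(secret, KNOWN_DEFAULT_SECRET)
```

Loading the secret from a per-deployment configuration file or environment variable and gating startup on is_acceptable_secret() removes the single shared key the advisory describes.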
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
An authenticated vSZ user supplies an IP address as an argument to be run in an OS command, but this IP address is not sanitized. A user could supply other commands instead of an IP address to achieve RCE.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 9.0
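An added example for the CWE-77 entry above (written for this page, not vSZ's code): the string-building pattern the advisory describes, shown for contrast and never executed, beside the hardened form that allow-lists the value as an IP literal and passes it as a single argv element with no shell involved:

```python
import ipaddress
import subprocess
from typing import List


def build_command_vulnerable(ip: str) -> str:
    # Constructed to mirror the CWE-77 finding: the caller-supplied value is
    # spliced into a string a shell will parse, so ';', '|', '$(...)' and the
    # like turn "an IP address" into additional commands.  Contrast only.
    return f"ping -c 1 {ip}"


def is_valid_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def normalize_ip(value: str) -> str:
    # Allow-list validation: only a syntactically valid IPv4/IPv6 literal
    # passes, and the canonical form is what gets used, not the raw input.
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError as exc:
        raise ValueError(f"rejected, not an IP address: {value!r}") from exc


def build_ping_argv(ip: str) -> List[str]:
    # argv list with shell=False: the address is one argument that no shell
    # ever tokenizes, so metacharacters cannot change the command.
    return ["ping", "-c", "1", normalize_ip(ip)]


def ping_host(ip: str, timeout: float = 5.0) -> int:
    # Validation runs before subprocess is touched; an invalid value raises.
    result = subprocess.run(build_ping_argv(ip), shell=False, capture_output=True, timeout=timeout)
    return result.returncode
```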