Critical infrastructure facilities running on operational technology (OT) devices are now a “constant target” of threat actors looking to disrupt industrial operations, according to research released Tuesday by Forescout.
Threat actors target OT and IoT devices because they are the most difficult to patch. In one instance, threat actors have been observed exploiting a cross-site script (XSS) vulnerability that affects OT converter devices from Chiyu Technology, a Taiwanese manufacturer, leading to speculation that the attackers are possibly linked to China.
Forescout said the vulnerability — CVE-2021-31250 — was attacking Chiyu coverters typically used to connect serial devices — such as access control, CNC machines, and flow meters — to the IP network for monitoring and control.
“We saw this as more of a targeted attack,” said Elisa Costante, vice president, research at Forescout. “The fact that it was a Taiwan manufacturer targeted is even more interesting because it means it was possibly connected to Chinese activities.”
Costante said the researchers also observed attackers using protocols associated with the electricity sector to create connections and exploit OT devices. Along with Modbus, Constante said they observed attackers using DNP3, MMS, and Synchrophasor to attack OT devices and systems that typically have weak authentication and encryption.
“Attackers are constantly probing these devices for weaknesses and many organizations are often blind to that because they believe they do not have OT assets to protect,” said the Forescout report. “The truth is that building automation and even protocols such as Modbus for industrial automation are now found in almost every organization and are a target for attackers.”
Bot networks are getting more advanced, complex
The company also said botnets have expanded their capabilities, targeting internet of things (IoT) devices to conduct lateral movement in enterprise networks.
Constante said security researchers need to understand that botnets such as Mirai have evolved. When it first hit in 2016, the Mirai botnet attacked IP cameras using the Telnet protocol, exploiting default passwords mainly to launch denial-of-service attacks. Today, such networks have expanded to using the SSH protocol to target medical devices and network-attached storage to drop other types of malware, such as ransomware.
“They are expanding their capabilities and using the SSH protocol to attack other vulnerabilities and do lateral movement,” Constante said. “When people hear of botnets they dismiss them, but they really need to look at them carefully because they are being used in a more complex way, targeting IoT.”
Murali Palanisamy, chief solutions officer at AppViewX, explained that OT security and SSH security are areas that have been neglected amidst the rapid development of the IoT market. OpenSSH and SSH implementations have not changed much in spite of enhancements and additional security controls such as SSH Certificates.
“Very few organizations have even implemented the SSH Certificates, mainly due to the need for automation to manage them and just-in-time access capabilities,” said Palanisamy.
Bud Broomhead, chief executive officer of Viakoo, added that devices within the IoT/OT network that act as gateways, or enable analog to digital conversion to digitally connect analog IoT/OT devices, are always a target for threat actors.
“The teams managing IoT/OT devices are often the line-of-business and not IT, and therefore may not have the skills or training to hunt down threats in their infrastructure very effectively,” said Broomhead. “That’s why in cases like with Chiyu devices, there may not be much attention paid to them unless the line-of-business managing them is trained in how to assess their vulnerabilities and perform cyber hygiene.”
