Infrastructure operators have been warned of potentially “destructive consequences” if they don’t address a critical remote code execution (RCE) flaw discovered in a type of communications equipment commonly used across multiple industries.
It is the latest alert to be sounded in operational technology (OT) and industrial control system (ICS) circles as concerns grow about the risks advanced persistent threat (APT) groups pose to critical infrastructure and industry in general.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Wednesday about two vulnerabilities—one of them critical—affecting a range of Rockwell Automation Allen-Bradley ControlLogix communication modules.
The communications modules are used widely in operational technology settings, including by critical infrastructure operators such as water and energy providers. Organizations using the modules have been urged to address the vulnerabilities by updating to the latest versions of the devices’ firmware “as soon as possible”.
In an advisory (registration required), Rockwell Automation said it had worked with the government to analyze a “novel exploit capability” affecting the modules. The exploit was attributed to unnamed APT actors.
“We are not aware of current exploitation leveraging this capability, and intended victimization remains unclear,” the advisory said.
“Previous threat actors’ cyberactivity involving industrial systems suggests a high likelihood that these capabilities were developed with an intent to target critical infrastructure and that victim scope could include international customers.”
Hackers could take control
Rockwell Automation said malicious actors could exploit the vulnerabilities to alter the modules’ firmware, wipe their memory, falsify traffic to and from the devices, and establish persistence.
“This could result in destructive actions where vulnerable modules are installed, including critical infrastructure,” the advisory said.
The first vulnerability, CVE-2023-3595, had a CVSS v3 rating of 9.8 (critical) and could allow hackers to gain RCE with persistence by sending malicious Common Industrial Protocol (CIP) messages.
“This risk of exploitation is amplified if the module is not segmented from the internet,” said Tenable senior staff research engineer, security response, Satnam Narang, in a post about the vulnerabilities.
“In addition to the compromise of the vulnerable module itself, the vulnerability could also allow an attacker to affect the industrial process along with the underlying critical infrastructure, which may result in possible disruption or destruction.”
The second vulnerability, CVE-2023-3596, had a CVSS rating of 7.5 (high) and could enable threat actors to instigate a denial of service via CIP messages.
Critical infrastructure fears grow
Rockwell Automation’s communication modules are used across a range of industries including energy, transportation and water to enable vital links between IT systems, machines and OT facilities.
“It is common to have multiple network interfaces (physical network cards) configured to bridge and/or segment networks in industrial environments,” Narang said.
Industry’s growing reliance on OT and ICS systems has increased the risk of destructive cyberattacks being launched against critical infrastructure. There are fears that advanced industrial malware, such as PIPEDREAM has already been widely and stealthily injected into many critical systems.
In February this year, amid concerns about the threats posed by PIPEDREAM and other malware, members of the House Homeland Security Committee asked the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency to provide a briefing on potential cyberattacks that domestic terrorists could deploy against U.S. energy infrastructure.
Bad Xenotime memories resurface
In a post, Dragos researchers said the Rockwell Automation communication module RCE vulnerability was similar to a zero-day vulnerability exploited by the Xenotime threat group using Trisis malware.
“Both allow for arbitrary firmware memory manipulation, though CVE-2023-3595 targets a communication module responsible for handling network commands. However, their impact is the same,” the researchers said.
“Additionally, in both cases, there exists the potential to corrupt the information used for incident response and recovery. The attacker could potentially overwrite any part of the system to hide themselves and stay persistent, or the interfaces used to collect incident response or forensics information could be intercepted by malware to avoid detection.”
Communication modules subjected to this type of exploitation would be rendered untrustworthy and would need to be de-commissioned, the post said.
“Dragos advises all ICS/OT asset owners to identify assets with impacted communications modules and update their Rockwell Automation ControlLogix firmware to the latest version as soon as possible.”
