Infrastructure operators have been warned of potentially “destructive consequences” if they don’t address a critical remote code execution (RCE) flaw discovered in a type of communications equipment commonly used across multiple industries.
It is the latest alert to be sounded in operational technology (OT) and industrial control system (ICS) circles as concerns grow about the risks advanced persistent threat (APT) groups pose to critical infrastructure and industry in general.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Wednesday about two vulnerabilities—one of them critical—affecting a range of Rockwell Automation Allen-Bradley ControlLogix communication modules.
The communications modules are used widely in operational technology settings, including by critical infrastructure operators such as water and energy providers. Organizations using the modules have been urged to address the vulnerabilities by updating to the latest versions of the devices’ firmware “as soon as possible”.
In an advisory (registration required), Rockwell Automation said it had worked with the government to analyze a “novel exploit capability” affecting the modules. The exploit was attributed to unnamed APT actors.
“We are not aware of current exploitation leveraging this capability, and intended victimization remains unclear,” the advisory said.
“Previous threat actors’ cyberactivity involving industrial systems suggests a high likelihood that these capabilities were developed with an intent to target critical infrastructure and that victim scope could include international customers.”
Hackers could take control
Rockwell Automation said malicious actors could exploit the vulnerabilities to alter the modules’ firmware, wipe their memory, falsify traffic to and from the devices, and establish persistence.
“This could result in destructive actions where vulnerable modules are installed, including critical infrastructure,” the advisory said.
The first vulnerability, CVE-2023-3595, had a CVSS v3 rating of 9.8 (critical) and could allow hackers to gain RCE with persistence by sending malicious Common Industrial Protocol (CIP) messages.
“This risk of exploitation is amplified if the module is not segmented from the internet,” said Satnam Narang, senior staff research engineer for security response at Tenable, in a post about the vulnerabilities.
“In addition to the compromise of the vulnerable module itself, the vulnerability could also allow an attacker to affect the industrial process along with the underlying critical infrastructure, which may result in possible disruption or destruction.”
The second vulnerability, CVE-2023-3596, had a CVSS v3 rating of 7.5 (high) and could enable threat actors to cause a denial of service via CIP messages.
Critical infrastructure fears grow
Rockwell Automation’s communication modules are used across a range of industries including energy, transportation and water to enable vital links between IT systems, machines and OT facilities.
“It is common to have multiple network interfaces (physical network cards) configured to bridge and/or segment networks in industrial environments,” Narang said.
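As an added illustration of the segmentation point raised here and in the earlier quote about modules that are not segmented from the internet (this is example code written for this page, not code from the article, Rockwell Automation, CISA or Tenable), the following Python checker reads flow-log lines and flags EtherNet/IP (CIP) sessions that reach a module from outside the trusted OT subnets. TCP/UDP 44818 and UDP 2222 are the standard EtherNet/IP ports; the log format, the subnet ranges and the sample lines are assumptions constructed for the example.

```python
"""
Flag CIP (EtherNet/IP) sessions that reach a ControlLogix-style
communication module from outside the trusted OT subnets.

Added example: the log format, subnets and sample flow lines below are
constructed for illustration and are not from Rockwell Automation,
CISA or Tenable.
"""
import ipaddress
from dataclasses import dataclass

# EtherNet/IP carries CIP over TCP/UDP 44818 (explicit messaging) and
# UDP 2222 (implicit I/O).  These are the standard EtherNet/IP ports.
CIP_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}

# Assumed trusted OT ranges (constructed for this example).
TRUSTED_OT_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                   ipaddress.ip_network("192.168.100.0/24")]

# RFC 1918 ranges, used to tell "internal but untrusted" (e.g. an IT
# network bridged into the OT segment) from "not internal at all".
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    proto: str
    dport: int
    reason: str


def parse_flow(line):
    """Parse one constructed flow-log line of the form
    '<timestamp> <proto> <src_ip>:<sport> -> <dst_ip>:<dport>'."""
    ts, proto, src, _arrow, dst = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return ts, proto.lower(), src_ip, dst_ip, int(dport)


def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def check_cip_exposure(lines):
    """Return a Finding for every CIP session whose source lies outside
    the trusted OT subnets; non-CIP traffic and trusted sources are ignored."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        _ts, proto, src, dst, dport = parse_flow(line)
        if (proto, dport) not in CIP_PORTS:
            continue  # not EtherNet/IP, out of scope for this check
        if in_any(src, TRUSTED_OT_NETS):
            continue  # expected engineering/HMI traffic
        if in_any(src, RFC1918_NETS):
            reason = "CIP from an internal but untrusted network (possible IT/OT bridge)"
        else:
            reason = "CIP from a non-RFC1918 source (possibly internet-exposed)"
        findings.append(Finding(src, dst, proto, dport, reason))
    return findings


# Constructed sample flows: one trusted session, one from a
# documentation-range address, one from a bridged internal network,
# and one non-CIP session that must be ignored.
SAMPLE_FLOWS = """
2023-07-12T10:00:01Z tcp 10.20.5.17:50122 -> 10.20.1.10:44818
2023-07-12T10:00:04Z tcp 203.0.113.45:41002 -> 10.20.1.10:44818
2023-07-12T10:00:07Z udp 172.16.9.3:2222 -> 10.20.1.10:2222
2023-07-12T10:00:09Z tcp 172.16.9.3:52210 -> 10.20.1.10:443
"""

if __name__ == "__main__":
    for f in check_cip_exposure(SAMPLE_FLOWS.splitlines()):
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {f.reason}")
```

The checker only reasons about where CIP traffic comes from, which is the exposure the advisory and Narang's comments are concerned with; it says nothing about the content of the CIP messages themselves. Run against real flow or firewall logs, any non-trusted source talking to a module on the EtherNet/IP ports is a segmentation gap to close before relying on the firmware update alone.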
Industry’s growing reliance on OT and ICS has increased the risk of destructive cyberattacks being launched against critical infrastructure. There are fears that advanced industrial malware, such as PIPEDREAM, has already been widely and stealthily injected into many critical systems.