Researchers demonstrated recently that hackers could launch a Stuxnet-style attack against Schneider Electric’s Modicon programmable logic controllers (PLCs), but it’s believed that products from other vendors could also be vulnerable to the same type of attack.
The notorious Stuxnet malware, which the United States and Israel used to cause damage to Iran’s nuclear program, was designed to target SIMATIC S7-300 and S7-400 PLCs made by Siemens. Stuxnet loaded malicious code onto targeted PLCs by abusing Siemens’ STEP7 software, which is provided by the German industrial giant for programming controllers.
Stuxnet replaced a library named s7otbxdx.dll, which STEP7 uses to access a PLC, with a malicious version using a method called reflective DLL loading, which involves loading a DLL from memory. This allowed the attackers to inject their malicious code into the targeted controller.
Researchers at Airbus CyberSecurity have analyzed Schneider Electric’s Modicon M340 PLC to determine if it’s vulnerable to similar attacks. The attack targeted the controller via Schneider’s EcoStruxure Control Expert engineering software, formerly known as Unity Pro.
Their analysis led to the discovery of a vulnerability that can be exploited to upload malicious code to Modicon M340 and M580 PLCs by replacing one of the DLL files associated with the engineering software.
Such an attack could have serious consequences, including the disruption of manufacturing processes or other types of damage, Airbus CyberSecurity told SecurityWeek.
“More interestingly from the IT point of view, the attacker could transform the PLC into a proxy,” Airbus researchers explained. “This would allow him to send requests and communicate with the network to which the PLC is connected. For example, he could access the internal corporate network to steal intellectual property or launch attacks to target other connected systems.”
The experts also pointed out that the attacker can maintain control of the compromised device over the internet and without having access to the corporate network once the vulnerability has been exploited and the malicious code loaded.
“The legitimate automation software would be running without showing any signs that a malicious program was embedded. The malicious part would periodically send requests to a command and control server controlled by the attacker over the Internet,” they explained.
While such an attack could be highly damaging or disruptive — or it could give the attacker an advantage — exploiting the vulnerability is not an easy task. The hacker first needs to gain access to the targeted organization’s ICS perimeter and be able to communicate with the targeted PLC.
“This is already a very significant operation which is likely to involve gaining privileged access over a number of machines. If attackers have reached this point, multiple security defense measures either are not in place or have failed,” Airbus CyberSecurity researchers noted.
The attacker then needs to download the automation program from the PLC. This can be done from a compromised engineering station or if the PLC is accessible to any machine on the network without authentication. The attacker must then recompile the automation program using the techniques described by Airbus researchers, and create a malicious program that they embed into the legitimate automation software.
Finally, the attacker needs to upload the modified program to the PLC and run it, but this requires stopping and starting the automation software, and experts say this operation could be noticed.
On the other hand, the researchers said, “From this point on, the attacker could design and compile any given program and send it through the C&C server. The DownloadExec program on the PLC would download and execute it on the fly (no need to go through a stop/start sequence).”
The vulnerability discovered by Airbus researchers in Schneider Electric products is tracked as CVE-2020-7475 and classified as high severity. It has been patched by the company with a hotfix for EcoStruxure Control Expert and firmware updates for Modicon M340 and M580 controllers. Step-by-step instructions have been provided by the vendor for addressing the flaw.
However, Schneider also pointed out that these types of vulnerabilities impact the products of other vendors as well, although no vendors have been named.
“Airbus Cybersecurity’s research was intended to demonstrate the theoretical possibility of executing a very specific type of cyber-attack (Reflective DLL) on industrial controllers under certain conditions, such as when an attacker has already compromised the engineering workstation or has had unauthorized access to the targeted controller. The aim of the research was to help Airbus Cybersecurity protect its operations technology and industrial assets in general,” a Schneider Electric representative told SecurityWeek.
“Through our collaboration with them, our mutual findings demonstrate that while the discovered vulnerability affects Schneider Electric offers, it equally impacts many other vendors and the global industrial automation market in general, especially when the baseline assumption of the attack technique Airbus Cybersecurity demonstrated is considered. Given certain conditions, and assuming an attacker has access to the network, many devices available from several different industrial control vendors are likewise vulnerable to this type of cyber-attack,” they added.
Schneider Electric and Airbus say they encourage all industrial companies to ensure that they have implemented cybersecurity best practices across their operations and supply chains in an effort to reduce the risk of attacks.
“Where appropriate this includes locating industrial systems and remotely accessible devices behind firewalls; installing physical controls to prevent unauthorized access; preventing mission-critical systems and devices from being accessed from outside networks; systematically applying security patches and activating antivirus software; and applying whitelisting solutions,” Schneider said.