Security Experts: Old, Inconspicuous Vulnerabilities Commonly Targeted in OT Scanning Activity

Data collected by IBM shows that old and inconspicuous vulnerabilities affecting industrial products are commonly targeted in scanning activity seen by organizations that use operational technology (OT). SecurityWeek has talked to several experts to find out what this data means and determine the threat posed by these security holes.

Last week, IBM Security’s X-Force research and intelligence unit published a report describing the OT threat landscape in the first half of 2022. The findings from the report are not surprising: manufacturing continues to be the most targeted industry, phishing remains the main initial infection vector, and spam, RATs and ransomware are the most commonly seen attack types.

IBM has also looked at vulnerability scanning activity and found that the top two methods, accounting for more than 80% of scanning, are port scanning and Shodan scanning.

Much of the scanning appeared to be indiscriminate and did not seem to be specifically aimed at organizations with OT environments. However, an analysis of the attack alerts from OT-related industries showed that the most commonly targeted vulnerability was CVE-2016-4510, a flaw in the WAP interface of the Trihedral VTScada SCADA software that allows remote attackers to bypass authentication and read arbitrary files.

Other vulnerabilities that attackers commonly scan for include CVE-2021-21801, CVE-2021-21802, and CVE-2021-21803, which are cross-site scripting (XSS) issues affecting Advantech’s R-SeeNet router monitoring software, as well as CVE-2018-12634, a credential disclosure flaw affecting Circontrol’s CirCarLife SCADA software for electric vehicle charging stations.
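The scanning the report describes is broad and web based, so on an internet-exposed OT web interface it typically shows up as a single source requesting many distinct paths in a short window and collecting mostly 4xx responses. The following detection sketch is an added example written for this article, not IBM X-Force code or any vendor's product logic; it parses combined-format web server logs and flags sources matching that pattern. The log lines, thresholds (`min_paths`, `min_4xx_ratio`, the five-minute window) and the addresses are all constructed for the example.

```python
"""Flag likely vulnerability-scanning sources in web access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(lines, window=timedelta(minutes=5), min_paths=8, min_4xx_ratio=0.6):
    """Return {ip: summary} for sources that, within any `window`, requested at
    least `min_paths` distinct paths and got mostly client-error responses.
    Repeated hits on one path (a broken integration, an operator retrying) do
    not qualify, because distinct paths are what separate a scan from noise."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end in range(len(recs)):
            # slide the window start forward until the span fits in `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            paths = {r["path"] for r in win}
            ratio = sum(400 <= r["status"] < 500 for r in win) / len(win)
            if len(paths) >= min_paths and ratio >= min_4xx_ratio:
                if best is None or len(paths) > best["distinct_paths"]:
                    best = {
                        "requests": len(win),
                        "distinct_paths": len(paths),
                        "client_error_ratio": round(ratio, 2),
                        "user_agent": win[-1]["ua"],
                    }
        if best:
            flagged[ip] = best
    return flagged


# Constructed sample log: one probing source, one normal operator session, and
# one source retrying a single missing endpoint (should not be flagged).
_SCAN_UA = '"-" "Mozilla/5.0 (compatible; example-scanner/1.0)"'
_OPS_UA = '"-" "Mozilla/5.0 (Windows NT 10.0) Firefox/102.0"'
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2022:13:55:0{i} +0000] "GET {p} HTTP/1.1" {s} 162 {_SCAN_UA}'
    for i, (p, s) in enumerate([("/", 200), ("/admin", 404), ("/login", 404), ("/setup", 404),
                                ("/config", 404), ("/backup", 404), ("/manager", 404),
                                ("/console", 403), ("/status", 404), ("/api", 404)])
] + [
    f'192.0.2.20 - - [10/Oct/2022:13:56:0{i} +0000] "GET {p} HTTP/1.1" 200 5120 {_OPS_UA}'
    for i, p in enumerate(["/", "/hmi/overview", "/hmi/trends", "/hmi/alarms"])
] + [
    f'192.0.2.55 - - [10/Oct/2022:13:57:0{i} +0000] "GET /api/v1/missing HTTP/1.1" 404 162 {_OPS_UA}'
    for i in range(6)
]

if __name__ == "__main__":
    for ip, summary in find_scanners(SAMPLE_LOG).items():
        print(ip, summary)
```

On an OT web interface the legitimate request baseline is usually tiny, so the thresholds can be set far lower than on a public web application; the flagged source, its user agent and the paths it probed are what you would hand to the SIEM or block at the perimeter, and a match against a scanner for a product you actually run is the cue to check patch status for that product.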

[Image: OT vulnerability scanning data from IBM]

While these vulnerabilities are commonly targeted in scanning activity, they haven’t drawn attention and there do not appear to be any public reports describing their exploitation in the wild.

Mike Worley, strategic cyber threat analyst at IBM Security X-Force, clarified for SecurityWeek that its network attack data does not indicate that these vulnerabilities have been exploited in the wild and reiterated that they appear to be part of broad vulnerability scanning efforts that do not necessarily target OT environments.

While IBM has not seen any successful exploitation of the vulnerabilities in customer environments, Worley warned that they could end up being exploited if the targeted environment has these security holes.

SecurityWeek has reached out to several cybersecurity companies — including ones specializing in securing industrial control systems (ICS) and other OT systems — to see if they have seen exploitation of these flaws and to learn about the risks they pose.

Kaspersky’s Kirill Kruglov said that, according to the company’s threat intelligence and incident response data, none of the aforementioned vulnerabilities has been exploited in the wild, but he could not rule out that they will be leveraged in attacks in the future.

Claroty’s VP of research, Amir Preminger, said the company is not aware of any active exploitation either, but noted that “the main common theme of the mentioned vulnerabilities is that they are easy to implement and are web based vulnerabilities which also make it easy to scan.”

Roman Faithfull, cyber threat intelligence analyst at Digital Shadows, said that some attackers may use vulnerability scanning tools and Metasploit modules to scan for a large list of flaws, rather than scanning for these vulnerabilities specifically. However, he believes that while it’s realistically possible that attackers might find those vulnerabilities during a scan, they could have no wish or capability to exploit them.


Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks, has looked at the vulnerabilities mentioned in the IBM report and pointed out their limitations.

The Trihedral flaw, for instance, affects a legacy feature that had only been used by a ‘small fraction’ of VTScada users at the time of its disclosure in 2016. In the case of the Advantech vulnerabilities, attackers can scan for their presence, but actual exploitation of the XSS flaws requires several steps, including users clicking on a link. As for the CirCarLife issue, there is no impact to integrity and availability, Jablanski noted.

“We know that OT-specific attacks can sometimes be opportunistic to try to target ‘low hanging fruit’ or copy and paste repeatable tactics, techniques, and code to produce any impact at a low cost,” Jablanski said. “However, there are fewer opportunities to reuse or automate attacks in OT networks. Highly tailored techniques that are more custom and less repeatable require more resources and reconnaissance, and are less likely to be used in widespread scanning and probing.”

Ilan Barda, the CEO of Radiflow, noted that IBM’s data showing an increase in OT attack attempts is in line with what the company is seeing in the field.

Barda has also confirmed that these specific vulnerabilities do not appear to have been successfully exploited, but pointed out that he is aware of similar products being targeted and exploited.

For instance, while he is not aware of attacks specifically targeting the Advantech R-SeeNet Gateway, he said this is a very popular gateway for remote industrial sites and Radiflow has seen multiple attack attempts on such sites via these types of gateways.

Regarding the CirCarLife SCADA product used in electric car charging systems, Barda said they have seen attacks on charging system networks, which “are being rapidly deployed and in many cases not with the proper security design in place.”

While the Trihedral vulnerability may not be exploited in actual attacks right now, SecurityWeek has noticed that a different Trihedral VTScada flaw discovered in 2016, CVE-2016-4523, which can be used to download arbitrary files or crash the server, is listed in CISA’s Known Exploited Vulnerabilities Catalog.

“The fact that these CVEs are rather old is in line with what we see in OT networks — patching is not done very frequently due to the operational constraints. This is the main concern that we hear from customers — we get reports on many vulnerabilities but we can't patch everything due to the objection of the operations teams,” Barda said.

Related: Hundreds of ICS Vulnerabilities Disclosed in First Half of 2022

Related: ICS Exploits Earn Hackers $400,000 at Pwn2Own Miami 2022

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.