Old, Inconspicuous Vulnerabilities Commonly Targeted in OT Scanning Activity

Data collected by IBM shows that old and inconspicuous vulnerabilities affecting industrial products are commonly targeted in scanning activity seen by organizations that use operational technology (OT). SecurityWeek has talked to several experts to find out what this data means and determine the threat posed by these security holes.

Last week, IBM Security’s X-Force research and intelligence unit published a report describing the OT threat landscape in the first half of 2022. The findings from the report are not surprising: manufacturing continues to be the most targeted industry, phishing remains the main initial infection vector, and spam, RATs and ransomware are the most commonly seen attack types.

IBM has also looked at vulnerability scanning activity and found that the top two methods, accounting for more than 80% of scanning, are port scanning and Shodan scanning.

Much of the scanning appeared to be indiscriminate and did not seem to be specifically aimed at organizations with OT environments. However, an analysis of the attack alerts from OT-related industries showed that the most commonly targeted vulnerability was CVE-2016-4510, a flaw in the WAP interface of the Trihedral VTScada SCADA software that allows remote attackers to bypass authentication and read arbitrary files.

Other vulnerabilities that attackers commonly scan for include CVE-2021-21801, CVE-2021-21802, and CVE-2021-21803, which are cross-site scripting (XSS) issues affecting Advantech’s R-SeeNet router monitoring software, as well as CVE-2018-12634, a credential disclosure flaw affecting Circontrol’s CirCarLife SCADA software for electric vehicle charging stations.

OT vulnerability scanning data from IBM

While these vulnerabilities are commonly targeted in scanning activity, they haven’t drawn attention and there do not appear to be any public reports describing their exploitation in the wild.

Mike Worley, strategic cyber threat analyst at IBM Security X-Force, clarified for SecurityWeek that its network attack data does not indicate that these vulnerabilities have been exploited in the wild and reiterated that they appear to be part of broad vulnerability scanning efforts that do not necessarily target OT environments.

While IBM has not seen any successful exploitation of the vulnerabilities in customer environments, Worley warned that they could end up being exploited if the targeted environment has these security holes.

SecurityWeek has reached out to several cybersecurity companies — including ones specializing in securing industrial control systems (ICS) and other OT systems — to see if they have seen exploitation of these flaws and to learn about the risks they pose.

Kaspersky’s Kirill Kruglov said that, according to the company’s threat intelligence and incident response data, none of the aforementioned vulnerabilities has been exploited in the wild, but he could not rule out that they will be leveraged in attacks in the future.

Claroty’s VP of research, Amir Preminger, said the company is not aware of any active exploitation either, but noted that “the main common theme of the mentioned vulnerabilities is that they are easy to implement and are web based vulnerabilities which also make it easy to scan.”

Roman Faithfull, cyber threat intelligence analyst at Digital Shadows, said that some attackers may use vulnerability scanning tools and Metasploit modules to scan for a large list of flaws, rather than scanning for these vulnerabilities specifically. However, he believes that while it’s realistically possible that attackers might find those vulnerabilities during a scan, they could have no wish or capability to exploit them.

Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks, has looked at the vulnerabilities mentioned in the IBM report and pointed out their limitations.

The Trihedral flaw, for instance, affects a legacy feature that had only been used by a ‘small fraction’ of VTScada users at the time of its disclosure in 2016. In the case of the Advantech vulnerabilities, attackers can scan for their presence, but actual exploitation of the XSS flaws requires several steps, including users clicking on a link. As for the CirCarLife issue, there is no impact to integrity and availability, Jablanski noted.

“We know that OT-specific attacks can sometimes be opportunistic to try to target ‘low hanging fruit’ or copy and paste repeatable tactics, techniques, and code to produce any impact at a low cost,” Jablanski said. “However, there are fewer opportunities to reuse or automate attacks in OT networks. Highly tailored techniques that are more custom and less repeatable require more resources and reconnaissance, and are less likely to be used in widespread scanning and probing.”

Ilan Barda, the CEO of Radiflow, noted that IBM’s data showing an increase in OT attack attempts is in line with what the company is seeing in the field.

Barda has also confirmed that these specific vulnerabilities do not appear to have been successfully exploited, but pointed out that he is aware of similar products being targeted and exploited.

For instance, while he is not aware of attacks specifically targeting the Advantech R-SeeNet Gateway, he said this is a very popular gateway for remote industrial sites and Radiflow has seen multiple attack attempts on such sites via these types of gateways.

Regarding the CirCarLife SCADA product used in electric car charging systems, Barda said they have seen attacks on charging system networks, which “are being rapidly deployed and in many cases not with the proper security design in place”.

While the Trihedral vulnerability may not be exploited in actual attacks right now, SecurityWeek has noticed that a different Trihedral VTScada flaw discovered in 2016, CVE-2016-4523, which can be used to download arbitrary files or crash the server, is listed in CISA’s Known Exploited Vulnerabilities Catalog.

“The fact that these CVEs are rather old is in line with what we see in OT networks — patching is not done very frequently due to the operational constraints. This is the main concern that we hear from customers — we get reports on many vulnerabilities but we can’t patch everything due to the objection of the operations teams,” Barda said.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.