
Over 100 Building Controllers in Russia Vulnerable to Remote Hacker Attacks

A researcher has identified critical vulnerabilities that can allegedly be exploited to remotely hack a building controller predominantly used by organizations in Russia.

The security flaws were discovered by researcher Jose Bertin in a controller made by Russian company Tekon Avtomatika, which specializes in equipment and software for elevators and other building systems.

A Shodan search shows more than 100 internet-exposed Tekon controllers that the vendor describes as “engineering equipment controllers.” Shodan currently shows 117 devices located in Russia and three in Ukraine.

Building controllers in Russia exposed to hacker attacks

In a blog post published last week, the researcher said the devices can be hacked due to the use of default credentials. The default credentials provide access with admin privileges to the Tekon controller’s user interface. However, the researcher claims to have found a way to execute code with root privileges by abusing a feature that allows users to add plugins.

These plugins are Lua scripts that can be added in a dedicated section of the user interface. Users can upload a plugin file and then click a “Save/Load” button to execute it.
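The root cause described above is a plugin feature that runs uploaded Lua scripts with the full privileges of the host process. The following is an added illustration, not Tekon's code or anything from the researcher's post, of how a plugin host can load such scripts into a restricted environment so that a script has no handle on the operating system, filesystem or process; the two plugin strings are constructed samples, and the host process is assumed to run as an unprivileged service account rather than root.

```lua
-- Added illustration (not Tekon's code): execute an uploaded plugin inside
-- a restricted environment instead of the host's global environment.
local function make_sandbox()
  -- Expose only pure library functions; deliberately omit os, io, require,
  -- package, debug, dofile and loadfile so the plugin cannot reach the system.
  local env = {
    print = print, pairs = pairs, ipairs = ipairs, tostring = tostring,
    tonumber = tonumber, type = type, select = select, error = error,
    pcall = pcall, string = string, table = table, math = math,
  }
  env._G = env
  return env
end

-- Load the plugin as text only ("t"): rejecting precompiled bytecode matters,
-- because malformed bytecode can break out of an environment-based sandbox.
local function run_plugin(name, source)
  local chunk, err = load(source, "=" .. name, "t", make_sandbox())
  if not chunk then
    return false, "syntax error: " .. tostring(err)
  end
  local ok, result = pcall(chunk)
  if not ok then
    return false, "runtime error: " .. tostring(result)
  end
  return true, result
end

-- Constructed sample plugins used only to exercise the loader.
local benign = [[
  local squares = {}
  for i = 1, 5 do squares[#squares + 1] = i * i end
  return table.concat(squares, ",")
]]
local reaches_for_os = [[
  return os.getenv("HOME")
]]

-- The first call succeeds; the second fails inside the plugin because
-- 'os' is not defined in the sandbox environment.
print(run_plugin("benign", benign))
print(run_plugin("reaches_for_os", reaches_for_os))
```

Environment restriction is a second layer, not a substitute for the first one: the plugin host should also not run as root, and the upload page should not be reachable with vendor default credentials.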

The researcher created a proof-of-concept (PoC) script that allowed him to obtain root privileges and take complete control of the targeted device, access that could potentially be used to cause significant disruption.

“I got RCE and privilege escalation from an admin user to root. Now we can do whatever — more critically those [100] devices can be shut down at once, creating an impact in Russian SCADA systems, remotely,” the researcher said in his blog post.

He told SecurityWeek that an “attacker could execute dangerous actions, like shut down the device or implant a backdoor. There are like 100 available and, according to Tekon, those devices could be placed in building elevators and SCADA environments as well — the impact could be dangerous.”

Many hackers have been trying to cause direct or indirect damage to Russia through DDoS attacks, data leaks and intrusions in response to its invasion of Ukraine. The timing of the research and the disclosure could be seen as an encouragement for hacktivists to take advantage of the flaws.

However, Bertin’s blog post does not mention the Ukraine-Russia war and the researcher told SecurityWeek that the goal of his report is not to cause damage.

“The post is pretty much straightforward to the technicals and OSINT related to SCADA devices,” he explained. “I usually track down SCADA devices around the world, but this time something cool popped up in Russia, so I decided to share with the world. Trying to make a better world — a secure world — for everyone, as I’ve been doing the last 12 years of my cyber security career.”

Bertin admitted that he did not contact the vendor before making his findings public, but said that he will try to reach the company.

SecurityWeek sent a request for comment to the vendor two days before this article was published, but we have yet to receive a response.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
