
Over 100 Building Controllers in Russia Vulnerable to Remote Hacker Attacks

A researcher has identified critical vulnerabilities that can allegedly be exploited to remotely hack a building controller predominantly used by organizations in Russia.


The security flaws were discovered by researcher Jose Bertin in a controller made by Russian company Tekon Avtomatika, which specializes in equipment and software for elevators and other building systems.

A Shodan search shows more than 100 internet-exposed Tekon controllers that the vendor describes as “engineering equipment controllers.” Shodan currently shows 117 devices located in Russia and three in Ukraine.

Building controllers in Russia exposed to hacker attacks

In a blog post published last week, the researcher said the devices can be hacked due to the use of default credentials. The default credentials provide access with admin privileges to the Tekon controller’s user interface. However, the researcher claims to have found a way to execute code with root privileges by abusing a feature that allows users to add plugins.

These plugins are Lua scripts that can be added in a dedicated section of the user interface. Users upload a plugin file and then click a “Save/Load” button, which causes the controller to execute the script.
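The weakness described above is that a plugin host executes uploaded scripts with the full privileges of the controller process. As an added, defender-side illustration (not Tekon's code; nothing on the page says how the controller actually loads plugins), the snippet below shows the standard Lua technique for running untrusted chunks inside an explicit environment table: `load` in Lua 5.2 or later accepts an environment argument and a mode string, so the host can withhold `os`, `io`, `require` and similar functions and refuse precompiled bytecode. The two plugin strings are constructed for the example.

```lua
-- Added example: a restricted environment for uploaded plugin scripts.
-- Requires Lua 5.2+ (load(chunk, name, mode, env)); on Lua 5.1 use setfenv.

local function make_plugin_env()
  -- Only the functions a plugin legitimately needs are exposed; each is
  -- copied by value so a plugin cannot mutate the host's global tables.
  local env = {
    print = print, pairs = pairs, ipairs = ipairs, next = next,
    select = select, tonumber = tonumber, tostring = tostring, type = type,
    pcall = pcall, error = error, assert = assert,
    math = math,
    string = {
      format = string.format, sub = string.sub, len = string.len,
      upper = string.upper, lower = string.lower, find = string.find,
      gsub = string.gsub, byte = string.byte, char = string.char,
    },
    table = {
      insert = table.insert, remove = table.remove,
      concat = table.concat, sort = table.sort,
    },
  }
  -- Deliberately absent: os, io, load, loadfile, dofile, require, package,
  -- debug, rawget, rawset, setmetatable, getmetatable, collectgarbage.
  return env
end

-- Compile and run one plugin. Mode "t" accepts text source only; precompiled
-- bytecode is rejected because malformed bytecode can escape a sandbox.
local function run_plugin(source, name)
  local chunk, err = load(source, name, "t", make_plugin_env())
  if not chunk then
    return false, "refused to load plugin " .. name .. ": " .. err
  end
  return pcall(chunk)
end

-- Constructed sample plugins for the example.
local benign = [[
  local total = 0
  for i = 1, 10 do total = total + i end
  return total
]]
local reaches_for_os = [[
  return os.getenv("HOME")   -- os is nil inside the restricted env
]]

print(run_plugin(benign, "benign"))          -- true  55
print(run_plugin(reaches_for_os, "hostile")) -- false  ... attempt to index a nil value (global 'os')
```

An environment table only limits what a plugin can reach from Lua: it does not bound CPU time or memory, and the string metatable still exposes the host's `string` library to string values. The OS-level controls matter at least as much: run the plugin host as a dedicated unprivileged user rather than root, require an authenticated administrator whose password is not the factory default before any upload is accepted, and log every plugin load with the uploading account, since that is the step the article's attack chain depends on.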

The researcher created a proof-of-concept (PoC) script that allowed him to obtain root privileges and take complete control of the targeted device, which in turn could be used to cause significant disruption.

“I got RCE and privilege escalation from an admin user to root. Now we can do whatever — more critically those [100] devices can be shut down at once, creating an impact in Russian SCADA systems, remotely,” the researcher said in his blog post.

He told SecurityWeek that an “attacker could execute dangerous actions, like shut down the device or implant a backdoor. There are like 100 available and, according to Tekon, those devices could be placed in building elevators and SCADA environments as well — the impact could be dangerous.”


Many hackers have been trying to cause direct or indirect damage to Russia through DDoS attacks, data leaks and intrusions in response to its invasion of Ukraine. The timing of the research and the disclosure could be seen as an encouragement for hacktivists to take advantage of the flaws.


However, Bertin’s blog post does not mention the Ukraine-Russia war and the researcher told SecurityWeek that the goal of his report is not to cause damage.

“The post is pretty much straightforward to the technicals and OSINT related to SCADA devices,” he explained. “I usually track down SCADA devices around the world, but this time something cool popped up in Russia, so I decided to share with the world. Trying to make a better world — a secure world — for everyone, as I’ve been doing the last 12 years of my cyber security career.”

Bertin admitted that he did not contact the vendor before making his findings public, but said that he will try to reach the company.

SecurityWeek sent a request for comment to the vendor two days before this article was published, but we have yet to receive a response.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
