UPDATED Dec. 14 with CVE information from CISA.
Kinetic conflicts have often been accompanied by attacks online; hacktivists, for example, are often keen to spread their politically motivated messages and attach themselves to one side or another during a conflict. The ongoing war between Israel and Hamas is no exception, with a group known as the CyberAv3ngers claiming to have infiltrated 10 water treatment plants in Israel.
Cybersecurity leaders in the U.S. took notice when the group’s activity spread to a relatively small water facility in Aliquippa, Pa., which on Nov. 25 reported a disruptive attack against one of its booster stations that forced officials to resort to manual processes to maintain safe delivery of water to its 6,600-plus customers.
Officials at the Municipal Water Authority of Aliquippa (MWAA) said public safety was never in jeopardy, and that law enforcement has been called in to investigate. Details are scarce on the initial intrusion, but the target was a PLC/HMI device manufactured by an Israeli company called Unitronics. Several security cameras were also compromised during the intrusion, which also seems to be a CyberAv3ngers calling card.
The attackers left behind a message reading “Every equipment ‘Made in Israel’ is CyberAv3ngers legal target,” which is the first time the group has singled out Israeli technology in its messaging.
Here’s what we know about the attack on the MWAA.
The MWAA booster station (booster stations are pumps that maintain water pressure and flow to the overall system) did trigger an alarm during the attack; officials said they immediately shut down the station and began manual operations.
“They did not get access to anything in our actual water treatment plant or other parts of our system, other than a pump that regulates pressure to elevated areas of our system,” MWAA chairman Matthew Mottes told a local publication. “This pump was on its own computer network, separated from our primary network and is physically miles away.”
The compromised Unitronics V570 PLC/HMI was, at a minimum, defaced, indicating that the attackers at least had access to the device. It’s unclear whether they used that access to damage or interfere with operations by moving laterally elsewhere on the network.
There have been previous reports of remotely exploitable vulnerabilities in the Unitronics VisiLogic software, a development environment and engineering workstation used to program, upload, and download data from PLCs. Unitronics did remediate these issues, and no known public exploits were available at the time.
On Dec. 14, CISA published an advisory for CVE-2023-6448 and the use of default administrative passwords in Unitronics Vision Series PLCs and HMIs. Unitronics self-reported the vulnerability to CISA and recommends users update to VisiLogic version 9.9.00.
Security company Forescout also noted the availability of Metasploit modules and scripts for scanning and fingerprinting Unitronics devices. It’s unknown whether any of these tools were used in the attack against MWAA.
A Shodan search for Unitronics devices reveals close to 2,000 that are internet-facing, including almost 300 V570 series devices. Unitronics PLCs were also the center of a disruptive attack in Israel in April that impacted water delivery for a dozen farms in the Jordan Valley and a sewage company’s water treatment control systems. The PLC was internet-facing and guarded only by a default password that had not been changed by admins, according to a published report.
According to Unitronics documentation, some of its PLCs support VNC as a remote access technology. VNC is a desktop sharing application that is used for support and maintenance purposes for remote equipment. An attacker could, for example, create a specific Shodan search that identifies Unitronics devices with an open VNC port and determine whether authentication is disabled. Default, known, or easily guessable passwords also put these systems at risk of brute-force attacks.
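The "is authentication disabled?" determination above comes straight from the first bytes of the VNC (RFB) handshake, so an operator can run the same check against their own PLC's VNC port before an attacker does. The following is an added example, not code from the article, Unitronics or CISA: it parses the security-type message a server sends after the version exchange (RFB 3.7/3.8 send a count followed by a list of type bytes; RFB 3.3 sends a single 32-bit type; type 1 is "None", type 2 is "VNC Authentication"). The sample handshake bytes are constructed, and `probe()` is a hypothetical helper for use against equipment you are responsible for.

```python
"""Added example (not from the article): parse the RFB (VNC) security handshake
to tell whether a server offers the 'None' security type, i.e. no authentication.

RFB 3.7/3.8: after the version exchange the server sends one byte holding the
number of security types, then that many type bytes (0 means the server refused,
followed by a reason string).  RFB 3.3: the server sends one big-endian 32-bit
security type instead.  Type 1 = None, type 2 = VNC Authentication.
"""
import socket
from typing import Dict, List, Tuple

RFB_NONE = 1
RFB_VNC_AUTH = 2
SECURITY_TYPE_NAMES: Dict[int, str] = {
    1: "None", 2: "VNCAuth", 5: "RA2", 16: "Tight", 18: "TLS", 19: "VeNCrypt",
}

# Constructed handshake captures (not real device data) for offline use.
SAMPLE_NO_AUTH = b"\x02\x01\x02"                     # offers None and VNCAuth
SAMPLE_PASSWORD = b"\x01\x02"                        # offers VNCAuth only
SAMPLE_REFUSED = b"\x00" + b"\x00\x00\x00\x04" + b"busy"   # refused, reason "busy"


def parse_version(banner: bytes) -> Tuple[int, int]:
    """Parse the 12-byte 'RFB xxx.yyy\\n' banner into (major, minor)."""
    if len(banner) != 12 or not banner.startswith(b"RFB "):
        raise ValueError(f"not an RFB banner: {banner!r}")
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def parse_security_types(data: bytes, version: Tuple[int, int] = (3, 8)) -> List[int]:
    """Return the security types a server offered, given the bytes it sent after
    the version exchange.  Raises ConnectionError when the server refused."""
    if version < (3, 7):
        if len(data) < 4:
            raise ValueError("truncated RFB 3.3 security type")
        sec_type = int.from_bytes(data[:4], "big")
        if sec_type == 0:
            raise ConnectionError("server refused connection")
        return [sec_type]
    if not data:
        raise ValueError("empty security-type message")
    count = data[0]
    if count == 0:
        reason_len = int.from_bytes(data[1:5], "big")
        reason = data[5:5 + reason_len].decode("latin-1", "replace")
        raise ConnectionError(f"server refused connection: {reason}")
    types = list(data[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-type list")
    return types


def assess(types: List[int]) -> str:
    """Classify the exposure implied by the offered security types."""
    names = ", ".join(SECURITY_TYPE_NAMES.get(t, f"type {t}") for t in types)
    if RFB_NONE in types:
        return f"EXPOSED: authentication disabled (offers: {names})"
    if RFB_VNC_AUTH in types:
        return f"WEAK: VNC password authentication only (offers: {names})"
    return f"REVIEW: non-default security types (offers: {names})"


def probe(host: str, port: int = 5900, timeout: float = 5.0) -> str:
    """Hypothetical helper: connect to a VNC endpoint you own, complete the
    version exchange and classify what the server offers.  Not run offline."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        version = min(parse_version(sock.recv(12)), (3, 8))  # never claim > 3.8
        sock.sendall(b"RFB %03d.%03d\n" % version)
        return assess(parse_security_types(sock.recv(256), version))


if __name__ == "__main__":
    for label, sample in (("no-auth", SAMPLE_NO_AUTH), ("password", SAMPLE_PASSWORD)):
        print(label, "->", assess(parse_security_types(sample)))
```

The check stops after the security-type list and never sends a password, so it answers only the exposure question. A "WEAK" result still warrants attention: VNC password authentication is a short DES challenge-response, and the recommendation to change the shipped default password applies to it as much as to the PLC login.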
The Cybersecurity and Infrastructure Security Agency (CISA) also published an alert this week that it was responding to the MWAA incident along with law enforcement. It cautioned that other facilities may be targeted in similar opportunistic attacks such as the MWAA incident. CISA said in its alert that “cybersecurity weaknesses” such as poor password security and unsecure connections to the internet were likely exploited.
CISA recommends to Unitronics users:
Change the default password (1111) on all PLCs and HMIs
Implement multifactor authentication for remote access from internal and external networks to OT systems
Remove PLCs from the internet
Secure remote connections with a firewall or VPN; multifactor authentication may be deployed on the firewall or VPN should the PLC or HMI not support it
Ensure PLC and HMI applications are backed up and available
Change default ports that may be targeted (20256 for Unitronics and 5900 for VNC)
Ensure PLC versions are current
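Several of the recommendations above (remove PLCs from the internet, put remote access behind a firewall or VPN, watch the 20256 and 5900 ports) can be verified from the perimeter firewall's own connection log. The following is an added example, not code from the article or CISA: it parses a constructed syslog-style connection log, flags any session to a PLC or VNC port whose source lies outside the plant's internal address space, and distinguishes allowed sessions (the device is reachable from the internet) from denied ones (the port is being probed). The log format, the RFC 1918 internal ranges and all addresses are assumptions; adjust them to your site.

```python
"""Added example (not from the article or CISA): scan firewall connection logs
for traffic that violates the recommendations above, namely PLC/HMI service
ports (20256 for Unitronics, 5900 for VNC) reached from outside the plant's
own address space.  The log format and addresses below are constructed.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Ports CISA names as targets; extend for other vendors' engineering protocols.
OT_PORTS: Dict[int, str] = {20256: "Unitronics PCOM", 5900: "VNC"}

# Assumption: the plant's internal ranges are RFC 1918; adjust for your site.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed syslog-style format: "<ts> <fw> conn src=A:p dst=B:p action=allow|deny".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<fw>\S+)\s+conn\s+src=(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+action=(?P<action>allow|deny)\s*$"
)

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2023-11-25T14:02:11Z fw1 conn src=10.20.5.7:51234 dst=10.20.9.15:20256 action=allow
2023-11-25T14:02:40Z fw1 conn src=203.0.113.45:40112 dst=10.20.9.15:20256 action=allow
2023-11-25T14:03:02Z fw1 conn src=198.51.100.9:58821 dst=10.20.9.15:5900 action=allow
2023-11-25T14:03:30Z fw1 conn src=198.51.100.9:58822 dst=10.20.9.15:5900 action=deny
2023-11-25T14:04:10Z fw1 conn src=10.20.5.8:51300 dst=10.20.9.15:22 action=allow
garbage line that should be skipped
"""


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one connection record, or None for unparseable lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_external_ot_access(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per connection to an OT port from a non-internal source."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        dport = int(rec["dport"])
        if dport not in OT_PORTS or is_internal(rec["src"]):
            continue
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "dst": f'{rec["dst"]}:{dport}',
            "service": OT_PORTS[dport],
            # An allowed session means the PLC is reachable from the internet;
            # a denied one is still evidence the port is being probed.
            "severity": "EXPOSED" if rec["action"] == "allow" else "PROBED",
        })
    return findings


def sources_by_hits(findings: List[Dict[str, str]]) -> Counter:
    """Count findings per external source to spot repeated probing."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    results = find_external_ot_access(SAMPLE_LOG)
    for f in results:
        print(f["severity"], f["ts"], f["src"], "->", f["dst"], f["service"])
    print(sources_by_hits(results))
```

Any "EXPOSED" finding is a direct contradiction of the "remove PLCs from the internet" item and should be treated as a firewall policy defect rather than a one-off alert; "PROBED" findings from the same source repeatedly hitting port 5900 are the kind of signal that precedes a brute-force attempt against a default password.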
Hacktivists will continue to inject themselves into military and political conflicts and align their activities with one side, and these incidents may not be confined to the regions where kinetic conflict is happening. Even trivial attacks can be disruptive, and organizations are urged to adhere to minimal security measures such as password security and secure remote access to blunt them.
As recently as two years ago, the water and wastewater critical infrastructure sector identified major cybersecurity challenges spanning everything from human and financial resourcing to threat intelligence and security tooling. Among the areas ripe for improvement were minimizing exposure of control systems to the internet, identifying and remediating vulnerabilities, and securing remote access to OT systems.
This lines up with advice from the federal government, including CISA, that basic security hygiene is a minimal baseline for organizations across the 16 critical infrastructure sectors. The MWAA attack should also reinforce to security leaders that any organization is at risk for opportunistic attacks at scale that could quickly turn disruptive.
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 are vulnerable to an attacker impersonating the web application service and misleading victim clients.
Optigo Networks recommends users upgrade to the following:
CVSS v3: 7.5
CWE-288 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain an exposed web management service that could allow an attacker to bypass authentication measures and gain controls over utilities within the products.
Optigo Networks recommends users upgrade to the following:
CVSS v3: 9.8
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard-coded secret key. This could allow an attacker to generate valid JWT (JSON Web Token) sessions.
Optigo Networks recommends users upgrade to the following:
CVSS v3: 7.5
CWE-912 HIDDEN FUNCTIONALITY:
The "update" binary in the firmware of the affected product attempts to mount a remote filesystem at a hard-coded, routable IP address, bypassing the device's existing network settings to do so. The function triggers if the 'C' button is pressed at a specific time during the boot process. If an attacker is able to control or impersonate this IP address, they could upload and overwrite files on the device.
Per FDA recommendation, CISA recommends users remove any Contec CMS8000 devices from their networks.
If asset owners cannot remove the devices from their networks, users should block 202.114.4.0/24 from their networks, or block 202.114.4.119 and 202.114.4.120.
Please note that this device may be re-labeled and sold by resellers.
Read more here: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated….
CVSS v3: 7.5
CWE-295 IMPROPER CERTIFICATE VALIDATION:
The affected product is vulnerable due to failure of the update mechanism to verify the update server's certificate which could allow an attacker to alter network traffic and carry out a machine-in-the-middle attack (MITM). An attacker could modify the server's response and deliver a malicious update to the user.
Medixant recommends users download the v2025.1 or later version of their software.
CVSS v3: 5.7