UPDATED Dec. 14 with CVE information from CISA.
Kinetic conflicts have often been accompanied by attacks online; hacktivists, for example, are often keen to spread their politically motivated messages and attach themselves to one side or another during a conflict. The ongoing war between Israel and Hamas is no exception with a group known as the CyberAv3ngers claiming to have infiltrated 10 water treatment plants in Israel.
Cybersecurity leaders in the U.S. took notice when the group’s activity spread to a relatively small water facility in Aliquippa, Pa., which on Nov. 25 reported a disruptive attack against one of its booster stations that forced officials to resort to manual processes to maintain safe delivery of water to its 6,600-plus customers.
Officials at the Municipal Water Authority of Aliquippa (MWAA) said public safety was never in jeopardy, and that law enforcement has been called in to investigate. Details are scarce on the initial intrusion, but the target was a PLC/HMI device manufactured by an Israeli company called Unitronics. Several security cameras were also compromised during the intrusion, which also seems to be a CyberAv3ngers calling card.
The attackers left behind a message, shown below: “Every equipment ‘Made in Israel’ is CyberAv3ngers legal target,” which is the first time the group has singled out Israeli technology in its messaging.
Here’s what we know about the attack on the MWAA.
The MWAA booster station (booster stations are pumps that maintain water pressure and flow to the overall system) did trigger an alarm during the attack, and officials said they immediately shut down the station and began manual operations.
“They did not get access to anything in our actual water treatment plant or other parts of our system, other than a pump that regulates pressure to elevated areas of our system,” MWAA chairman Matthew Mottes told a local publication. “This pump was on its own computer network, separated from our primary network and is physically miles away.”
The compromised Unitronics V570 PLC/HMI was, at a minimum, defaced, indicating that the attackers at least had access to the device. It’s unclear whether they used that access to damage or interfere with operations by moving laterally elsewhere on the network.
There have been previous reports of remotely exploitable vulnerabilities in the Unitronics VisiLogic software, a development environment and engineering workstation used to program, upload, and download data from PLCs. Unitronics did remediate these issues, and no known public exploits were available at the time.
On Dec. 14, CISA published an advisory for CVE-2023-6448 and the use of default administrative passwords in Unitronics Vision Series PLCs and HMIs. Unitronics self-reported the vulnerability to CISA and recommends users update to VisiLogic version 9.9.00.
Security company Forescout also noted the availability of Metasploit modules and scripts for scanning and fingerprinting Unitronics devices. It’s unknown whether any of these tools were used in the attack against MWAA.
A Shodan search for Unitronics devices reveals close to 2,000 that are internet-facing, including almost 300 V570 series devices. Unitronics PLCs were also the center of a disruptive attack in Israel in April that impacted water delivery for a dozen farms in the Jordan Valley and a sewage company’s water treatment control systems. The PLC was internet-facing and guarded only by a default password that had not been changed by admins, according to a published report.
According to Unitronics documentation, some of its PLCs support VNC as a remote access technology. VNC is a desktop sharing application that is used for support and maintenance of remote equipment. An attacker could, for example, craft a Shodan search that identifies Unitronics devices with an open VNC port and determine whether authentication is disabled. Default, known, or easily guessable passwords also put these systems at risk of brute-force attacks.
The Cybersecurity and Infrastructure Security Agency (CISA) also published an alert this week that it was responding to the MWAA incident along with law enforcement. It cautioned that other facilities may be targeted in similar opportunistic attacks such as the MWAA incident. CISA said in its alert that “cybersecurity weaknesses” such as poor password security and unsecure connections to the internet were likely exploited.
CISA recommends to Unitronics users:
Change the default password (1111) on all PLCs and HMIs
Implement multifactor authentication for remote access from internal and external networks to OT systems
Remove PLCs from the internet
Secure remote connections with a firewall or VPN; multifactor authentication may be deployed on the firewall or VPN should the PLC or HMI not support it
Ensure PLC and HMI applications are backed up and available
Change default ports that may be targeted (20256 for Unitronics and 5900 for VNC)
Ensure PLC versions are current
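The CISA recommendations above boil down to two checks a water utility can run against its own telemetry: is anything outside the plant reaching the PLC/HMI ports, and are the two ports CISA names (20256 for Unitronics, 5900 for VNC) still the ones in use? The following script is an added example written for this article, not code from CISA, Unitronics, or the original post. It parses a constructed, simplified firewall log format and flags every allowed connection from a non-private source address to one of those ports; the log format, IP addresses, and helper names are all assumptions for the sake of the example.

```python
"""Flag internet-sourced connections to PLC/HMI service ports in firewall logs.

Added example for this article; not CISA, Unitronics, or the post's own code.
Assumes a constructed one-line-per-connection log format:
    <timestamp> <ALLOW|DENY> <src_ip>:<src_port> -> <dst_ip>:<dst_port>/<proto>
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Ports named in the CISA recommendations. The map is deliberately a plain dict
# so a site that has moved a service off its default port can add the new one;
# changing the port alone does not remove the exposure, it only shrinks the
# number of scanners that find it.
OT_PORTS = {20256: "unitronics", 5900: "vnc"}

# RFC 1918 ranges; anything outside them is treated as "the internet" here.
PRIVATE_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+"
    r"(?P<src>[0-9.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[0-9.]+):(?P<dport>\d+)/(?P<proto>\w+)$"
)


@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    port: int
    service: str
    action: str


def is_internal(ip: str) -> bool:
    """True if the address falls in a private range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_exposed(lines: List[str], include_denied: bool = False) -> List[Finding]:
    """Return connections from non-private sources to OT_PORTS.

    By default only ALLOW entries are returned, since those are the actual
    exposures; include_denied=True also returns blocked probes, which are
    useful as an early-warning signal that the device is being scanned.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than crash
        port = int(rec["dport"])
        if port not in OT_PORTS or is_internal(rec["src"]):
            continue
        if rec["action"] == "DENY" and not include_denied:
            continue
        findings.append(
            Finding(rec["ts"], rec["src"], rec["dst"], port, OT_PORTS[port], rec["action"])
        )
    return findings


# Constructed sample log: 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for arbitrary internet hosts.
SAMPLE_LOG = """\
2023-11-25T03:12:07Z ALLOW 203.0.113.45:51234 -> 192.168.50.10:20256/tcp
2023-11-25T03:12:09Z ALLOW 198.51.100.7:40211 -> 192.168.50.10:5900/tcp
2023-11-25T03:13:00Z ALLOW 192.168.10.5:52000 -> 192.168.50.10:20256/tcp
2023-11-25T03:13:30Z ALLOW 203.0.113.45:51300 -> 192.168.50.20:443/tcp
2023-11-25T03:14:00Z DENY 203.0.113.99:51000 -> 192.168.50.10:5900/tcp
this line is not a firewall record
"""

if __name__ == "__main__":
    for f in find_exposed(SAMPLE_LOG.splitlines(), include_denied=True):
        print(f"{f.timestamp} {f.action:5} {f.src} -> {f.dst}:{f.port} ({f.service})")
```

Run against the constructed sample, the first two lines are reported as exposures (an internet host reaching the Unitronics port and another reaching VNC), the internal engineering-workstation connection and the HTTPS connection are ignored, and the blocked VNC attempt shows up only when denied entries are requested. Any ALLOW finding is a direct violation of the "remove PLCs from the internet" and "secure remote connections with a firewall or VPN" items above; the expected state after remediation is an empty list.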
Hacktivists are going to continue to inject and align their activities into military and political conflicts, and these incidents may not be confined to the regions where kinetic conflict is happening. Even trivial attacks can be disruptive, and organizations are urged to adhere to minimal security measures such as password security and secure remote access to blunt these attacks.
The water and wastewater critical infrastructure sector has, as recently as two years ago, identified major cybersecurity challenges it faces that span everything from human and financial resourcing to threat intelligence and security tooling. Some of the areas ripe for improvement included the need to minimize exposure of control systems to the internet, identification and remediation of vulnerabilities, and secure remote access to OT systems.
This lines up with advice from the federal government, including CISA, that basic security hygiene is a minimal baseline for organizations across the 16 critical infrastructure sectors. The MWAA attack should also reinforce to security leaders that any organization is at risk for opportunistic attacks at scale that could quickly turn disruptive.