Critical flaws in leading cloud-based ICS management platforms could be exploited to attack industrial equipment.
The advantages of employing a cloud-based management platform to monitor and configure industrial control systems (ICS) equipment are clear – efficiency, cost-savings, and improved diagnostics. However, new research has shown critical flaws in these platforms that, if left unaddressed, might cripple operations.
Claroty’s newly branded Team82 research team discovered significant flaws in CODESYS and WAGO industrial products that bring cloud-based automation to operational technology (OT), a segment known as “Industry 4.0”.
CODESYS has created Automation Server, a cloud-based platform for remotely operating programmable logic controllers (PLCs), the computers that drive physical industrial equipment. OT engineers use the Automation Server management panel in the cloud to download logic to their PLCs and configure them.
Meanwhile, the WAGO PFC100/200 is a series of PLCs that rely heavily on the CODESYS runtime, with the CODESYS platform handling the PLCs’ communication, setup, and programming. The CODESYS Automation Server platform can also manage these devices, and engineers can remotely download logic to them.
CODESYS and WAGO Vulnerabilities
Analysts discovered three flaws in the CODESYS products:
- Gateway V3 (CVE-2021-29241)
- Package Manager (CVE-2021-29240)
- Automation Server (CVE-2021-29240)
Four bugs were also found in two WAGO systems:
- WAGO PFC iocheckd (CVE-2021-34566, CVE-2021-34567 and CVE-2021-34568)
- WAGO PFC diagnostic tools (CVE-2021-34569)
There are several possible exploits, and Claroty described a couple of them. In one proof-of-concept attack, they modified a CODESYS Package Designer package so that installing it retrieved a user’s cloud credentials.
According to the report, “the vulnerability we exploited derives from a lack of verification of the package source and its contents. A legitimate-looking CODESYS package is easily created to execute malicious code.”
The attack would grant adversaries access to the CODESYS cloud-based management console, from which they could further exploit any managed PLCs connected to it.
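The quoted finding (no verification of a package’s source or of its contents) is easiest to see next to an installer that performs both checks. The Python below is an added illustration for this page; it is not CODESYS code and not Claroty’s proof-of-concept. The zip-plus-manifest layout, the file names, the pinned publisher digest and the attacker payload are all constructed assumptions; a real installer would verify a publisher signature rather than a hash pinned out of band, but the two checks it must perform are the same.

```python
import hashlib
import hmac
import io
import json
import zipfile
from typing import Dict, List, Tuple

MANIFEST = "manifest.json"

# Constructed sample package contents (illustrative names, not a real CODESYS layout).
LEGIT_FILES: Dict[str, bytes] = {
    "lib/Helpers.library": b"<library name='Helpers'>example</library>\n",
    "README.txt": b"Example helper package.\n",
}
# Constructed attacker payload: a script an unverified installer would run.
PAYLOAD: Dict[str, bytes] = {"install.py": b"# exfiltrate cached cloud credentials\n"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _write_zip(files: Dict[str, bytes]) -> bytes:
    """Write entries in sorted order with a fixed timestamp so the archive bytes are reproducible."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):
            info = zipfile.ZipInfo(name, date_time=(2021, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name])
    return buf.getvalue()


def build_package(files: Dict[str, bytes]) -> bytes:
    """Publisher side: the files plus a manifest of per-file SHA-256 digests."""
    manifest = {name: sha256(data) for name, data in files.items()}
    return _write_zip({**files, MANIFEST: json.dumps(manifest, sort_keys=True).encode()})


def tamper_package(pkg: bytes, extra: Dict[str, bytes]) -> bytes:
    """Attacker side: re-pack a legitimate archive with extra entries, manifest left as it was."""
    files: Dict[str, bytes] = {}
    with zipfile.ZipFile(io.BytesIO(pkg)) as zf:
        for name in zf.namelist():
            files[name] = zf.read(name)
    files.update(extra)
    return _write_zip(files)


def install_unverified(pkg: bytes) -> List[str]:
    """The flawed behaviour: accept and act on whatever the archive contains."""
    with zipfile.ZipFile(io.BytesIO(pkg)) as zf:
        return [n for n in zf.namelist() if n != MANIFEST]


def verify_contents(pkg: bytes) -> Tuple[bool, str]:
    """Contents check: every entry must be listed in the manifest with a matching digest, and vice versa."""
    with zipfile.ZipFile(io.BytesIO(pkg)) as zf:
        names = zf.namelist()
        if MANIFEST not in names:
            return False, "package has no manifest"
        manifest = json.loads(zf.read(MANIFEST))
        if not isinstance(manifest, dict):
            return False, "manifest is malformed"
        entries = [n for n in names if n != MANIFEST]
        for name in entries:
            if name.startswith(("/", "\\")) or ".." in name.replace("\\", "/").split("/"):
                return False, f"unsafe path {name!r}"
            if name not in manifest:
                return False, f"entry {name!r} is not listed in the manifest"
            if not hmac.compare_digest(sha256(zf.read(name)), str(manifest[name])):
                return False, f"digest mismatch for {name!r}"
        missing = sorted(set(manifest) - set(entries))
        if missing:
            return False, f"manifest lists files absent from the archive: {missing}"
    return True, "ok"


def verify_package(pkg: bytes, trusted_digest: str) -> Tuple[bool, str]:
    """Source check first (digest pinned from the publisher), then the contents check."""
    if not hmac.compare_digest(sha256(pkg), trusted_digest):
        return False, "archive digest does not match the publisher's value"
    return verify_contents(pkg)


def install_verified(pkg: bytes, trusted_digest: str) -> List[str]:
    ok, reason = verify_package(pkg, trusted_digest)
    if not ok:
        raise ValueError(f"refusing to install: {reason}")
    return install_unverified(pkg)


if __name__ == "__main__":
    legit = build_package(LEGIT_FILES)
    trusted = sha256(legit)  # the value a publisher would distribute out of band
    sloppy = tamper_package(legit, PAYLOAD)              # manifest not updated by the attacker
    rebuilt = build_package({**LEGIT_FILES, **PAYLOAD})  # attacker regenerated the manifest
    print("unverified install of tampered package:", install_unverified(rebuilt))
    for label, pkg in (("legit", legit), ("sloppy", sloppy), ("rebuilt", rebuilt)):
        print(label, verify_package(pkg, trusted))
```

The two tampered variants show why both checks are needed: an attacker who only appends a file is caught by the manifest, but one who regenerates the manifest produces a package whose contents are self-consistent, and only the source check (a pinned digest here, a publisher signature in practice) rejects it.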
Researchers were able to obtain pre-authentication (unauthenticated) remote code execution on the WAGO device by exploiting two iocheckd protocol vulnerabilities, CVE-2021-34566 and CVE-2021-34567. According to the report, chaining the two flaws allowed them to remotely attack the device and implant a webshell for further interaction and command execution.
WAGO and CODESYS quickly responded with mitigations and patches for all the reported vulnerabilities.
As threat actors increasingly target operational technology (OT), organizations need to understand the real-world consequences these attacks can have. The Colonial Pipeline attack showed how disruption of an operator’s OT-dependent business has a direct, day-to-day impact on everyone who relies on that business.
Our endpoint detection and response tool, ShadowSpear, can detect and block any threats from accessing your network. The ShadowSpear platform working together with our 24/7/365 Security Operations Center is the advanced security stack your company needs to protect networks from constant cyber threats.
If you’re experiencing a breach, call our response hotline at 833.997.7327.