

Pennsylvania Water Utility Compromise
A booster station that regulates and monitors water pressure for two towns in Pennsylvania was breached by a state-sponsored threat actor. The utility was alerted to the intrusion and took the affected system offline.
Splice shields vulnerable equipment inside an encrypted overlay network, disrupting the kill chain for would-be attackers.


Permanent Vulnerabilities
Vendor failures and abandoned firmware are becoming more common, leaving permanent, unpatchable vulnerabilities in their wake.
Splice shields vulnerable equipment inside an encrypted overlay network, disrupting the kill chain for would-be attackers.


KNX protocol vulnerability could lock out Building Automation Systems
CISA published details of a KNX protocol vulnerability that could be used to change device passwords, locking legitimate users out of the affected devices.
Splice shields vulnerable equipment inside an encrypted overlay network, disrupting the kill chain for would-be attackers.


CODESYS Vulnerabilities affecting wide range of products
Microsoft Threat Intelligence discovered a number of vulnerabilities in the CODESYS SDK that affect a large number of products; CODESYS is compatible with 1,000 different PLCs from 500 different manufacturers.
The issues, which can result in remote code execution and denial of service, were reported to CODESYS in September 2022 and patches are available. Their severity is tempered somewhat because exploitation requires authentication: an adversary who can already authenticate to the controller most likely has lower-complexity attacks available.
Splice shields vulnerable equipment inside an encrypted overlay network, disrupting the kill chain for would-be attackers.


Dead Man’s PLC attack
Researchers have described a novel “dead man’s PLC attack” in which a compromise can detect recovery attempts and “lock up” the entire environment.
Splice detects the lateral-movement attempts and anomalous inter-PLC communications that this attack design requires during its dwell time, providing advance notice in the early stages of such an attack.
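The detection idea in the previous paragraph, shown as an added example that is not code from the original page or from Splice: a baseline-deviation check over flow records. It assumes a flat OT network in which PLCs only ever talk to an HMI and an engineering workstation, so any new PLC-to-PLC session on an ICS protocol port is the peer-watching traffic a dead man's PLC implant would need during its dwell time. The addresses, port set and flow records below are constructed for the example.

```python
"""Baseline-deviation check for anomalous inter-PLC traffic.

Added example, not code from the original page or from Splice.
Asset inventory, ICS port set and flow records are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed asset inventory (hypothetical addresses).
PLCS = {"10.0.1.11", "10.0.1.12", "10.0.1.13"}
SUPERVISORY = {"10.0.1.50", "10.0.1.60"}  # HMI, engineering workstation
# Assumed ICS service ports: Modbus/TCP, S7comm, EtherNet/IP.
ICS_PORTS = {502, 102, 44818}

# Constructed flow records, one "<epoch> <src> <dst> <dport>" per line.
BASELINE_LINES = """
# learning window: HMI polls every PLC, EWS programs PLC 11
1000 10.0.1.50 10.0.1.11 502
1001 10.0.1.50 10.0.1.12 502
1002 10.0.1.50 10.0.1.13 502
1003 10.0.1.60 10.0.1.11 44818
"""

DETECT_LINES = """
2000 10.0.1.50 10.0.1.11 502
2001 10.0.1.11 10.0.1.12 502
2002 10.0.1.12 10.0.1.13 502
2003 10.0.1.13 10.0.1.11 502
2004 10.0.1.99 10.0.1.13 44818
2005 10.0.1.11 10.0.1.60 443
2006 10.0.1.60 10.0.1.12 44818
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int


def parse_flows(text):
    """Parse the simplified flow format, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport)))
    return flows


def learn_baseline(flows):
    """Every (src, dst, dport) triple seen while the plant was known-good."""
    return {(f.src, f.dst, f.dport) for f in flows}


def classify(flow, baseline):
    """Label a flow that deviates from the baseline, or None if benign."""
    if (flow.src, flow.dst, flow.dport) in baseline:
        return None
    if flow.dport not in ICS_PORTS:
        return None  # outside the ICS protocol set this check covers
    if flow.src in PLCS and flow.dst in PLCS:
        return "PLC_TO_PLC"            # controllers watching each other
    if flow.dst in PLCS and flow.src not in SUPERVISORY:
        return "UNEXPECTED_CLIENT"     # unknown host talking to a PLC
    if flow.dst in PLCS:
        return "NEW_SUPERVISORY_FLOW"  # HMI/EWS reaching a PLC it never did before
    return None


def detect(flows, baseline):
    """Return (ts, label, src, dst, dport) for each deviating flow."""
    alerts = []
    for f in flows:
        label = classify(f, baseline)
        if label:
            alerts.append((f.ts, label, f.src, f.dst, f.dport))
    return alerts


def plc_peer_graph(alerts):
    """Directed PLC -> {PLC} graph built from PLC_TO_PLC alerts.

    A cycle covering several PLCs is the signature to look for: each
    controller checks on another, so recovering one becomes visible
    to the rest.
    """
    graph = defaultdict(set)
    for _, label, src, dst, _ in alerts:
        if label == "PLC_TO_PLC":
            graph[src].add(dst)
    return dict(graph)


def run_example():
    baseline = learn_baseline(parse_flows(BASELINE_LINES))
    return detect(parse_flows(DETECT_LINES), baseline)


if __name__ == "__main__":
    alerts = run_example()
    for alert in alerts:
        print(*alert)
    print(plc_peer_graph(alerts))
```

On the constructed data the three PLC-to-PLC flows form a ring (11 → 12 → 13 → 11), which is the shape to escalate on: a single new PLC peer might be a misconfigured poll, but a cycle spanning several controllers means they are monitoring each other. The unknown host on the EtherNet/IP port is flagged separately, and a new flow from the engineering workstation is reported at lower priority rather than dropped, since a compromised EWS is the usual way such logic gets deployed.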


Schneider EcoStruxure, Modicon vulnerabilities
CISA advised that Schneider Electric has released patches for CVE-2022-45788, which affects various models of EcoStruxure Process Expert, EcoStruxure Control Expert, Modicon M580, Modicon Momentum Unity M1E Processor, Modicon M340 CPUs and Modicon MC80 CPUs.
Splice shields vulnerable OT equipment inside an encrypted overlay network.


ScadaFlex II, JTEKT, Korenix, MicroSCADA, mySCADA and FactoryTalk Advisories
CISA has published a number of low-complexity, high-impact advisories for Industrial Control Links ScadaFlex II SCADA Controllers, JTEKT Screen Creator Advance 2, JTEKT Kostac PLC, Korenix Jetwave, Hitachi Energy MicroSCADA System Data Manager SDM600, mySCADA myPRO, and Rockwell Automation FactoryTalk Diagnostics (Update A).
Patches are available for all except the Industrial Control Links ScadaFlex II products, which are end-of-life because the vendor is closing its business; those require compensating mitigations instead.
Splice shields vulnerable OT equipment inside an encrypted overlay network.


Authentication bypass in Wago PLC web management console
Wago has released patches for a number of vulnerabilities affecting several products. Two critical vulnerabilities allow authentication bypass in the web-based management interface of the affected components. These were independently discovered through research at the Georgia Institute of Technology’s Cyber-Physical Security Lab.
Splice shields vulnerable OT equipment inside an encrypted overlay network.


CISA Notifies Hitachi Energy Customers of High-Severity Vulnerabilities
The US Cybersecurity and Infrastructure Security Agency (CISA) published advisories last week to inform organizations using Hitachi Energy products about several recently addressed critical and high-severity vulnerabilities.
Cybersecurity Advisory – Incomplete Access Control Vulnerability in User Asset Group Feature of Hitachi Energy’s Lumada APM Product [CVE-2022-2155]
Cybersecurity Advisory – OpenSSL and Zlib Related Vulnerabilities in Hitachi Energy’s Lumada Asset Performance Management (APM) Product [CVE-2022-3602, CVE-2022-3786, CVE-2022-37434]
Cybersecurity Advisory – Multiple Vulnerabilities in Hitachi Energy FOXMAN-UN Product [CVE-2021-40341, CVE-2021-40342, CVE-2022-3927, CVE-2022-3928, CVE-2022-3929]
Cybersecurity Advisory – Multiple Vulnerabilities in Hitachi Energy’s UNEM Product [CVE-2021-40341, CVE-2021-40342, CVE-2022-3927, CVE-2022-3928, CVE-2022-3929]
Cybersecurity Advisory – OpenSSL v3.x Related Vulnerabilities in Hitachi Energy’s Network Manager Process Communication Unit PCU400 Product [CVE-2022-3602, CVE-2022-3786]
CISA has published several advisories describing flaws in Hitachi Energy products, ranging from UNEM and FOXMAN-UN, both components of its Network Management System (NMS) suite, to the OpenSSL and zlib components bundled with Lumada APM and the PCU400.
The UNEM and FOXMAN-UN flaws concern how user credentials are encrypted and can be exploited over the network to obtain sensitive information and modify the systems. The OpenSSL vulnerabilities can be exploited to cause denial of service (DoS) and are classified as high severity, while the zlib vulnerability is classified as critical and can allow arbitrary code execution.
- The UNEM vulnerabilities stem from the use of DES encryption, which is no longer considered secure because its 56-bit key can be brute-forced in a very short time. The use of a default DES key could also be exploited to obtain sensitive information, and hard-coded credentials in the message queue are likewise exploitable.
- The same issues exist in the FOXMAN-UN product.
The OpenSSL and zlib vulnerabilities affect versions of Lumada APM. The OpenSSL buffer overflows are triggered during X.509 certificate verification of a crafted certificate, so an attacker who can induce APM to connect to a malicious server can reach the vulnerable code. The zlib library contains an out-of-bounds write vulnerability whose exploitation can cause DoS or arbitrary code execution.
Splice shields vulnerable OT equipment such as this inside an encrypted overlay network, reducing the cyber attack surface.