The Rise of Authentication Vulnerabilities in OT

There has been a noticeable rise in authentication vulnerabilities in Operational Technology (OT) systems. Recent reports and incidents highlight the increasing number of attacks targeting OT devices, often due to weak or default passwords, inadequate authentication methods, and insufficient access controls

For instance, Microsoft has observed an increase in attacks on internet-exposed OT devices, including those in water and wastewater systems, by various threat actors.

The OT:ICEFALL report by Forescout identified 56 vulnerabilities caused by insecure-by-design practices across multiple OT vendors, including issues with broken authentication schemes

According to Dragos, the number of Common Vulnerabilities and Exposures (CVEs) that require authentication to exploit has been increasing:

• 2020 vs 2023: In 2020, 25% of CVEs required authentication, while in 2023, 34% did.
• Public exploits: More than 400 of the over 3,000 CVEs that affect ICS/OT networks have a public exploit.

The attack path includes gaining initial access to the enterprise networks before pivoting to OT networks to compromise systems deep within the ICS network. In 2023, 20% of these vulnerabilities were remote access vulnerabilities bordering the enterprise, while 80% resided deep within the ICS network, 62% of those pertains to vulnerabilities found at level 0-3 of the Purdue Model. 

Authentication Vulnerabilities

• CVE-2022-30242 & CVE-2022-30245 is a vulnerability found in the Honeywell Alerton Ascent Control Module (ACM) through May 4, 2022. This vulnerability allows unauthenticated remote users to make configuration changes to the controller
  
  
• CVE-2022-46650 & CVE-2022-46649 is a vulnerability found in the Acemanager in ALEOS software before version 4.16. This vulnerability allows a user with valid credentials to reconfigure the device, exposing the ACEManager credentials on the pre-login status page. This means an attacker with access to the ACEManager interface could potentially view or manipulate these credentials, leading to unauthorized access
  
  
• CVE-2023-27394 is a vulnerability found in the Osprey Pump Controller version 1.01. This vulnerability is an unauthenticated OS command injection. Attackers can exploit this vulnerability to inject and execute arbitrary shell commands through a HTTP GET parameter. This could allow an attacker to gain unauthorized access and control over the device
  
  
• CVE-2021-30116 is a vulnerability found in Kaseya VSA before version 9.5.7. This vulnerability allows credential disclosure and was exploited in the wild in July 2021. These credentials can be used to log in and authenticate the client, returning a session cookie that can be used in subsequent attacks to bypass authentication

Have any of these vulnerabilities been exploited?

The Kaseya VSA ransomware attack occurred on July 2, 2021, and was carried out by the REvil ransomware group. Here's a brief overview of what happened:

• Exploitation of Vulnerability: The attackers exploited a vulnerability (CVE-2021-30116) in Kaseya's VSA (Virtual System Administrator) software, which is used for remote monitoring and management. This vulnerability allowed them to gain access to Kaseya VSA servers.
• Ransomware Deployment: Once inside the system, the attackers deployed the REvil ransomware to endpoints managed by Kaseya VSA. This led to widespread downtime for over 1,000 companies, including managed service providers (MSPs) and their customers.
• Response and Impact: Kaseya responded by shutting down their VSA SaaS infrastructure and notifying on-premises customers to shut off their VSA servers to prevent the spread of the malware. The attack highlighted the significant threats posed by software supply chains and sophisticated ransomware groups.
• Aftermath: The incident underscored the importance of timely patching and robust security measures to protect against such attacks. It also led to increased scrutiny of supply chain security and the need for better incident response strategies.

Some other tips for managing OT vulnerabilities

• Apply Patches and Updates: Ensure that all software and firmware are up-to-date with the latest patches. This is crucial for fixing known vulnerabilities.
• Use Strong Authentication: Implement strong, unique passwords and consider using multifactor authentication (MFA) to add an extra layer of security.
• Network Segmentation: Segment your network to isolate critical systems and limit access to authorized personnel only.
• Regular Security Audits: Conduct regular security audits and vulnerability assessments to identify and address potential weaknesses.
• Disable Unnecessary Services: Disable any services or features that are not needed to reduce the attack surface.
• Monitor and Log Activity: Implement monitoring and logging to detect unusual activity and respond quickly to potential threats.
• Educate Employees: Train employees on security best practices and the importance of following security protocols.

--------------------

Author: Vinny Sagar, Solution Architect, swIDch

With over 15 years of experience in pre-sales, consulting and software development in the Identity and Cyber Security space Vinny has helped many clients across various industries and regions to design and deploy Zero Trust solutions that meet their specific needs and challenges.