The cybersecurity agency CISA has expanded its Known Exploited Vulnerabilities (KEV) catalog with an old ‘OpenPLC ScadaBR’ flaw that was recently leveraged by hackers to deface what they believed to be an industrial control system (ICS).
OpenPLC is an open source programmable logic controller (PLC) designed to provide a low-cost industrial automation solution. ScadaBR is an open source solution that provides human-machine interfaces (HMIs), supporting connections to various PLCs, including OpenPLC.
The ScadaBR vulnerability, tracked as CVE-2021-26829 and classified as ‘medium severity’, was patched in June 2021. It has been described as a cross-site scripting (XSS) bug that can be exploited for arbitrary code execution.
CISA added CVE-2021-26829 to its KEV catalog on Friday and instructed government agencies to address it by December 19.
Security firm Forescout reported in October that a pro-Russia hacktivist group named TwoNet had attacked one of its ICS/OT honeypots, which had been set up to mimic a water treatment plant.
The hackers defaced the associated HMI, disrupted processes, and manipulated other ICS, later boasting about the ‘achievement’ on their Telegram channel.
According to Forescout, TwoNet exploited CVE-2021-26829 to change the HMI login page’s description to ‘Hacked by Barlati’, a message that would be displayed in a pop-up window every time the page is visited by a user.
Since the HMI was fake, the attack did not have any real-world impact, but the incident showed that hackers may be targeting CVE-2021-26829 in their attacks.
A video published back in 2021 shows how easy it would be for an attacker to exploit CVE-2021-26829 to display an arbitrary message whenever an HMI page is visited, by adding HTML/JavaScript code to a specific field on the ‘System settings’ page.
The same video also showed how the XSS vulnerability can be exploited for session hijacking, but TwoNet only leveraged it for a simple defacement, which indicates that the hackers do not possess advanced hacking skills.
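The mechanism described above is a stored XSS: text saved in a settings field is later written into the login page unescaped. The following is an added illustration, not code from the article or from the ScadaBR project; the field name, page layout and sample values are assumptions. It shows the unescaped rendering beside the escaped form, and a defender-side audit that flags markup in settings values that should be plain text.

```python
"""Added example: render an HMI description field safely and audit it.

Not ScadaBR code. Field names and sample values are constructed for
illustration of the defect class described in the article.
"""
import html
import re

# Constructed sample values, as they might be saved in an HMI's
# 'System settings' description field.
SAMPLES = {
    "benign": "Water treatment plant - East site",
    "markup": "Plant HMI <b>East</b>",
    "script": "Plant HMI <script>alert(1)</script>",
    "handler": '<img src=x onerror="alert(1)">',
}


def render_login_vulnerable(description: str) -> str:
    """Builds the login page by string concatenation, so any HTML in the
    stored description is interpreted by the visitor's browser."""
    return f"<div class='description'>{description}</div>"


def render_login_hardened(description: str) -> str:
    """Contextual output encoding: the description is emitted as text,
    so tags and attribute quotes cannot break out of the element."""
    return f"<div class='description'>{html.escape(description, quote=True)}</div>"


# Tag openers, inline event handlers and javascript: URLs in a value
# that is expected to be plain text.
_MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:",
                        re.IGNORECASE)


def contains_markup(value: str) -> bool:
    """Audit check for a settings value that should be plain text.
    Suitable for flagging changes to such fields (settings-change events,
    periodic config exports); it complements output encoding, it does
    not replace it."""
    return bool(_MARKUP_RE.search(value))


def audit(settings: dict[str, str]) -> list[str]:
    """Return the names of fields whose stored value contains markup."""
    return [name for name, value in settings.items() if contains_markup(value)]
```

Running `audit(SAMPLES)` flags the three constructed values that carry markup and leaves the plain-text description alone.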

This is not surprising. Hacktivists — and state-sponsored threat groups working under the guise of hacktivism — often target ICS/OT in the water sector. Attacks on OT are often preferred by hacktivists because the potential impact can be significant, and they can achieve their goal by leveraging easy-to-exploit vulnerabilities such as default or hardcoded credentials.
There do not appear to be any other reports describing in-the-wild exploitation of CVE-2021-26829. It’s unclear if the vulnerability has been exploited by other threat actors.
However, sophisticated threat actors, operating outside of the noisy hacktivist sphere, would likely exploit such vulnerabilities in highly targeted attacks that are either never discovered or remain confidential between the victim and incident response firms.
UPDATE, December 4:
CISA has also added CVE-2021-26828 to its KEV catalog. Exploitation of this flaw, which allows arbitrary file uploads, was described in the same Forescout report.