Recent updates from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have highlighted significant vulnerabilities in OpenPLC ScadaBR, a widely used industrial control system software package. Two vulnerabilities, CVE-2021-26829 and CVE-2021-26828, have been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. These vulnerabilities are actively being exploited: CVE-2021-26829 is a cross-site scripting flaw, and CVE-2021-26828 allows the upload and execution of arbitrary files. The exploitation of these vulnerabilities has been linked to a pro-Russian hacktivist group, TwoNet, which has been targeting industrial systems.
In parallel, VulnCheck has reported a long-running exploit operation utilizing Out-of-Band Application Security Testing (OAST) services hosted on Google Cloud. This operation has been regionally focused on Brazil and involves exploiting over 200 CVEs. The attackers are leveraging legitimate internet services to evade detection, highlighting the evolving tactics of cybercriminals in blending malicious activities with normal network traffic.
These developments underscore the increasing sophistication of cyber threats targeting industrial control systems and the use of cloud services to facilitate exploit operations. Organizations are urged to prioritize patching efforts and enhance monitoring capabilities to detect and respond to such threats effectively.
CVE-2021-26829 is a cross-site scripting (XSS) vulnerability affecting OpenPLC ScadaBR versions up to 1.12.4 on Windows and 0.9.1 on Linux. This flaw allows attackers to inject malicious scripts via the system_settings.shtm page, potentially leading to unauthorized actions such as defacing web interfaces or disabling critical system logs and alarms. The vulnerability has been actively exploited by the TwoNet group, which has used it to compromise honeypot systems simulating industrial environments.
CVE-2021-26828 is another critical vulnerability in OpenPLC ScadaBR, with a CVSS score of 8.8. It permits remote authenticated users to upload and execute arbitrary JSP files through the view_edit.shtm page. This vulnerability was exploited by attackers using default credentials to gain access and deploy web shells for further system enumeration. The exploitation of this flaw poses significant risks to industrial systems, potentially allowing attackers to execute arbitrary code and compromise system integrity.
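As an added illustration (not part of the original advisory or of any vendor tooling), the following Python sketch shows how the two exploitation patterns described above for system_settings.shtm and view_edit.shtm can be flagged in web server access logs. The log lines, the client addresses, the /ScadaBR/ context path and the upload directory are constructed assumptions, not values from the advisory.

```python
import re
from urllib.parse import unquote

# Constructed Common Log Format excerpt standing in for a ScadaBR web
# server access log. The "/ScadaBR/" context path, the upload directory
# and the client addresses are assumptions, not values from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Oct/2025:09:12:01 +0000] "GET /ScadaBR/login.htm HTTP/1.1" 200 2310
10.0.0.5 - - [03/Oct/2025:09:12:03 +0000] "POST /ScadaBR/login.htm HTTP/1.1" 302 0
10.0.0.5 - - [03/Oct/2025:09:12:10 +0000] "POST /ScadaBR/view_edit.shtm HTTP/1.1" 200 512
10.0.0.5 - - [03/Oct/2025:09:12:15 +0000] "GET /ScadaBR/uploads/shell.jsp HTTP/1.1" 200 88
10.0.0.9 - - [03/Oct/2025:09:13:00 +0000] "GET /ScadaBR/system_settings.shtm?name=%3Cscript%3E HTTP/1.1" 200 4010
10.0.0.7 - - [03/Oct/2025:09:14:00 +0000] "GET /ScadaBR/views.shtm HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Pages the advisory names as the entry points of the two CVEs.
UPLOAD_PAGE = "view_edit.shtm"       # CVE-2021-26828: arbitrary JSP upload
XSS_PAGE = "system_settings.shtm"    # CVE-2021-26829: cross-site scripting
SCRIPT_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)


def parse(line):
    """Parse one CLF line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text):
    """Return (rule, client_ip, path) alerts: a .jsp request served to a
    client that earlier POSTed to view_edit.shtm (web shell deployed and
    invoked), and script markup in a query sent to system_settings.shtm."""
    alerts = []
    posted_upload = set()  # clients that have used the upload page
    for rec in filter(None, map(parse, log_text.splitlines())):
        path, _, query = rec["path"].partition("?")
        if rec["method"] == "POST" and path.endswith(UPLOAD_PAGE):
            posted_upload.add(rec["ip"])
        elif (path.lower().endswith(".jsp") and rec["ip"] in posted_upload
              and rec["status"] == "200"):
            # Tune with an allowlist of the application's own JSP pages.
            alerts.append(("CVE-2021-26828 webshell-exec", rec["ip"], path))
        if path.endswith(XSS_PAGE) and SCRIPT_RE.search(unquote(query)):
            alerts.append(("CVE-2021-26829 xss-attempt", rec["ip"], path))
    return alerts
```

Run `detect(SAMPLE_LOG)` to get one alert per pattern for the constructed log; in production the default-credential login itself is not visible in an access log, so pair this with authentication-log review and a change of the default accounts.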
The OAST exploit operation observed by VulnCheck involves the use of Google Cloud infrastructure to conduct a sustained scanning effort targeting Brazilian assets. The operation exploits a wide range of vulnerabilities, including a Fastjson remote code execution flaw, to execute commands and make outbound HTTP requests. This approach demonstrates the attackers' ability to leverage cloud services for malicious purposes while evading traditional detection mechanisms.
The identified vulnerabilities in OpenPLC ScadaBR could lead to severe operational disruptions for clients relying on this software for industrial control systems. Successful exploitation may result in unauthorized access, data breaches, and potential manipulation of critical system functions. The financial impact could be substantial, including costs associated with system downtime, incident response, and remediation efforts.
Reputation damage is another significant concern, particularly for organizations in critical infrastructure sectors where trust and reliability are paramount. Additionally, regulatory compliance issues may arise if exploited vulnerabilities lead to data breaches or operational failures that violate industry standards or legal requirements.
Compliance Implications: Organizations must be aware of the regulatory challenges posed by these vulnerabilities. Failure to address them promptly could result in audits or penalties from regulatory bodies overseeing critical infrastructure protection. Ensuring timely patching and adherence to vendor instructions is crucial for maintaining compliance with relevant laws and regulations.
To mitigate the risks associated with these vulnerabilities, clients should consider the following actions:
By taking these steps, organizations can significantly reduce their exposure to these threats. Continuous vigilance and proactive security measures are essential in safeguarding industrial control systems against evolving cyber threats.
1898 & Co. is actively addressing these emerging threats by offering specialized services tailored to industrial control systems security. Our team provides comprehensive vulnerability assessments and patch management solutions to help clients mitigate risks associated with known exploits like those affecting OpenPLC ScadaBR.
We have updated our security protocols to incorporate advanced threat detection techniques that leverage machine learning and behavioral analysis. These enhancements enable us to identify anomalous activities indicative of exploitation attempts more effectively.
In collaboration with industry allies and government agencies, we are engaged in ongoing research and threat intelligence gathering activities. This collaborative effort ensures that we remain at the forefront of cybersecurity developments, providing our clients with timely insights and actionable recommendations.
Our case studies demonstrate successful mitigations against similar threats, showcasing our ability to protect critical infrastructure from sophisticated cyberattacks. Clients can rely on our expertise to navigate the complex threat landscape and enhance their overall security posture.