Posted on August 6, 2021 at 5:42 PM
Nozomi Networks Labs reported that it found five bugs affecting Mitsubishi safety PLCs. According to the researchers, the vulnerabilities relate to the MELSOFT communication protocol.
According to the report, the first set of bugs was disclosed in January 2021 via ICS-CERT, while the next set was revealed through the same process only recently. Mitsubishi has issued advisories for users who want to keep their systems safe, and has advised them to apply the proposed mitigations as soon as possible.
Patches not yet available for the bugs
The most worrying issue is that patches have not been made available for any of the vulnerabilities. The researchers also stated that patches for such vulnerabilities usually take a long time to arrive, and that users should not wait for the updates before protecting their systems from possible attacks. Additionally, vendors are required to pass through certain certification processes before they can release patches for the bugs.
Each software update may need a different certification method, depending on the regulatory framework and the type of device employed.
The researchers also noted that they have added detection logic to their threat intelligence service to cover users while the patches are being developed and deployed.
They have also started exploring more widely known detection methods to share with the ICS security community and asset owners.
Vulnerabilities could affect more than one vendor
The security researchers also noted that the bugs they discovered could be more dangerous because they may impact more than one vendor.
Although Mitsubishi has provided some mitigation procedures for the vulnerabilities, the researchers have also asked customers to be more vigilant and deploy additional security controls to protect their systems.
However, the report did not disclose all the details of the vulnerabilities. This omission was deliberate, to protect systems that have not yet been exploited. The researchers believe that full disclosure of the vulnerability details could arm threat actors with the information they need to exploit customers' systems.
The research team tried several methods of gaining access to the systems. They found situations in which a threat actor who completes a successful authentication can reuse the generated session tokens.
They added that a threat actor able to read a privileged command can reuse its token from a different IP address. According to their findings, this is possible even if the attacker has a few hours in which to operate.
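The token-reuse finding above, as an added example of the kind of detection a defender can run over PLC connection logs (it is not Nozomi's detection logic or code from the report): each session token is bound to the IP address that authenticated it, and later use from another IP, use of a token never seen authenticating, or use long after authentication is flagged. The log format, event names and token values are constructed for this example, since the page does not describe the MELSOFT wire format.

```python
from collections import namedtuple
from datetime import datetime

Alert = namedtuple("Alert", "token auth_ip src_ip reason age_seconds")

# Constructed sample log, one event per line: "<ISO timestamp> <src_ip> <event> <token>".
# AUTH_OK = a successful authentication issued the token; CMD = a command carrying it.
SAMPLE_LOG = """\
2021-08-06T10:00:00 10.0.0.5 AUTH_OK tok-a1
2021-08-06T10:05:00 10.0.0.5 CMD tok-a1
2021-08-06T11:30:00 10.0.0.9 AUTH_OK tok-b2
2021-08-06T12:10:00 10.0.0.77 CMD tok-a1
2021-08-06T12:11:00 10.0.0.77 CMD tok-a1
2021-08-06T12:12:00 10.0.0.9 CMD tok-b2
2021-08-06T12:13:00 10.0.0.42 CMD tok-zz
"""

def parse_line(line):
    ts, ip, event, token = line.split()
    return datetime.fromisoformat(ts), ip, event, token

def detect_token_reuse(log_text, max_age_s=3600):
    """Return one Alert per (token, source IP, reason) for tokens used from an
    IP other than the one that authenticated them (foreign_ip), tokens with no
    authentication on record (unknown_token), and tokens still in use more
    than max_age_s seconds after authentication (stale_token)."""
    bound = {}        # token -> (auth_ip, auth_time)
    reported = set()  # (token, src_ip, reason) already alerted on
    alerts = []
    for raw in log_text.strip().splitlines():
        ts, ip, event, token = parse_line(raw)
        if event == "AUTH_OK":
            bound[token] = (ip, ts)   # a fresh login (re)binds the token
            continue
        if token not in bound:
            auth_ip, age, reason = None, None, "unknown_token"
        else:
            auth_ip, auth_ts = bound[token]
            age = int((ts - auth_ts).total_seconds())
            if ip != auth_ip:
                reason = "foreign_ip"     # reuse from a different IP
            elif age > max_age_s:
                reason = "stale_token"    # same IP, but token lived too long
            else:
                continue                  # expected use: same IP, within lifetime
        key = (token, ip, reason)
        if key not in reported:
            reported.add(key)
            alerts.append(Alert(token, auth_ip, ip, reason, age))
    return alerts

if __name__ == "__main__":
    for alert in detect_token_reuse(SAMPLE_LOG):
        print(alert)
```

With the default one-hour lifetime the sample yields a foreign-IP alert for tok-a1 and an unknown-token alert for tok-zz; lowering max_age_s to 1800 additionally flags tok-b2 as stale.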
Strong protection of the PLC network required
Several attack scenarios become possible if some of the identified vulnerabilities are chained together. It is therefore important to understand these scenarios, since the majority of attacks are carried out by exploiting several bugs to reach the final goal.
After a threat actor succeeds in gaining access to a system, the next move is usually to lock other users out. The aim is to keep the operator from taking the obvious next step of shutting the system down to prevent further exposure.
Nozomi Networks Labs suggested that asset owners need to secure the link between the PLC and the engineering workstation. Once that link is secured, it becomes difficult for a threat actor to obtain the authenticated packets or cleartext MELSOFT authentication. According to the researchers, this goes a long way toward securing the systems and protecting them from exploitation.
The researchers also advised customers to protect the PLC strongly enough that a threat actor cannot actively exchange authentication packets with it.
Nozomi Networks has also told customers that its threat intelligence unit will keep them informed about any developments regarding the vulnerabilities, and that it will notify customers and users when any new attack is taking place. Even for non-customers, the information will describe the general activities of the threat actors, helping them adjust their security posture and provide more robust protection for their systems, Nozomi Networks reiterated.