Positive Technologies has identified ten vulnerabilities in CODESYS automation software for industrial control systems, which can be exploited remotely by an attacker with low skills. CODESYS has fixed the vulnerabilities and released security advisories. To exploit the vulnerabilities, an attacker does not need a username or password; network access to the industrial controller is enough.
CODESYS (controller development system) is a development environment for programmable logic controller (PLC) applications used by global manufacturers. PLC devices fully automate the operation of various industrial equipment, mechanisms, machines, and tools.
Positive researchers Anton Dorfman, Ivan Kurnakov, Sergey Fedonin, Vyacheslav Moskvin and Denis Goryushev identified the main cause of the vulnerabilities as insufficient verification of input data, which may itself be caused by failure to comply with secure development recommendations.
Among the CODESYS vulnerabilities, the most dangerous were found in the CODESYS V2.3 web server component, which CODESYS WebVisu uses to display a human-machine interface in a web browser. Multiple vulnerabilities discovered in this component received CVSS 3.0 scores of 10 and were assigned the identifiers CVE-2021-30189, CVE-2021-30190, CVE-2021-30191, CVE-2021-30192, CVE-2021-30193, and CVE-2021-30194.
Other vulnerabilities, rated 8.8, were found in the CODESYS Control V2 communication runtime system, which enables embedded PC systems to act as a programmable industrial controller. These security weaknesses were assigned the identifiers CVE-2021-30186, CVE-2021-30188, and CVE-2021-30195.
Vulnerability CVE-2021-30187, discovered in the CODESYS Control V2 Linux SysFile library, was rated 5.3. The vulnerability can be used to call additional PLC functions utilizing the SysFile system library. Attackers can, for example, delete some files and potentially disrupt particular technological processes.
Last week Positive also released its report, Cybersecurity Threatscape 2020, which revealed that the number of industrial incidents increased by 91 percent compared to 2019, with the attackers in most instances adopting ransomware techniques. The share of hacking as an attack method grew by 2.6 times in comparison to 2019. The report also recorded attacks against critical infrastructure that led to power outages, as well as attempts to disrupt water supply systems.
The number of malware attacks grows every year. 2020 saw an increase in such attacks by 54 percent compared to 2019. Malware developers devised elaborate methods for concealing their malicious actions and refined malware delivery techniques, turning their attention to vulnerabilities on the network perimeter.
Attacks against individuals were mainly executed using spyware and banking trojans, whereas organizations were increasingly attacked by ransomware. For the last two years, ransomware has remained the leader among all malicious software used in attacks against organizations.
Ransomware was used in 45 percent of all malware-related attacks on organizations. Instead of performing mass attacks, ransomware operators started to deliberately choose their targets. They also increased the ransom amounts, created new websites for publishing stolen data for sale, and started using DDoS attacks to blackmail victims.
In most cases, industrial companies were attacked by ransomware variants such as RansomExx, Netwalker, Clop, Maze, Ragnar Locker, LockBit, DoppelPaymer, and Snake (which deletes shadow copies before starting the encryption process, and has the ability to stop ICS-related processes).
Medical institutions were the most affected by ransomware attacks and ranked third by total number of attacks in 2020. As a result of some attacks, medical systems went down and patients were denied emergency care.