Chinese hackers breach ProxyLogon flaws across building automation systems in Asian organizations

Intelligent Buildings announced that Chinese-speaking hackers have targeted building automation systems across several Asian organizations to gain access to more secure areas of their networks. The hackers have been detected using Microsoft Exchange vulnerabilities known as ProxyLogon. 

“The ProxyLogon attack can be used against unpatched mail servers running Microsoft Exchange Server 2013, 2016, or 2019 that are set up to receive untrusted connections from the outside world,” Intelligent Buildings said in a post. “This enables threat actors to execute commands on unpatched, on-premises Exchange Servers. The threat actors used this to access even more secure areas of the network, allowing them to collect previously protected data and information that is likely damaging to the company,” it added.

ProxyLogon is a pre-authentication vulnerability, meaning an attacker does not need to log on or complete any authentication step to execute code remotely. Even though Microsoft has released the patch, sources say that at least 46,000 servers are still unpatched and vulnerable to the ProxyLogon flaws. 

Last year, ESET said that at least ten hacking groups were using ProxyLogon exploits well before Microsoft released patches last spring, so even if a system has since been updated with the patch, it may already have been compromised by threat actors using ProxyLogon prior to the update.

Pointing out that most building owners have an incomplete or inaccurate understanding of all the systems in their portfolios, Intelligent Buildings said that in its experience, “many building owners often underestimate the number of internet-connected devices and systems in their buildings. Internet connections are gateways for bad actors to access your network. This is why real-time, continual monitoring of your systems is critical.”

Organizations must also use building system network traffic monitoring, analysis, and detection, update operating systems regularly, and apply security fixes and patches as soon as reasonably possible. Additionally, enterprises must conduct regular security audits to identify vulnerabilities and eliminate them. They must also carry out building cybersecurity training that includes threat awareness and familiarization with cybersecurity practices.

Last month, Nozomi Networks carried out a security analysis of the Siemens PXC4.E16, a building automation controller of the Desigo/APOGEE family for HVAC and building service plants. Its researchers identified a vulnerability caused by an improper implementation of the password-based key derivation mechanism for user accounts. The same flaw could also have been abused to perform a Denial-of-Service (DoS) attack against the controller.
