Vedere Labs details deep lateral movement in OT networks, provides mitigation strategies

Forescout Technologies’ Vedere Labs rolled out Monday research on deep lateral movement, looking into how attackers can move between devices and access OT (operational technology) networks at the controller or L1 level. It details how attackers can cross security perimeters in interfaced Basic Process Control Systems (BPCS)/Safety Instrumented Systems (SIS) architectures or perform detailed manipulation of equipment in fieldbus networks nested behind PLCs (Programmable Logic Controllers). The move bypasses functional and safety constraints that would otherwise prohibit cyber-physical attacks with the most serious consequences. 

The research uses two new vulnerabilities that “we are publicly disclosing for the first time: CVE-2022-45788 and CVE-2022-45789 allowing for remote code execution and authentication bypass, respectively, on Schneider Electric Modicon PLCs,” Jos Wetzels, security researcher at Forescout, wrote in the report. “These issues were found as part of the OT:ICEFALL research in 2022 but were not disclosed at the time at the request of the vendor,” he added.

The research team in November identified three new vulnerabilities affecting OT products from two German vendors – Festo automation controllers and the CODESYS runtime, which is used by hundreds of device manufacturers in different industrial sectors, including Festo. These security loopholes add to the earlier 56 vulnerabilities caused by insecure-by-design practices affecting devices from ten OT vendors, including Baker Hughes (Bentley Nevada), Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa.

In the past few years, security researchers have demonstrated various approaches to obtaining low-level remote code execution (RCE) on L1 devices from various vendors. Malware such as TRITON and INCONTROLLER have shown that real-world threat actors are both capable of and interested in developing such capabilities as well. 

“When it comes to subsequent post-exploitation of L1 devices however, prior work has primarily focused on stealth, persistence, and demonstrating impact, while lateral movement has received little attention,” Wetzels said. “The focus for lateral movement in the past has been on moving between L1 devices in the same network segment or moving upstream to SCADA systems at level 2 and above but has not considered moving deeper into nested device networks or across perimeters at level 1.”

As a result, asset owners frequently overlook security perimeters at level 1 and consider the kind of granular control required to bypass functional and safety limitations enforced by controllers and field devices as infeasible, the report added. This is despite the fact that L1 devices that sit at the intersection of multiple, mixed networks should be treated as security perimeters and ought to have the corresponding hardening and risk profiles that would be accorded to workstations in a similar position.

The report is presented as ‘the first’ systematic study into how attackers can move laterally between different network segments and types of networks at the controller level – Purdue level 1 (L1) – of OT networks. It also provides “an overview of lateral movement on level 1, including different real-world BPCS/SIS architectures and third-party package unit setups, relevant lateral movement options and related attacker use-cases. A realistic attack scenario on critical infrastructure where lateral movement on level 1 allows an attacker to cause physical damage to a movable bridge.”

Deep lateral movement lets attackers gain deep access to industrial control systems (ICS) and cross often overlooked security perimeters, allowing them to perform highly granular and stealthy manipulations, and override functional and safety limitations. 

The report said that downstream or arbitrary east/west movement from and through L1 devices to reach such links, “something we will refer to as deep lateral movement in this research, has received almost no public attention. The limited related work has focused on conventional protocol routing and proxy forwarding in order to reach nested networks. The reported ability of the INCONTROLLER malware to route Modbus and EtherCAT traffic makes this subject even more interesting,” it added.

In the research, Forescout focused on two main reasons for deep lateral movement at level 1 – perimeter crossing and granular control. “The main reason for including this kind of lateral movement in your attacker calculus is to reevaluate how one looks at perimeters.” 

Firstly, the researchers hope to draw attention to the common fallacy of 1st order connectivity analysis, where risk assessments only take impact on directly reachable systems or components into consideration. “Secondly, we hope to similarly draw attention to the fact that many OT system architects and integrators, as well as some vendor and regulatory guidance, continue to evaluate link security in terms of native routability and explicitly present capabilities and thus consider certain links (serial, point-to-point, non-routable) more robust than they are,” it added.

Noting that attackers may need to move around hardened perimeters, or across unacknowledged ones, at level 1 to cross into different network segments, the report pointed to the interaction between the BPCS and the SIS as an example of zone-crossing at level 1. Another, commonly underestimated, level 1 perimeter in OT is the set of connections to third-party control systems (such as package units or inter-utility interfacing) regulated by fieldbus couplers, it added.

The researchers also assessed that these devices have increasingly become smart, with complex protocol conversion capabilities and in-band firmware updates. “We have encountered several real-world cases of asset owners who had designed security architectures based on assumptions about the ‘dumb’ nature of fieldbus couplers which turned out to actually be ‘smart’ devices with a far larger attack surface and potential for lateral movement than expected,” they added.

On granular control, the Forescout researchers revealed that an attacker might want to move deeply into level 1 systems because they need a very granular kind of control over nested devices or bypass functional and safety constraints. 

In the report’s solar inverter and UPS example, Vedere Labs assesses that an attacker seeking to achieve a more damaging scenario will need to obtain code execution on the responsible digital signal processor (DSP) of the solar inverter or UPS main module. To obtain this access, the attacker will first need to move laterally through the communication module and possibly through the main module’s Application Processor (AP). “This kind of deep lateral movement has implications for evaluating the potential impact of individual vulnerabilities,” it added.

As a part of the recent wave of hacktivist attacks targeting OT, the GhostSec group targeted an exposed M340 belonging to the Nicaraguan ISP UFINET by writing the value 0 to all its Modbus registers, Forescout revealed. “The newly uncovered issues, summarized below, only affect the Modicon PLC Unity line. CVE-2022-45788 is an example of RCE via an undocumented memory write operation, while CVE-2022-45789 exemplifies a broken authentication scheme,” it added.

Additionally, while Schneider Electric describes CVE-2022-45788 as relating to downloading malicious project files, this vulnerability actually operates on a completely different – undocumented – set of functionality that allows for modifying internal PLC memory without affecting the PLC run state or requiring a project download.

“As noted, Modicon PLCs are extremely popular and widely used around the world. Estimating the number of affected devices based on public data is difficult because these devices are not supposed to be accessible via the internet,” the report said. “However, we are still able to see close to a thousand PLCs exposed online via Shodan, predominantly in the power industry (44%), followed by manufacturing (19%) and agriculture (15%). We found multiple instances of public subnets, likely used by system integrators or contractors, exposing Modicon PLCs for different power generation projects,” it added. 

To demonstrate the feasibility of deep lateral movement, Vedere Labs developed a proof-of-concept exploit chain against a nested device setup consisting of several popular PLCs: Schneider Electric Modicon M350, Allen-Bradley GuardLogix and WAGO 750 series. The setup was designed to disallow direct or routed access to crucial controllers and safety systems, demonstrating the techniques that advanced adversaries might employ to circumvent such restrictions.

“The scenario we built represents an attacker attempting to gain control over movable bridge infrastructure, with the intent of carrying out a cyber-physical attack to close the bridge at full speed, with safety systems disabled to either hit the bearings with the lock-bar driven or trigger an emergency stop at full velocity causing large inertial forces to damage the bridge,” the report said. “This scenario is typically very difficult or even impossible to carry out with simple control over a central SCADA interface.”

Vedere Labs identifies that the all-too-common habit of treating certain links – such as serial, point-to-point, radio frequency, and couplers – as “if they’re immune to many of the same issues that we see on regular Ethernet LAN networks is something that needs to be critically reevaluated.” 

The impact of a compromised device is not limited to the explicit capabilities of a link or its first-order connectivity, it added. “Just because it only exposes a few Modbus registers or is hooked up to an uninteresting device does not mean that an attacker cannot turn that link into something else and use that uninteresting device as a staging point for moving towards more interesting targets.”

“With the access attackers achieve through deep lateral movement, things might become possible which magnify the impact of an attack,” the report disclosed. “Mitigating the risks of deep lateral movement requires a careful blend of network monitoring to detect adversaries as early as possible, visibility into often overlooked security perimeters at the lower Purdue levels, and hardening the most interconnected and exposed devices.”

To assess the potential risk of a protocol stack vulnerability, one should take the ease of this kind of deep lateral movement into account, Vedere Labs said. “Consider, for example, a vulnerability in a CIP parser. If the vulnerability can only be used to cause a denial-of-service, it matters greatly where the parsing happens. After all, the difference between a DoS on an Ethernet module and a CPU module is the difference between loss of communications and loss of protection or control. But if the vulnerability can be used to achieve code execution, there still is a risk of loss of protection or control even if the parsing happens on the communication module simply because of the potential for the attacker to use that module as a pivot to the CPU module,” it added.

The research provided mitigation strategies for hardening L1 devices and networks by disabling unused services on devices. “For instance, if UMAS over Ethernet is not required on a PLC, disable it. Even if the PLC is nested, since we showed in this report how attackers can leverage vulnerabilities on nested devices.”

It also suggested using deep packet inspection (DPI) firewalls and IP-based access control lists to restrict sensitive flows between engineering workstations and PLCs. In cases where only subsets of protocols are required, use DPI to restrict this further. From a forensics perspective, ingest level 1 event logs that contain indicators of malicious activity of this kind, and enforce segmentation through OT-DPI firewalls and/or conformance-checking gateways, including for point-to-point links. 

The report added that depending on the risk, certain point-to-point links that cross highly sensitive segments might warrant dedicated drop-in DPI firewalls for Ethernet. “For serial links with similar profiles, you might want to consider inline taps that collect data out-of-band.”
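The L1 hardening advice above (UMAS allowed only where it is needed, IP-based access control between engineering workstations and PLCs, DPI on the remaining Modbus flows, and bulk register writes as a log indicator) can be expressed as a checkable policy over Modbus/TCP frames. This is an added example in Python, not Forescout’s code; the host addresses and frames are constructed assumptions, and UMAS is identified by its Modbus function code 0x5A.

```python
"""Checkable L1 policy for Modbus/TCP flows to a PLC (added example, not Forescout code).

Assumptions: host addresses are placeholders, frames are constructed for the test,
and UMAS (Schneider's Modicon management protocol) rides on Modbus function code 0x5A.
"""
import struct

UMAS_FC = 0x5A               # Modbus function code 90 carries UMAS
WRITE_MULTIPLE_REGS = 0x10   # standard Modbus "Write Multiple Registers"

# Assumed policy: only the engineering workstation may talk UMAS to the PLC;
# HMI hosts may use standard Modbus only; every other source is denied.
ENGINEERING_WS = {"10.0.1.10"}
HMI_HOSTS = {"10.0.1.20"}


def build_frame(unit: int, fc: int, data: bytes, tid: int = 1) -> bytes:
    """Assemble a Modbus/TCP frame: MBAP header (tid, proto 0, length, unit) + PDU."""
    return struct.pack(">HHHBB", tid, 0, len(data) + 2, unit, fc) + data


def parse_frame(frame: bytes) -> dict:
    """Split a Modbus/TCP frame into header fields and PDU data, rejecting malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    return {"tid": tid, "unit": unit, "fc": fc, "data": frame[8:]}


def check_frame(src_ip: str, frame: bytes) -> list:
    """Return policy violations for one frame (empty list means allowed)."""
    findings = []
    pdu = parse_frame(frame)
    fc = pdu["fc"]
    if fc == UMAS_FC:
        # UMAS is the engineering protocol: a nested PLC that never needs it should
        # have it disabled, and DPI should drop it from any non-engineering host.
        if src_ip not in ENGINEERING_WS:
            findings.append(f"UMAS from non-engineering host {src_ip}")
    elif src_ip not in ENGINEERING_WS | HMI_HOSTS:
        findings.append(f"Modbus fc=0x{fc:02x} from unlisted host {src_ip}")
    if fc == WRITE_MULTIPLE_REGS and len(pdu["data"]) >= 5:
        qty, bytecount = struct.unpack(">HB", pdu["data"][2:5])
        regs = pdu["data"][5:5 + bytecount]
        # Bulk zeroing of registers is the pattern of the GhostSec M340 incident.
        if qty >= 8 and regs and not any(regs):
            findings.append(f"bulk zero-write of {qty} registers from {src_ip}")
    return findings
```

Fed from a packet capture or a DPI firewall's flow log, `check_frame` yields the per-flow findings that an L1 event pipeline would ingest.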

Vedere Labs also described last June details of a new attack approach called Ransomware for IoT or R4IoT. The proof of concept covers next-generation ransomware that exploits IoT devices for initial access, targets IT devices to deploy ransomware and cryptominers, and leverages poor OT security practices to cause physical disruption to business operations. By compromising IoT, IT, and OT assets, R4IoT goes beyond the usual encryption and data exfiltration to cause physical disruption of business operations.
