Nozomi detects security flaw in Hitachi Relion 650/670 IEDs update mechanism, provides mitigation action 

Industrial cybersecurity vendor Nozomi Networks Labs revealed on Tuesday the presence of a flaw in the update mechanism of the Hitachi Relion 650/670 series substation devices. The vulnerability could allow attackers to install implants that grant them persistence within victim environments. After gaining a basic understanding of some of the features present in the firmware, the researchers started experimenting with attack paths on the devices provided at the event.

The Nozomi researchers participated in the Swiss Cyber Defence Campus’ ICS Hackathon last September. During the event, the team spent three days researching vulnerabilities and reverse engineering firmware, with a focus on the Hitachi Relion 650/670 series, a protection and control IED. 

“When trying our exploit, we noticed the Hitachi Relion’s screen turning off, symptomatic of a system crash, so we did some more investigating,” Nozomi researchers wrote in a company blog post.

[Image caption from the blog post: One of the testing racks on which the vulnerability was developed.]

“The task was no small feat, as firmware often is an exceptionally large executable file, in which dependencies are usually statically linked,” the researchers added.

They added that the Relion firmware is no exception, with several services and features built into the firmware itself, including two different FTP servers. “This means that to gain an understanding of the firmware features, plenty of time is spent researching and making sense of the functions used by the firmware. First, we show a firmware function FTP HELP before analysis, followed by the same function post-analysis.”

As the reverse engineering progressed and the team gained more understanding of the features present in the firmware, the researchers started to build some attack paths, the post revealed. “While we investigated other aspects of the device, we focused our analysis on the firmware update mechanism, speculating that there was a complex attack surface beneath. Eventually, the investigation paid off.”

The Relion 670 series protection and control IEDs provide improved functionality, with maximum flexibility and performance to meet the requirements of any application in generation, transmission, and sub-transmission protection systems. 

While analyzing the Hitachi Relion 650/670 firmware, Nozomi detected an update package validation vulnerability that affects Relion 670/650 series version 2.2.0 all revisions, Relion 670/650/SAM600-IO series version 2.2.1 all revisions, Relion 670 series version 2.2.2 all revisions, Relion 670 series version 2.2.3 all revisions, Relion 670/650 series version 2.2.4 all revisions, and Relion 670/650 series version 2.2.5 all revisions.

As a patch is still being developed, Nozomi said it has deliberately omitted technical details of the proof-of-concept request from its post.

“The specific vulnerability found by our team exploits the firmware update mechanism on the Relion 650/670 series,” the researchers said. “Notably, a malicious update package can be sent to the device during the update procedure, crashing the device. However, for the vulnerability to work, the device must have the FSTAccess parameter enabled.”

Unfortunately, Nozomi did not manage to fully trace the vulnerability back to the affected code in the firmware before the Hackathon concluded. “Our speculation is that the vulnerability causes a heap overflow, which might be leveraged to allow remote code execution on the device, but we cannot be certain, as we did not have the time to build an exploit nor set up a debugging environment,” they added.

Although the vulnerability is triggered when updating the Hitachi Relion firmware using a malicious update package, there are some major preconditions to the exploitation of the vulnerability: first, the FSTAccess mode must be enabled on the device, and second, the threat actor must know a set of credentials to initiate the update procedure.

Nozomi identifies two ways of exploiting the vulnerability. In the first instance, a hacker with remote access to the Relion device where FSTAccess is enabled and a valid set of credentials to access the device can initiate the update procedure and supply the malicious update package.

Secondly, the hacker might perform a watering hole attack to supply the malicious update package to the Relion’s operator, for instance by running a spear-phishing campaign that targets operators and promotes a supposedly new firmware release for the Relion 650/670 series. Alternatively, a hacker who has already compromised systems within the victim environment could tamper with the victim’s internal knowledge center and the file shares hosting the firmware packages, so that operators unknowingly use the malicious update package the next time they update the device.

While a patch from Hitachi is in progress, Nozomi calls upon organizations using the Hitachi Relion 650/670 series to ensure that the FSTAccess mode is disabled on the affected devices; if it is needed, turn it on only for the duration of the update procedure and turn it back off once done. It also suggests always downloading update packages directly from Hitachi over a secure channel, avoiding storage of the packages on untrusted file shares and other media, and downloading a fresh copy for each update until the vulnerability is fixed.
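One way for an operator to act on the second half of that advice is to pin the digest of the package at the moment it is fetched directly from the vendor and to refuse any copy staged on a file share whose digest no longer matches. The following is an added illustration, not Nozomi’s or Hitachi’s own tooling; the filenames, package bytes and digests are constructed for the example and do not correspond to real Relion release artifacts.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Tuple

# Added illustration. Filenames, bytes and digests are constructed for the
# example; they are not real Hitachi Relion release artifacts.


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so a large firmware image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_trusted_digest(path: str, manifest: Dict[str, str]) -> str:
    """Pin the digest of a package fetched directly from the vendor over a secure channel.

    The manifest (filename -> hex digest) is what later copies on shares are checked against.
    """
    digest = sha256_of_file(path)
    manifest[os.path.basename(path)] = digest
    return digest


def verify_staged_package(path: str, manifest: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a package staged on a file share may be loaded onto the IED."""
    name = os.path.basename(path)
    expected = manifest.get(name)
    if expected is None:
        return False, f"{name}: no pinned digest; fetch a fresh copy from the vendor"
    actual = sha256_of_file(path)
    # Constant-time comparison of the hex strings
    if not hmac.compare_digest(actual, expected):
        return False, f"{name}: digest mismatch; package altered or stale, do not load"
    return True, f"{name}: digest matches pinned value"


def demo() -> Dict[str, bool]:
    """Build a genuine package, a tampered share copy and an unknown file, then check each."""
    results: Dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as d:
        # Copy fetched directly from the vendor (constructed bytes)
        genuine = os.path.join(d, "relion670_update_example.pkg")
        with open(genuine, "wb") as f:
            f.write(b"CONSTRUCTED-FIRMWARE-IMAGE" * 4096)
        manifest: Dict[str, str] = {}
        record_trusted_digest(genuine, manifest)

        # Same filename on a file share, with a single bit flipped
        share = os.path.join(d, "share")
        os.mkdir(share)
        tampered = os.path.join(share, "relion670_update_example.pkg")
        with open(genuine, "rb") as f:
            data = bytearray(f.read())
        data[100] ^= 0x01
        with open(tampered, "wb") as f:
            f.write(data)

        # A package nobody ever pinned
        unknown = os.path.join(d, "relion670_update_other.pkg")
        with open(unknown, "wb") as f:
            f.write(b"x")

        results["genuine"] = verify_staged_package(genuine, manifest)[0]
        results["tampered"] = verify_staged_package(tampered, manifest)[0]
        results["unknown"] = verify_staged_package(unknown, manifest)[0]
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(name, "accepted" if accepted else "rejected")
```

The manifest stands in for whatever record an operator keeps of vendor-fetched packages; the point is that the pinned digest is taken from the direct download, never from the copy on the share, and that an unpinned filename is treated as untrusted rather than silently accepted.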

In December, Nozomi Labs researchers described the Glupteba trojan as an example of attackers leveraging blockchain-based technologies to carry out their malicious activity. The backdoor trojan is distributed through ‘Pay-Per-Install’ networks, online ad campaigns that prompt software or application downloads, bundled in infected installers or software cracks.

Data disclosed by Nozomi in January in its latest OT/IoT security report, covering the second half of 2022, showed that disruptive and malicious cyberattacks on vital infrastructures such as energy, hospitals, rail, and manufacturing were still observed and remain a significant issue. The firm reports that it also tracked hacktivists causing disruptive attacks, thefts of technology source code, and the use of wiper malware.
