Cyble-Analysis-ICS-Attack-Vector-Serial-to-Ethernet-Devices

Critical Vulnerabilities in Serial-to-Ethernet Devices

Potential Attack Vectors on Critical National Infrastructure

Introduction

Serial-to-Ethernet converters/gateways and serial device servers are widely used in Industrial Control Systems (ICS) to enable remote communication with, and monitoring of, equipment that supports serial interfaces such as RS-232 and RS-485.

Figure 1 – Serial to Ethernet Diagram

One of the major functions of serial-to-Ethernet converters is to provide data that continuously updates plant operators on machine status, allowing them to minimize downtime. Serial-to-Ethernet converters also played a crucial role in a high-profile cyberattack in Ukraine, as reported by the Cybersecurity and Infrastructure Security Agency (CISA).

With rising global political instability, it is reasonable to assume that attackers will continue to take advantage of serial-to-Ethernet converters to cause severe damage to Industrial Control Systems (ICS).

Findings

While investigating serial-to-Ethernet converters, Cyble Research Labs found over 2,000 connectors exposed to the Internet from vendors such as Moxa, Lantronix and Allied Telesis. The majority of these exposed connectors were from Moxa, which led us to investigate the vulnerabilities in these devices. According to the ICS-CERT advisory, the following versions of Moxa NPort devices are vulnerable to injection, information exposure and resource exhaustion:

  • NPort 5110 Version 2.2
  • NPort 5110 Version 2.4
  • NPort 5110 Version 2.6
  • NPort 5110 Version 2.7
  • NPort 5130 Version 3.7 and prior
  • NPort 5150 Version 3.7 and prior

Figure 2 shows the number of NPort 5110 devices exposed to the Internet, as found via an online scanner. Apart from the Moxa NPort 5110, several other products in the same segment from different vendors are also currently exposed to the Internet.

Successful exploitation of these devices could severely impact national infrastructure, as these products are often installed in critical facilities such as power plants, wastewater treatment plants and chemical plants.

Figure 2 – Global Representation of Moxa NPort 5110

Using tools such as Metasploit, an attacker can retrieve sensitive details such as passwords and SNMP community strings from these devices.

An attacker who obtains the admin password of the Moxa device can then log in to the web console, which exposes sensitive information about the device.

Figure 3 – Device Information retrieved from a web console

An attacker can also fetch and manipulate network details, as shown below.

Figure 4 – Network Settings

Access to the web console also allows an attacker to alter serial connection settings such as the baud rate, software flow control and parity, as shown in Figure 5.

Baud Rate: The baud rate is the speed at which data is sent over the serial line, usually expressed in bits per second (bps). The reciprocal of the baud rate gives the time taken to transfer one bit.

Software Flow Control: Software flow control coordinates the flow of data from one device to another so that the receiving device can process everything it receives. This is especially important when the sending device can transmit data much faster than the receiving device can accept it.

Parity: Parity is a method of detecting errors in transmission.

Figure 5 – Serial Settings
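The three settings above can be made concrete with a small model of an asynchronous serial frame. The following Python is an added illustration, not code from the original article, from Cyble or from Moxa: it computes the bit time from the baud rate, builds a frame (start bit, data bits LSB first, optional parity bit, stop bits), appends and checks a parity bit, and goes one step beyond the text by simulating a receiver whose baud rate does not match the sender's, which is the receiver-side error scenario mentioned in the Impact section. The baud rates and byte values used are assumed sample values.

```python
"""Serial-line arithmetic for baud rate, frame timing and parity.

Added illustration (not Cyble's or Moxa's code). Models a generic UART-style
frame: one start bit (0), data bits LSB first, an optional parity bit, and
stop bits (1), with the line idle high. Sample baud rates are assumptions.
"""
from fractions import Fraction


def bit_time(baud):
    """Seconds on the wire per bit: the reciprocal of the baud rate."""
    if baud <= 0:
        raise ValueError("baud rate must be positive")
    return Fraction(1, baud)


def parity_bit(byte, parity):
    """Parity bit the transmitter appends so that data + parity holds an
    even ('E') or odd ('O') number of 1 bits."""
    ones = bin(byte & 0xFF).count("1")
    if parity.upper() == "E":
        return ones % 2
    if parity.upper() == "O":
        return 1 - ones % 2
    raise ValueError("parity must be 'E' or 'O'")


def build_frame(byte, data_bits=8, parity="N", stop_bits=1):
    """Bit sequence as sent on the wire for one character."""
    bits = [0]                                           # start bit
    bits += [(byte >> i) & 1 for i in range(data_bits)]  # data, LSB first
    if parity.upper() != "N":
        bits.append(parity_bit(byte, parity))
    bits += [1] * stop_bits                              # stop bit(s)
    return bits


def frame_time(baud, data_bits=8, parity="N", stop_bits=1):
    """Seconds needed to send one character frame with these settings."""
    return len(build_frame(0, data_bits, parity, stop_bits)) * bit_time(baud)


def line_level(frame, tx_baud, t):
    """Logic level on the line at time t (Fraction seconds, t=0 at the
    start-bit edge). After the frame the line returns to idle high."""
    idx = int(t * tx_baud)      # exact arithmetic: Fraction * int, floored
    return frame[idx] if idx < len(frame) else 1


def receive(frame, tx_baud, rx_baud, data_bits=8, parity="N"):
    """UART-style receiver sampling mid-bit at its own baud rate.
    Returns (byte, parity_ok, framing_ok)."""
    period = bit_time(rx_baud)

    def sample(k):
        return line_level(frame, tx_baud, (k + Fraction(1, 2)) * period)

    byte = 0
    for i in range(data_bits):
        byte |= sample(1 + i) << i
    k = 1 + data_bits
    parity_ok = True
    if parity.upper() != "N":
        parity_ok = sample(k) == parity_bit(byte, parity)
        k += 1
    framing_ok = sample(k) == 1  # the stop bit must be high
    return byte, parity_ok, framing_ok


def parity_detects(byte, flipped_bits, parity):
    """True if the receiver's parity check would flag the given bit flips.
    Parity catches any single flipped bit but misses an even number."""
    sent = parity_bit(byte, parity)
    corrupted = byte
    for b in flipped_bits:
        corrupted ^= 1 << b
    return parity_bit(corrupted, parity) != sent


if __name__ == "__main__":
    print("bit time at 9600 baud:", float(bit_time(9600)), "s")
    print("8N1 frame at 9600 baud:", float(frame_time(9600)), "s")
    print("matched baud:   ", receive(build_frame(0x55), 9600, 9600))
    print("sender too fast:", receive(build_frame(0x55), 19200, 9600))
    print("sender too slow:", receive(build_frame(0x55), 9600, 19200))
```

Running it shows why a changed baud rate is dangerous rather than merely noisy: with the sender at 19200 baud and the receiver still at 9600, the byte 0x55 arrives as 0xFF with no parity or framing error at all, so the application on the receiving side has no indication that its data is wrong. In the opposite direction the receiver at least sees a framing error.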

The ability to reboot the serial device from the web console, shown in Figure 6, can be abused by malicious entities to cause data loss. As these devices are installed in critical environments, an unexpected reboot can significantly disrupt plant operations.

Figure 6 – Reboot functionality from the web console

In the earlier attacks on the Ukrainian ICS sector, the attackers corrupted the firmware of the serial-to-Ethernet devices at substations as part of a well-orchestrated cyberattack.

The firmware update function likewise allows malicious entities to upload customized firmware for malicious purposes, as shown below.

Figure 7 – Firmware upload functionality

Impact

  • Malicious interference with the operation of sites such as power plants, wastewater treatment plants and chemical plants that use unsecured serial-to-Ethernet devices can result in ransomware attacks.
  • Altering baud rates to a higher bits-per-second (bps) value can result in errors on the receiving end.
  • Operations in critical infrastructure can be temporarily or permanently halted, disrupting the entire supply chain.
  • Physical damage at the site caused by a cyberattack can result in loss of life.
  • Organizations would bear huge maintenance costs if attackers successfully exploited the vulnerabilities in their serial devices.
  • Cyberattacks on serial devices can benefit state-sponsored hackers by diverting the focus of government departments from territorial borders to the country's internal issues. For example, blackouts caused by a cyberattack can create public chaos, a situation that adversarial military forces could leverage, making it a national security concern.
  • There is also a significant loss of national prestige and a morale impact if critical infrastructure at the national level is compromised.

Conclusion

The exposed serial devices pose a significant risk to various countries and can be used by state-sponsored hackers to create geopolitical instability. Serial communication has been used extensively in industrial automation since the 1960s. Despite the development of newer digital protocols, it is still widely deployed in critical infrastructure due to its simplicity and efficiency.

With access to these serial devices, attackers can also obtain complete control over the equipment connected to them. Hence, site operators should ensure that the serial devices used at the site are updated with the latest firmware and appropriately secured.

Recommendations

  • Minimize network exposure for all serial devices by using network segmentation and placing them behind network firewalls, so that they are not accessible from the Internet.
  • A strong password policy should be followed while configuring devices.
  • Update devices to the latest available firmware.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). It is important to note that VPNs may have their own vulnerabilities and should be updated to the most current version available. Also, a VPN is only as secure as its connected devices.
  • Keep backup and restore processes and procedures in place for disaster recovery and incident response.
  • Monitor and maintain account provisioning and access control based on the principle of least privilege.
  • Include a threat intelligence model in the security posture to protect against cyber threats.
  • Conduct regular audits and penetration testing to remove vulnerabilities from critical infrastructure.
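A practical way to verify the segmentation and monitoring recommendations above is to review firewall flow logs for traffic reaching the management services of serial-to-Ethernet gateways (the web console, Telnet and SNMP that the findings describe) from anywhere other than the engineering subnet. The Python below is an added example, not Cyble's or any vendor's code: the gateway addresses, the permitted management subnet, the RFC 1918 ranges treated as internal, the key=value log format and the sample log lines are all constructed assumptions to be replaced with the site's own inventory and firewall export.

```python
"""Exposure audit for serial-to-Ethernet gateways from firewall flow logs.

Added example (not Cyble's or a vendor's code). Flags management-port
access to the gateways from outside the engineering subnet and separates
internal policy violations from flows that came from the Internet.
All addresses, ports, the log format and the sample lines are assumptions.
"""
import ipaddress
import re
from collections import Counter

# Constructed inventory of serial gateways on the plant network (assumed).
SERIAL_GATEWAYS = {ipaddress.ip_address(a) for a in ("10.20.5.11", "10.20.5.12")}

# Management services such devices expose: web console (HTTP/HTTPS), Telnet, SNMP.
MGMT_PORTS = {("tcp", 80), ("tcp", 443), ("tcp", 23), ("udp", 161)}

# Only the engineering workstation subnet may reach management ports (assumed).
MGMT_SOURCES = [ipaddress.ip_network("10.20.1.0/24")]

# Address space treated as "inside the plant" for this check (assumed RFC 1918 use).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed key=value flow-log layout; adapt the regex to the real firewall export.
LOG_RE = re.compile(
    r"proto=(?P<proto>tcp|udp)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+action=(?P<action>allow|deny)"
)


def classify_flow(line):
    """Verdict for one log line, or None if it does not concern a gateway."""
    m = LOG_RE.search(line)
    if not m:
        return None
    dst = ipaddress.ip_address(m["dst"])
    if dst not in SERIAL_GATEWAYS:
        return None
    if m["action"] == "deny":
        return "blocked"                     # firewall already did its job
    service = (m["proto"], int(m["dport"]))
    if service not in MGMT_PORTS:
        return "data-port"                   # serial data traffic, not management
    src = ipaddress.ip_address(m["src"])
    if any(src in net for net in MGMT_SOURCES):
        return "ok"                          # engineering subnet, as intended
    if any(src in net for net in INTERNAL_NETS):
        return "unauthorized-internal"       # segmentation gap inside the plant
    return "internet-exposed"                # the device is reachable from outside


def audit(lines):
    """Count verdicts and collect the lines that need follow-up."""
    counts = Counter()
    findings = []
    for line in lines:
        verdict = classify_flow(line)
        if verdict is None:
            continue
        counts[verdict] += 1
        if verdict in ("unauthorized-internal", "internet-exposed"):
            findings.append((verdict, line.strip()))
    return counts, findings


# Constructed sample log lines (not real traffic; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for Internet sources).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z fw01 proto=tcp src=10.20.1.7:51234 dst=10.20.5.11:80 action=allow",
    "2024-05-01T10:00:05Z fw01 proto=tcp src=10.40.3.9:4444 dst=10.20.5.11:23 action=allow",
    "2024-05-01T10:00:09Z fw01 proto=udp src=203.0.113.5:50000 dst=10.20.5.12:161 action=allow",
    "2024-05-01T10:00:12Z fw01 proto=tcp src=10.20.1.7:51300 dst=10.20.5.11:4001 action=allow",
    "2024-05-01T10:00:15Z fw01 proto=tcp src=198.51.100.20:40001 dst=10.20.5.11:80 action=deny",
    "2024-05-01T10:00:20Z fw01 proto=tcp src=10.20.1.7:51400 dst=10.20.9.3:80 action=allow",
]

if __name__ == "__main__":
    counts, findings = audit(SAMPLE_LOG)
    print(dict(counts))
    for verdict, line in findings:
        print(f"{verdict:22} <- {line}")
```

The distinction between the two finding types matters for response: an "unauthorized-internal" hit points to a missing internal firewall rule or a flat network, while an allowed "internet-exposed" flow means the device is reachable from outside and should be treated as potentially compromised (credentials rotated, firmware verified) rather than simply re-firewalled.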
