Physical Threats from Darkweb Marketplaces: A New Frontier in Cybercrime
Physical security is a set of measures designed to prevent unauthorized access to a facility, building, or location and protect against damage or harm to people and assets within that location. It involves the use of various techniques and technologies to secure the perimeter of a location, as well as to protect against intrusions and attacks.
One common form of physical security is the use of fences, gates, and barriers to control access to a location. It includes using walls, gates, and other structures to create a perimeter around the facility and using security personnel to monitor and control access.
Other measures that may be used to enhance physical security include cameras and other surveillance technologies, as well as security lighting, smart sensors, physical access controls, alarms, and other warning systems.
Adequate physical security requires a combination of various techniques and technologies, as well as careful planning and coordination.
The recent physical attacks on multiple substations in the United States, in which substations in Moore County, substations operated by Duke Energy, the Graham and Elk Plain substations operated by Tacoma Power, and the Kapowsin and Hemlock substations operated by Puget Sound Energy were vandalized, highlight the importance of the physical security of Critical Infrastructure (CI).
Earlier, the FBI released a lookout notice seeking information about the culprits involved in the incident.
The physical attacks on US substations halted daily operations across several counties and led to significant monetary losses due to repairs. In light of this series of physical attacks on electric infrastructure, which resulted in thousands of customer interruptions, the Federal Energy Regulatory Commission (FERC) issued an order on December 15, 2022, asking the North American Electric Reliability Corporation (NERC) to investigate the efficacy of its physical security reliability standard.
This event can be considered an example of how physical attacks on CI can disrupt national services within a state or country. At the same time, the very assets used to protect CI, such as CCTV cameras, boom barriers, biometric systems, and PAC systems, might themselves be exploited by anti-state entities, hacktivist groups, hackers, and state-sponsored attackers to gain access, maintain persistence for surveillance, move laterally towards the OT network, and gain physical access to critical facilities.
After their apprehension, the substation attackers stated that the attack was carried out for monetary gain. Such instances also lead us to contemplate situations wherein, due to economic downturns and unemployment, financially motivated goons may fall into the trap of psyops and related underground campaigns run by state-sponsored threat actors on the dark web.
By coaxing such felons, cybercriminals could launch even more catastrophic attacks on Critical Infrastructure by first gaining physical access and then launching a cyber-attack. Such a scenario would leave law enforcement agencies in an even more precarious position because of the extended turnaround time for restoring critical services.
Darkweb abetting attacks on Critical Infrastructure
While performing daily threat hunting and monitoring various underground forums, Cyble Research & Intelligence Labs (CRIL) foresees the following scenarios as precursors to a more synchronized and orchestrated attack on National Critical Infrastructure.
- On December 14, 2022, Threat Actors (TAs) were selling a zero-day exploit for Mercury-based Physical Access Control (PAC) devices on one of the prominent cybercrime forums, offering buyers a way to gain a foothold within target organizations.
Mercury-based Physical Access Control (PAC) systems are security systems that use Mercury controllers to manage access to physical locations. They typically consist of a network of door controllers connected to doors or other access points, and a central management system used to configure and monitor the controllers.
In a PAC system, users are typically issued credentials such as keycards, fobs, or biometrics, which they present to access the controlled areas. When a user presents their credential to a door controller, the controller verifies it and either grants or denies access based on the user’s permissions. The central management system configures each user’s permissions and monitors the controllers’ activity in real time.
PAC systems are commonly used in various settings, including critical facilities dealing with military research and development projects, biochemical facilities, power generation and distribution facilities, office buildings, hospitals, etc.
They can help improve security, reduce the risk of unauthorized access, and simplify the process of managing access for many people.
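The decision flow just described (credential presented to a door controller, verified against permissions pushed down by the central system, every decision reported back for monitoring) is easy to reason about in code. The following is an added illustration written for this page, not Mercury or LenelS2 code; the credential ids, door ids, schedules and the assumption that a controller keeps a local copy of the policy are all constructed.

```python
"""Model of the PAC flow described above: a door controller checks a
presented credential against the permissions pushed down by the central
management system, grants or denies, and records every event for monitoring.
Added illustration written for this page, not Mercury or LenelS2 code; the
credential ids, door ids and schedules are constructed."""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class Permission:
    doors: frozenset      # door ids this credential may open
    start_hour: int       # schedule start, inclusive (24h clock)
    end_hour: int         # schedule end, exclusive


@dataclass
class DoorController:
    door_id: str
    # Local copy of the policy pushed by the central system, so the door keeps
    # deciding if the management link drops (assumed controller behaviour).
    permissions: dict = field(default_factory=dict)
    revoked: set = field(default_factory=set)
    events: list = field(default_factory=list)

    def sync(self, permissions, revoked=()):
        """Central management system pushes the current permission set."""
        self.permissions = dict(permissions)
        self.revoked = set(revoked)

    def present(self, credential_id, when):
        """Decide on a presented credential; return (granted, reason)."""
        if credential_id in self.revoked:
            decision = (False, "revoked")
        elif credential_id not in self.permissions:
            decision = (False, "unknown credential")
        else:
            perm = self.permissions[credential_id]
            if self.door_id not in perm.doors:
                decision = (False, "door not permitted")
            elif not perm.start_hour <= when.hour < perm.end_hour:
                decision = (False, "outside schedule")
            else:
                decision = (True, "ok")
        # Every decision is reported so the central system can alert on
        # patterns such as repeated unknown credentials at one door.
        self.events.append((when, credential_id, self.door_id) + decision)
        return decision

    def denials(self):
        """Denied events, the subset a monitoring team would review."""
        return [e for e in self.events if not e[3]]


def demo():
    """Run a constructed scenario; return the decisions and the denial count."""
    gate = DoorController("SUBSTATION-GATE")
    gate.sync(
        {"card-101": Permission(frozenset({"SUBSTATION-GATE"}), 8, 18),
         "card-102": Permission(frozenset({"SERVER-ROOM"}), 0, 24)},
        revoked={"card-099"},
    )
    day, night = datetime(2022, 12, 14, 9, 0), datetime(2022, 12, 14, 23, 0)
    decisions = {
        "in-hours": gate.present("card-101", day),
        "after-hours": gate.present("card-101", night),
        "wrong-door": gate.present("card-102", day),
        "revoked": gate.present("card-099", day),
        "unknown": gate.present("card-999", day),
    }
    return {"decisions": decisions, "denied": len(gate.denials())}
```

The point for a defender is the last part: the controller's event stream, not just its grant/deny output, is what the central management system monitors, and a run of "unknown credential" or "outside schedule" denials at a single door is the signal worth alerting on.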
It is important to note that in June 2022, researchers disclosed critical flaws in widely used building access control systems. The research was performed on HID Mercury access control panels used by organizations across healthcare, education, transportation, and government for physical security. More than 20 OEM partners provide access control solutions with Mercury boards. Carrier LenelS2 is one of these vendors and worked closely with the researchers to facilitate the disclosure to HID Mercury.
This research led to the disclosure of the following four zero-day vulnerabilities and four previously patched vulnerabilities.
Comparing the claim made by the TA (figure 2) with the vulnerabilities found in that research, it is possible that the TA is selling an exploit for one of the vulnerabilities discussed below, which have been thoroughly investigated earlier. The post made by the TA recently disappeared from the cybercrime forum, implying that the exploit might have been sold to a buyer.
An unauthenticated attacker can update the hostname with a specially crafted name that will allow for shell commands to be executed during the core collection process. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions before 1.302 for the LP series and 1.296 for the EP series.
An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable. The injected commands only get executed during start-up or when unsafe calls regarding the hostname are used. This allows the attacker to gain remote access to the device and make their persistence permanent by modifying the filesystem.
An unauthenticated attacker could arbitrarily upload firmware files to the target device, ultimately causing a Denial-of-Service (DoS). This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502, which contain firmware versions prior to 1.302 for the LP series and 1.296 for the EP series. The attacker needs to have a properly signed and encrypted binary, and loading the firmware onto the device ultimately triggers a reboot.
An unauthenticated attacker can send a specially crafted update file to the device that can overflow a buffer. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502, which contain firmware versions prior to 1.302 for the LP series and 1.296 for the EP series.
The overflowed data can allow the attacker to manipulate the “normal” code execution to that of their choosing. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable.
An authenticated attacker can send a specially crafted route to the “edit_route.cgi” binary and have it execute shell commands. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502, which contain firmware versions prior to 1.303 for the LP series and 1.297 for the EP series.
An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable.
An unauthenticated attacker can send a specially crafted unauthenticated HTTP request to the device that can overflow a buffer. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502, which contain firmware versions prior to 1.29.
The overflowed data leads to a segmentation fault and, ultimately, a denial-of-service condition, causing the device to reboot. The impact of this vulnerability is that an unauthenticated attacker could leverage this flaw to cause the target device to become unresponsive. An attacker could automate this attack to achieve persistent DoS, effectively rendering the target controller useless.
As the claim made by the TA matches the research, it is quite likely that the TA is selling exploits for these same vulnerabilities, targeting vendors whose products incorporate the affected controllers.
An authenticated attacker can upload a file with a filename including “..” and “/” to successfully place the file anywhere on the filesystem. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502, which contain firmware versions prior to 1.271. This allows a malicious actor to overwrite sensitive system files and install a start-up service to gain remote access to the underlying Linux operating system with root privileges.
An unauthenticated attacker can send a specially crafted network packet to delete a user from the web interface. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502, which contain firmware versions prior to 1.29. The impact of this vulnerability is that an unauthenticated attacker could lock legitimate users out of the web interface and potentially force them to use the default-user DIP switch procedure to regain access.
An unauthenticated attacker can send specially crafted packets to update the “notes” section of the home page of the web interface. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502, which contain firmware versions prior to 1.29.
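Three of the weakness classes listed above recur in embedded web interfaces of every vendor: a hostname spliced into a shell command, an upload filename that still contains “..” and “/”, and a state-changing request that never checks for a session. The block below puts the weak pattern beside its hardened form for each. It is an added example written for this page, not HID Mercury firmware; the upload root, handler names and session structure are constructed.

```python
"""Defensive counterparts to three weakness classes described above: hostname
command injection, '..'-based upload path traversal, and an unauthenticated
state-changing request. Added example written for this page; it is not HID
Mercury firmware, and the upload root, handler names and session shape are
constructed."""
import os
import re

UPLOAD_ROOT = "/var/lib/controller/uploads"   # constructed path
# RFC 1123 host label: 1-63 letters, digits or hyphens, not starting/ending with '-'
_HOST_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def hostname_command_unsafe(name):
    """Weak pattern: the client-supplied name is spliced into a shell string,
    so metacharacters in it would be interpreted if this were run via sh -c."""
    return f"hostname {name}"


def set_hostname_safe(name):
    """Hardened: accept only a valid hostname, then build an argv list for
    subprocess.run(argv, shell=False) so no shell ever parses the value."""
    labels = name.split(".")
    if len(name) > 253 or not all(_HOST_LABEL.match(label) for label in labels):
        raise ValueError("invalid hostname")
    return ["hostname", name]


def upload_path_unsafe(filename):
    """Weak pattern: '..' and '/' in the supplied filename are honoured, so the
    resolved path can land outside UPLOAD_ROOT."""
    return os.path.normpath(os.path.join(UPLOAD_ROOT, filename))


def upload_path_safe(filename):
    """Hardened: refuse any directory component, then prove containment."""
    if filename in ("", ".", "..") or os.path.basename(filename) != filename:
        raise ValueError("filename must not contain a path")
    root = os.path.realpath(UPLOAD_ROOT)
    full = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, full]) != root:
        raise ValueError("path escapes upload root")
    return full


def delete_user(request, users):
    """Hardened: a state-changing request needs an authenticated admin session.
    Returns (http_status, remaining_users); nothing changes unless 200."""
    session = request.get("session")
    if not session or session.get("role") != "admin":
        return 401, users
    target = request.get("user")
    if target == session.get("user"):
        return 400, users          # an admin cannot lock itself out
    return 200, [u for u in users if u != target]


def rejects(fn, arg):
    """True when fn refuses arg with ValueError; used to exercise the checks."""
    try:
        fn(arg)
    except ValueError:
        return True
    return False


def escapes_root(path):
    """True when a resolved path lies outside UPLOAD_ROOT."""
    root = os.path.realpath(UPLOAD_ROOT)
    return os.path.commonpath([root, os.path.realpath(path)]) != root
```

The hardened functions share one idea: validate against an allow-list of what the value is supposed to be (a hostname, a bare filename, an admin session) rather than trying to strip out the characters an attacker might use, and keep untrusted strings away from any shell or path resolver entirely.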
2. Smart Cameras
Cameras play a vital role in the physical security of CI. CRIL has observed several vulnerabilities in IoT devices such as the smart cameras guarding critical facilities, which makes them a lucrative target for TAs and ransomware groups.
CVE-2021-36260 is a command injection vulnerability in the web server of Hikvision products. An attacker only needs access to the HTTP(S) server port (typically 80/443); no username or password is needed, nor is any action required from the camera owner. Due to insufficient input validation, attackers can exploit the vulnerability to launch a command injection attack by sending messages containing malicious commands.
As multiple PoCs and scripts are available for the exploit, the affected products have been actively targeted for surveillance, lateral movement towards the Operational Technology (OT) network, crypto mining, botnet activity, etc.
CRIL observed multiple instances on one of the main cybercrime forums where Threat Actors (TAs) explicitly exploited Hikvision-based IoT cameras in the United States, the United Kingdom, Asian countries, etc., as shown in the figure below.
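Because the camera flaw above needs no credentials and the controller DoS earlier in the article can be automated, the cheapest detection sits in front of the device: a gateway or proxy log of who sent what to which endpoint. The block below runs three checks over constructed log lines: shell metacharacters in a path or body, write methods without a session, and request bursts from one source. It is an added example written for this page; the log format, endpoint paths and addresses are constructed and do not describe any vendor's real API.

```python
"""Detection logic over constructed request logs from a gateway placed in
front of camera and controller web interfaces, covering the behaviours
described above: command-injection payloads that need no credentials,
unauthenticated state changes, and automated request bursts. Added example
written for this page; the log format, endpoint paths and addresses are
constructed and do not describe any vendor's real API."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one legitimate admin session, one injection attempt,
# and one source hammering the status endpoint.
SAMPLE_LOG = [
    "2022-12-14T10:00:01Z src=198.51.100.7 method=GET path=/ auth=none status=200",
    "2022-12-14T10:00:02Z src=198.51.100.7 method=POST path=/login auth=none status=200",
    "2022-12-14T10:00:03Z src=198.51.100.7 method=PUT path=/config/hostname auth=session status=200 body=cam-lobby-01",
    "2022-12-14T10:05:10Z src=203.0.113.9 method=PUT path=/config/hostname auth=none status=200 body=cam$(id)",
    "2022-12-14T10:05:11Z src=203.0.113.9 method=PUT path=/config/notes auth=none status=200 body=hello;uname -a",
    "2022-12-14T10:06:00Z src=203.0.113.22 method=GET path=/status auth=none status=200",
] + [
    f"2022-12-14T10:07:{s:02d}Z src=192.0.2.4 method=GET path=/status auth=none status=200"
    for s in range(6)
]

SHELL_META = re.compile(r"[;|`&\n]|\$[({]")   # common shell metacharacters
WRITE_METHODS = {"POST", "PUT", "DELETE"}
UNAUTH_OK = {"/login"}                         # endpoints expected without a session
BURST_N, BURST_WINDOW_S = 5, 10                # N requests inside the window = burst


def parse_line(line):
    """Turn 'ts key=value ...' into a dict; body is the last field and may contain spaces."""
    ts, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", rest))
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(lines):
    """Return a list of (rule, src, ts) alerts for the supplied log lines."""
    alerts, per_src = [], defaultdict(list)
    for rec in map(parse_line, lines):
        per_src[rec["src"]].append(rec["ts"])
        if SHELL_META.search(rec["path"] + rec.get("body", "")):
            alerts.append(("shell_metacharacters", rec["src"], rec["ts"]))
        if (rec["method"] in WRITE_METHODS and rec["auth"] == "none"
                and rec["path"] not in UNAUTH_OK):
            alerts.append(("unauthenticated_write", rec["src"], rec["ts"]))
    # Sliding window per source: flag once if BURST_N requests fall within BURST_WINDOW_S.
    for src, times in per_src.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):
            while (t - times[j]).total_seconds() > BURST_WINDOW_S:
                j += 1
            if i - j + 1 >= BURST_N:
                alerts.append(("request_burst", src, t))
                break
    return alerts


def summarize(alerts):
    """Count alerts per rule, the shape a dashboard or test would consume."""
    counts = defaultdict(int)
    for rule, _, _ in alerts:
        counts[rule] += 1
    return dict(counts)
```

The rules are deliberately device-agnostic: a camera or door controller whose firmware cannot be updated immediately can still be fronted by a proxy that records method, path, authentication state and body, and these three checks catch the behaviours the article describes without knowing any vendor-specific endpoint.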
It is important to note that on November 25, 2022, the Federal Communications Commission (FCC) placed bans on equipment authorizations for Chinese telecommunications and video surveillance equipment deemed to pose a threat to national security.
The Covered List (which lists both equipment and services) currently includes communications equipment produced by Huawei Technologies, ZTE Corporation, Hytera Communications, Hangzhou Hikvision Digital Technology, and Dahua Technology (and their subsidiaries and affiliates).
3. Hacking Tools for bypassing Access Control Systems
The cybersecurity community and pen testers from across the globe have shown practical demonstrations of how multifunctional tools like Flipper Zero, HackRF, Proxmark3, etc., can be used to bypass wireless devices and access control systems, such as garage door remotes, boom barriers, IoT sensors, and remote keyless systems, which are widely used in multiple CI sectors.
Hacking tools have been widely adopted within the security and hacking communities, and they have helped numerous researchers and vendors fix flaws within their products and assets. At the same time, one should understand that bypassing Physical Access Controls has become much easier and more feasible as a result.
Authorities responsible for the security of Critical Infrastructure facilities must consider various scenarios while designing and implementing security measures within the facility. With the adoption of the Industrial Internet of Things (IIoT), the attack surface available to attackers has grown multifold.
While investigating the claim made by the TA (figure 2), Cyble researchers observed over 612 exposed LenelS2 assets, which are widely used for advanced physical security solutions and also utilize HID Mercury PACs.
As these portals are web-based and internet-exposed, TAs might exploit them to gain access to critical facilities or disrupt day-to-day operations.
The figure below shows the geographical representation of exposed assets.
Note: Exposed assets do not indicate vulnerable instances.
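The practical follow-up to both the vulnerability list and the exposure figures is an inventory check: which controllers still run firmware older than the fixed versions printed above, and which of those also have a management interface reachable from the internet. The block below does that over constructed inventory rows. It is an added example written for this page, not a Cyble or vendor tool; note the assumption about version ordering explained in the comments, since the article's "previously patched" wording only makes sense if 1.271 and 1.29 are older than 1.302.

```python
"""Check a controller inventory against the fixed firmware versions the
article lists and flag management interfaces reachable from the internet.
Added example written for this page, not a Cyble or vendor tool; the inventory
rows are constructed, and the version ordering is an assumption explained below."""
from decimal import Decimal

# Fixed versions exactly as printed above: (weakness, LP-series fix, EP-series fix).
# The page gives one version for the four older issues, so it is applied to both series.
FIXES = [
    ("hostname command injection", "1.302", "1.296"),
    ("arbitrary firmware upload DoS", "1.302", "1.296"),
    ("update-file buffer overflow", "1.302", "1.296"),
    ("edit_route.cgi command injection", "1.303", "1.297"),
    ("unauthenticated HTTP buffer overflow", "1.29", "1.29"),
    ("upload path traversal", "1.271", "1.271"),
    ("unauthenticated user deletion", "1.29", "1.29"),
    ("unauthenticated notes update", "1.29", "1.29"),
]
SERIES = {"LP1501": "LP", "LP1502": "LP", "LP2500": "LP", "LP4502": "LP", "EP4502": "EP"}


def version(v):
    """Compare versions as decimal numbers (1.271 < 1.29 < 1.296 < 1.302).
    Assumption: this is the only ordering under which the 1.271 and 1.29 fixes
    are 'previously patched' relative to 1.302, as the article states; a
    dotted-integer comparison would wrongly rank 1.271 above 1.302."""
    return Decimal(v)


def missing_fixes(model, firmware):
    """Weaknesses whose fix version is newer than the installed firmware."""
    col = 1 if SERIES[model] == "LP" else 2
    return [fix[0] for fix in FIXES if version(firmware) < version(fix[col])]


def assess(inventory):
    """inventory: iterable of (asset_id, model, firmware, mgmt_internet_exposed).
    Returns per-asset findings with a triage priority. Exposure alone is not
    vulnerability (as the note above says), so it ranks below a missing fix."""
    report = {}
    for asset_id, model, firmware, exposed in inventory:
        if model not in SERIES:
            report[asset_id] = {"priority": "unknown model", "missing": [], "internet_exposed": exposed}
            continue
        missing = missing_fixes(model, firmware)
        if missing and exposed:
            priority = "critical"
        elif missing:
            priority = "high"
        elif exposed:
            priority = "medium"
        else:
            priority = "ok"
        report[asset_id] = {"priority": priority, "missing": missing, "internet_exposed": exposed}
    return report


# Constructed inventory rows, not real assets.
SAMPLE_INVENTORY = [
    ("ctl-01", "LP1502", "1.303", True),
    ("ctl-02", "LP4502", "1.302", False),
    ("ctl-03", "EP4502", "1.29", True),
    ("ctl-04", "LP1501", "1.27", False),
    ("ctl-05", "XYZ-9", "2.0", True),
]
```

An unknown model is reported rather than silently skipped, because a device the inventory cannot classify is exactly the visibility gap the SBOM and asset-inventory recommendations later in the article are meant to close.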
Physical and cyber assets are targeted by TAs, hacktivist groups, extremist groups, and state-sponsored attackers to compromise systems and infrastructure, and therefore pose a significant risk to both physical security and cybersecurity.
However, physical security and cybersecurity are often treated as separate entities. When security leaders do not have a holistic view of security threats, the likelihood of attacks increases. This can lead to severe consequences such as the exposure of sensitive information, economic damage, loss of life, and disruption of essential functions.
In light of recent events and the physical security vulnerabilities and loopholes described above, patch management of physical security assets should be treated as a high priority by security teams in Critical Infrastructure sectors.
Researchers at Cyble believe that in the coming years, exploits, scripts, CI blueprints, and other hacking tools will be actively sold by TAs over the dark web and cybercrime forums, significantly expanding the attack surface available to cybercriminals.
- Keeping software, firmware, and applications updated with the recent patches and mitigations released by official vendors is necessary to prevent attackers from exploiting vulnerabilities.
- Utilize Software Bill of Materials (SBOM) to gain more visibility into assets.
- Implement proper network segmentation to prevent attackers from performing lateral movement and minimize exposure of critical assets over the internet.
- Install physical controls so that no unauthorized personnel can access your devices, components, peripheral equipment, and networks.
- Regular audits, vulnerability assessments, and pentesting exercises are key to finding security loopholes that attackers may exploit.
- Continuous monitoring and logging can help in detecting network anomalies early.
- Implement access control measures, such as security gates, ID cards, and biometric scanners, to restrict access to critical infrastructure assets.
- Establish and maintain physical security policies and procedures to safeguard critical infrastructure assets.
- Collaborate with law enforcement and other government agencies to share information and intelligence about potential threats to critical infrastructure assets.