We can’t protect what we can’t see
On February 09, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory about high-severity vulnerabilities affecting web-enabled industrial Input/Output (I/O) controllers.
An industrial I/O controller typically has several inputs and outputs that can be connected to various sensors and actuators, such as switches, buttons, lights, motors, and temperature sensors. They are designed to handle the harsh environment and conditions typically found in industrial settings, such as extreme temperatures, vibration, electrical noise, etc.
The details of the vulnerability as per the advisory release are given in the table below.
| Field | Details |
| --- | --- |
| Vendor | Control by Web |
| Affected Product | X-400 (all firmware versions prior to 2.8), X-600M (all firmware versions prior to 1.16.00) |
| Vulnerabilities | Cross-Site Scripting, Code Injection |
| Patch Link | Patch link released by the vendor for X-400: Link; patch link released by the vendor for X-600M: Link |
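As an added example (not from the advisory or the vendor), the following Python script takes an asset inventory and flags controllers whose firmware predates the fixed versions in the table above, splitting them by internet exposure so isolation and patching can be prioritised; the inventory layout and hostnames are assumptions.

```python
"""Flag ControlByWeb controllers whose firmware predates the fixed versions
named in the advisory (X-400 < 2.8, X-600M < 1.16.00). Added example."""
import re

# Fixed versions from the advisory table: anything lower is affected.
FIXED_VERSIONS = {
    "X-400": "2.8",
    "X-600M": "1.16.00",
}

def parse_version(text):
    """Turn '1.16.00' into (1, 16, 0) so versions compare numerically."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(model, firmware):
    """True when the model is in the advisory and its firmware predates the fix.
    Models not in the advisory return False (not covered, not 'safe')."""
    fixed = FIXED_VERSIONS.get(model.upper())
    if fixed is None:
        return False
    return parse_version(firmware) < parse_version(fixed)

def triage_inventory(rows):
    """rows: (hostname, model, firmware, internet_exposed) tuples.
    Returns affected hosts split into internet-exposed and internal-only,
    so isolation and patching can be prioritised by exposure."""
    exposed, internal = [], []
    for host, model, fw, public in rows:
        if is_affected(model, fw):
            (exposed if public else internal).append((host, model, fw))
    return exposed, internal

# Constructed sample inventory (assumed layout and hostnames, not real devices).
SAMPLE_INVENTORY = [
    ("pump-ctl-01", "X-400", "2.7", True),
    ("pump-ctl-02", "X-400", "2.8", True),
    ("hvac-io-01", "X-600M", "1.15.02", False),
    ("hvac-io-02", "X-600M", "1.16.00", True),
    ("gate-relay-01", "WebRelay", "1.0", True),
]

if __name__ == "__main__":
    exposed, internal = triage_inventory(SAMPLE_INVENTORY)
    print("affected and internet-exposed:", exposed)
    print("affected, internal only:", internal)
```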
Industrial I/O controllers are essential components in many industrial automation and control systems, as they provide a convenient way to manage communication and interaction between various devices. They play a crucial role in increasing efficiency, reducing downtime, and improving the overall performance of industrial processes.
Being web-enabled, the affected products do not require additional software or hardware and can be easily programmed and configured by writing BASIC Script. Hence, they do not require special programming skills, unlike Programmable Logic Controllers (PLCs). This feature makes it convenient for programmers and operators to create logic that controls various operations within the factory/plant/site, depending upon the product and desired output.
At the same time, if a malicious TA can exploit or gain access to I/O controllers, they could manipulate the BASIC Script and other key parameters that are essential for smooth operations and safety within the ICS environment.
Both products are intended for use in a wide variety of commercial and industrial applications. These modules can be programmed to function as standalone devices or as components of a larger system.
These controllers can be used to control or monitor the following:
- Alarm sensors
- Fluid level switches
- Battery voltage
- Server room monitoring
- Security automation
- Automatic reboots
This demonstrates their wide range of uses inside the ICS ecosystem.
The features, including scheduling, logging, input status monitoring, and the ability to share I/O amongst devices, make the X4xx Series controllers extremely powerful while remaining simple.
The image below shows an X-400 used to control a series of lights.
The X-600M can be configured using simple menus and drop-down lists. Its features include scheduling, logging, input state monitoring, and the ability to control external relays on other devices, etc.
As the vulnerabilities in web-based industrial I/O controllers can be exploited remotely, the Cyble Research and Intelligence (CRIL) team further investigated the exposure and impact of attacks on I/O controllers.
In Critical Infrastructure (CI) sectors, the I/O controllers are responsible for multiple critical tasks to maintain the desired operational parameters.
In the Energy sector, I/O controllers can be used to monitor and control power generation, transmission, and distribution systems.
In the Transportation sector, they can be used to manage traffic signals, railway signaling, and airport ground control systems.
In the Manufacturing sector, I/O controllers are used to control assembly lines, material handling systems, and robotic automation.
These critical devices and the interfaces used to manage these devices play an important role in safeguarding National Services. However, due to the lack of network segmentation, misconfigurations, lack of visibility into assets, and lack of cybersecurity awareness among operators, I/O controllers can be exposed over the internet. This makes them an easy target for Threat Actors (TAs) looking to disrupt the CI sector of the target organization/country.
The CRIL team observed multiple instances of web-enabled I/O controllers exposed over the internet. Product-wise details are given below.
WebRelay is an electro-mechanical relay that has a built-in web server that can be controlled via the internet or intranet. It has an optically isolated input that can monitor the state of devices, control the local relay, or even control a remote relay somewhere else on the network.
The figure below shows a WebRelay instance controlling a motor.
Exposure of WebRelay
One online scanner indicates that there are around 908 exposed instances of WebRelay globally. The geographical distribution of exposed WebRelay instances is shown in the figure below. The majority of instances are from Sweden, the United States, and Canada.
During the investigation, it was found that most of the exposed WebRelays are still being operated on Factory Default Credentials. Below is a screenshot from one such instance.
WebRelay-Dual offers two optically separated inputs for simple monitoring of discrete (digital) signals, such as machine alarm outputs, security sensors, switches, etc.
The optically separated inputs can also be utilized to operate relays (on/off, pulse, toggle, latch), either locally or at a remote location.
The figure below shows a Programmable Logic Controller (PLC) controlling the motor.
Exposure of WebRelay-Dual
An online scanner shows that there are around 264 exposed instances of WebRelay-Dual globally. The geographical distribution of exposed WebRelay-Dual instances is shown in the figure below.
The majority of instances are from the United States, Australia, and Canada.
During our investigation, it was found that most of the exposed WebRelay-Dual instances are still being operated on factory default credentials.
Below is a screenshot from one such instance.
Many industries in the CI sector utilize WebRelay-Quad for hundreds of applications such as industrial control, security, remote control, remote reset, and many other applications that require remote relay control.
It contains four low-signal relays, and each relay may be remotely activated, deactivated, or pulsed by utilizing the built-in web pages or by executing custom scripts from a computer or specialized controller.
Exposure of WebRelay-Quad
An online scanner shows around 155 exposed instances of WebRelay-Quad globally. The geographical distribution of exposed WebRelay-Quad instances is shown in the figure below.
The majority of instances are from the United States, Australia, and Canada.
During the investigation, it was found that most of the exposed WebRelay-Quad instances are still being operated on factory default credentials. Given below is a screenshot from one such instance.
The WebRelay Wireless is appropriate for situations where electrical equipment must be controlled and temperature or switch-closure sensors must be monitored, but the Ethernet cable is inaccessible or impractical to install.
The figure below depicts the use of WebRelay wireless to control physical barriers such as gates installed at CI.
Exposure of WebRelay-Wireless
An online scanner indicates around 34 exposed instances of WebRelay-Wireless globally. The geographical distribution of exposed WebRelay-Wireless instances is shown in the figure below.
The majority of instances are from the United States and Greece.
During the investigation, it was found that most of the exposed WebRelay-Wireless instances are still being operated on factory default credentials.
Given below is a screenshot from one such instance.
Impact of Exploiting Web-Enabled Industrial I/O Controllers and Relays
An authenticated malicious attacker can change the logic responsible for operating the devices connected to the relay by uploading a corrupt BASIC Script (figure below). This creates a major safety concern for engineers working near heavy machinery and critical facilities.
With access to web-enabled I/O controllers, an attacker can gain further insight into facility processes, assets, firmware, etc. This reconnaissance activity can help a TA launch further attacks on the victim organization.
A TA targeting the ICS operations of the target organization can manipulate and retrieve details about the network settings (as shown in the figure), which might halt controller operations; for example, a Denial of Service (DoS) attack via CVE-2018-18881.
TAs might manipulate log settings (figure), which might hinder forensic investigations in case of a successful cyber-attack, as the devices can be configured to record data such as sensor readings and changes in the I/O state.
TAs might manipulate configuration that site operators rely on to understand the status of operations and devices, such as status color, status text, pulse duration, relay state, and alarm parameters (shown below). This can create confusion among site engineers while operating devices.
With the sheer volume of exposed Operational Technology (OT) assets that are still being operated on default credentials, hacktivist groups and TAs with minimal resources and skillsets might disrupt the supply chain of major industries.
With web-enabled I/O controllers being exposed over the internet, organizations overlooking National Services might face operational, monetary, and reputational losses.
As exposed instances are also deployed for physical security, exploiting these devices can bypass security measures at multiple levels.
The internet-exposed instances found during the investigation might be distributed/sold over the Darkweb and Cybercrime forums, which increases the possibility of cyber-attacks multi-fold.
Vendors and state authorities have continuously recommended that ICS asset owners change default passwords and minimize the exposure of assets through proper network segmentation.
However, due to a lack of cybersecurity awareness, lack of visibility into assets, misconfigurations, improper network segmentation, etc., assets such as web-enabled I/O controllers get exposed over the internet and might become a critical attack vector against the ICS sector.
The CRIL team observes extensive scanning and exploitation attempts via its Global Sensor Intelligence networks daily, indicating that TAs are actively scanning internet-exposed ICS assets, protocols, and vendors.
The smooth operation of National Services and CI sectors is critical for the security, economy, and safety of the public within a country. If owners of ICS assets continue to ignore the alerts issued by official vendors and state authorities, this may create chaos in regions and put the safety of ground staff at high risk.
- Implement proper network segmentation to prevent attackers from performing lateral movement and to minimize the exposure of critical assets over the internet.
- Keep critical assets behind properly configured and updated firewalls.
- Utilize a Software Bill of Materials (SBOM) to gain more visibility into assets.
- Keep software, firmware, and applications updated with the latest patches and mitigations released by the official vendor to prevent attackers from exploiting known vulnerabilities.
- Always follow a strong password policy.
- Conduct regular audits, vulnerability assessments, and penetration-testing exercises to find security loopholes that attackers may exploit.
- Keep track of advisories and alerts issued by vendors and state authorities.
- Run cybersecurity awareness training programs for employees within the organization.
All the findings stated in this document have been verified and reviewed via our Enterprise platform, Cyble Vision and HUMINT. These data points and observations are valid and accurate for the period discussed in the report and publication time. Cyble is not liable for any action(s) taken based on these findings and any ensuing consequences.
This document is created to share our findings and research with the broader cybersecurity community from an academic and knowledge-sharing standpoint. It is in no way an endorsement of the activities described in the report.
It is an amalgamation of our collective research on this subject and is not a direct promotion of our brand, platform, or services. This report can be shared freely for academic or knowledge-sharing purposes, provided that Cyble is mentioned as the source of your findings.