Issues with Wireless IIoT

Cyber threat researchers have identified 38 security vulnerabilities in wireless industrial internet of things (IIoT) devices from four vendors that together present a significant attack surface for threat actors targeting operational technology (OT) environments.  Attackers can exploit these vulnerabilities to gain initial access to internal OT networks, bypass security layers, and infiltrate target networks, putting critical infrastructure at risk or interrupting manufacturing.[1]

The flaws can offer a remote entry point for attack, enabling unauthenticated adversaries to gain a foothold and use it as leverage to spread to other hosts, thereby causing serious damage.  Some identified shortcomings could be chained to give an external actor direct access to thousands of internal OT networks over the internet.

Three of the 38 defects affect ETIC Telecom's Remote Access Server (RAS) (CVE-2022-3703, CVE-2022-41607, and CVE-2022-40981) and could be abused to take complete control of susceptible devices.  Five other vulnerabilities affect the InHand Networks InRouter 302 and InRouter 615 and, if exploited, could result in command injection, information disclosure, and code execution.

Specifically, the InHand attack chain takes advantage of issues in the vendor's "Device Manager" cloud platform, which lets operators perform remote actions such as configuration changes and firmware upgrades, to compromise every cloud-managed InRouter device with root privileges.

Also identified are two weaknesses in the Sierra Wireless AirLink router (CVE-2022-46649 and CVE-2022-46650) that could allow disclosure of sensitive information and remote code execution.  The remaining flaws are still under responsible disclosure.   The findings underscore how OT networks are put at risk when IIoT devices are made directly accessible from the internet, effectively creating a "single point of failure" that bypasses all other security protections.

Alternatively, local attackers can break into industrial Wi-Fi access points and cellular gateways by targeting the on-site Wi-Fi or cellular channels, leading to Adversary-in-the-Middle (AitM) scenarios with major potential impact.  These attacks range from exploiting weak encryption schemes to coexistence attacks against the combination Wi-Fi/Bluetooth chips widely used in electronic devices.

To add to their success, threat actors can utilize platforms like WiGLE, a database of different wireless hotspots worldwide, to identify high-value industrial environments, physically locate them, and exploit the access points from proximity.

As for countermeasures, it is recommended to disable insecure encryption schemes (open networks, WEP, and WPA/WPA2 with TKIP), hide Wi-Fi network names (with the caveat that a hidden SSID only removes the name from beacon frames; clients still disclose it in probe requests, so treat this as hygiene rather than a control), disable unused cloud management services, and take steps to prevent devices from being publicly accessible, for example by allowing management interfaces to be reached only over a VPN from trusted networks.  The low complexity of exploitation, combined with the broad potential impact, makes wireless IIoT devices and their cloud-based management platforms an enticing target for attackers looking to breach industrial environments.
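The countermeasures above are easiest to enforce as an automated audit of each gateway's exported configuration. The following script is an added illustrative example, not code from Red Sky Alliance or from any gateway vendor: it assumes a simple JSON-like export with `wifi`, `cloud_management`, `wan_services` and `trusted_networks` keys (an assumed schema; map it onto your device's real export) and flags insecure Wi-Fi encryption, broadcast SSIDs, cloud management that is enabled but unused, and management or OT services reachable from untrusted networks on the WAN side.

```python
"""Audit a wireless IIoT gateway configuration against the countermeasures
discussed above: insecure Wi-Fi encryption, unused cloud management left
enabled, and management/OT services exposed to the internet.

Added illustrative example; not code from Red Sky Alliance, the researchers,
or any gateway vendor. The configuration schema is an assumption for the
example; adapt the keys to your device's real export format.
"""
import ipaddress
from dataclasses import dataclass

# Wi-Fi security modes that leave traffic open to on-site attackers.
INSECURE_WIFI_MODES = {"open", "wep", "wpa-tkip", "wpa2-tkip"}
# Services that become a remote entry point when reachable from the WAN.
WAN_SENSITIVE_SERVICES = {"http", "https", "ssh", "telnet", "snmp", "modbus"}
SEVERITY_ORDER = {"high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    severity: str
    check: str
    detail: str


def _is_unrestricted(allow_from: str, trusted: list) -> bool:
    """True when an ACL source means 'anyone' or lies outside the trusted networks."""
    if allow_from.lower() in {"any", "0.0.0.0/0", "::/0"}:
        return True
    try:
        src = ipaddress.ip_network(allow_from, strict=False)
    except ValueError:
        return True  # unparsable ACL: treat as exposed rather than silently passing
    return not any(src.version == t.version and src.subnet_of(t) for t in trusted)


def audit_gateway(config: dict) -> list:
    """Return findings sorted by severity (highest first)."""
    findings = []
    trusted = [ipaddress.ip_network(n, strict=False)
               for n in config.get("trusted_networks", [])]

    # 1. Weak or absent encryption on industrial Wi-Fi.
    for ap in config.get("wifi", []):
        mode = str(ap.get("security", "open")).lower()
        if mode in INSECURE_WIFI_MODES:
            findings.append(Finding("high", "insecure_wifi_encryption",
                f"SSID {ap.get('ssid')!r} uses {mode}; move to WPA2-AES or WPA3"))
        if not ap.get("hidden_ssid", False):
            # Hiding the SSID only removes it from beacons; clients still leak it
            # in probe requests, so this is hygiene, not a control.
            findings.append(Finding("info", "ssid_broadcast",
                f"SSID {ap.get('ssid')!r} is broadcast; hiding it reduces casual discovery only"))

    # 2. Cloud management enabled but unused: a remote path to root on every device.
    cloud = config.get("cloud_management", {})
    if cloud.get("enabled") and not cloud.get("in_use"):
        findings.append(Finding("medium", "unused_cloud_management",
            "cloud management service is enabled but not in use; disable it"))

    # 3. Management or OT protocols reachable from untrusted networks on the WAN side.
    for svc in config.get("wan_services", []):
        name = str(svc.get("service", "")).lower()
        src = str(svc.get("allow_from", "any"))
        if name in WAN_SENSITIVE_SERVICES and _is_unrestricted(src, trusted):
            findings.append(Finding("high", "wan_exposed_service",
                f"{name}/{svc.get('port')} reachable from {src}; restrict to VPN or trusted networks"))

    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity], reverse=True)
    return findings


def severity_counts(findings) -> dict:
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample export (not a real device); exercises every check above.
SAMPLE_CONFIG = {
    "device": "industrial-gateway-01",
    "trusted_networks": ["10.20.0.0/16"],
    "wifi": [
        {"ssid": "PLANT-OT", "security": "wpa2-tkip", "hidden_ssid": False},
        {"ssid": "PLANT-OT-5G", "security": "wpa3", "hidden_ssid": True},
    ],
    "cloud_management": {"enabled": True, "in_use": False},
    "wan_services": [
        {"service": "https", "port": 443, "allow_from": "any"},
        {"service": "ssh", "port": 22, "allow_from": "10.20.0.0/16"},
        {"service": "modbus", "port": 502, "allow_from": "203.0.113.0/24"},
    ],
}

if __name__ == "__main__":
    for f in audit_gateway(SAMPLE_CONFIG):
        print(f"[{f.severity:<6}] {f.check}: {f.detail}")
```

Run against the constructed sample, the audit reports three high findings (TKIP on the plant SSID, HTTPS management open to anyone, Modbus reachable from a non-trusted range), one medium finding for the idle cloud-management service, and one informational note about the broadcast SSID; SSH limited to the trusted 10.20.0.0/16 range is not flagged. Unparsable ACL sources are deliberately treated as exposed so that a typo in a firewall rule fails loudly rather than passing silently.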

The development also comes as researchers disclosed details of two high-severity flaws in Siemens Automation License Manager (CVE-2022-43513 and CVE-2022-43514) that could be combined to gain remote code execution and privilege escalation.  The bugs were patched by Siemens in January 2023, but did you?

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or             

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings  