This is the 9th topic of “OT Hunt”. These topics expose ICS/OT devices that are connected to the internet. The goal is to build an awareness for the ICS community. This kind of research is also a warning message for asset owners and ICS/OT vendors to secure their their assets’ attack surfaces.
In this article, my targets are SCADAPack and SCADAPack RemoteConnect. SCADAPack is an industrial controller (RTU) used for monitoring and controlling industrial processes in SCADA systems. SCADAPack RemoteConnect provides secure and reliable remote access and communication capabilities.
The following keywords/dorks I used to search for SCADAPack and SCADAPack RemoteConnect on Shodan search engine simultaneously , please check out my ICS-OT-iIoT dorks project at GitHub:
SCADAPackRemoteConnect RTUThe search for SCADAPack yielded 21 devices. Shodan didn’t tagged them as “ICS”. While SCADAPack RemoteConnect yielded 3 devices and tagged as “ICS”. The common port for SCADAPack RTU is:
17185 / UDPSCADAPack RemoteConnect has a web server for configuration and system control, accessible on the following port:
10443 TCP
http://ip-address/cgi-bin/webif/system-info.sh
Many SCADApack hosts have 2 industrial ports Modbus 502 and/or Dnp3 20000. The OS of SCADApack RTU is VxWorks. VxWorks is an embedded real-time operating system (RTOS) , used in SCADApack controllers and other industrial devices. However there are issues with previous VxWorks versions – which run on a UDP port: 17185 – such as: debug service enabled by Default, which could result in information disclosure or denial-of-service attack.
ICSA-10-214-01SCADAPack RemoteConnect also has some issues for previous versions such as buffer overflow and path traversal.
ICSA-22-223-03
ICSA-21-259-02That’s it for today’s topic. Happy hacking !