{"id":1013,"date":"2022-11-10T12:53:09","date_gmt":"2022-11-10T09:53:09","guid":{"rendered":"https:\/\/zerontek.com\/zt\/?p=1013"},"modified":"2022-11-10T18:01:08","modified_gmt":"2022-11-10T15:01:08","slug":"ot-hunt-moxa-nport","status":"publish","type":"post","link":"https:\/\/zerontek.com\/zt\/2022\/11\/10\/ot-hunt-moxa-nport\/","title":{"rendered":"OT Hunt: Moxa Nport"},"content":{"rendered":"\n<p>This is the second topic of &#8220;<a rel=\"noreferrer noopener\" href=\"https:\/\/zerontek.com\/zt\/category\/ot-hunt\/\" target=\"_blank\">OT Hunt<\/a>&#8221;. These topics expose ICS\/OT devices that are connected to the internet. The goal is to build awareness for the ICS community. This kind of research is also a warning message for asset owners and ICS\/OT vendors to secure their assets&#8217; attack surfaces. <\/p>\n\n\n\n<p>I used the following keywords\/dorks to search for Moxa on the Shodan search engine; please check out my <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/selmux\/ICS-Security\/blob\/main\/dorks\/moxa-shodan\" target=\"_blank\">ICS dorks project<\/a> on GitHub: <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>moxa product:\"Moxa Nport\"  <\/code><\/pre>\n\n\n\n<p>This search yielded 6,164 online Moxa devices. The results also showed an &#8220;ICS&#8221; tag for each device (based on Shodan). In this research I focused on &#8220;Moxa Nport&#8221; and, to be precise, &#8220;MOXA NPort 5110&#8221;, because it&#8217;s used heavily in ICS\/OT. The common port for this device is:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code> 4800\/UDP<\/code><\/pre>\n\n\n\n<p>Moxa Nport 5110 version is vulnerable and is listed in a <a rel=\"noreferrer noopener\" href=\"https:\/\/www.cisa.gov\/uscert\/ics\/advisories\/icsa-22-207-04\" target=\"_blank\">US-Cert ICS advisory<\/a>. There are 2 risky vulnerabilities with CVSS v3 scores of 8.2 and 7.5 respectively. 
<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ICSA-22-207-04<\/code><\/pre>\n\n\n\n<p>Moxa Nport is a server that is used to connect serial devices in an ICS\/OT environment. There is an admin web interface and I found it online. See the image. <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>http:&#47;&#47;ip-address\/moxa\/Login.htm<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"885\" height=\"343\" src=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2022\/11\/moxa.jpg\" alt=\"\" class=\"wp-image-1019\" srcset=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2022\/11\/moxa.jpg 885w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2022\/11\/moxa-300x116.jpg 300w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2022\/11\/moxa-768x298.jpg 768w\" sizes=\"auto, (max-width: 885px) 100vw, 885px\" \/><\/figure>\n\n\n\n<p>That&#8217;s it for today&#8217;s topic. Stay safe. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Reference:<\/h2>\n\n\n\n<p><a href=\"https:\/\/www.moxa.com\/en\/products\/industrial-edge-connectivity\/serial-device-servers\/general-device-servers\/nport-5100-series\/nport-5110\">https:\/\/www.moxa.com\/en\/products\/industrial-edge-connectivity\/serial-device-servers\/general-device-servers\/nport-5100-series\/nport-5110<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is the second topic of &#8220;OT Hunt&#8221;. These topics expose ICS\/OT devices that are connected to the internet. The goal is to build awareness for the ICS community. This kind of research is also a warning message for asset owners and ICS\/OT vendors to secure their assets&#8217; attack surfaces. 
The following [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[170,4,3,76,172,81,168,48,23,5],"tags":[7,13,6,75,173,12,169,47,20],"class_list":["post-1013","post","type-post","status-publish","format-standard","hentry","category-attack-surface","category-cyber-security","category-ics-security","category-icsrank","category-moxa","category-osint","category-ot-hunt","category-ot-security","category-shodan","category-vendors","tag-cyber-security","tag-ics","tag-ics-security","tag-icsrank","tag-moxa-nport","tag-ot","tag-ot-hunt","tag-ot-security","tag-shodan"],"_links":{"self":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1013","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/comments?post=1013"}],"version-history":[{"count":13,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1013\/revisions"}],"predecessor-version":[{"id":1027,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1013\/revisions\/1027"}],"wp:attachment":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media?parent=1013"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/categories?post=1013"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/tags?post=1013"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}