{"id":1029,"date":"2022-12-20T11:09:10","date_gmt":"2022-12-20T08:09:10","guid":{"rendered":"https:\/\/zerontek.com\/zt\/?p=1029"},"modified":"2022-12-21T18:58:09","modified_gmt":"2022-12-21T15:58:09","slug":"ot-hunt-wago-plc-750-88x","status":"publish","type":"post","link":"https:\/\/zerontek.com\/zt\/2022\/12\/20\/ot-hunt-wago-plc-750-88x\/","title":{"rendered":"OT Hunt: WAGO PLC 750-88x"},"content":{"rendered":"\n<p>This is the 3rd topic of \u201c<a rel=\"noreferrer noopener\" href=\"https:\/\/zerontek.com\/zt\/category\/ot-hunt\/\" target=\"_blank\">OT Hunt<\/a>\u201d. These topics expose ICS\/OT devices that are connected to the internet. The goal is to build an awareness for the ICS community. This kind of research is also a warning message for asset owners and ICS\/OT vendors to secure their their assets\u2019 attack surfaces.<\/p>\n\n\n\n<p>The following keywords\/dorks I used to search for WAGO on Shodan search engine, please check out my <a href=\"https:\/\/github.com\/selmux\/ICS-Security\/blob\/main\/dorks\/wago-shodan\" target=\"_blank\" rel=\"noreferrer noopener\">ICS dorks project<\/a> at GitHub:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Product name: WAGO<\/code><\/pre>\n\n\n\n<p>This search yielded 41 online WAGO devices. The results also showed \u201cICS\u201d tag for each device (based on Shodan). In this research I focused on WAGO 750-88x . There are other WAGO products  that are tagged as &#8220;ICS&#8221; in Shodan. I will cover them in the future. The common port for this WAGO PLC is:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>44818 TCP\/UDP<\/code><\/pre>\n\n\n\n<p>WAGO PLC 750-88x and 750-87x  is vulnerable and is listed on <a rel=\"noreferrer noopener\" href=\"https:\/\/www.cisa.gov\/uscert\/ics\/advisories\/ICSA-19-106-02\" target=\"_blank\">US-Cert ICS advisory<\/a>. There is a risky vulnerability (hard-coded credentials) with a CVSS v3 score of 9.8. This vulnerability allows an attacker to change device settings , lock device access  and get an ftp access. <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ICSA-19-106-02<\/code><\/pre>\n\n\n\n<p>I found web servers (interfaces) for some of these devices , the interfaces are used for managing WAGO PLC settings and viewing status information. I also found an web interface &#8220;StruxureWare&#8221; by Schneider Electric that is used for power management. <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>http:&#47;&#47;ip-address\/wbm\/index.php\nhttp:\/\/ip-address\/plc\/webvisu.htm\nhttp:\/\/ip-address\/login\/login.html <\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"562\" src=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2022\/12\/wago-1024x562.jpg\" alt=\"\" class=\"wp-image-1039\" srcset=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2022\/12\/wago-1024x562.jpg 1024w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2022\/12\/wago-300x165.jpg 300w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2022\/12\/wago-768x421.jpg 768w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2022\/12\/wago-1536x842.jpg 1536w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2022\/12\/wago-2048x1123.jpg 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"718\" src=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2022\/12\/str-se-1024x718.jpg\" alt=\"\" class=\"wp-image-1040\" srcset=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2022\/12\/str-se-1024x718.jpg 1024w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2022\/12\/str-se-300x210.jpg 300w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2022\/12\/str-se-768x538.jpg 768w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2022\/12\/str-se-1536x1077.jpg 1536w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2022\/12\/str-se.jpg 1789w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>That\u2019s it for this for today\u2019s topic. Stay safe.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Reference:<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.wago.com\/global\/plcs-%E2%80%93-controllers\/controller-modbus-tcp\/p\/750-890\">https:\/\/www.wago.com\/global\/plcs-%E2%80%93-controllers\/controller-modbus-tcp\/p\/750-890<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.se.com\/us\/en\/product-range\/61280-struxureware-power-monitoring-expert\/#overview\">https:\/\/www.se.com\/us\/en\/product-range\/61280-struxureware-power-monitoring-expert\/#overview<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>This is the 3rd topic of \u201cOT Hunt\u201d. These topics expose ICS\/OT devices that are connected to the internet. The goal is to build an awareness for the ICS community. This kind of research is also a warning message for asset owners and ICS\/OT vendors to secure their their assets\u2019 attack surfaces. The following keywords\/dorks [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[170,4,3,76,81,168,48,67,23,5,174],"tags":[7,13,6,75,12,47,20,175,27],"class_list":["post-1029","post","type-post","status-publish","format-standard","hentry","category-attack-surface","category-cyber-security","category-ics-security","category-icsrank","category-osint","category-ot-hunt","category-ot-security","category-plc","category-shodan","category-vendors","category-wago","tag-cyber-security","tag-ics","tag-ics-security","tag-icsrank","tag-ot","tag-ot-security","tag-shodan","tag-wago-plc","tag-zerontek"],"_links":{"self":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1029","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/comments?post=1029"}],"version-history":[{"count":13,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1029\/revisions"}],"predecessor-version":[{"id":1046,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1029\/revisions\/1046"}],"wp:attachment":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media?parent=1029"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/categories?post=1029"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/tags?post=1029"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}