{"id":1480,"date":"2024-04-22T18:13:57","date_gmt":"2024-04-22T15:13:57","guid":{"rendered":"https:\/\/zerontek.com\/zt\/?p=1480"},"modified":"2024-04-22T18:13:57","modified_gmt":"2024-04-22T15:13:57","slug":"ot-hunt-analyzing-codesys-security-with-mitre-t0886","status":"publish","type":"post","link":"https:\/\/zerontek.com\/zt\/2024\/04\/22\/ot-hunt-analyzing-codesys-security-with-mitre-t0886\/","title":{"rendered":"OT Hunt: Analyzing CODESYS Security with MITRE T0886"},"content":{"rendered":"\n<p>Welcome to the 15th installment of &#8220;<strong><a href=\"https:\/\/zerontek.com\/zt\/category\/ot-hunt\/\" target=\"_blank\" rel=\"noreferrer noopener\">OT Hunt<\/a><\/strong>&#8221;, where we delve into the world of ICS\/OT devices connected to the internet. The primary aim of this series is to raise awareness within the ICS community and serve as a wake-up call for both asset owners and ICS\/OT vendors to fortify their assets against potential cyber threats.<\/p>\n\n\n\n<p>Today, we&#8217;ll be focusing our attention on assessing the security posture of CODESYS using MITRE ATT&amp;CK for ICS, with a specific emphasis on the remote services technique <strong><a href=\"https:\/\/attack.mitre.org\/techniques\/T0886\/\" target=\"_blank\" rel=\"noreferrer noopener\">T0886<\/a><\/strong>.<\/p>\n\n\n\n<p>Why is this investigation crucial? Remote services such as RDP, Telnet, SSH, and FTP play a pivotal role in enabling operators to interact with systems from a distance. 
Notably, certain services like RDP and VNC facilitate GUI execution on devices like HMIs.<\/p>\n\n\n\n<p>To kick off our exploration, I turned to <a href=\"https:\/\/search.censys.io\/\" target=\"_blank\" rel=\"noreferrer noopener\">Censys<\/a> as my search engine of choice and initiated the process with a targeted dork:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>services.service_name='CODESYS'<\/code><\/pre>\n\n\n\n<p>For additional dorks tailored for identifying ICS\/OT devices on Censys, you can refer to my <a href=\"https:\/\/github.com\/selmux\/ICS-Security\/blob\/main\/ICS-OT-IoT%20dorks\/ICS-censys\" target=\"_blank\" rel=\"noreferrer noopener\">GitHub<\/a> repository or utilize my tool, ICSRank, available at <a href=\"https:\/\/www.icsrank.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">icsrank.com<\/a>.<\/p>\n\n\n\n<p>The initial search yielded approximately 3,000 hosts. To narrow down our investigation and identify the specific remote services running on CODESYS hosts, I employed a series of filters. 
First up was the FTP service, for which the query was:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>(services.service_name=CODESYS) and services.service_name='FTP'<\/code><\/pre>\n\n\n\n<p>Alarmingly, several hosts had open FTP ports, with many configured to accept an admin login without requiring a password.<\/p>\n\n\n\n<p>Next, I turned my attention to Telnet, using the filter:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>(services.service_name=CODESYS) and services.service_name='TELNET'<\/code><\/pre>\n\n\n\n<p>Once again, I discovered open Telnet ports, leaving these hosts vulnerable to unauthorized connections without any firewall protections.<\/p>\n\n\n\n<p>Lastly, I investigated SSH with the filter:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>(services.service_name=CODESYS) and services.service_name='SSH'<\/code><\/pre>\n\n\n\n<p>To my dismay, SSH ports were also accessible without adequate security measures in place, and to exacerbate matters, the root user was enabled, leaving the system susceptible to brute-force attacks.<\/p>\n\n\n\n<p>It&#8217;s important to note that FTP, Telnet and SSH are just some of the remote services used in ICS\/OT environments. Others, such as VNC, SMB, and more, warrant exploration in future articles.<\/p>\n\n\n\n<p>The importance of assessing the attack surface of ICS\/OT environments using the MITRE ICS Matrix cannot be overstated. Asset owners are encouraged to adhere to the mitigations outlined on the MITRE website (<a href=\"https:\/\/attack.mitre.org\/techniques\/T0886\/\">https:\/\/attack.mitre.org\/techniques\/T0886\/<\/a>) to bolster their defenses against potential threats.<\/p>\n\n\n\n<p>In closing, I invite you to explore our project, <a href=\"https:\/\/www.icsrank.com\/\">ICSRank<\/a>\u2014a unique tool tailored for the ICS\/OT domain, exemplifying our commitment to enhancing ICS\/OT cybersecurity. 
With its capabilities to Discover, Assess, and Secure, ICSRank stands as a vital resource in fortifying ICS\/OT environments against cyber threats.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to the 15th installment of &#8220;OT Hunt&#8221; where we delve into the world of ICS\/OT devices connected to the internet. The primary aim of this series is to raise awareness within the ICS community and serve as a wake-up call for both asset owners and ICS\/OT vendors to fortify their assets against potential cyber [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":1495,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[246,198,3,138,81,168,48],"tags":[247,254,7,13,6,75,80,12,169,47],"class_list":["post-1480","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-censys","category-codesys","category-ics-security","category-mitre-ics","category-osint","category-ot-hunt","category-ot-security","tag-censys","tag-codesys","tag-cyber-security","tag-ics","tag-ics-security","tag-icsrank","tag-osint","tag-ot","tag-ot-hunt","tag-ot-security"],"_links":{"self":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1480","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/comments?post=1480"}],"version-history":[{"count":15,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1480\/revisions"}],"predecessor-version":[{"id":1496,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1480\/revisions\/1496"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media\/1495"}],"wp:attachment":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media?parent=1480"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/categories?post=1480"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/tags?post=1480"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}