{"id":1523,"date":"2024-07-24T10:48:27","date_gmt":"2024-07-24T07:48:27","guid":{"rendered":"https:\/\/zerontek.com\/zt\/?p=1523"},"modified":"2024-09-30T12:47:15","modified_gmt":"2024-09-30T09:47:15","slug":"how-to-find-and-probe-enco-plcs-on-the-internet-just-like-frostygoop-malware","status":"publish","type":"post","link":"https:\/\/zerontek.com\/zt\/2024\/07\/24\/how-to-find-and-probe-enco-plcs-on-the-internet-just-like-frostygoop-malware\/","title":{"rendered":"How to Find and Probe ENCO PLCs on the Internet Just Like FrostyGoop malware"},"content":{"rendered":"\n

Welcome to the 17th installment of \u201cOT Hunt<\/a>\u201d where we delve into the world of ICS\/OT devices connected to the internet. The primary aim of this series is to raise awareness within the ICS community and serve as a wake-up call for both asset owners and ICS\/OT vendors to fortify their assets against potential cyber threats.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Today’s target is the ENCO Control<\/a>, a PLC made by Eco Therm Services, a Romanian company. Enco Control is designed as controller for process control in district heating \/ hot water and ventilation systems. This PLC was the target of the FrostyGoop<\/a> malware, which a group launched against a Ukrainian energy company in January 2024. The attackers gained access to the company network through a router.<\/p>\n\n\n\n

Naturally, I became curious to find out if these PLCs are present on the internet. It\u2019s a habit of mine to always dig into ICS devices online. This time, I used Shodan and Zoomeye to find ENCO Control.<\/p>\n\n\n\n

To find ENCO Control on Shodan, I used the following dork:<\/p>\n\n\n\n

ENCO port:23<\/code><\/pre>\n\n\n\n
There are 38 PLCs, most of them located in Romania, Ukraine, and Lithuania.<\/p>\n\n\n\n
Similarly, I used this filter in Zoomeye , 107 PLCs  exist:<\/p>\n\n\n\n
enco +port:23<\/code><\/pre>\n\n\n\n
These PLCs have Telnet (port 23) open, which is used for remote connection. I discovered an alarmingly weak configuration<\/strong>; some hosts allow instant access to the server without credentials. Not only that, but they also allow you to use the system commands that are used for administering the PLC.<\/p>\n\n\n\n
The display message has a screen with a title “ENCO Control Telnet Server v1.00” and a list of management commands. Here\u2019s a snapshot of the commands .<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Let’s explore some built-in commands that you can use through the Telnet console:<\/p>\n\n\n\n
To list TCP statistics, type tcpstat<\/code>.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
To list Ethernet connections, type ethr<\/code>.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
To list existing sensors and their temperatures, type owire.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
To get an idea of analogue inputs, type io<\/code>.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
And a few other commands. Attention! Some of the commands, I think, have administrative role permissions such as disconnect ip<\/code> and change output<\/code>. These, I believe, might have critical impacts, such as disconnecting a device or changing an output.<\/p>\n\n\n\n
Asset owners, if you are reading this article, please make sure to put access control for this Telnet service and\/or put a firewall. If you know organizations that use this PLC, please share this article with them. Stay safe.<\/p>\n\n\n\n
Conclusion:<\/strong><\/p>\n\n\n\n
In closing, I invite you to explore our project, ICSRank<\/a> \u2014 a unique tool tailored for the ICS\/OT domain, exemplifying our commitment to enhancing ICS\/OT cybersecurity. With its capabilities to Discover, Assess, and Secure, ICSRank stands as a vital resource in fortifying ICS\/OT environments against cyber threats.<\/p>\n","protected":false},"excerpt":{"rendered":"
Welcome to the 17th installment of \u201cOT Hunt\u201d where we delve into the world of ICS\/OT devices connected to the internet. The primary aim of this series is to raise awareness within the ICS community and serve as a wake-up call for both asset owners and ICS\/OT vendors to fortify their assets against potential cyber […]<\/p>\n","protected":false},"author":2,"featured_media":1537,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[170,4,256,258,3,14,81,168,48,67,23,238],"tags":[7,257,13,6,12,169,47,20,259,27],"class_list":["post-1523","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-attack-surface","category-cyber-security","category-enco-control","category-frostygoop","category-ics-security","category-malware","category-osint","category-ot-hunt","category-ot-security","category-plc","category-shodan","category-zoomeye","tag-cyber-security","tag-frostygoop","tag-ics","tag-ics-security","tag-ot","tag-ot-hunt","tag-ot-security","tag-shodan","tag-ukraine","tag-zerontek"],"_links":{"self":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1523","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/comments?post=1523"}],"version-history":[{"count":12,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1523\/revisions"}],"predecessor-version":[{"id":1542,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1523\/revisions\/1542"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media\/1537"}],"wp:attachment":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media?parent=1523"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/categories?post=1523"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/tags?post=1523"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}