{"id":1565,"date":"2024-09-30T10:07:56","date_gmt":"2024-09-30T07:07:56","guid":{"rendered":"https:\/\/zerontek.com\/zt\/?p=1565"},"modified":"2024-09-30T12:46:49","modified_gmt":"2024-09-30T09:46:49","slug":"how-to-find-water-systems-on-the-internet-a-guide-to-ics-ot-osint","status":"publish","type":"post","link":"https:\/\/zerontek.com\/zt\/2024\/09\/30\/how-to-find-water-systems-on-the-internet-a-guide-to-ics-ot-osint\/","title":{"rendered":"How to Find Water Systems on the Internet: A Guide to ICS\/OT OSINT"},"content":{"rendered":"\n<p><strong>Welcome to the 19th installment of \u201c<a href=\"https:\/\/zerontek.com\/zt\/category\/ot-hunt\/\" target=\"_blank\" rel=\"noreferrer noopener\">OT Hunt<\/a>\u201d<\/strong> where we delve into the world of ICS\/OT devices connected to the internet. The primary aim of this series is to raise awareness within the ICS community and serve as a wake-up call for both asset owners and ICS\/OT vendors to fortify their assets against potential cyber threats.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">OT OSINT Research: Behind the Devices<\/h3>\n\n\n\n<p>Today, I will show you how I perform OT OSINT research and utilize different search engines and techniques to discover internet-connected ICS devices. As promised in previous articles, this time I\u2019ll attempt to uncover what lies behind these devices. Please note, this is my personal effort and could be flawed\u2014but I\u2019ve provided some proofs to back up my findings.<\/p>\n\n\n\n<p>For today\u2019s experiment, we\u2019ll focus on VTScada, a SCADA and HMI software developed by a Canadian company, Trihedral. You can check them out at <a href=\"https:\/\/www.vtscada.com\" target=\"_blank\" rel=\"noreferrer noopener\">vtscada.com<\/a>. VTScada\u2019s \u201cAnywhere Client\u201d is primarily used in the water industry and has a global footprint. 
This type of research directly feeds into our platform, <a href=\"https:\/\/www.icsrank.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">ICSRank.com<\/a>, an ongoing project that updates regularly with more information, aiming to automate the defense efforts for ICS defenders, pentesters, and researchers.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"659\" height=\"328\" src=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/09\/vtscada.jpg\" alt=\"\" class=\"wp-image-1569\" srcset=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/09\/vtscada.jpg 659w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/09\/vtscada-300x149.jpg 300w\" sizes=\"auto, (max-width: 659px) 100vw, 659px\" \/><figcaption class=\"wp-element-caption\">Source: <a href=\"https:\/\/www.vtscada.com\/\">https:\/\/www.vtscada.com\/<\/a><\/figcaption><\/figure>\n\n\n\n<p>Let\u2019s jump in and see if we can find VTScada online using a variety of search engines and techniques. 
Below, I will walk you through how I craft and use specific filters (dorks) to track these systems.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Shodan:<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Filter 1:<\/strong> <code>vtscada<\/code><\/li>\n\n\n\n<li><strong>Filter 2:<\/strong> <code>http.favicon.hash:1796018699<\/code><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Censys:<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Filter 1:<\/strong> <code>vtscada<\/code><\/li>\n\n\n\n<li><strong>Filter 2:<\/strong> <code>services.software.product=VTScada<\/code><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">ZoomEye:<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Filter 1:<\/strong> <code>app:\"VTScada\"<\/code><\/li>\n\n\n\n<li><strong>Filter 2:<\/strong> <code>iconhash:\"8b0a996f749fd47307057a543a2389ab\"<\/code><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Google:<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Filter 1:<\/strong> <code>intitle:\"VTScada Anywhere login\"<\/code><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Web Interface and Exposed Technology<\/h3>\n\n\n\n<p>VTScada exposes its web interface to the internet. As shown in the image, I found port 102, which is commonly used for the Siemens S7 protocol. The protocol banner information revealed a model number\u2014&#8220;6ES7 214-1HG40-0XB0.&#8221; A quick Google search confirmed it as a Siemens Simatic S7-1200 PLC. 
Could VTScada be managing this Siemens PLC, or are they just connected?<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1016\" height=\"696\" src=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/09\/vtscada-web.jpg\" alt=\"\" class=\"wp-image-1572\" srcset=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/09\/vtscada-web.jpg 1016w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/09\/vtscada-web-300x206.jpg 300w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/09\/vtscada-web-768x526.jpg 768w\" sizes=\"auto, (max-width: 1016px) 100vw, 1016px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"894\" height=\"828\" src=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/09\/s7-1200.jpg\" alt=\"\" class=\"wp-image-1573\" srcset=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/09\/s7-1200.jpg 894w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/09\/s7-1200-300x278.jpg 300w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/09\/s7-1200-768x711.jpg 768w\" sizes=\"auto, (max-width: 894px) 100vw, 894px\" \/><\/figure>\n\n\n\n<p>In addition to this, many hosts running VTScada have open ports such as FTP (port 21), SSH (port 22), and RDP (port 3389), which are used for remote management.<\/p>\n\n\n\n<p>One interesting find was a host with router port 8080 open, identified as &#8220;NetCloud&#8221; by <a href=\"https:\/\/cradlepoint.com\">Cradlepoint<\/a>. Does this router manage a cloud service? 
The details remain unclear.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"282\" src=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/09\/netcloud-1024x282.jpg\" alt=\"\" class=\"wp-image-1575\" srcset=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/09\/netcloud-1024x282.jpg 1024w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/09\/netcloud-300x83.jpg 300w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/09\/netcloud-768x211.jpg 768w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/09\/netcloud-1536x423.jpg 1536w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/09\/netcloud-2048x564.jpg 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">What Industry or Process is Running Behind this Software?<\/h3>\n\n\n\n<p>By analyzing the URL paths of the web interfaces, you can often deduce key details. 
For example, URLs may contain terms like:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>\/wastewater<\/code><\/li>\n\n\n\n<li><code>\/BaddWater<\/code><\/li>\n\n\n\n<li><code>\/Grandlake<\/code><\/li>\n\n\n\n<li><code>\/lakewod<\/code><\/li>\n\n\n\n<li><code>\/scada<\/code><\/li>\n\n\n\n<li><code>\/water<\/code><\/li>\n\n\n\n<li><code>\/CCityWater<\/code><\/li>\n<\/ul>\n\n\n\n<p>From these, we can extract useful information such as:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>ICS Device Type<\/strong>: SCADA or similar systems.<\/li>\n\n\n\n<li><strong>Location<\/strong>: Potential city or state names, often around lakes or water bodies.<\/li>\n\n\n\n<li><strong>Industry<\/strong>: Most of these instances are related to water or wastewater facilities.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Vulnerabilities<\/h3>\n\n\n\n<p>VTScada, like any other ICS software, is not immune to vulnerabilities. During my research, I found several existing vulnerabilities listed by CISA, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ICSA-14-343-02<\/li>\n\n\n\n<li>ICSA-17-164-01<\/li>\n\n\n\n<li>ICSA-22-300-04<\/li>\n\n\n\n<li>ICSA-17-304-02<\/li>\n\n\n\n<li>ICSA-16-159-01<\/li>\n<\/ul>\n\n\n\n<p>These vulnerabilities highlight the persistent risk associated with improperly secured systems.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Analysis<\/h3>\n\n\n\n<p>It\u2019s no surprise that the water industry has become a frequent target of cyberattacks. As demonstrated in this article, water systems are exposed on the internet with numerous open ports, accessible web interfaces, and misconfigurations. Hundreds of these systems, which manage water facilities, are vulnerable to attack.<\/p>\n\n\n\n<p>What I\u2019ve shown here is just a surface-level analysis\u2014I haven\u2019t even covered all hosts or vendors. 
The scale of the problem is likely much larger.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Conclusion<\/h3>\n\n\n\n<p>In closing, I encourage you to explore ICSRank, our unique tool designed for the ICS\/OT domain. ICSRank exemplifies our commitment to enhancing ICS\/OT cybersecurity. With its ability to Discover, Assess, and Secure, ICSRank is a vital resource for fortifying ICS\/OT environments against cyber threats.<\/p>\n\n\n\n<p>Stay tuned for more insights in future installments of OT Hunt, and remember\u2014our shared vigilance is key to defending critical infrastructure.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to the 19th installment of \u201cOT Hunt\u201d where we delve into the world of ICS\/OT devices connected to the internet. The primary aim of this series is to raise awareness within the ICS community and serve as a wake-up call for both asset owners and ICS\/OT vendors to fortify their assets against potential cyber 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":1577,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[170,246,4,212,245,45,3,252,81,168,48,67,260,23,263,57,238],"tags":[7,13,6,75,12,169,47,100,27],"class_list":["post-1565","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-attack-surface","category-censys","category-cyber-security","category-google-dorks","category-hmi","category-ics-protocols","category-ics-security","category-ics-ot-osint","category-osint","category-ot-hunt","category-ot-security","category-plc","category-scada","category-shodan","category-vtscada","category-water","category-zoomeye","tag-cyber-security","tag-ics","tag-ics-security","tag-icsrank","tag-ot","tag-ot-hunt","tag-ot-security","tag-sulaiman-alhasawi","tag-zerontek"],"_links":{"self":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1565","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/comments?post=1565"}],"version-history":[{"count":8,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1565\/revisions"}],"predecessor-version":[{"id":1578,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1565\/revisions\/1578"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media\/1577"}],"wp:attachment":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media?parent=1565"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/categories?post=1565"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerontek.com
\/zt\/wp-json\/wp\/v2\/tags?post=1565"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}