Welcome to the 20th installment of “OT Hunt<\/a>\u201d<\/strong> where we dive into the challenges and opportunities within the realm of ICS\/OT devices connected to the internet. This series aims to raise awareness among asset owners and ICS vendors to proactively secure their infrastructures.<\/p>\n\n\n\n This exploration came about by chance. I was researching SpiderControl<\/strong>, an OT vendor, as part of my usual work on ICSRank<\/a>. According to their product page, the SpiderControl Easy Web-HMI<\/strong> uses HTML5<\/strong> to develop HMIs directly on PLCs<\/strong> such as Siemens, Beckhoff, and Raspberry Pi<\/strong>, without additional runtime or hardware requirements. Here\u2019s a quick summary:<\/p>\n\n\n\n “The SpiderControl Easy Web-HMI allows users to build and deploy HTML5-based HMIs directly on various PLCs. It supports SCADA integration, remote PLC management via OPC UA and ADS protocols, and allows retrofitting legacy systems by converting outdated interfaces to HTML5.”<\/em><\/p>\n\n\n\n The platform supports multiple vendors including:<\/p>\n\n\n\n They offer HMI editors that generate HTML5-based web interfaces, which eliminates the need for older, now-deprecated Java applets. However, I noticed that some SpiderControl interfaces still use applets<\/strong>, which generate browser errors, indicating they are still running \u201cin the wild.\u201d<\/p>\n\n\n\n This technology is moving toward cloud-based deployment<\/strong>, with SpiderControl’s SCADA server available as a cloud app, Docker component, or in OT marketplaces like Phoenix PLCnext and Bosch ctrlX<\/strong>. This allows for remote monitoring and control of multiple PLCs from the cloud, demonstrating a shift in OT toward modern, flexible web technologies.<\/p>\n\n\n\n Using Shodan<\/strong> and ZoomEye<\/strong>, I searched for devices running SpiderControl.<\/p>\n\n\n\n A key observation was that most devices found through ZoomEye were deployed on Phoenix Contact PLCs<\/strong>, revealing the platform’s popularity with that vendor.<\/p>\n\n\n\n SpiderControl\u2019s shift to HTML5<\/strong> comes with certain risks. One significant threat is HTML smuggling<\/strong>, classified under MITRE ATT&CK’s T1027.006<\/strong><\/a> as a Defense Evasion<\/strong> technique .<\/p>\n\n\n\n This technique involves injecting malicious JavaScript into HTML5 files, using elements such as:<\/p>\n\n\n\nThe Topic at Hand<\/strong><\/h4>\n\n\n\n
\n
\n\n\n\n![\"\"](\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/10\/spider-web-1024x313.png\")
<\/figure>\n\n\n\nFinding SpiderControl Devices in the Wild<\/strong><\/h3>\n\n\n\n
\n
SpiderControl<\/code> \u2192 100 results<\/strong><\/li>\n\n\n\nspidercontrol +app:\"Phoenix Contact httpd\"<\/code> \u2192 2,800 results<\/strong><\/li>\n<\/ul>\n\n\n\n![\"\"](\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/10\/pcworx-1.jpg\")
<\/figure>\n\n\n\n
\n\n\n\nCommon Findings from SpiderControl Deployments<\/strong><\/h3>\n\n\n\n
\n
![\"\"](\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2024\/10\/snmp.png\")
<\/figure>\n\n\n\n
\n\n\n\nRisks of HTML5: HTML Smuggling and MITRE Technique T1027.006<\/strong><\/h3>\n\n\n\n
<a download=\"malicious.zip\" href=\"data:application\/zip;base64,<base64_payload>\"> \n Download the Safe Report \n<\/a><\/code><\/pre>\n\n\n\n