{"id":817,"date":"2022-06-30T17:48:49","date_gmt":"2022-06-30T14:48:49","guid":{"rendered":"https:\/\/zerontek.com\/zt\/?p=817"},"modified":"2022-07-03T08:58:07","modified_gmt":"2022-07-03T05:58:07","slug":"hacking-building-automation-systems","status":"publish","type":"post","link":"https:\/\/zerontek.com\/zt\/2022\/06\/30\/hacking-building-automation-systems\/","title":{"rendered":"Hacking building automation systems"},"content":{"rendered":"\n<p>In my previous post <a rel=\"noreferrer noopener\" href=\"https:\/\/zerontek.com\/zt\/2021\/05\/25\/wireshark-bacnet-security-analysis\/\" target=\"_blank\">Wireshark: BACnet security analysis<\/a>, I explained how to filter BACnet packets in Wireshark and mentioned how to find internet-exposed BACnet devices in <a href=\"https:\/\/www.shodan.io\" target=\"_blank\" rel=\"noreferrer noopener\">Shodan<\/a>. A few days ago we heard about attacks using the &#8220;ShadowPad&#8221; backdoor against a telecommunications company in Pakistan. The attackers exploited the Microsoft Exchange vulnerability <a rel=\"noreferrer noopener\" href=\"https:\/\/ics-cert.kaspersky.com\/away?url=https%3A%2F%2Fcve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3DCVE-2021-26855\" target=\"_blank\">CVE-2021-26855<\/a> (ProxyLogon) to gain initial access. The attack affected engineering computers that are part of the Pakistani company&#8217;s building automation systems.<\/p>\n\n\n\n<p>My observation is that the attack happened last year, in October 2021. Why was it disclosed so late? Also, there aren&#8217;t any details about the OT devices or protocols involved, beyond the mentions of &#8220;ICS&#8221; and &#8220;building automation systems&#8221;. So I have the following guesses and questions:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Did the attackers find this company via Shodan? Most building automation systems that appear in Shodan are connected through telecommunications companies.<\/li><li>Was the BACnet protocol in use in the company&#8217;s systems? 
If so, did the attackers manage to exploit its weaknesses, or did they just abuse the IT systems (Microsoft Windows) to conduct the attacks?<\/li><\/ul>\n\n\n\n<p>My point is that we don&#8217;t have enough details about the OT systems that were affected, beyond the engineering computers. To me this looks like an IT attack. Furthermore, there was no physical impact, and the attackers&#8217; goal was speculated to be data harvesting (see source 1).<\/p>\n\n\n\n<p>References:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li><a href=\"https:\/\/ics-cert.kaspersky.com\/publications\/reports\/2022\/06\/27\/attacks-on-industrial-control-systems-using-shadowpad\/\">https:\/\/ics-cert.kaspersky.com\/publications\/reports\/2022\/06\/27\/attacks-on-industrial-control-systems-using-shadowpad\/<\/a><\/li><\/ol>\n","protected":false},"excerpt":{"rendered":"<p>In my previous post Wireshark: BACnet security analysis, I explained how to filter BACnet packets in Wireshark and mentioned how to find internet-exposed BACnet devices in Shodan. A few days ago we heard about attacks using the &#8220;ShadowPad&#8221; backdoor against a telecommunications company in Pakistan. 
The attackers exploited the Microsoft Exchange vulnerability CVE-2021-26855 [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[161,157,4,45,3,48,23,49],"tags":[50,55,158,7,13,6,159,12,47,160,20],"class_list":["post-817","post","type-post","status-publish","format-standard","hentry","category-bacnet","category-building-automation-systems","category-cyber-security","category-ics-protocols","category-ics-security","category-ot-security","category-shodan","category-wireshark","tag-bacnet","tag-bacnet-filters","tag-building-automation-systems","tag-cyber-security","tag-ics","tag-ics-security","tag-microsoft-exchange","tag-ot","tag-ot-security","tag-shadowpad","tag-shodan"],"_links":{"self":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/817","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/comments?post=817"}],"version-history":[{"count":11,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/817\/revisions"}],"predecessor-version":[{"id":833,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/817\/revisions\/833"}],"wp:attachment":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media?parent=817"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/categories?post=817"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/tags?post=817"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
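Added example, not code from the post above or from the Kaspersky report it discusses: a minimal BACnet/IP Who-Is / I-Am codec in Python. It shows the device-discovery exchange that the bvlc, bacnet and bacapp dissectors decode in Wireshark on UDP port 47808, the same exchange a scanner or an intruder on the network uses as the first step to enumerate building controllers. All frames, the device instance numbers and the vendor ID are constructed for illustration; nothing is taken from the Pakistani incident, about which the post has no protocol-level details.

```python
"""Minimal BACnet/IP (ASHRAE 135 Annex J) Who-Is / I-Am codec.
Added example, not code from the post; all frames and device numbers are constructed."""
import struct

BVLC_TYPE, BVLC_FORWARDED, BVLC_UNICAST, BVLC_BROADCAST = 0x81, 0x04, 0x0A, 0x0B
UNCONFIRMED_REQUEST = 0x10            # PDU type 1 in the high nibble
SERVICE_I_AM, SERVICE_WHO_IS = 0x00, 0x08
OBJECT_TYPE_DEVICE = 8
SEGMENTATION = {0: "both", 1: "transmit", 2: "receive", 3: "none"}
# NPDU: version 1, control 0x20 (DNET present), DNET 0xFFFF = global broadcast, DLEN 0, hop count 255
NPDU_GLOBAL_BROADCAST = bytes([0x01, 0x20, 0xFF, 0xFF, 0x00, 0xFF])


def _unsigned(tag, value, context=False):
    """Encode a BACnet Unsigned (1-4 bytes) under an application or context tag."""
    data = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if len(data) > 4:
        raise ValueError("value too large for this encoder")
    return bytes([(tag << 4) | (0x08 if context else 0) | len(data)]) + data

def _read_unsigned(data, pos, tag, context=False):
    """Decode one tagged Unsigned/Enumerated at data[pos]; return (value, next_pos)."""
    t, n = data[pos], data[pos] & 0x07
    if t >> 4 != tag or bool(t & 0x08) != context or not 1 <= n <= 4:
        raise ValueError("unexpected tag 0x%02x at offset %d" % (t, pos))
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _frame(function, apdu, npdu=NPDU_GLOBAL_BROADCAST):
    """BVLC header + NPDU + APDU; the BVLC length field covers the whole frame."""
    return bytes([BVLC_TYPE, function]) + struct.pack("!H", 4 + len(npdu) + len(apdu)) + npdu + apdu

def build_who_is(low=None, high=None):
    """Broadcast Who-Is, optionally limited to a device-instance range (context tags 0 and 1)."""
    apdu = bytes([UNCONFIRMED_REQUEST, SERVICE_WHO_IS])
    if low is not None and high is not None:
        apdu += _unsigned(0, low, context=True) + _unsigned(1, high, context=True)
    return _frame(BVLC_BROADCAST, apdu)

def build_i_am(instance, max_apdu=1476, segmentation=3, vendor_id=8):
    """Broadcast I-Am: device object id, max APDU accepted, segmentation support, vendor id."""
    obj_id = (OBJECT_TYPE_DEVICE << 22) | (instance & 0x3FFFFF)
    apdu = bytes([UNCONFIRMED_REQUEST, SERVICE_I_AM, 0xC4]) + struct.pack("!I", obj_id)  # app tag 12, len 4
    apdu += _unsigned(2, max_apdu) + bytes([0x91, segmentation]) + _unsigned(2, vendor_id)  # tags 2, 9, 2
    return _frame(BVLC_BROADCAST, apdu)

def parse_frame(frame):
    """Decode BVLC + NPDU + unconfirmed APDU into a dict (Who-Is and I-Am bodies are decoded)."""
    if len(frame) < 4 or frame[0] != BVLC_TYPE or struct.unpack_from("!H", frame, 2)[0] != len(frame):
        raise ValueError("not a well-formed BACnet/IP frame")
    function = frame[1]
    if function not in (BVLC_FORWARDED, BVLC_UNICAST, BVLC_BROADCAST):
        raise ValueError("unsupported BVLC function 0x%02x" % function)
    pos = 10 if function == BVLC_FORWARDED else 4        # Forwarded-NPDU carries a 6-byte B/IP address
    version, control = frame[pos], frame[pos + 1]
    if version != 1 or control & 0x80:                    # bit 7 set = network-layer message, no APDU
        raise ValueError("not an NPDU carrying an APDU")
    pos, dnet = pos + 2, None
    if control & 0x20:                                    # DNET(2) DLEN(1) DADR(DLEN)
        dnet = struct.unpack_from("!H", frame, pos)[0]
        pos += 3 + frame[pos + 2]
    if control & 0x08:                                    # SNET(2) SLEN(1) SADR(SLEN)
        pos += 3 + frame[pos + 2]
    if control & 0x20:                                    # hop count is present whenever DNET is
        pos += 1
    apdu = frame[pos:]
    if apdu[0] & 0xF0 != UNCONFIRMED_REQUEST:
        raise ValueError("only Unconfirmed-Request PDUs are handled here")
    out, body = {"bvlc_function": function, "dnet": dnet, "service": apdu[1]}, apdu[2:]
    if apdu[1] == SERVICE_WHO_IS:
        out["low"] = out["high"] = None
        if body:
            out["low"], p = _read_unsigned(body, 0, 0, context=True)
            out["high"], _ = _read_unsigned(body, p, 1, context=True)
    elif apdu[1] == SERVICE_I_AM:
        if body[0] != 0xC4:
            raise ValueError("expected a 4-byte BACnetObjectIdentifier")
        obj_id = struct.unpack_from("!I", body, 1)[0]
        out["object_type"], out["instance"] = obj_id >> 22, obj_id & 0x3FFFFF
        out["max_apdu"], p = _read_unsigned(body, 5, 2)
        seg, p = _read_unsigned(body, p, 9)
        out["segmentation"] = SEGMENTATION.get(seg, seg)
        out["vendor_id"], _ = _read_unsigned(body, p, 2)
    return out

def respond_to_who_is(frame, device_instance, vendor_id=8):
    """Device side: every Who-Is covering our instance gets an I-Am; nothing authenticates the asker."""
    req = parse_frame(frame)
    if req["service"] != SERVICE_WHO_IS:
        return None
    if req["low"] is not None and not req["low"] <= device_instance <= req["high"]:
        return None
    return build_i_am(device_instance, vendor_id=vendor_id)

if __name__ == "__main__":
    who_is = build_who_is()                   # what a scanner broadcasts to UDP 47808
    i_am = respond_to_who_is(who_is, 1234)    # what a controller with instance 1234 answers
    print("Who-Is:", who_is.hex(), "\nI-Am:  ", i_am.hex(), "\ndecoded:", parse_frame(i_am))
```

Run stand-alone it prints both frames and the decoded I-Am. The point that bears on the post's question about BACnet weaknesses is in respond_to_who_is: the exchange carries no authentication in classic BACnet/IP, so any peer that can reach UDP 47808 learns the device instance, vendor ID and capability flags of every controller that answers. A BACnet/IP interface exposed to the internet is therefore discoverable by design, independently of any software vulnerability.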