At the end of 2023, a nation-state-affiliated threat actor, CyberAveng3rs, targeted an Israeli-made PLC and HMI controller used in water facilities worldwide, spreading propaganda and fear. The attackers defaced and shut down Unitronics Vision series devices, sabotaging them and rendering them unusable.
We embarked on our research journey, dissecting the attackers' path in collaboration with government agencies and CERT teams. We started by analyzing the Unitronics Vision PLC, reverse engineering its engineering workstation (EWS) software and its communication protocols. Soon enough, we had built a simple client that let us perform raw READ/WRITE operations directly against the PLC's memory.
Using that client, we built tools for performing forensic analysis on compromised PLCs. With these tools we found a vulnerability that allowed us to bypass the password lock the attackers had put in place and to extract a "history log" containing forensic artifacts about the attackers.
In addition, we examined Unitronics UniStream, the new series of controllers meant to replace the older Vision product line, and identified and disclosed critical vulnerabilities that attackers could have used to gain pre-authentication remote code execution (pre-auth RCE).
In our presentation, we will follow in the footsteps of the attackers, showing how they attacked the vulnerable PLCs. We will then present our research process and the methodology behind the forensic tools that helped us retrieve artifacts from infected devices and restore their previous configurations. We will open-source these tools for the first time. Lastly, we will delve into the new vulnerabilities we identified, which allow attackers to achieve pre-auth RCE on the newer devices.
By:
Noam Moshe | Vulnerability Researcher, Claroty Team82
Full Abstract and Presentation Materials:
www.blackhat.c...