Rewterz Threat Advisory – Rockwell Warns Of APT’s Critical Infrastructure RCE Exploit

Severity

High

Analysis Summary

Rockwell Automation has recently discovered a new remote code execution (RCE) exploit linked to an undisclosed Advanced Persistent Threat (APT) group, which poses a significant threat to critical industries. The exploit targets unpatched ControlLogix communications modules widely utilized in manufacturing, electric, oil and gas, and liquefied natural gas sectors.

The vulnerability, CVE-2023-3595, stems from an out-of-bounds write weakness in the affected ControlLogix modules. The APT group capitalizes on this vulnerability by sending maliciously crafted Common Industrial Protocol (CIP) messages. Through successful exploitation, the attackers can execute arbitrary code remotely, leading to complete control over the targeted systems.

Aside from remote code execution, the exploit can also trigger denial-of-service (DoS) conditions, causing disruptions in normal operations. Furthermore, attackers can manipulate the module’s firmware, potentially leaving backdoors or malicious code for future access. They could also wipe the module’s memory, leading to data loss and system instability. Altering data traffic to and from the modules enables the APT group to steal or manipulate sensitive information.

The consequences of an attack extend beyond immediate impact; the APT group can establish persistent control, allowing for continued exploitation and potential long-term damage to the industrial processes supported by these modules. Critical infrastructure in various sectors is at risk, and a successful attack could have devastating effects on public safety and the economy.

Rockwell Automation, in collaboration with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), is taking swift action to address the issue. They have released security patches for all affected products, even those that are no longer officially supported, and provided detection rules to help identify potential exploitation attempts.

As of the time of analysis, there have been no known instances of active exploitation. However, the seriousness of the vulnerability and the APT group’s possession of the exploit raise concerns about potential future attacks. Customers using the vulnerable ControlLogix communications modules are strongly advised to apply the patches and remain vigilant to safeguard their systems.

Given the high likelihood that these capabilities were developed with the intent to target critical infrastructure, both Rockwell Automation and CISA emphasize the need for proactive defense measures. Early detection and mitigation are crucial to preventing successful attacks and mitigating potential damage to essential industrial operations.

Impact

• Denial of Service
• Code Execution

Indicators Of Compromise

CVE

• CVE-2023-3595

Affected Vendors

Rockwell Automation

Affected Products

• Rockwell Automation 1756-EN2F Series C 11.003
• Rockwell Automation 1756-EN3TR Series B 11.003

Remediation

• Refer to Rockwell Automation Web site for patch, upgrade or suggested workaround information.
• Implement robust network monitoring and intrusion detection to detect suspicious CIP messages.
• Isolate critical systems to limit potential attacks.
• Back up firmware and critical data regularly for quick recovery.
• Restrict access to authorized personnel and use strong authentication.
• Educate employees about cybersecurity risks.
• Collaborate with industry peers and government agencies for insights.
• Adhere to industry security guidelines and update protocols.
• Regularly test for weaknesses and address them proactively.