By Gregory Hale
With phishing attacks on the rise during the pandemic and little-known vulnerabilities present in ICS project files, it is possible for attackers to gain the ability to execute remote code on a system’s network.

Phishing attacks are nothing new; they have been occurring for years. What is different now is hackers using vulnerable ICS project files to gain access to a network.

“These vulnerabilities will allow an attacker direct access to critical segments of the network because you are guaranteed the vulnerability will exploit an engineering computer, and you will get access to most critical points of the network,” said Nadav Erez, research team lead at industrial cybersecurity company Claroty, prior to his presentation at the DEF CON ICS Village last Friday discussing the details of an ICS vulnerability disclosed late last month.

“Project files are any thing or entity in which the ICS engineering software takes its information,” Erez said. “If you are programming a PLC in specific software and you click the save button because you want to protect the progress you have made, the entity you save is a project file. It may be a file or a directory. It may be ICS project data or ICS project information that is saved in some type of manner and represents all the information.”


Accidental Discovery
Erez said they didn’t start off looking for vulnerabilities in project files; rather, they were looking at adding visibility for asset owners, and the project files represented a very interesting component.

“Having looked at project files for years, we started to realize these files resemble some traits in ICS protocols because they are very complex, and they contain some interesting information that is proprietary. These traits that are similar to ICS protocols got us thinking maybe these project files were not designed with security in mind because ICS protocols are not the greatest in terms of security.”

As it turns out, he was right.

Erez and his team discovered, and reported to VDE Cert, an improper path sanitation vulnerability in the import of project files in Phoenix Contact’s PLCnext Engineer version 2020.3.1.

Before Phoenix Contact fixed the vulnerability, the build settings of a PLCnext Engineer project (.pcwex) could be manipulated in a way that could result in the execution of remote code. The attacker needed to get access to a PLCnext Engineer project to be able to manipulate files inside. Additionally, the files of the remote code needed to be transferred to a location accessible to the PC running PLCnext Engineer. When PLCnext Engineer ran a build process of the manipulated project, the remote code could be executed.
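For defenders, the kind of path check whose absence this class of bug relies on can be run over a received project archive before it is opened. The sketch below is an added illustration, not code from Phoenix Contact, Claroty or the article; it assumes a ZIP-style container (the article does not describe the .pcwex layout), and the member names, XML attributes and host name are constructed.

```python
import io
import re
import zipfile
from pathlib import PureWindowsPath

# Windows-style path tokens inside text members (heuristic, not a format parser).
PATH_TOKEN = re.compile(r'(?:[A-Za-z]:|\\\\|\.\.?[\\/])[^\s"<>|*?]+')

def classify_path(raw):
    """Return 'ok' or the reason a path must not be trusted on import."""
    p = PureWindowsPath(raw)  # Windows semantics even when run on Linux
    if p.drive.startswith("\\\\"):
        return "unc"          # network location, e.g. \\host\share\...
    if p.drive or p.root:
        return "absolute"     # C:\..., \Windows\..., C:relative
    if ".." in p.parts:
        return "traversal"    # climbs out of the project directory
    return "ok"

def scan_project_archive(data):
    """List (member, path, reason) findings for a ZIP-style project archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = classify_path(info.filename)
            if reason != "ok":
                findings.append((info.filename, info.filename, reason))
            text = zf.read(info).decode("utf-8", errors="replace")
            for token in PATH_TOKEN.findall(text):
                reason = classify_path(token)
                if reason != "ok":
                    findings.append((info.filename, token, reason))
    return findings

def build_sample():
    """Constructed sample: member names and XML content are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/main.xml", '<Source Path="logic\\main.st"/>')
        zf.writestr("project/build.xml",
                    '<Tool Path="\\\\fileserver.example\\share\\tool.dll"/>'
                    '<Out Path="..\\..\\out\\app.bin"/>')
        zf.writestr("../outside.txt", "placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in scan_project_archive(build_sample()):
        print(finding)
```

A finding is a reason to inspect the file in an isolated environment, not proof of tampering; URLs inside a member will also trip the drive-letter pattern.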

Project File Vulnerability
Erez equated this project file issue to vulnerabilities in Microsoft Word files, which have been around for decades.

“An attacker can send a malicious doc file and when a victim double clicks, malicious code will be executed. Can we do the same with a project file? Can we make it when you double click on a malicious project file you execute malicious code? What we found is you can,” he said.

Yes, it is possible to create code to hack into project files, but Erez said there is an easier way to get into a network that doesn’t involve the tedious and time-consuming effort of developing malware.

“What is interesting is using the same approach a hacker would use in a malicious doc file is by sending a phishing campaign to millions of email addresses,” Erez said. “They may send a phishing campaign to engineers and they may not be security minded and to not open a project file is not trivial. An engineer who loves his job and is curious about what the project file may contain; it is not a big leap to open the project file. It is not that big a leap because they are not security minded when it comes to opening a project file. We took the original project file and changed it to point to our own malicious project file. We could send it to the engineer and say, ‘Mr. Engineer can you open this project file’ and it would point to our own target file.”

So, how would an attacker get into a system to start a potential attack? Erez said social engineering works just fine.

“You send an email to an engineer saying ‘I see on LinkedIn you are using this technology and I am wondering if you could help me out’ and when you send the mail, the attachment is loaded with the malicious code,” Erez said. “Engineers will willingly download an ICS project file from people they don’t know.”

Open the Door
Once the project file is open, the hacker can execute whatever code they want to on the engineer’s computer.

“It is a great vector to be used by the hacker, because the hacker sending over the phishing campaign knows because when someone is opening a project file you know the engineer is opening it on a work computer because that is where the software is installed. You know when someone opens the malicious project file it will be on a computer that has access to critical segments of the network and so when you have done that you have gained access to whatever physical devices on the network, and then it is game over.”

