How to Find and Probe ENCO PLCs on the Internet Just Like FrostyGoop malware

Sulaiman Alhasawi
3 min readJul 24, 2024

--

Welcome to the 17th installment of “OT Hunt” where we delve into the world of ICS/OT devices connected to the internet. The primary aim of this series is to raise awareness within the ICS community and serve as a wake-up call for both asset owners and ICS/OT vendors to fortify their assets against potential cyber threats.

Today’s target is the ENCO Control, a PLC made by Eco Therm Services, a Romanian company. Enco Control is designed as controller for process control in district heating / hot water and ventilation systems. This PLC was the target of the FrostyGoop malware, which a group launched against a Ukrainian energy company in January 2024. The attackers gained access to the company network through a router.

Naturally, I became curious to find out if these PLCs are present on the internet. It’s a habit of mine to always dig into ICS devices online. This time, I used Shodan and Zoomeye to find ENCO Control.

To find ENCO Control on Shodan, I used the following dork:

ENCO port:23

There are 38 PLCs, most of them located in Romania, Ukraine, and Lithuania.

Similarly, I used this filter in Zoomeye , 107 PLCs exist:

enco +port:23

These PLCs have Telnet (port 23) open, which is used for remote connection. I discovered an alarmingly weak configuration; some hosts allow instant access to the server without credentials. Not only that, but they also allow you to use the system commands that are used for administering the PLC.

The display message has a screen with a title “ENCO Control Telnet Server v1.00” and a list of management commands. Here’s a snapshot of the commands .

Let’s explore some built-in commands that you can use through the Telnet console:

To list TCP statistics, type tcpstat.

To list Ethernet connections, type ethr.

To list existing sensors and their temperatures, type owire.

To get an idea of analogue inputs, type io.

And a few other commands. Attention! Some of the commands, I think, have administrative role permissions such as disconnect ip and change output. These, I believe, might have critical impacts, such as disconnecting a device or changing an output.

Asset owners, if you are reading this article, please make sure to put access control for this Telnet service and/or put a firewall. If you know organizations that use this PLC, please share this article with them. Stay safe.

Conclusion:

In closing, I invite you to explore our project, ICSRank — a unique tool tailored for the ICS/OT domain, exemplifying our commitment to enhancing ICS/OT cybersecurity. With its capabilities to Discover, Assess, and Secure, ICSRank stands as a vital resource in fortifying ICS/OT environments against cyber threats.

--

--

Sulaiman Alhasawi
Sulaiman Alhasawi

Written by Sulaiman Alhasawi

ICS/OT Cybersecurity Researcher | Founder of ICSrank.com. If you are not a Medium member, you can still read all my blog posts at https://zerontek.com/zt/blog

No responses yet