OT Hunt: Analyzing CODESYS Security with MITRE T0886

Sulaiman Alhasawi
Apr 23, 2024 · 2 min read

Welcome to the 15th installment of “OT Hunt” where we delve into the world of ICS/OT devices connected to the internet. The primary aim of this series is to raise awareness within the ICS community and serve as a wake-up call for both asset owners and ICS/OT vendors to fortify their assets against potential cyber threats.

Today, we’ll be focusing our attention on assessing the security posture of CODESYS using MITRE ATT&CK for ICS, with a specific emphasis on the remote services technique T0886.

Why is this investigation crucial? Remote services such as RDP, Telnet, SSH, and FTP play a pivotal role in enabling operators to interact with systems remotely. Notably, services like RDP and VNC provide GUI access to devices such as HMIs, which is exactly why their exposure to the internet matters.

To kick off our exploration, I turned to Censys as my search engine of choice and initiated the process with a targeted dork:

services.service_name='CODESYS'

For additional dorks tailored for identifying ICS/OT devices on Censys, you can refer to my GitHub repository or utilize my tool, ICSRank, available at icsrank.com.

The initial search yielded approximately 3,000 hosts. To narrow down our investigation and identify the specific remote services running on CODESYS hosts, I employed a series of filters. First up was the FTP service, for which the query was

(services.service_name=CODESYS) and services.service_name='FTP'

Alarmingly, several hosts had open FTP ports, with many configured to accept admin credentials without requiring a password.

Next, I turned my attention to Telnet, using the filter:

(services.service_name=CODESYS) and services.service_name='TELNET'

Once again, I discovered open Telnet ports, leaving these hosts vulnerable to unauthorized connections without any firewall protections.

Lastly, I investigated SSH with the filter:

(services.service_name=CODESYS) and services.service_name='SSH'

To my dismay, SSH ports were also accessible without adequate security measures in place, and to exacerbate matters, the root user was enabled, leaving the system susceptible to brute-force attacks.

It’s important to note that FTP, Telnet and SSH are only a few of the remote service types used in ICS/OT environments. Others, such as VNC, SMB, and more, warrant exploration in future articles.
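The three Censys filters above all have the same shape: restrict to hosts running CODESYS, then intersect with one remote service. The following script is an added example (not part of the original post, and not code from Censys, CODESYS or ICSRank) that applies the same logic offline to an exported list of host records, so an asset owner can triage their own scan results and map each hit to MITRE ATT&CK for ICS T0886. It assumes a simplified Censys-like record shape, `{"ip": ..., "services": [{"service_name": ..., "port": ...}]}`, and the sample records, ports and addresses are constructed, not real hosts. It goes slightly beyond the post by also covering VNC and SMB, the services named above as future work.

```python
"""Offline triage of scan-export records for MITRE ATT&CK for ICS T0886
(Remote Services) exposure on CODESYS hosts.

Added example, not from the original post or from Censys/CODESYS/ICSRank.
Assumed record shape (simplified Censys-like):
    {"ip": str, "services": [{"service_name": str, "port": int}, ...]}
"""
from collections import defaultdict

# Remote services the post queried for (FTP, TELNET, SSH) plus VNC and SMB,
# each mapped to the defender-side check an asset owner should perform.
REMOTE_SERVICES = {
    "FTP": "cleartext credentials; confirm anonymous and blank-password logins are disabled",
    "TELNET": "cleartext and weakly authenticated; replace with SSH and restrict by firewall",
    "SSH": "verify PermitRootLogin is off, key-only auth, and rate limiting are in place",
    "VNC": "GUI access to HMIs; require authentication and restrict to trusted networks",
    "SMB": "file sharing; block from untrusted networks",
}

PLC_SERVICE = "CODESYS"

# Constructed sample export. Addresses are RFC 5737 documentation ranges,
# ports are illustrative; none of these are real hosts.
SAMPLE_RECORDS = [
    {"ip": "192.0.2.10", "services": [{"service_name": "CODESYS", "port": 2455},
                                      {"service_name": "FTP", "port": 21}]},
    {"ip": "192.0.2.11", "services": [{"service_name": "CODESYS", "port": 2455},
                                      {"service_name": "TELNET", "port": 23},
                                      {"service_name": "SSH", "port": 22}]},
    {"ip": "192.0.2.12", "services": [{"service_name": "CODESYS", "port": 2455}]},
    {"ip": "192.0.2.13", "services": [{"service_name": "SSH", "port": 22}]},  # no PLC service
]


def service_names(record):
    """Upper-cased set of service names present on one host record."""
    return {s["service_name"].upper() for s in record.get("services", [])}


def is_codesys_host(record):
    """Offline equivalent of the dork services.service_name='CODESYS'."""
    return PLC_SERVICE in service_names(record)


def exposed_remote_services(record):
    """Offline equivalent of
    (services.service_name=CODESYS) and services.service_name='<X>'
    for every X in REMOTE_SERVICES. Returns the sorted matching names,
    or an empty list for hosts that do not run CODESYS at all."""
    if not is_codesys_host(record):
        return []
    return sorted(service_names(record) & set(REMOTE_SERVICES))


def triage(records):
    """Return {service_name: [ips]} for CODESYS hosts exposing each remote service."""
    findings = defaultdict(list)
    for rec in records:
        for svc in exposed_remote_services(rec):
            findings[svc].append(rec["ip"])
    return dict(findings)


def count_codesys_hosts(records):
    """Number of records that run CODESYS (the post's initial ~3,000-host cut)."""
    return sum(1 for r in records if is_codesys_host(r))


def report(records):
    """Human-readable summary with the T0886 reference and a remediation hint per service."""
    lines = [f"CODESYS hosts: {count_codesys_hosts(records)}",
             "Remote-service exposure (MITRE ATT&CK for ICS T0886, "
             "https://attack.mitre.org/techniques/T0886/):"]
    for svc, ips in sorted(triage(records).items()):
        lines.append(f"  {svc}: {len(ips)} host(s) -> {', '.join(ips)}")
        lines.append(f"    check: {REMOTE_SERVICES[svc]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RECORDS))
```

Feeding a real export is a matter of loading the JSON and passing the list of records to `report()`; hosts without the CODESYS service are skipped, matching the way the post's combined dorks only return CODESYS hosts.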

The importance of assessing the attack surface of ICS/OT environments using the MITRE ATT&CK for ICS matrix cannot be overstated. Asset owners are encouraged to adhere to the mitigations outlined on the MITRE website (https://attack.mitre.org/techniques/T0886/) to bolster their defenses against potential threats.

In closing, I invite you to explore our project, ICSRank — a unique tool tailored for the ICS/OT domain, exemplifying our commitment to enhancing ICS/OT cybersecurity. With its capabilities to Discover, Assess, and Secure, ICSRank stands as a vital resource in fortifying ICS/OT environments against cyber threats.
