OT Hunt: Moxa Nport

This is the second topic of “OT Hunt” . These topics expose ICS/OT devices that are connected to the internet. The goal is to build an awareness for the ICS community. This kind of research is also a warning message for asset owners and ICS/OT vendors to secure their their assets’ attack surfaces.

The following keywords/dorks I used to search for Moxa on Shodan search engine, please check out my ICS dorks project at GitHub:

moxa product:"Moxa Nport"

This search yielded 6,164 online Moxa devices. The results also showed “ICS” tag for each device (based on Shodan). In this research I focused on “Moxa Nport” and to be precise “MOXA NPort 5110”, becuase its used heavily in ICS/OT. The common port for this device is:

4800/UDP

Moxa Nport 5110 version is vulnerable and is listed on US-Cert ICS advisory. There are 2 risky vulnerabilities with a CVSS v3 score of 8.2 and 7.5 respectively.

ICSA-22-207-04

Moxa Nport is a server that is used to connect serial devices in an ICS/OT environment. There is an admin web interface and I found it online . See the image.

http://ip-address/moxa/Login.htm

That’s it for this for today’s topic. Stay safe.

Reference:

https://www.moxa.com/en/products/industrial-edge-connectivity/serial-device-servers/general-device-servers/nport-5100-series/nport-5110

https://zerontek.com/zt/2022/11/10/ot-hunt-moxa-nport/