OT Hunt: Moxa Nport
This is the second topic of “OT Hunt”. These topics expose ICS/OT devices that are connected to the internet. The goal is to build awareness for the ICS community. This kind of research is also a warning message for asset owners and ICS/OT vendors to secure their assets’ attack surfaces.
I used the following keywords/dorks to search for Moxa on the Shodan search engine; please check out my ICS dorks project on GitHub:
moxa product:"Moxa Nport"
This search yielded 6,164 online Moxa devices. The results also showed an “ICS” tag for each device (based on Shodan). In this research I focused on “Moxa Nport” and, to be precise, “MOXA NPort 5110”, because it's used heavily in ICS/OT. The common port for this device is:
4800/UDP
The Moxa Nport 5110 version is vulnerable and is listed in a US-CERT ICS advisory. There are 2 risky vulnerabilities with CVSS v3 scores of 8.2 and 7.5 respectively.
ICSA-22-207-04
Moxa Nport is a server that is used to connect serial devices in an ICS/OT environment. There is an admin web interface and I found it online. See the image.
http://ip-address/moxa/Login.htm
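For asset owners, one way to check perimeter logs for the two exposure indicators named in this post (4800/UDP and the `/moxa/Login.htm` admin page) is sketched below. This is an added example, not part of the original post; the CSV log layout, the function name, the trusted range and all addresses are constructed assumptions.

```python
import csv
import ipaddress

MOXA_UDP_PORT = 4800                 # port named in the post
MOXA_LOGIN_PATH = "/moxa/login.htm"  # admin page path from the post, lowercased

# Constructed sample log (assumed layout: time,src,dst,proto,dst_port,http_path)
SAMPLE_LOG = """\
2024-01-10T08:00:01Z,10.20.0.15,10.20.5.40,udp,4800,
2024-01-10T08:03:12Z,203.0.113.77,10.20.5.40,udp,4800,
2024-01-10T08:05:44Z,198.51.100.9,10.20.5.40,tcp,80,/moxa/Login.htm
2024-01-10T08:06:02Z,10.20.0.15,10.20.5.40,tcp,80,/moxa/Login.htm
2024-01-10T08:07:30Z,198.51.100.9,10.20.5.41,tcp,443,/index.html
not,a,valid,row
"""

def find_external_moxa_access(log_text, trusted_cidrs):
    """Return (time, src, dst, reason) for untrusted sources reaching NPort services."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for row in csv.reader(log_text.splitlines()):
        if len(row) != 6:
            continue  # skip malformed rows instead of aborting the audit
        when, src, dst, proto, port, path = (f.strip() for f in row)
        try:
            src_ip = ipaddress.ip_address(src)
            port_no = int(port)
        except ValueError:
            continue  # unparseable address or port
        if any(src_ip in net for net in trusted):
            continue  # engineering/maintenance networks are expected clients
        if proto.lower() == "udp" and port_no == MOXA_UDP_PORT:
            findings.append((when, src, dst, "4800/UDP from untrusted source"))
        elif path.split("?", 1)[0].lower() == MOXA_LOGIN_PATH:
            findings.append((when, src, dst, "admin login page from untrusted source"))
    return findings

if __name__ == "__main__":
    for finding in find_external_moxa_access(SAMPLE_LOG, ["10.20.0.0/16"]):
        print(*finding, sep="  ")
```

Any finding means the device is reachable from outside the trusted range and should be placed behind a firewall or VPN.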
That’s it for today’s topic. Stay safe.