OT Hunt: Unitronics PCOM/PLC

Sulaiman Alhasawi
2 min read, Dec 3, 2023

Refrain from connecting (all) PLCs to the internet. (WaterISAC)

This is the 10th topic of “OT Hunt”. These topics expose ICS/OT devices that are connected to the internet. The goal is to build awareness in the ICS community. This kind of research is also a warning message for asset owners and ICS/OT vendors to secure their assets’ attack surfaces.

In this article, the targets are the Unitronics PLC and the PCOM protocol. Unitronics is a company that specializes in the design and manufacturing of programmable logic controllers (PLCs) and human-machine interface (HMI) solutions. A Unitronics PLC is an industrial automation controller used in various industrial and manufacturing applications to control and automate processes. PCOM is the protocol that Unitronics PLCs use for communication.

I used the following keywords/dorks to search for Unitronics PLCs and the PCOM protocol in the Shodan search engine at the same time; please check out my ICS-OT-iIoT dorks project on GitHub:

Unitronics
Unitronics PCOM

The search for Unitronics yielded 1782 devices, which is a significant number of PLCs to find online. Just a few days ago, the count was 1765. Shodan has tagged them as ‘ICS.’ The PCOM protocol also appears among these results. The default port for the Unitronics PCOM protocol is:

20256 / TCP

Searching for these PLCs became popular in the ICS cybersecurity community following the Municipal Water Authority of Aliquippa incident. According to the CISA alert, the PLC device has a default password:

password: 1111

The CISA alert stated that the breach happened because those PLCs were connected to the internet and had weak passwords. CISA and WaterISAC gave recommendations for asset owners who have Unitronics PLCs.
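From the asset owner's side, the recommendation above can be turned into a simple check against your own perimeter logs: any flow where an outside address reaches the PCOM default port on an inside host means a PLC is exposed. The following Python is an added example, not code from the article or from Unitronics; the "src dst dport proto" flow format, the internal address ranges and the sample records are constructed for the example.

```python
import ipaddress

PCOM_TCP_PORT = 20256  # default Unitronics PCOM/TCP port named in the article

# Ranges treated as the plant's own network: an assumption for this example;
# an asset owner would substitute their real OT address ranges.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample flow records in a simplified "src dst dport proto" form
# (a hypothetical firewall export, not any real product's log format).
SAMPLE_FLOWS = """\
203.0.113.45 192.168.10.20 20256 tcp
192.168.10.5 192.168.10.20 20256 tcp
198.51.100.7 192.168.10.20 443 tcp
203.0.113.45 192.168.10.21 20256 tcp
198.51.100.7 192.168.10.20 20256 tcp
10.0.0.9 192.168.10.20 20256 udp
"""

def is_internal(addr: str) -> bool:
    """True if addr lies in one of the plant's own ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)

def find_exposed_pcom(flow_text: str) -> list:
    """Return (src, dst) pairs where an outside source reached TCP/20256 on an
    inside host, i.e. a PCOM listener that is reachable from the internet."""
    findings = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # skip malformed records
        src, dst, dport, proto = parts
        if proto.lower() != "tcp" or int(dport) != PCOM_TCP_PORT:
            continue
        if is_internal(src) or not is_internal(dst):
            continue  # plant-internal traffic, or not aimed at an inside host
        findings.append((src, dst))
    return findings

def exposed_plcs(flow_text: str) -> dict:
    """Map each exposed PLC address to the set of outside sources that reached it."""
    summary = {}
    for src, dst in find_exposed_pcom(flow_text):
        summary.setdefault(dst, set()).add(src)
    return summary
```

Running `exposed_plcs(SAMPLE_FLOWS)` reports two inside PLCs reached from outside addresses; the same logic applies to real flow exports once the field order is adapted.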

Luckily, I found an Nmap script, written by Luis Rosa, that is designed to collect device information from Unitronics PLCs via the PCOM protocol. I have uploaded it to my ICS-Security project on GitHub.

Let me demonstrate how I used it.

nmap --script pcom-discover.nse --script-args='pcom-discover.aggressive=true' -p 20256 <host>

I noticed that it takes a long time to get a result when I use --script-args, so I decided to remove it and executed the following command:

nmap --script pcom-discover.nse -p 20256 <host>

This gave an immediate result like this:

That’s it for today’s topic. Happy hacking!

https://zerontek.com/zt/2023/12/03/ot-hunt-unitronics-pcom-plc/
