OT Hunt: Yokogawa MW100

Sulaiman Alhasawi
Oct 2, 2022

I have long been thinking about other OT products that are exposed on the internet and have not yet been found or researched by the ICS security community: the type of OT products that haven’t been covered by existing tools such as Nmap, Wireshark, Metasploit, Shodan, etc. I don’t mean vulnerability research (CVEs for many OT vendors surely exist); my focus is on tools. My goal for this research is to contribute in this direction.

This morning I was reading an article about Yokogawa and Open Process Automation. My curiosity was immediately sparked, and I typed “yokogawa” into the Shodan search engine. It’s my favorite search engine for ICS so far, and I have a long relationship with it. I got only 26 results, nothing much. There were a number of ports. I was interested only in ICS ports, or ports that expose ICS devices. I found that Shodan labeled one of the results as “ICS”. Bingo! I examined it and found the following information:

You can see it looks like an OT device or a device that is used for OT operations. The product name is “MW100”. A Google search gave the following: its full name is DAQMaster MW100. I found out it’s a data acquisition and data-logging software that is used for acquiring and monitoring data. It also connects remotely (for I/O purposes) to devices such as PLC, DCS, and SCADA, and supports various protocols such as Modbus RTU, Modbus TCP, WITS, EtherNet/IP, and DNP3. Sounds interesting?!

I checked its official website, and it’s labeled as a discontinued product! It’s also labeled as “deprecated” under the “Device type” metadata in Shodan. MW100 uses port 44818 by default according to its documentation. Why is it still online despite being deprecated? Shodan labeled the host that has “MW100” as “ICS”, but I noticed that it didn’t label another host as “ICS” because MW100 used a UDP port:

When I typed the IP addresses for both hosts (TCP/UDP results), I was taken to a web interface that allows you to read and possibly write data (I didn’t attempt it). The URL looks like http://ip-address/web/index.shtm or http://ip-address/web/mon_dg.shtm.

To sum up, OT devices that are not yet researched, as well as expired OT devices, can be found online by search engines. Some of them have web interfaces that expose information or enable editing due to poor configuration. Sometimes Shodan doesn’t classify ICS devices as “ICS”. I hope that asset owners pay attention to their assets’ web presence. This is the first topic of my “OT Hunt” project. Stay tuned for the next topics.
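For asset owners, one way to act on this is to audit perimeter flow logs for outside traffic reaching the MW100 port on both TCP and UDP, or its web pages. This is an added example, not part of the original post; the log format, the site network range, and the sample records are constructed assumptions.

```python
import ipaddress

# Values taken from the post: MW100 default port and its web UI paths.
MW100_PORT = 44818
MW100_PATHS = ("/web/index.shtm", "/web/mon_dg.shtm")

# Assumption: the plant's own address space. Replace with your real ranges.
SITE_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed flow records in a hypothetical format:
# "<src_ip> <dst_ip> <proto> <dst_port> <http_path or ->"
SAMPLE_FLOWS = """\
198.51.100.7 10.20.0.15 tcp 44818 -
10.20.0.40 10.20.0.15 tcp 44818 -
203.0.113.9 10.20.0.16 udp 44818 -
203.0.113.9 10.20.0.16 tcp 80 /web/mon_dg.shtm
192.0.2.33 10.20.0.99 tcp 443 /index.html
"""

def is_external(ip):
    """True when the address is outside every configured site network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in SITE_NETS)

def find_exposures(flow_text):
    """Return {internal_ip: sorted reasons} for flows arriving from outside."""
    findings = {}
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue  # skip malformed records
        src, dst, proto, port, path = parts
        if not is_external(src) or is_external(dst):
            continue  # only outside-to-inside traffic matters here
        reasons = findings.setdefault(dst, set())
        # Check UDP as well as TCP: the post's second host was UDP-only.
        if int(port) == MW100_PORT and proto in ("tcp", "udp"):
            reasons.add(f"{proto}/{MW100_PORT} reachable from outside")
        if path in MW100_PATHS:
            reasons.add(f"web UI {path} requested from outside")
    return {dst: sorted(r) for dst, r in findings.items() if r}

if __name__ == "__main__":
    for host, reasons in find_exposures(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(reasons))
```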

https://zerontek.com/zt/2022/10/01/yokogawa-mw100/
