Team82’s research agenda in 2022 reflected our commitment to securing the software and firmware at the heart of connected cyber-physical systems.
Our work has evolved beyond a 100% focus on operational technology to include the breadth of the Extended Internet of Things (XIoT). In 2022, we privately disclosed and reported on 119 vulnerabilities affecting some of the biggest automation, healthcare, and IoT providers in the world. We worked hard to establish relationships with these companies, refine coordinated vulnerability disclosure, and ensure the security of products central to the services critical to our way of life.
We’d like to recap Team82’s year and focus on some of our favorite research, interactions with the security community via conference talks, and open source tools.
In 2022, Team82 prioritized understanding exploitable weaknesses in programmable logic controllers (PLCs), the true hub of industrial automation processes across critical industries. The three research blogs linked below span the spectrum of threats to PLCs: innovations in attack techniques that advanced adversaries could use to disrupt processes, and the possible consequences of attacks against these devices.
Hiding Code on Rockwell Automation PLCs:
Summary: Two vulnerabilities that could enable attackers to download modified code to a PLC, while an engineer at their workstation would see a process running as expected, reminiscent of Stuxnet and the Rogue7 attacks.
The Race to Native Code Execution in PLCs:
Summary: Team82 developed a new, innovative method to extract heavily guarded, hard-coded, global private cryptographic keys embedded within the Siemens SIMATIC S7-1200/1500 PLC and TIA Portal product lines. This research was presented at the S4x22 Conference.
EvilPLC Attack: Using a Controller as Predator Rather Than Prey:
Summary: Another novel attack that weaponizes programmable logic controllers (PLCs) in order to exploit engineering workstations and further invade OT and enterprise networks. Download the full report here (free PDF). This attack was also demonstrated at DEF CON.
Blinding Snort: Breaking the MODBUS OT Preprocessor: An integer-overflow vulnerability that could cause the Snort Modbus OT preprocessor to enter an infinite while loop, blinding Snort to traffic and preventing it from generating alerts.
Securing OT Network Management Systems: Siemens SINEC NMS: We chained two of the 15 vulnerabilities we found in the NMS to show how an attacker could ultimately execute code remotely on the system.
An Oil and Gas Weak Spot: Flow Computers: A path-traversal vulnerability in ABB TotalFlow flow computers and controllers allowed attackers to inject and execute arbitrary code. This research was presented at BSides Tel Aviv.
Exploiting URL Parsing Confusion: A Team82-Snyk collaboration researching 16 URL parsing libraries.
Splunk Patches Indexer Vulnerability: A Splunk indexer vulnerability that could leak memory.
With Management Comes Risk: Finding Flaws in Filewave MDM: Two remotely exploitable vulnerabilities were discovered in this popular mobile device management platform.
Jumping NAT to Shut Down Electric Devices: Multiple vulnerabilities were found in Dataprobe’s iBoot PDU power distribution unit, impacting datacenters worldwide.
JS-ON, Security-Off: Abusing JSON-based SQL to Bypass WAF: A unique, generic web application firewall bypass affecting five leading WAF vendors was disclosed. This research was also presented at Black Hat EU.
Team82 also took part in important hacking competitions across the globe. While there is notoriety associated with these events, the main objective of these contests is to find previously undiscovered vulnerabilities, enter into a coordinated disclosure process with the affected vendor, and get these bugs fixed. Here’s a review of our participation in 2022.
Team82 won the S4x22 Capture the Flag event, accumulating 2500 points over two days to best the competition. Team82 donated its prize money to charity.
Team82 finished in third place overall in the ICS version of the Pwn2Own event held alongside S4x22 in Miami. We competed in a number of categories, including OPC UA, HMI/SCADA, Control Servers, and Data Gateways.
Team82 finished in first place at the CISA-sponsored ICS Joint Working Group competition. The JWG facilitates communication between critical infrastructure operators in the U.S.
Director of research Sharon Brizinov competed at Pwn2Own Toronto, an IoT-centric version of Pwn2Own. Team82 found and exploited zero-day vulnerabilities in two vendors’ NAS products and a popular small office and home router.
Team82 often develops its own research tools to aid in its dissection and observation of leading automation, IoT, and healthcare devices. Some of these tools have great value to the security and research community as a whole, and we happily and freely share them. Here are two we made available in 2022.
A custom, generic EtherNet/IP and CIP stack detection tool that serves a number of use cases for cybersecurity researchers, OT engineers, and asset owners by helping them identify and classify commercial and homegrown products that reuse the same third-party ENIP stack code.
This research was presented at the SANS ICS Conference.
Arya is a tailor-made EICAR that can be used to generate custom-made, pseudo-malware files to trigger antivirus and endpoint detection and response tools just like the good old EICAR test file. Arya has a number of use cases, including malware research, YARA rule QA testing, and pressure testing a network with code samples built from YARA rules.
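As an added illustration of the idea behind Arya (this is not Arya's own code), the following Python sketch pulls the plain-text and fixed-byte hex strings out of a YARA rule, assembles an inert file that carries all of them, and checks an "all of them" condition against it. The rule is constructed for the example; string modifiers, escape sequences and hex wildcards are deliberately unsupported.

```python
import re
from typing import Dict

# Constructed YARA rule for illustration (not from Arya or any real ruleset):
# two plain-text strings plus one fixed-byte hex string, all required by the condition.
SAMPLE_RULE = r'''
rule Constructed_Test_Sample
{
    strings:
        $txt1 = "CONSTRUCTED-TEST-MARKER-ONE"
        $txt2 = "http://sample.invalid/marker"
        $hex1 = { 4D 5A 90 00 03 00 }
    condition:
        all of them
}
'''

# Only the simple forms are handled: quoted text without escapes or modifiers
# (no 'wide', 'nocase', ...) and hex strings without wildcards or jumps.
_TEXT_RE = re.compile(r'^\s*(\$\w+)\s*=\s*"([^"\\]*)"\s*$', re.M)
_HEX_RE = re.compile(r'^\s*(\$\w+)\s*=\s*\{([0-9A-Fa-f\s]*)\}\s*$', re.M)

def extract_strings(rule: str) -> Dict[str, bytes]:
    """Return {identifier: bytes} for every string the rule declares."""
    found = {name: text.encode("ascii") for name, text in _TEXT_RE.findall(rule)}
    for name, body in _HEX_RE.findall(rule):
        found[name] = bytes.fromhex("".join(body.split()))
    return found

def build_test_file(strings: Dict[str, bytes], filler: bytes = b"\x00" * 16) -> bytes:
    """Join every declared string with inert filler: harmless data that still
    carries each pattern the rule looks for, in the spirit of the EICAR file."""
    return filler.join(strings[name] for name in sorted(strings)) + filler

def rule_matches(rule: str, data: bytes) -> bool:
    """Emulate an 'all of them' condition: every declared string must be present."""
    patterns = extract_strings(rule)
    return bool(patterns) and all(p in data for p in patterns.values())

def make_sample(rule: str = SAMPLE_RULE) -> bytes:
    """Generate the pseudo-malware test file for a rule."""
    return build_test_file(extract_strings(rule))
```

Feeding the generated file to a scanner loaded with the same rule is the QA check: a rule that does not fire on its own synthesized sample is mis-written.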
Finally, Team82 was recognized for its work on numerous fronts. We’re humbled by these honors and would like to call attention to two in particular.
Sharon Brizinov was named the SANS Institute’s Researcher of the Year during its Difference Makers Awards ceremony. See the announcement here.
Team82 was ranked No. 1 in Israel’s Responsible Weakness Discovery Program, recognizing its efforts to protect the nation’s cyber presence.
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 could allow an attacker to impersonate the web application service and mislead victim clients.
Optigo Networks recommends that users upgrade to the following:
CVSS v3: 7.5
CWE-288 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain an exposed web management service that could allow an attacker to bypass authentication measures and gain control over utilities within the products.
Optigo Networks recommends that users upgrade to the following:
CVSS v3: 9.8
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard-coded secret key. This could allow an attacker to generate valid JWT (JSON Web Token) sessions.
Optigo Networks recommends that users upgrade to the following:
CVSS v3: 7.5
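To show why a hard-coded JWT signing secret is a CWE-547 problem, here is an added example that is not Optigo's code: a minimal HS256 sign/verify pair, the shared-constant pattern (the key value is a constructed placeholder), and the per-installation random key that replaces it.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the signature verifies under `key`, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # the verifier fixes the algorithm; 'none' and others are rejected
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError, AttributeError):
        return None

# CWE-547 pattern: one constant compiled into every copy of the product, so anyone who
# recovers it can mint tokens for any installation (constructed placeholder, not a real key).
HARDCODED_KEY = b"constructed-placeholder-shared-by-every-install"

def new_installation_key() -> bytes:
    """Hardened pattern: a random key generated at setup and stored outside the code."""
    return secrets.token_bytes(32)

def demo() -> tuple:
    claims = {"sub": "operator", "role": "admin"}
    shared = verify_hs256(sign_hs256(claims, HARDCODED_KEY), HARDCODED_KEY) is not None
    key_a, key_b = new_installation_key(), new_installation_key()
    token_a = sign_hs256(claims, key_a)
    # A token minted for installation A must not verify on installation B.
    return shared, verify_hs256(token_a, key_a) == claims, verify_hs256(token_a, key_b) is None
```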
CWE-912 HIDDEN FUNCTIONALITY:
The "update" binary in the firmware of the affected product attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function triggers if the 'C' button is pressed at a specific time during the boot process. If an attacker is able to control or impersonate this IP address, they could upload and overwrite files on the device.
Per FDA recommendation, CISA recommends users remove any Contec CMS8000 devices from their networks.
If asset owners cannot remove the devices from their networks, they should block 202.114.4.0/24 from their networks, or block 202.114.4.119 and 202.114.4.120 individually.
Please note that this device may be re-labeled and sold by resellers.
Read more here: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated…
CVSS v3: 7.5
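An added detection example (not from CISA or Contec) that applies the advisory's block list to connection records: the addresses are the ones named above, while the record layout and the sample flows are constructed.

```python
import ipaddress
from typing import List, Tuple

# Values taken from the advisory's mitigation guidance.
BLOCK_RANGE = ipaddress.ip_network("202.114.4.0/24")
BLOCK_HOSTS = {ipaddress.ip_address("202.114.4.119"), ipaddress.ip_address("202.114.4.120")}

def is_blocked_destination(dst: str, whole_range: bool = True) -> bool:
    """True if `dst` should be blocked: the entire /24, or only the two named hosts
    when an operator chooses the narrower option the advisory offers."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return False
    return ip in BLOCK_RANGE if whole_range else ip in BLOCK_HOSTS

# Constructed flow records in an assumed "timestamp src dst proto dport" layout.
SAMPLE_FLOWS = """\
2025-02-01T10:00:01Z 10.20.30.41 202.114.4.119 tcp 2049
2025-02-01T10:00:02Z 10.20.30.41 10.20.30.1 udp 53
2025-02-01T10:00:03Z 10.20.30.42 202.114.4.77 tcp 111
2025-02-01T10:00:04Z 10.20.30.43 203.0.113.9 tcp 443
"""

def find_suspect_flows(flows: str, whole_range: bool = True) -> List[Tuple[str, str, str]]:
    """Return (timestamp, src, dst) for every flow whose destination is on the block list.
    A hit from a monitor's address means the hidden mount path was exercised."""
    hits = []
    for line in flows.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        ts, src, dst = fields[:3]
        if is_blocked_destination(dst, whole_range):
            hits.append((ts, src, dst))
    return hits
```

Run over exported flow logs, the narrower list catches only the two hosts, so the /24 option is the safer one to monitor and enforce.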
CWE-295 IMPROPER CERTIFICATE VALIDATION:
The affected product is vulnerable because its update mechanism fails to verify the update server's certificate, which could allow an attacker to alter network traffic and carry out a machine-in-the-middle (MITM) attack. An attacker could modify the server's response and deliver a malicious update to the user.
Medixant recommends users download the v2025.1 or later version of their software.
CVSS v3: 5.7
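As an added example (not Medixant's code), the non-verifying TLS setting the advisory describes beside the corrected one, plus an out-of-band digest check on the downloaded update; the update URL and digest are placeholders.

```python
import hashlib
import hmac
import ssl
import urllib.request
from typing import Optional

def insecure_context() -> ssl.SSLContext:
    """The weak setting: chain and hostname checks are off, so any host that can
    redirect traffic can stand in for the update server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Corrected setting: verify the chain against a trusted CA bundle and the hostname."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def context_is_safe(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED

def digest_matches(data: bytes, expected_sha256: str) -> bool:
    """Second line of defense: compare the download against a digest obtained out of band
    (e.g. published by the vendor), so a tampered body is rejected even if TLS is mis-set."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_sha256.lower())

def fetch_update(url: str, expected_sha256: str, ctx: Optional[ssl.SSLContext] = None) -> bytes:
    """Download an update over a verifying TLS context and refuse it on digest mismatch."""
    ctx = ctx or hardened_context()
    if not context_is_safe(ctx):
        raise ValueError("refusing to fetch updates over a non-verifying TLS context")
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        data = resp.read()
    if not digest_matches(data, expected_sha256):
        raise ValueError("update digest mismatch")
    return data
```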