[CDP-development] TLP:GREEN - (Vulnerability Alert Notification) - Unitronics Vision PLC and HMI Insecure Default Password

CSS Security Operations Services * DAS css-soc-services at das.oregon.gov
Tue Dec 12 14:16:53 PST 2023


Good afternoon,

The SOC Services team is reporting on the vulnerability: CVE-2023-6448: Unitronics Vision PLC and HMI Insecure Default Password. Due to its high visibility and knowledge of the software installed in the state environment, we are providing this in-depth information:

History: On December 12, 2023, CISA added CVE-2023-6448 to the Known Exploited Vulnerabilities Catalog.

Unitronics has not provided additional details about the vulnerability, so no vendor-provided information is available at this time.

Intelligence: On November 27, 2023, the Municipal Water Authority of Aliquippa in Pennsylvania was attacked by an Iranian-backed cyber group called CyberAv3ngers. The actors were able to gain control of a remote booster station serving two townships. On November 28, 2023, CISA stated they were responding to the incident and that there was no known risk to the municipality's drinking water or water supply.

Workarounds: There are no workarounds at this time, please see Recommended Actions.

How it works: CISA had this to say about the exploitation of the vulnerability in Pennsylvania: "The cyber threat actors likely accessed the affected device, a Unitronics Vision Series PLC with a Human Machine Interface (HMI), by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet."

Post-Exploit: Upon successful exploitation of the vulnerability, a threat actor could gain control of Unitronics Vision Series PLC devices.

As of December 12, 2023, there are no available Tenable plugins and no plugins in the pipeline.

Recommended Actions:

  *   Change all default passwords on PLCs and HMIs and use a strong password. Ensure the Unitronics PLC default password "1111" is not in use.
  *   Require multifactor authentication for all remote access to the OT network, including from the IT network and external networks.
  *   Disconnect the PLC from the open internet. If remote access is necessary, control network access to the PLC.

     *   Implement a firewall/VPN in front of the PLC to control network access to the remote PLC. A VPN or gateway device can enforce multifactor authentication for remote access even if the PLC itself does not support multifactor authentication. Unitronics also offers a secure, cellular-based long-haul transport device that connects to their cloud services.
     *   Use an allowlist of IPs for access.

  *   Back up the logic and configurations on any Unitronics PLCs to enable fast recovery. Become familiar with the process for factory resetting and deploying configurations to a device in the event of being hit by ransomware.
  *   If possible, use a TCP port other than the default port TCP 20256. Cyber actors are actively targeting TCP 20256 after identifying it through network probing as a port associated with Unitronics PLCs. Once identified, they leverage scripts specific to PCOM/TCP to query and validate the system, allowing for further probing and connection. If available, use PCOM/TCP filters to inspect and filter the packets.
  *   Update PLC/HMI to the latest version provided by Unitronics.
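Several of the actions above (disconnect from the open internet, allowlist source IPs, watch for probing of TCP 20256) can be monitored from the firewall in front of the PLC. The script below is an added example written for this notification; it is not tooling from the SOC, CISA or Unitronics. It reviews constructed firewall log lines and flags any accepted PCOM/TCP connection (port 20256) from a source outside a hypothetical allowlist as high severity, and any dropped attempt from an outside source as an informational probe. The log format, the allowlist networks and the sample addresses are all assumptions.

```python
"""Review firewall logs for PCOM/TCP (20256) access from outside an allowlist.

Added example for this advisory; not SOC, CISA or Unitronics tooling. The log
format, allowlist and sample lines below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Default Unitronics PCOM/TCP port named in the recommended actions.
PCOM_TCP_PORT = 20256

# Hypothetical allowlist: the VPN/gateway concentrator subnet and one
# engineering workstation. Replace with the real approved sources.
ALLOWLIST = [
    ipaddress.ip_network("10.10.5.0/24"),
    ipaddress.ip_network("192.0.2.7/32"),
]

# Constructed log format (one connection per line):
#   <timestamp> <ACCEPT|DROP> src=<ip> dst=<ip> dpt=<port> proto=<tcp|udp>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+dpt=(?P<dpt>\d+)\s+proto=(?P<proto>\w+)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    severity: str  # "high" for accepted outside access, "info" for blocked probes
    reason: str


def is_allowlisted(ip: str) -> bool:
    """True if the source address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def review_log(lines: Iterable[str]) -> List[Finding]:
    """Return findings for PCOM/TCP traffic that did not come from the allowlist."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; production tooling should count these
        if m["proto"].lower() != "tcp" or int(m["dpt"]) != PCOM_TCP_PORT:
            continue  # only the PLC management port is of interest here
        if is_allowlisted(m["src"]):
            continue  # approved remote-access path (VPN/gateway or engineering host)
        if m["action"] == "ACCEPT":
            findings.append(Finding(m["ts"], m["src"], m["dst"], "high",
                                    "PCOM/TCP accepted from non-allowlisted source; PLC reachable from outside"))
        else:
            findings.append(Finding(m["ts"], m["src"], m["dst"], "info",
                                    "blocked PCOM/TCP attempt; port 20256 is being probed"))
    return findings


# Constructed sample: one approved engineer, one accepted outside connection,
# one blocked probe, one unrelated port, one garbage line.
SAMPLE_LOG = [
    "2023-12-12T08:01:02Z ACCEPT src=10.10.5.21 dst=10.20.0.15 dpt=20256 proto=tcp",
    "2023-12-12T08:05:44Z ACCEPT src=198.51.100.9 dst=10.20.0.15 dpt=20256 proto=tcp",
    "2023-12-12T08:05:45Z DROP src=203.0.113.4 dst=10.20.0.15 dpt=20256 proto=tcp",
    "2023-12-12T08:06:00Z ACCEPT src=198.51.100.9 dst=10.20.0.15 dpt=443 proto=tcp",
    "not a firewall line",
]

if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.src} -> {f.dst}: {f.reason}")
```

A "high" finding here means the firewall/VPN in front of the PLC is not actually restricting access as the recommended actions require; the "info" findings give a count of how often the port is being probed, which is useful evidence when deciding whether to move the PLC off TCP 20256.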


Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."

