Rockwell Automation says a new remote code execution (RCE) exploit tied to an unnamed Advanced Persistent Threat (APT) group could be used to target unpatched ControlLogix communication modules commonly used in the manufacturing, electricity, oil and gas, and liquefied natural gas industries.
The company has partnered with the US Cybersecurity and Infrastructure Security Agency (CISA) to analyze the exploit linked to APT threat actors, but it has yet to share how the exploit was obtained.
“Rockwell Automation, in coordination with the U.S. government, has analyzed a new exploit capability assigned to Advanced Persistent Threat (APT) actors affecting certain communications modules,” the company says in a security advisory accessible only after login.
“We are not aware of any current exploitation leveraging this capability, and the projected victimization remains unclear.”
The targeted vulnerability (tracked as CVE-2023-3595) is caused by an out-of-bounds write weakness that may allow attackers to achieve remote code execution or trigger denial-of-service conditions via maliciously crafted CIP messages.
After successful exploitation, malicious actors could also manipulate module firmware, erase module memory, alter data traffic to and from the module, establish persistent control, and potentially impact the industrial process the module controls.
“This could result in destructive actions where vulnerable modules are installed, including critical infrastructure,” Rockwell added.
Customers are encouraged to patch all affected products
Rockwell strongly advises applying the security patches it has released for all affected products (including those no longer supported). It also provides detection rules to help defenders identify exploitation attempts within their networks.
CISA has also published an advisory warning Rockwell customers to patch the critical RCE vulnerability to thwart potential attacks.
“Knowing about a vulnerability belonging to APT before it is exploited is a rare proactive defense opportunity for critical industry sectors,” said the industrial cybersecurity company Dragos, which also analyzed the APT exploit.
“We know there is an exploit belonging to an unknown APT and we have not seen or are aware of any exploit in the wild,” Kevin Woolf, senior threat analyst at Dragos, told BleepingComputer.
According to Dragos, the level of access facilitated by the CVE-2023-3595 vulnerability is similar to the zero-day exploited by the Russian-linked XENOTIME threat group, which used the TRISIS (aka TRITON) destructive malware against Schneider Electric Triconex ICS equipment in the 2017 attacks.
“Previous cyber activity by threat actors involving industrial systems suggests a high likelihood that these capabilities were developed for the purpose of targeting critical infrastructure and that the reach of victims may include international customers,” Rockwell also warned.
“Threat activity is subject to change and customers using the affected products could face serious risks if exposed.”