Iranian IRGC-affiliated CyberAv3ngers have targeted Unitronics Vision Series PLCs used in water and wastewater facilities in the U.S. and other sectors, leveraging exposed internet-facing devices with default passwords to deface interfaces and potentially disrupt operations; the advisory provides IOCs, MITRE mappings, and mitigations to defend OT environments. #CyberAv3ngers #Unitronics #WaterWastewater #IRGC #CVE-2023-6448 #Crucio
Keypoints
- IRGC-affiliated CyberAv3ngers are actively targeting Unitronics Vision Series PLCs across critical infrastructure, including U.S. water and wastewater facilities.
- Attacks have exploited default credentials on internet-facing PLCs, enabling unauthorized access and device defacement.
- Defacement messages explicitly state anti-Israel sentiment, signaling broader cyber-physical impact potential beyond mere access.
- CVE-2023-6448 was assigned to address default passwords, with Unitronics releasing a patch in VisiLogic 9.9.00.
- The campaign spans multiple states and exemplifies compromises of OT devices exposed to the internet, not limited to the water sector.
- Mitigations emphasize MFA, VPN/firewall in front of PLCs, secure backups, regular updates, and secure-by-design practices by manufacturers.
MITRE Techniques
- [T1110] Brute Force Techniques β Threat actors obtained login credentials, which they used to successfully log into Unitronics devices and provide root-level access. (βThreat actors obtained login credentials, which they used to successfully log into Unitronics devices and provide root-level access.β)
Indicators of Compromise
- [MD5] hash β BA284A4B508A7ABD8070A427386E93E0
- [SHA1] hash β 66AE21571FAEE1E258549078144325DC9DD60303
- [SHA256] hash β 440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3
- [IP Address] β 178.162.227[.]180
- [IP Address] β 185.162.235[.]206
Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a