Advisory

April 15, 2024: Unitronics PLCs: 8 high-critical vulnerabilities

Global Impact (at time of dissemination)

• 580 publicly-exposed Unitronics PLCs

Top affected countries:
1. US
2. Belgium
3. Australia
4. Netherlands
5. Israel
Summary

In light of escalating tensions amid Iran’s recent retaliation on Israel on Saturday April 11, 2024, Censys strongly advises organizations to take proactive measures to prepare for potential cyber repercussions. This is especially crucial for Industrial Control Systems devices, like Unitronics Programmable Logic Controllers (PLCs), which have been previously targeted in the US by Iranian threat actor groups.

Last November, CISA issued an alert regarding the exploitation of publicly exposed Israeli-manufactured Unitronics PLCs in U.S. Water Systems networks by the Iranian APT group “CyberAv3ngers.” The threat group leveraged weak and default passwords to gain control over the Aliquippa Water Authority’s devices and interfere with operations.

On March 18, 2024, Unitronics patched eight new vulnerabilities in Unistream PLCs affecting all versions prior to 1.35.227, ranging from high to critical severity.

Asset Description
PLCs are network interfaces to operational technology (OT) and physical operations that can control when operations begin or end. As was evidenced in the Aliquippa water hack, critical infrastructure’s reliance on OT often means relying on PLCs. These physical operations and OT are often used to control and monitor large-scale industrial processes that support communities. It is generally accepted security practice to ensure these PLCs are not directly accessible on the public internet, and organizations should prioritize security measures that prevent this and other forms of PLC interference.

Impact

Potential Consequences of Successful Exploitation

Locating exposed PLCs on the internet is straightforward for threat actors, and exploiting default passwords is equally easy.
Regarding the recently disclosed March vulnerabilities, according to the team that discovered them, the eight vulnerabilities “could allow an attacker to bypass native authentication and authorization features in the product, and can be chained to gain remote code execution.” In other words, these vulnerabilities may have been sufficient for attackers to overtake Unitronics PLCs yet again.
In the water and wastewater sector attacks, the potential consequences of interrupted operations, given the facilities’ reliance on compromised PLCs, could have jeopardized the ability of water facilities to deliver clean water and manage waste, thereby disrupting lives.

Affected Assets

According to the discoverer, Claroty, these vulnerabilities affect all Unitronics PLCs earlier than version 1.35.227.
Censys’ Rapid Response Team was able to identify exposed Unitronics Unistream PLCs. Below are methods for Censys ASM customers to locate any exposed Unitronics PLCs in their environments; for specific versions, Censys recommends owners investigate these assets directly. Regardless of version, it is advisable that any publicly facing PLC be removed from the public internet.
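The advisory gives two triage criteria: firmware earlier than 1.35.227 and direct reachability from the internet. The script below is an added example (not Censys tooling or the Unitronics vendor’s code) that applies both criteria to an asset inventory exported from your own records. It assumes hypothetical records with `site`, `ip` and `version` fields, and it compares versions numerically, since a plain string comparison would rank 1.35.9 above 1.35.227 and silently miss affected devices.

```python
import ipaddress
from typing import Iterable

# Version threshold taken from the advisory: every UniStream firmware
# earlier than this is affected by the eight March 2024 vulnerabilities.
FIXED_VERSION = "1.35.227"

# Address ranges treated as internal. Anything outside these is assumed
# to be potentially internet-reachable and is flagged for review.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private space
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
)]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted version string into an integer tuple so that
    1.35.9 sorts before 1.35.227 (string comparison gets this wrong)."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the firmware is earlier than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(inventory: Iterable[dict]) -> list[dict]:
    """Return inventory entries that are affected, exposed, or both.

    Devices that are both affected and reachable from outside get priority P1;
    devices meeting only one criterion get P2; the rest are dropped.
    """
    findings = []
    for rec in inventory:
        affected = is_affected(rec["version"])
        exposed = not is_internal(rec["ip"])
        if affected or exposed:
            findings.append({
                **rec,
                "affected": affected,
                "exposed": exposed,
                "priority": "P1" if (affected and exposed) else "P2",
            })
    # Stable sort keeps inventory order within each priority band.
    findings.sort(key=lambda f: f["priority"])
    return findings


# Constructed sample inventory (hypothetical sites and addresses, not real data).
SAMPLE_INVENTORY = [
    {"site": "pump-station-a", "ip": "203.0.113.10", "version": "1.35.9"},
    {"site": "plant-b",        "ip": "10.20.30.40",  "version": "1.35.9"},
    {"site": "plant-c",        "ip": "198.51.100.7", "version": "1.35.227"},
    {"site": "lab",            "ip": "192.168.1.5",  "version": "1.36.0"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['priority']} {f['site']:<16} {f['ip']:<14} "
              f"v{f['version']:<9} affected={f['affected']} exposed={f['exposed']}")
```

Feed it the same fields from your asset system or from an ASM export; the P1 rows are the devices to take offline or firewall first, while P2 rows still need either a firmware update or removal from the public internet, as the advisory recommends for any PLC regardless of version.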

Censys ASM Risk Name for Potentially Vulnerable Devices
“Exposed Unitronics UniStream PLC”
Assets matching the risk above, that is, exposed Unitronics Unistream PLCs associated with your organization, will appear in your ASM workspace within approximately 24 hours.

Censys ASM Query for Exposed Assets
This query is shared for customers who wish to refine or alter versioning for customized operations.

Censys Search Queries
Censys Search queries are shared directly with Censys customers. If you would like to obtain the Censys query to identify global instances related to this issue, or need help, please contact us.

Recommendations for remediation

If you need assistance in positively identifying these assets, please let us know.