Four new zero-day attacks were observed hitting an Industrial Control Systems honeypot that security researchers set up to observe attackers. Industrial Control Systems (ICS) manage a wide range of critical processes, such as chemical processing, power generation, and building automation. Vulnerabilities in these systems are rarely patched by vendors or users, and few industrial protocols use authentication or encryption. To examine the security threats to industrial systems, the researchers used a network of 120 high-interaction honeypots, fake industrial infrastructure, across 22 countries to impersonate programmable logic controllers (PLCs) and remote terminal units (RTUs).
Over 13 months, the researchers identified 80,000 interactions with the honeypots, nine of which made malicious use of an industrial protocol (IEC-104, S7comm, or Modbus). Four of the nine used previously unknown attacks, or zero-days, against devices running common ICS protocols such as S7comm and Modbus; the attack types include denial-of-service and command-replay attacks. For most of the attacks, the source Internet Protocol (IP) address was active only for the attack itself, and the honeypot network had no record of other interactions from that address. For three of the attacks, however, consistent activity was observed from the source IP address. The IP addresses used for the attacks were observed to originate in Vietnam, Ukraine, and Seychelles.
According to the researchers at the Department of Computer Science and Technology at the University of Cambridge, had the attacks been used against a real device, they would either have shut the system down completely for the duration of the attack or rendered it unable to communicate over the network. Additionally, the command-replay attack identified by the researchers succeeded against a device whose manufacturer claimed replay protection. According to the published report, the vulnerabilities and exploits associated with the protocols were disclosed to the device manufacturers, and public disclosure is being negotiated.
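To make concrete why command replay and request floods work against an unauthenticated protocol like Modbus/TCP, and what a honeypot operator can flag, the following is an added example, not code from the Cambridge researchers or their honeypot, and it reproduces none of the reported zero-days. It parses Modbus/TCP frames and runs a simple triage pass over a constructed capture (the addresses are RFC 5737 documentation ranges, the frames are built here, and the alert thresholds are arbitrary assumptions). The point it shows is that a Modbus/TCP request carries nothing that ties it to a sender or a session, so an identical write frame arriving later from another host is indistinguishable from the original to the PLC and can only be caught by something watching the traffic.

```python
import collections
import struct
from dataclasses import dataclass

# A Modbus/TCP ADU is a 7-byte MBAP header (transaction id, protocol id = 0,
# length, unit id) followed by the PDU (function code + data). No field
# authenticates the sender or binds the request to a session, so a captured
# write request resent byte-for-byte is acted on like the original.

FUNCTION_NAMES = {1: "Read Coils", 3: "Read Holding Registers",
                  5: "Write Single Coil", 6: "Write Single Register",
                  15: "Write Multiple Coils", 16: "Write Multiple Registers"}
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass(frozen=True)
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes

    @property
    def is_write(self) -> bool:
        return self.function in WRITE_FUNCTIONS


def parse_modbus_tcp(adu: bytes) -> ModbusFrame:
    """Decode one Modbus/TCP ADU; raise ValueError if it is malformed."""
    if len(adu) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", adu[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if len(adu) != 6 + length:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return ModbusFrame(tid, uid, adu[7], adu[8:])


def build_adu(tid: int, unit: int, pdu: bytes) -> bytes:
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def write_single_register(tid, unit, addr, value) -> bytes:
    return build_adu(tid, unit, struct.pack(">BHH", 6, addr, value))


def read_holding_registers(tid, unit, addr, count) -> bytes:
    return build_adu(tid, unit, struct.pack(">BHH", 3, addr, count))


def analyze_capture(events, flood_threshold=50, window=1.0):
    """Triage (timestamp, src_ip, adu_bytes) events in time order.

    Flags every write (no write to an internet-facing decoy is legitimate), any
    write ADU that reappears byte-for-byte (command replay, reused transaction
    id included), and any source sending flood_threshold requests per window.
    """
    alerts = []
    first_write = {}                                     # adu bytes -> (ts, src)
    recent = collections.defaultdict(collections.deque)  # src -> timestamps
    for ts, src, adu in events:
        try:
            frame = parse_modbus_tcp(adu)
        except ValueError as err:
            alerts.append(f"{src}: malformed frame ({err})")
            continue
        stamps = recent[src]
        stamps.append(ts)
        while ts - stamps[0] > window:
            stamps.popleft()
        if len(stamps) == flood_threshold:
            alerts.append(f"{src}: {flood_threshold} requests within {window}s (possible DoS)")
        if frame.is_write:
            name = FUNCTION_NAMES.get(frame.function, f"function {frame.function}")
            if adu in first_write:
                seen_ts, seen_src = first_write[adu]
                alerts.append(f"{src}: replayed {name} (tid={frame.transaction_id}) "
                              f"first sent by {seen_src} at t={seen_ts}")
            else:
                first_write[adu] = (ts, src)
                alerts.append(f"{src}: {name} to unit {frame.unit_id} (tid={frame.transaction_id})")
    return alerts


def constructed_capture():
    """Constructed sample traffic (RFC 5737 addresses); not a real capture."""
    events = [(0.0, "192.0.2.10", read_holding_registers(16, 1, 0x0000, 8)),
              (0.2, "192.0.2.10", write_single_register(17, 1, 0x0010, 0x0001)),
              # the same write ADU, transaction id included, resent from another host
              (9.0, "198.51.100.7", write_single_register(17, 1, 0x0010, 0x0001))]
    # 60 reads in 0.6 s from a third host
    events += [(20.0 + i * 0.01, "203.0.113.5", read_holding_registers(i, 1, 0, 1))
               for i in range(60)]
    return events


if __name__ == "__main__":
    for line in analyze_capture(constructed_capture()):
        print(line)
```

The replay check keys on the full frame bytes, which is deliberately strict: a real operator client increments the transaction id, so an exact repeat is a strong signal, whereas matching only on unit, function and data would also fire on a legitimate client writing the same value twice. On a decoy, where no write is expected at all, the first alert in the run is already the interesting one.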