**CRITICAL RISK** CVE-2023-6488 Unitronics Vision Series PLCs – Use of Default or Hard-Coded Administrative Credentials

Background & Context

Unitronics designs, manufactures, and markets advanced control and automation solutions including a complete line of PLCs with integrated HMI, a full line of VFDs, a broad array of I/Os and complementary devices, as well as programming software for all aspects of control, motion, HMI, and communications. Unitronics PLCs range from micro-PLC + HMI units for simple machine control to complex controllers with advanced functions, a variety of onboard I/Os and multiple communication options.

The Vision series of programmable controllers (PLC + HMI) ranges from palm-sized controllers with onboard I/O to large-screen controllers with snap-in I/O.


Vulnerability Summary

Unitronics Vision Series PLCs and HMIs use default administrative passwords of “1111”.

It is common practice for products to be designed to use default passwords for authentication. The rationale is to simplify the manufacturing process or the system administrator’s task of installation and deployment into an enterprise. However, if admins do not change the defaults, attackers can quickly bypass authentication across multiple organizations using the same product. Lists of default passwords and default-password scanning tools are readily available on the World Wide Web.


Impact If Exploited

Exploitation permits an unauthenticated attacker with network access to a PLC or HMI to take administrative control of the system.

NOTE: On November 28, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported a series of cyber attacks targeting Water and Wastewater Systems (WWS) facilities by an Iranian-backed cyber group known as CyberAv3ngers. One such attack reportedly involved the active exploitation of Unitronics programmable logic controllers (PLCs) operating at a vital water authority in western Pennsylvania, posing a threat to public safety. The authority reported that the actors were able to gain control of a remote booster station serving two townships, but stressed that there is no known risk to the drinking water or water supply.

Prioritisation should be given to remediation in any impacted environment.


Affected Product Versions

  • Unitronics Vision Series (all versions)


Remediation

Official Fix & Remediation Guidance

To secure facilities against this threat, CISA urges organizations to:

  • Change all default passwords on PLCs and HMIs and use a strong password. Ensure the Unitronics PLC default password “1111” is not in use.
  • Require multifactor authentication for all remote access to the OT network, including from the IT network and external networks.
  • Disconnect the PLC from the open internet. If remote access is necessary, control network access to the PLC.
  • Implement a firewall/VPN in front of the PLC to control network access to the remote PLC. A VPN or gateway device can enforce multifactor authentication for remote access even if the PLC itself does not support it. Unitronics also offers a cellular-based long-haul transport device that connects securely to their cloud services.
  • Use an allowlist of authorised IPs for access.
  • Back up the logic and configurations on any Unitronics PLCs to enable fast recovery. Become familiar with the process for factory resetting and deploying configurations to a device in the event of being hit by ransomware.
  • If possible, use a TCP port different from the default port TCP 20256. Cyber actors are actively targeting TCP 20256 after identifying it through network probing as a port associated with Unitronics PLCs. Once identified, they leverage scripts specific to PCOM/TCP to query and validate the system, allowing for further probing and connection. If available, use PCOM/TCP filters to parse out the packets.
  • Update PLC/HMI to the latest version provided by Unitronics. Instructions are available at https://forum.unitronics.com/topic/667-how-do-i-update-an-os/
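The allowlist, non-default-port and PCOM/TCP filtering points above are easiest to verify from the network side: any PCOM/TCP connection to a PLC that did not originate from an authorised address is either a misconfiguration or the probing the advisory describes. The following is an added example, not AppCheck's or Unitronics' code, of detection logic run over connection logs. It assumes a simplified tab-separated connection log (timestamp, source, source port, destination, destination port, protocol, state); the sample lines, the PLC addresses, the allowlist and the non-default port 20257 are all constructed for the example, and "internal" is judged against the RFC 1918 ranges rather than the `ipaddress` module's `is_private` flag, because that flag also covers the documentation ranges used in the sample.

```python
"""Flag inbound PCOM/TCP connections to Unitronics PLCs from non-allowlisted sources.

Added example (not AppCheck's or Unitronics' code). Log layout and all sample
values below are constructed for illustration.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

PCOM_TCP_DEFAULT_PORT = 20256  # default PCOM/TCP port named in the advisory

# RFC 1918 ranges, used to decide whether a source is an internal address.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


# Constructed sample log: ts, src, sport, dst, dport, proto, state (tab-separated).
# 10.20.5.10 / 10.20.5.11 play the PLCs; 10.20.0.0/24 is the engineering subnet;
# 203.0.113.45 and 198.51.100.7 are documentation-range addresses standing in for
# external sources.
SAMPLE_CONN_LOG = """\
1701172800.1\t10.20.0.15\t51000\t10.20.5.10\t20256\ttcp\tSF
1701172801.2\t203.0.113.45\t44321\t10.20.5.10\t20256\ttcp\tS0
1701172802.3\t198.51.100.7\t44322\t10.20.5.10\t20256\ttcp\tSF
1701172803.4\t10.20.0.15\t51001\t10.20.5.10\t20256\ttcp\tSF
1701172804.5\t203.0.113.45\t44323\t10.20.5.11\t20257\ttcp\tSF
1701172805.6\t10.20.0.99\t51002\t10.20.5.10\t502\ttcp\tSF
"""


def parse_conn_log(text):
    """Parse the constructed log layout into dicts; skips blank and comment lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue  # malformed line; ignore rather than crash the sweep
        ts, src, _sport, dst, dport, proto, _state = fields[:7]
        rows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto})
    return rows


def is_rfc1918(addr):
    return addr.version == 4 and any(addr in net for net in RFC1918_NETS)


def find_unexpected_pcom_access(rows, plc_hosts, allowlist, pcom_ports=(PCOM_TCP_DEFAULT_PORT,)):
    """Return a Finding for every PCOM/TCP connection to a PLC from outside the allowlist.

    pcom_ports should include any non-default port the PLC has been moved to, so
    that the port change does not blind the detection.
    """
    allowed_nets = [ipaddress.ip_network(n) for n in allowlist]
    plcs = {ipaddress.ip_address(h) for h in plc_hosts}
    findings = []
    for r in rows:
        if r["proto"] != "tcp" or r["dport"] not in pcom_ports:
            continue
        dst = ipaddress.ip_address(r["dst"])
        if dst not in plcs:
            continue
        src = ipaddress.ip_address(r["src"])
        if any(src in net for net in allowed_nets):
            continue  # authorised engineering workstation; nothing to report
        reason = "non-allowlisted source reached PCOM/TCP"
        if not is_rfc1918(src):
            reason += " from a non-RFC1918 address (PLC is likely internet-exposed)"
        findings.append(Finding(r["ts"], str(src), str(dst), r["dport"], reason))
    return findings


def summarize_by_source(findings):
    """Count findings per source so repeat probers stand out."""
    return dict(Counter(f.src for f in findings))


if __name__ == "__main__":
    rows = parse_conn_log(SAMPLE_CONN_LOG)
    hits = find_unexpected_pcom_access(
        rows, ["10.20.5.10", "10.20.5.11"], ["10.20.0.0/24"], pcom_ports=(20256, 20257)
    )
    for f in hits:
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}: {f.reason}")
    print(summarize_by_source(hits))
```

Feeding real exports through `parse_conn_log` only needs the column mapping adjusted; the allowlist should be the same set of addresses the firewall in front of the PLC permits, so a finding here means either the firewall rule and the inventory disagree or traffic is reaching the PLC by a path the firewall does not cover.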


Category: Credential Management


Detection

AppCheck has added a plugin to detect the flaw that will run as part of your standard scans.


About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations' websites, applications, networks, and cloud infrastructure. AppCheck are authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
