CISA Adds ScadaBR Vulnerability CVE-2021-26828 to Its Known Exploited Vulnerabilities Catalog
Overview of the Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2021-26828 to its Known Exploited Vulnerabilities (KEV) catalog. The flaw affects OpenPLC's ScadaBR, version 0.9.1 for Linux and version 1.12.4 for Windows. It allows an authenticated remote user to upload arbitrary .jsp files, which the application server then executes, giving the attacker remote code execution on the ScadaBR host. Because exploitation requires a valid login, weak or default credentials are the precondition that turns this into an unauthenticated problem in practice.
Severity and Implications
CVE-2021-26828 carries a Common Vulnerability Scoring System (CVSS) score of 8.7, placing it in the high-severity band. Combined with its presence in the KEV catalog, which records vulnerabilities with confirmed in-the-wild exploitation, this means organizations running ScadaBR should treat remediation as urgent rather than routine.
Historical Context
The vulnerability was first disclosed in June 2021 together with a second ScadaBR flaw, CVE-2021-26829. Just this week, CISA also included CVE-2021-26829 in the KEV catalog, bringing renewed attention to both weaknesses more than four years after their disclosure.
Targeted Exploits by Hacktivist Groups
Cybersecurity firm Forescout recently published a report describing the exploitation of both CVE-2021-26828 and CVE-2021-26829 by the pro-Russian hacktivist group TwoNet. The group targeted an environment built to mimic a water treatment facility, the kind of critical-infrastructure target that attracts such actors.
Forescout identified two attacking IP addresses, which it linked to Russian entities. Both were traced to a Moldovan hosting provider associated with Stark Industries Solutions, a provider that has been tied to a range of malicious activity, including distributed denial-of-service (DDoS) attacks and malware connected to Russia-aligned hacking operations.
Investigation Findings
According to Forescout, the activity from the two IP addresses was well coordinated and methodical: initial access, then deployment of a web shell, then manipulation at the Human Machine Interface (HMI) level. The researchers stated, “We assess with moderate confidence that the actions from these two IPs were coordinated, evidenced by tight sequencing and complementary roles.”
Understanding the Exploitation Path
The observed chain has three steps: log in with default credentials, exploit CVE-2021-26828 to upload a .jsp web shell, then use that shell for further actions on the host and the HMI. None of these steps requires custom tooling, so operators of relatively low-to-moderate capability can run the whole chain with publicly available tools. For defenders, the practical consequences are that default and shared credentials on ScadaBR must be changed, the web interface should not be reachable from untrusted networks, and any .jsp file that is not part of the installed application should be treated as an indicator of compromise.
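As an added example (not code from this article, from Forescout, or from the ScadaBR project), the following Python script correlates web-server access-log lines into the chain described in the Investigation Findings and in this section: a successful login, a POST that names a .jsp file outside the deployment's known baseline, subsequent requests to that .jsp (the web shell), and the case where the upload and the shell requests come from different source IPs. ScadaBR runs on Apache Tomcat, so the parser expects Tomcat's common/combined access-log format. The login URL, upload handler path, file names, IP addresses and log lines below are constructed for illustration and are not taken from the Forescout report.

```python
"""Added example: correlate access-log lines into the login -> .jsp upload -> web
shell -> follow-on chain, including the case where the chain spans several IPs."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Tomcat AccessLogValve common/combined pattern: %h %l %u %t "%r" %s %b ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Hypothetical login URL used for illustration; set it to the deployment's real one.
LOGIN_PATH = "/ScadaBR/login.htm"

# Constructed sample log (not real traffic): one IP logs in and uploads a shell,
# a second IP calls the same shell, a third IP fetches a legitimate baseline page.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Feb/2025:09:14:02 +0000] "GET /ScadaBR/login.htm HTTP/1.1" 200 1843
203.0.113.10 - - [01/Feb/2025:09:14:04 +0000] "POST /ScadaBR/login.htm HTTP/1.1" 302 -
203.0.113.10 - - [01/Feb/2025:09:14:09 +0000] "POST /ScadaBR/upload.shtm?filename=cmd.jsp HTTP/1.1" 200 512
203.0.113.10 - - [01/Feb/2025:09:14:11 +0000] "GET /ScadaBR/uploads/cmd.jsp?cmd=id HTTP/1.1" 200 77
203.0.113.22 - - [01/Feb/2025:09:15:30 +0000] "GET /ScadaBR/uploads/cmd.jsp?cmd=whoami HTTP/1.1" 200 80
203.0.113.22 - - [01/Feb/2025:09:16:02 +0000] "GET /ScadaBR/views.shtm HTTP/1.1" 200 9201
198.51.100.7 - - [01/Feb/2025:09:20:00 +0000] "GET /ScadaBR/status.jsp HTTP/1.1" 200 300
"""

def parse_line(line):
    """Return a dict for one access-log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    parts = urlsplit(e["target"])
    e["path"], e["query"] = parts.path, parts.query
    return e

def jsp_names(e):
    """All .jsp file names mentioned anywhere in the request path or query string."""
    return {n.lower() for n in re.findall(r"([\w.-]+\.jsp)\b", e["target"], re.I)}

def analyze(log_text, known_jsp=frozenset()):
    """Walk the log in time order and report each stage of the chain.
    known_jsp: .jsp files that belong to the installed application (baseline)."""
    known = {n.lower() for n in known_jsp}
    events = sorted((e for e in map(parse_line, log_text.splitlines()) if e),
                    key=lambda e: e["ts"])
    logins = defaultdict(list)   # ip -> timestamps of successful login POSTs
    uploads = {}                 # jsp name -> (ip, ts) of the request that first named it
    executions = []              # (ip, jsp name, query) for each 200 served from that jsp
    for e in events:
        if e["method"] == "POST" and e["path"] == LOGIN_PATH and e["status"] in (200, 302):
            logins[e["ip"]].append(e["ts"])
        for name in jsp_names(e) - known:
            if e["path"].lower().endswith(name):
                if e["status"] == 200:          # the unknown .jsp was served: shell use
                    executions.append((e["ip"], name, e["query"]))
            elif e["method"] == "POST":
                # A .jsp name riding in the URL of a POST to a non-.jsp handler is an
                # upload. A name carried only in a multipart body never reaches the
                # access log; that case needs the application or WAF log instead.
                uploads.setdefault(name, (e["ip"], e["ts"]))
    # Seconds from the uploader's last login to the upload: very short gaps point to
    # scripted use of known (default) credentials rather than interactive guessing.
    seconds_login_to_upload = {}
    for name, (ip, ts) in uploads.items():
        prior = [t for t in logins[ip] if t <= ts]
        if prior:
            seconds_login_to_upload[name] = (ts - max(prior)).total_seconds()
    # Uploader and executor differ: the complementary-roles pattern across IPs.
    cross_ip = sorted({(uploads[n][0], ip, n) for ip, n, _ in executions
                       if n in uploads and uploads[n][0] != ip})
    return {
        "uploads": {n: ip for n, (ip, _) in uploads.items()},
        "executions": executions,
        "seconds_login_to_upload": seconds_login_to_upload,
        "cross_ip_chains": cross_ip,
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, known_jsp={"status.jsp"}).items():
        print(f"{key}: {value}")
```

Run against the constructed log with `status.jsp` in the baseline, the script reports `cmd.jsp` uploaded by 203.0.113.10 five seconds after its login, two shell invocations, and one cross-IP chain in which 203.0.113.22 drives a shell it did not upload. The baseline set matters: without it, every .jsp served is flagged, so build it from a clean install of the same ScadaBR version before using the output for alerting.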
Conclusion
The KEV listing of a four-year-old ScadaBR vulnerability shows that exploitation does not stop when a CVE ages out of the news cycle. Organizations running ScadaBR should inventory their installations, remove default and shared credentials, keep the web interface off untrusted networks, and check the application's web root for .jsp files that are not part of the install. Where an updated version or vendor fix is available it should be applied; where it is not, compensating controls and monitoring of the HMI for the chain described above are the realistic defenses for this piece of critical infrastructure.