Iranian hackers "poisoned" water treatment systems. Team82 has developed an "antidote".

The unsecured PCOM protocol has opened the door for digital saboteurs.

Team82 researchers recently published the results of their research on attacks against integrated programmable logic controllers (PLCs) and human-machine interfaces (HMIs) from Unitronics.

These attacks, which took place in November last year, targeted critical infrastructure, including water treatment plants in the United States and Israel. Behind them, according to experts, was a group of hackers associated with Iran, known as CyberAv3ngers.

It is noteworthy that just yesterday, representatives of the US special services finally revealed the identities of six CyberAv3ngers hackers and announced a generous reward for their capture.

Returning to the attack on water treatment plants, Team82 researchers claim that the attackers exploited vulnerabilities in the Vision and Samba series of products from Unitronics, which at that time did not have password protection for the PCOM communication protocol. This allowed hackers to connect to the devices remotely and upload malicious projects to them, changing the operation of the PLC and leaving threatening messages.

In response to these threats, Team82 has developed two tools that are now available for free use. The first of them, PCOM2TCP, converts PCOM protocol messages from a serial format to TCP and back, which helps analyze traffic and detect suspicious activity. The second tool, PCOMClient, connects to a Unitronics PLC, extracts data for forensic analysis, and analyzes the device's functions.

The Team82 study also revealed two new vulnerabilities, designated CVE-2024-38434 and CVE-2024-38435. Experts strongly recommend that all users update their device software to version 9.9.1 to minimize the risk of attacks.

One of the difficulties that the researchers encountered was the need to create their own connection to Unitronics devices, since the standard versions do not come with an Ethernet port. The team created their own cable and was able to establish communication with the device, which allowed them to conduct a full-fledged study of the PCOM protocol.

Thanks to the developed tools, Team82 was able to investigate the protocol in detail and identify functions that can be used to collect digital evidence in the event of an attack. For example, you can use PCOMClient to extract information about device connections, user names, and other data that can be useful for investigating incidents.

These tools not only help you gain a deeper understanding of the inner workings of Unitronics devices, but can also significantly improve the security of critical infrastructure, enabling you to respond quickly to cyber attacks. Experts emphasize the importance of using these tools to protect against and analyze potential threats in the future.
