Commit
20231204002 - CISA Joint CSA CyberAv3ngers (#426)
* 20231122001 - Juniper * 20231122002 - GNU C Library + typo correction * 20231123002 + Table template * 20231129001 * 20231204002 - CyberAv3ngers
Showing 1 changed file with 34 additions and 0 deletions.
docs/advisories/20231204002-PLC-Exploitation-CISA-Cybersecurity-Advisory.md
@@ -0,0 +1,34 @@ | ||
# CISA Publish Joint Advisory on IRGC-Affiliated Cyber Actors Exploiting PLCs - 20231204002 | ||
|
||
## Overview | ||
|
||
Since the publication of [Advisory #20231129001](https://soc.cyber.wa.gov.au//advisories/20231129001-CISA-OT-Advisories/), CISA have released a joint Cybersecurity Advisory (CSA) [IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a) in response to the **active exploitation** of Unitronics programmable logic controllers (PLCs) in multiple sectors, including U.S. Water and Wastewater Systems (WWS) facilities, by Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated advanced persistent threat (APT) cyber actors using the persona “CyberAv3ngers”. | ||
|
||
## Cyber Actor Information | ||
|
||
CyberAv3ngers (also known as CyberAveng3rs, Cyber Avengers) is an Iranian IRGC cyber persona that has claimed responsibility for numerous attacks against critical infrastructure organizations. | ||
|
||
CyberAv3ngers are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs). These PLCs are commonly used in the Water and Wastewater Systems (WWS) Sector and are additionally used in other **industries including, but not limited to, energy, food and beverage manufacturing, and healthcare**. The PLCs may be rebranded and appear as different manufacturers and companies. | ||
|
||
Most recently, CyberAv3ngers began targeting U.S.-based WWS facilities that operate **Unitronics PLCs**. The threat actors compromised Unitronics Vision Series PLCs with human machine interfaces (HMI). These compromised devices were publicly exposed to the internet with default passwords and by default are on TCP port 20256. These PLC and related controllers are often exposed to outside internet connectivity due to the remote nature of their control and monitoring functionalities. | ||
|
||
|
||
## Indicators of Compromise (IOCs) | ||
|
||
| Indicator | Type | Fidelity | Description | | ||
| --- | --- | --- | --- | | ||
| BA284A4B508A7ABD8070A427386E93E0 | MD5 | Suspected | MD5 hash associated with Crucio Ransomware | | ||
| 66AE21571FAEE1E258549078144325DC9DD60303 | SHA1 | Suspected | SHA1 hash associated with Crucio Ransomware | | ||
| 440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3 | SHA256 | Suspected | SHA256 hash associated with Crucio Ransomware | | ||
| 178.162.227[.]180 | IP address | | | | ||
| 185.162.235[.]206 | IP address | | | | ||
|
||
|
||
## Recommendations | ||
|
||
The WA SOC encourages OT/ICS organizations to review this guidance and implement its mitigations and recommendations. Additionally, it is highly recommended to perform validation of PLC configurations in recent backups. | ||
|
||
|
||
## References | ||
|
||
- [**IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities**](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a) |
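Review bot: the two IP address rows in the IOC table leave the Fidelity and Description cells empty, while the three Crucio hash rows carry "Suspected" and a description, so a reader cannot tell whether `178.162.227[.]180` and `185.162.235[.]206` are attributed with the same confidence or where they come from; fill both cells consistently, e.g. `| 178.162.227[.]180 | IP address | Suspected | IP address listed in the linked CISA CSA |`, or state why they are left blank. Two smaller points in the same file: the Recommendations section only points at the external guidance, while the Cyber Actor Information section already names the exposure conditions that made the compromised devices reachable (default passwords, direct internet exposure, default TCP port 20256), so listing the corresponding checks here (no default credentials, no direct internet exposure, port 20256 not reachable from the internet) would make the advisory actionable without leaving the page; and the title reads "CISA Publish Joint Advisory" where "CISA Publishes" is expected, "These PLC and related controllers" should be "These PLCs and related controllers", and the doubled blank lines before the IOC, Recommendations and References headings will be flagged by most markdown linters.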