Hackers attacked US water facility via CVE-2023-6448 vulnerability

CVE-2023-6448

On November 28, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) disclosed a cyber attack that not only breached technological defenses but also posed a threat to public safety. The incident involved active exploitation of Unitronics programmable logic controllers (PLCs) and targeted a vital water authority in western Pennsylvania.

What happened?

The Municipal Water Authority of Aliquippa found itself in the crosshairs of a sophisticated cyber offensive, orchestrated by the Iranian-backed hacktivist collective known as Cyber Av3ngers. This group, characterized by its political motives and technical prowess, exploited a critical vulnerability within the publicly exposed Unitronics Vision Series PLCs.

Cyber Av3ngers allegedly gained control of the booster station that regulates water pressure for two Pennsylvania townships, putting the safety and well-being of countless residents at risk. This attack was made possible by a combination of two factors:

  • Lax password security: The affected PLC was still using the default password, “1111,” making it easy for hackers to gain access.
  • Public Internet exposure: The PLC was directly connected to the Internet, offering a readily available target for malicious actors.

The CVE-2023-6448 vulnerability:

This security flaw, tracked as CVE-2023-6448 and carrying a critical CVSS score of 9.8, allows unauthenticated attackers with network access to take complete control of the PLC and manipulate critical infrastructure functions.

Preventive Measures and Recommendations:

In response, cybersecurity experts have outlined a series of measures to fortify defenses against such threats. System administrators are urged to:

1. Replace default Unitronics PLC passwords immediately, particularly avoiding the ubiquitous “1111”.

2. Embrace multi-factor authentication (MFA) for all remote accesses within the Operational Technology (OT) network, extending this protocol to IT and external networks.

3. Sever the direct connection of PLCs from the open internet. If remote access is indispensable, a firewall or VPN setup should be employed to regulate access.

4. Conduct regular backups of logic and configurations to ensure rapid recovery in the event of ransomware attacks.

5. Stop using the default TCP port 20256, a known target for cyber actors. If feasible, switch to an alternate TCP port and add PCOM/TCP filters for additional protection.

6. Diligently update the PLC/HMI firmware to the latest version as provided by Unitronics.
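Measures 3 and 5 can be verified from perimeter logs: any accepted connection to a PLC's PCOM/TCP port from outside the permitted VPN or jump-host path means the controller is still exposed. The script below is an added example, not code from the article, CISA or Unitronics; it assumes a simple key=value firewall log format, an allowlisted range of 10.10.0.0/24 and a PLC at 10.20.30.5, all of which are constructed here.

```python
import ipaddress
import re
from collections import Counter

PCOM_TCP_PORT = 20256  # Unitronics default PCOM/TCP port named in the CISA guidance
# Assumed (not from the advisory): only this VPN / jump-host range may reach PLCs.
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed sample firewall log in a key=value format; 10.20.30.5 stands in for a PLC.
SAMPLE_LOG = """\
2023-11-25T03:12:01Z action=ACCEPT proto=TCP src=203.0.113.45 dst=10.20.30.5 dport=20256
2023-11-25T03:12:05Z action=ACCEPT proto=TCP src=10.10.0.7 dst=10.20.30.5 dport=20256
2023-11-25T03:13:22Z action=ACCEPT proto=TCP src=198.51.100.9 dst=10.20.30.5 dport=20256
2023-11-25T03:14:00Z action=ACCEPT proto=TCP src=203.0.113.45 dst=10.20.30.5 dport=443
2023-11-25T03:15:17Z action=DROP proto=TCP src=192.0.2.77 dst=10.20.30.5 dport=20256
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    match = LINE_RE.search(line)
    if match is None:
        return None
    rec = match.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def is_allowed(src):
    """True when the source address lies inside an allowlisted network."""
    return any(ipaddress.ip_address(src) in net for net in ALLOWED_SOURCES)

def find_exposed_pcom(log_text):
    """Count accepted PCOM/TCP connections per (src, dst) from non-allowlisted sources.
    Drops, other ports and allowlisted sources are ignored; any hit means a PLC is
    reachable over PCOM from outside the permitted path and needs firewalling."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["proto"] != "TCP":
            continue
        if rec["dport"] != PCOM_TCP_PORT or is_allowed(rec["src"]):
            continue
        hits[(rec["src"], rec["dst"])] += 1
    return hits
```

On the constructed log, `find_exposed_pcom(SAMPLE_LOG)` reports the two internet sources that reached the PLC on 20256 and ignores the allowlisted host, the HTTPS connection and the dropped attempt.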