Pendalar Posted November 27, 2023
Wasn't certain where to drop this but... woke up to a coworker texting me the attached photo. Luckily they renamed the PLC to "GAZA" and didn't actually do too much damage.
stembera Posted November 27, 2023
Hello Pendalar, I have exactly the same incident on a V570. Probably there is a security flaw in the PCOM protocol, vulnerable if the PLC is contacted via the internet. I am planning to change all PLC names, change the service port numbers and hide the PLCs behind a VPN. I will have a meeting with a security expert this evening, so I hope I will get more information. Please keep us informed about how the situation develops, if possible. Also, in case of need, feel free to contact me directly.
Pendalar Posted November 27, 2023
I'm afraid I can't supply much on the how-this-happened end due to the lack of logs per our IT's router settings and such. I can verify, however, that we had the same PLC names for ~6 years on that particular PLC, fairly standard service ports reachable via the internet, and our PLCs were not behind a VPN. Probably was asking to be hacked I guess with that setup 😅 On the repair end, I updated the PLC name in the programming suite to GAZA after reviewing Info Mode, flashed a current BIOS / full wipe, and then downloaded/burned. Was a quick repair once I understood what was going on. Preventing a recurrence, however, will be new ground for me; my hands are semi-tied on the upstream security due to IT policies.
Flex727 (MVP 2023) Posted November 27, 2023
@Cara Bereck Levy, I don't see anything in the Help file that indicates exactly what special characters are allowed or disallowed for the PLC Name. Since this is essentially the password for remote communications, could we get this spelled out so that we can take the appropriate action to secure PLCs in the field? Thanks.
Pendalar Posted November 27, 2023
@Flex727 I haven't thoroughly read all the various news articles to see if there are any details about how exactly the attack works, but I'm wondering if the exploit necessarily needs brute-forcing the PLC name. If it doesn't, I wouldn't imagine setting it to an extremely long name with only special characters to necessarily help secure it in this case. Obviously couldn't hurt regardless 😥
Flex727 (MVP 2023) Posted November 27, 2023
8 minutes ago, Pendalar said:
> I'm wondering if the exploit necessarily needs brute-forcing the PLC name. If it doesn't, I wouldn't imagine setting it to an extremely long name with only special characters to necessarily help secure it in this case.

True, but I'm having difficulty imagining another point of attack. If there is, then Unitronics can circumvent with a firmware upgrade.
Simon (MVP 2014) Posted November 27, 2023
The most secure way to prevent this is with a VPN. Unitronics have UniCloud, but there are 3rd party options as well.
Pendalar Posted November 27, 2023
After giving it some thought and strictly speaking about internet reachability, we would only need the following to likely be secure enough: iOS/Android Remote Operator app connections to the non-internet-reachable PLCs, passing through a secure connection to an internet-reachable work PC that has a static IP (internet and intranet). Would you still recommend a full VPN solution? I'm thinking this could be done with various proxy or tunneling methods but would appreciate some pointers / how-to links that should serve the purpose with some light modification. It's possible there is some functionality in the router we use, but I don't have access currently to dig around.
Simon (MVP 2014) Posted November 28, 2023
You could have a local PC talking to the PLCs via the intranet, running the PC version of Remote Operator. The key point is then how you access that PC from the internet. If you use port forwarding and a public IP then the old problem still remains. However, with a PC involved you have access to more secure methods such as TeamViewer or AnyDesk. This would mean connecting to that PC from the iOS/Android tablet, then operating the Remote Access app remotely using the iOS/Android device. This can be cumbersome if done on a phone, but not so bad on a tablet.

I'll give another plug for UniCloud, as it now allows creation of a dashboard sized specifically for mobile devices. The UCR router supports 3rd party VPNs; you would just need to have a server set up with your chosen VPN installed.

In terms of what I recommend, I'm just saying a VPN (or similar) is the most secure. Public IP and port forwarding is just about the least secure. I'd suggest considering multiple factors such as:
* who will use the system and what is their expertise and comfort level with tech?
* who will maintain the system, in-house experts or outsourced?
* how frequently will it be used?
* will it be monitor-only or monitor and control?
Look at your available options and assess how well they fit the intended use. From experience I'd suggest that unless you are already an expert in VPN setups, pay for a professional service rather than try to teach yourself how to set up and manage a "free" system. That's just my opinion though 🙂
Flex727 (MVP 2023) Posted November 28, 2023
Saw a report on ABC News this morning about a drinking water pumping station in Pennsylvania being hacked. The photo was clearly a Unitronics V570 PLC. Unitronics, among others, is being targeted and we need to be acting immediately to prevent more occurrences. We need some guidance from Unitronics right away.
Pendalar Posted November 28, 2023
Has there been any official word from Unitronics on this? Still curious if this widespread method is fixable via BIOS update and, if so, ETA.
Joe Tauser (MVP 2023) Posted November 28, 2023
I've had a couple of customers hit by this. I've been in communication with Unitronics and the problem has understandably been promoted to top priority. Their position right now is a VPN is the way to go.
Joe T.
swb311 Posted November 29, 2023
Anyone affected by this hack had port 20256 forwarded to their public IP. It's literally because the programming port is forwarded to the internet; it doesn't even really qualify as a hack. If you get hit by this you should fire your networking guy.
Flex727 (MVP 2023) Posted November 29, 2023
38 minutes ago, swb311 said:
> Anyone affected by this hack had port 20256 forwarded to their public IP. It's literally because the programming port is forwarded to the internet

It's actually the exact opposite. The router is set to forward port 20256 from their public IP address (WAN) to their private IP address (LAN). This is actually fairly common, and while it's not secure, it's generally okay because there is little incentive (profit motive) to hack in these situations. Tensions in the ME provided the incentive absent a profit motive. It's a good lesson learned here: avoid using default settings.
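Since the thread's diagnosis is that affected sites had TCP 20256 forwarded from the WAN to a PLC on the LAN, one thing a defender can do is check the router or firewall logs for exactly that traffic. The following is an added Python example, not code from the thread or from Unitronics; the netfilter-style log format and the addresses (documentation ranges) are constructed assumptions, and it flags connections to port 20256 that arrive from non-RFC1918 sources at private destinations, which is the port-forward pattern described above.

```python
import ipaddress
import re
from collections import Counter

PCOM_PORT = 20256  # Unitronics programming/PCOM TCP port named in the thread

# RFC 1918 ranges; anything outside them is treated as "from the internet".
# ipaddress.is_global is deliberately not used: it classifies the documentation
# ranges used in the constructed sample below as non-global.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

# Constructed sample lines in a netfilter-style format (assumption: adapt LINE_RE
# to your router's real log format). Source/destination addresses are made up.
SAMPLE_LOG = """\
Nov 26 03:14:07 gw kernel: FORWARD IN=eth0 OUT=eth1 SRC=203.0.113.45 DST=192.168.10.20 PROTO=TCP SPT=51234 DPT=20256
Nov 26 03:14:08 gw kernel: FORWARD IN=eth0 OUT=eth1 SRC=203.0.113.45 DST=192.168.10.20 PROTO=TCP SPT=51235 DPT=20256
Nov 26 03:15:01 gw kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.10.5 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=443
Nov 26 03:16:22 gw kernel: FORWARD IN=eth1 OUT=eth1 SRC=192.168.10.5 DST=192.168.10.20 PROTO=TCP SPT=40001 DPT=20256
Nov 26 03:17:45 gw kernel: FORWARD IN=eth0 OUT=eth1 SRC=198.51.100.99 DST=192.168.10.20 PROTO=UDP SPT=53 DPT=20256
Nov 26 03:18:10 gw kernel: FORWARD IN=eth0 OUT=eth1 SRC=198.51.100.99 DST=192.168.10.21 PROTO=TCP SPT=6000 DPT=20256
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")

def parse_line(line):
    """Return the fields we care about, or None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}

def exposed_pcom_connections(log_text, port=PCOM_PORT):
    """Flag TCP flows to `port` that enter from a non-RFC1918 source and land on a
    private address (the WAN->LAN port-forward case). Internal-to-internal
    programming traffic and non-TCP noise are ignored.
    Returns (list of flagged records, Counter of flagged source IPs)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] != port:
            continue
        if not is_rfc1918(rec["src"]) and is_rfc1918(rec["dst"]):
            hits.append(rec)
    return hits, Counter(h["src"] for h in hits)

if __name__ == "__main__":
    hits, by_src = exposed_pcom_connections(SAMPLE_LOG)
    for src, n in by_src.most_common():
        print(f"{src}: {n} inbound connection(s) to TCP/{PCOM_PORT} from outside the LAN")
```

Any hit at all means the programming port is reachable from the internet; the fix the thread converges on is to remove the forward and reach the PLC over a VPN instead.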
swb311 Posted November 29, 2023
24 minutes ago, Flex727 said:
> It's actually the exact opposite. The router is set to forward port 20256 from their public IP address (WAN) to their private IP address (LAN). This is actually fairly common, and while it's not secure, it's generally okay because there is little incentive (profit motive) to hack in these situations. Tensions in the ME provided the incentive absent a profit motive. It's a good lesson learned here: avoid using default settings.

Please forgive my oversimplification of the issue. I've been awake since early Thanksgiving morning trying to get wells back online that were affected by this hack lol.
Pendalar Posted November 30, 2023
Saw this today while taking a breather after completing our VPN transition: https://www.msn.com/en-us/news/technology/suspected-iranian-cyberattack-on-key-us-infrastructure-probed-by-security-agency/ar-AA1kNaqW?cvid=574519f6e11441188c139bf181aca0e2&ocid=winp2fptaskbarent&ei=103&sc=shoreline
kurt_pf Posted December 4, 2023
Same problem on a V130. How can I reset the PLC?
Fernando Castro Posted December 4, 2023
On 11/27/2023 at 5:16 AM, stembera said:
> Hello Pendalar, I have exactly the same incident on a V570. Probably there is a security flaw in the PCOM protocol, vulnerable if the PLC is contacted via the internet. I am planning to change all PLC names, change the service port numbers and hide the PLCs behind a VPN. I will have a meeting with a security expert this evening, so I hope I will get more information. Please keep us informed about how the situation develops, if possible. Also, in case of need, feel free to contact me directly.

Using the PCOM protocol you only need the IP, and it is easy to get once you are in the network.
Fernando Castro Posted December 4, 2023
On 11/27/2023 at 10:27 AM, Flex727 said:
> @Cara Bereck Levy, I don't see anything in the Help file that indicates exactly what special characters are allowed or disallowed for the PLC Name. Since this is essentially the password for remote communications, could we get this spelled out so that we can take the appropriate action to secure PLCs in the field? Thanks.

I see that I am joining late, but I think you could bypass the name with the PCOM protocol. Since I no longer work with Unitronics I don't have access to the old software that I developed with the PCOM dll, but I am 99% sure it can be bypassed.
Edit: yes, you don't even need to know the name, and in fact you can retrieve the PLC name using this method. Once you get the PLC name then you can do a new blank download.
Ausman (MVP 2023) Posted December 4, 2023
12 hours ago, kurt_pf said:
> Same problem on a V130.

What is the 130 showing? What is it doing? Do you have the .vlp file that was already loaded in the PLC?