Cybercriminals are using default credentials to access products and software pertaining to the Industrial Control System (ICS) belonging to several defence forces, researchers found.
Cyble Research & Intelligence Labs (CRIL) researchers came across several posts on the dark web featuring screenshots used by cybercriminals to claim that they had access to data and systems used by the military and law enforcement agencies (LEA).
What did the cybercriminals claim?
According to the posts on the dark web, the cybercriminals claimed to have access to the supervisory control and data acquisition (SCADA) systems and the thermal imaging cameras of a North African country’s military base.
They posted pictures of the alleged access panel of a thermal imaging camera system to prove the same. The hacker collective also claimed to have IP addresses, which CRIL researchers confirmed to be legitimate.
The panel belonged to a big equipment manufacturer that produces military-grade TI cameras. If they have access to these systems, CRIL researchers noted that they could have real-time spying opportunities of the vital physical assets, weather, perimeter, automatic target identification along with moving targets and watching hazardous environments.
The post shared on the dark web featured aerial images allegedly from a military base in North Africa with its IP address. They seem to have network access codes, which researchers argue, they might have exploited to gain network access to assets.
Further investigations based on the product’s exposure from the aerial view led CRIL researchers to ascertain that over 607 instances of the same product being exposed were found by an online scanner.
The state of the thermal imaging camera systems
Researchers found multiple vulnerabilities in the internet-exposed thermal imaging camera systems that could lead cybercriminals to launch cyberattacks on military bases using those systems.
They can have unauthenticated remote code execution done besides credential and information disclosures.
Exploiting misconfigured camera systems, cybercriminals can disrupt surveillance of the military and conduct cyber espionage through the exposed internal networks. They can conduct reconnaissance to access system data.
Modbus exploitation
According to the post, the Modbus protocol, which is a significant communication channel across industrial networks, was also exploited by cybercriminals.
Besides the SCADA systems, hackers claimed to have been conducting reconnaissance to gain system data, including names of the vendor, products, coils, and version numbers of electronic devices used by them.
CRIL researchers pointed out that the vulnerabilities in the Modbus protocol could be exploited to send infected packets to the programmable logic controllers on Modbus. This can halt operations impacting the working of critical infrastructure.
The metaspoilt framework
The report further elaborated on how cybercriminals are using the metaspoilt framework to impact ICS systems as it offers several modules to launch reconnaissance attacks.
Based on intel from the Cyble Global Sensor Intelligence (CGSI) network, researchers confirmed that several exploitations attempt through the Modbus protocol were made in the last 30 days as shown below:
The web interface of the Rainbow SCADA was also targeted by likely using the default factory credentials of systems. Rainbow SCADA is an internet-based remote monitoring tool that works with all Datakom products. It is used in monitoring energy meters and controllers which makes exploiting it a desirable target for cybercriminals and hazardous victims of the military.
One of the reasons why the SCADA systems — one of the most widely used tools — are exploited is speculated to be the inefficient network segmentation and the less-than-perfect visibility of assets. Exposed SCADA systems over the internet endanger not only operations but also the lives of staff handling them, especially those working with heavy machinery.
CRIL researchers urged implementing adequate network segmentation to reduce lateral movement capabilities and using the Software Bill of Materials (SBOM) to have better visibility into assets. Having a strong password after changing the factory default credentials is a must, along with audits and pentesting exercises.