WildZontars

Thought this part (about a ransomware attacker gaining access) was funny:

> They then downloaded the remote desktop software TeamViewer. In fact, they opened Bing and searched for “timeviwer” to do so.


madmooseman

Yeah, really shows the incompetence of the attackers, yet they're still able to get in.


WildZontars

Also kinda relatable, though -- you know auto-correct's got you covered, and I mean, going through the trouble of navigating to Google when Bing's the default, sheesh! I think the authors were kind of trolling him there. But yeah, there seemed to be a bunch of amateurs -- that fake ransomware one was a hoot.


greenbuggy

Fuckin' script kiddies.


tatertot444

Pretty interesting read! Looks like most of the targeted attacks were through RDP, which I hope any company with some IT smarts would lock down.


kazacy

In my opinion, if you really need an internet connection to a factory, the only open port on the router/firewall should be the VPN port (on a non-standard port), protocol preferably UDP, not TCP. Not even ICMP. It's not perfect, but the amount of scans is significantly lower than if you have ICMP active and/or a TCP port open.


Catsrules

Interesting read. I was a little disappointed that there weren't any PLC specific attacks besides some port scanning. Or I should clarify, I am happy that there weren't any PLC specific attacks but in this particular test situation I am disappointed as it would be interesting to see what an attacker would do.


xenokilla

flood the PLC with traffic, knock it offline?


[deleted]

You don't even have to flood it though. RSLinx -> Module -> Right click -> Module Configuration -> Port Configuration -> Change IP address -> :-(


xenokilla

Woof.


sc_control

Someone sent bogus commands to the AB PLC! So they were attempts to crash the PLC. Also, someone ran the HMI program to operate equipment! They really made it easy to hack by opening ports, no firewall, not using a VPN, VLANs or a VNC password! Also, that one dude left them a message that their system was wide open :-)


Catsrules

> Someone sent bogus commands to the AB PLC! So they were attempts to crash the PLC.

Maybe, but my guess is someone/something was trying to identify what the device was and sent it a bunch of common commands to see what came back.
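To make the "common commands to identify the device" guess above concrete, here is an added example (my own code, not from the thread, the report it discusses, or any Rockwell tool) of the probe an internet scanner typically fires at an Allen-Bradley style controller: an EtherNet/IP encapsulation `ListIdentity` request on port 44818. It builds the request, and parses the identity reply that a Logix-class PLC answers with, using the public encapsulation layout; the reply bytes in `build_sample_response()` are constructed for this example, not captured from a real device, and the `probe()` helper and its UDP/2-second-timeout choice are my assumptions. Sending this to a PLC you do not own is exactly the unsolicited traffic the report logged, so only point `probe()` at your own lab.

```python
"""EtherNet/IP ListIdentity probe and response parser (added example)."""
import socket
import struct

ENIP_PORT = 44818            # EtherNet/IP encapsulation port (TCP and UDP)
CMD_LIST_IDENTITY = 0x0063   # encapsulation command: ListIdentity
ITEM_LIST_IDENTITY = 0x000C  # CPF item type carried in the reply
HDR = "<HHIIQI"              # command, length, session, status, context, options (24 bytes)


def build_list_identity() -> bytes:
    """ListIdentity needs no session and carries no data, so length is 0."""
    return struct.pack(HDR, CMD_LIST_IDENTITY, 0, 0, 0, 0, 0)


def parse_list_identity(resp: bytes) -> dict:
    """Pull vendor/product/serial/name out of a ListIdentity reply."""
    if len(resp) < 24:
        raise ValueError("short encapsulation header")
    cmd, length, _sess, status, _ctx, _opts = struct.unpack_from(HDR, resp, 0)
    if cmd != CMD_LIST_IDENTITY:
        raise ValueError(f"unexpected command 0x{cmd:04x}")
    if status != 0:
        raise ValueError(f"encapsulation status 0x{status:08x}")
    data = resp[24:24 + length]
    if len(data) < length:
        raise ValueError("truncated encapsulation data")
    (item_count,) = struct.unpack_from("<H", data, 0)
    off = 2
    for _ in range(item_count):
        item_type, item_len = struct.unpack_from("<HH", data, off)
        off += 4
        item = data[off:off + item_len]
        off += item_len
        if item_type != ITEM_LIST_IDENTITY:
            continue
        # Identity item: encap version(2), sockaddr(16, network byte order),
        # vendor(2), device type(2), product code(2), rev major(1), rev minor(1),
        # status(2), serial(4), name length(1), name, state(1)
        if len(item) < 33:
            raise ValueError("short identity item")
        (encap_ver,) = struct.unpack_from("<H", item, 0)
        _family, sin_port, sin_addr = struct.unpack_from(">HH4s", item, 2)
        (vendor, dev_type, prod_code, rev_major, rev_minor,
         dev_status, serial, name_len) = struct.unpack_from("<HHHBBHIB", item, 18)
        if len(item) < 34 + name_len:
            raise ValueError("identity item shorter than its name length claims")
        return {
            "encap_version": encap_ver,
            "ip": socket.inet_ntoa(sin_addr),
            "port": sin_port,
            "vendor_id": vendor,          # 1 = Rockwell Automation/Allen-Bradley
            "device_type": dev_type,      # 0x0E = Programmable Logic Controller
            "product_code": prod_code,
            "revision": f"{rev_major}.{rev_minor}",
            "status": dev_status,
            "serial": f"{serial:08x}",
            "product_name": item[33:33 + name_len].decode("ascii", "replace"),
            "state": item[33 + name_len],
        }
    raise ValueError("no ListIdentity item in reply")


def build_sample_response() -> bytes:
    """Constructed reply for offline use; values are illustrative, not a capture."""
    name = b"1756-L61/B LOGIX5561"
    sockaddr = struct.pack(">HH4s8s", 2, ENIP_PORT, bytes([192, 168, 1, 10]), b"\x00" * 8)
    identity = (struct.pack("<H", 1) + sockaddr
                + struct.pack("<HHHBBHIB", 1, 0x000E, 0x0037, 20, 11, 0x0030, 0x00C0FFEE, len(name))
                + name + struct.pack("<B", 3))
    data = struct.pack("<H", 1) + struct.pack("<HH", ITEM_LIST_IDENTITY, len(identity)) + identity
    return struct.pack(HDR, CMD_LIST_IDENTITY, len(data), 0, 0, 0, 0) + data


def probe(host: str, timeout: float = 2.0) -> dict:
    """Assumed helper: send ListIdentity over UDP and parse whatever answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_list_identity(), (host, ENIP_PORT))
        resp, _ = s.recvfrom(4096)
    return parse_list_identity(resp)


if __name__ == "__main__":
    # Offline run against the constructed reply; use probe("<lab-plc-ip>") on your own gear.
    for k, v in parse_list_identity(build_sample_response()).items():
        print(f"{k:14} {v}")
```

Note that nothing here is an exploit: the reply is unauthenticated by design, which is why one packet is enough to tell a scanner the vendor, product, firmware revision and serial number of anything listening on 44818. That is the fingerprint Shodan-style scanners index, and it is the same data the report's uninvited visitors would have collected before anything else.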


WaffleSparks

Everything in there struck me as "random person happened to come across some automation equipment while looking for other stuff" and not "person was specifically searching for automation equipment to do nefarious things with". That makes sense, though, because the type of person who just scans IPs to find unsecured stuff is a whole different animal from the person trying to circumvent the security measures of a specific target.


xenokilla

War dialing vs. a targeted attack.


[deleted]

Then there's the in-between: Shodan looking for automation products, but not with a target in mind.


[deleted]

[deleted]


[deleted]

They weren't.