An undisclosed Advanced Persistent Threat (APT) group has identified and is exploiting two vulnerabilities in Rockwell Automation products. These vulnerabilities could be used to cause significant disruption or damage to organizations involved in critical infrastructure.
Rockwell has partnered with the US government to explore and understand this new exploit, which takes advantage of vulnerabilities in the ControlLogix EtherNet/IP communication modules. The affected products include the 1756-EN2 and 1756-EN3, which are impacted by CVE-2023-3595, a critical flaw that allows an attacker to achieve persistent remote code execution on the targeted system using specially crafted Common Industrial Protocol (CIP) messages.
This vulnerability could be exploited by a threat actor to alter, block or extract data passing through a device. The 1756-EN4 products are affected by CVE-2023-3596, a high-severity denial-of-service (DoS) bug that can also be exploited using specially crafted CIP messages.
Rockwell Automation has responded by releasing firmware patches for each affected product and sharing potential indicators of compromise (IoCs), in addition to detection rules. “We are not aware of current exploitation leveraging this capability, and intended victimization remains unclear,” Rockwell stated.
The company also said that, based on previous threat actor activity involving industrial systems, there is a high likelihood that these capabilities were developed to target critical infrastructure. The scope of potential victims could include international customers. The threat activity is subject to change, and customers using the affected products could face significant risk if they are exposed.
The US Cybersecurity and Infrastructure Security Agency (CISA) has also released an advisory warning organizations about these vulnerabilities, following its assistance to Rockwell in investigating the exploits. Industrial cybersecurity firm Dragos has analyzed the vulnerabilities and the exploit, warning of potential disruptive or destructive consequences depending on the targeted ControlLogix device’s configuration.
Dragos indicated that the exploit capability seems to be the work of an unidentified APT group, though no evidence of exploitation in the wild has been found to date. The company also compared the access provided by CVE-2023-3595 to a zero-day flaw used by a Russia-linked state-sponsored group in attacks involving the Trisis/Triton malware.
“Both allow for arbitrary firmware memory manipulation, though CVE-2023-3595 targets a communication module responsible for handling network commands. However, their impact is the same,” Dragos clarified. The company also noted that knowing about an APT-owned vulnerability before exploitation presents a rare opportunity for proactive defense in critical industrial sectors.
The discovery of these exploits comes shortly after reports that several US government departments were investigating Rockwell’s operations at a facility in China. There were concerns that employees might access information that could be used to compromise the systems of the company’s customers, potentially finding vulnerabilities in Rockwell products and exploiting them in zero-day attacks targeting systems in the US.