
Kaspersky announces patch of seven vulnerabilities in Moxa’s ThingsPro Suite

22 January, 2019
Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (ICS CERT) experts have identified and patched seven previously unknown vulnerabilities in Moxa’s ThingsPro Suite.

January 22, 2019 – Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (ICS CERT) experts have identified and patched seven previously unknown vulnerabilities in Moxa’s ThingsPro Suite – an industrial IoT (Internet of Things) platform, designed for industrial control systems (ICS) data acquisition and remote analysis. All vulnerabilities identified were reported to and patched by platform developer Moxa.

Kaspersky researchers found that some of the vulnerabilities could potentially allow threat actors to gain highly privileged access to industrial IoT gateways and execute deadly commands. Platforms like ThingsPro Suite are useful for easing IIoT (Industrial Internet of Things) integration and maintenance, but they can also be dangerous unless they are developed and integrated with adequate attention to security. Because such solutions work as a connecting point between the IT and OT (Operational Technology) security domains, vulnerabilities found in them can potentially allow attackers to gain access to an industrial network.

Throughout a period of two weeks, Kaspersky Lab ICS CERT security researchers conducted a preconceptual study of the product, testing it for vulnerabilities that could be exploited remotely. As a result, seven zero-day vulnerabilities were found. One of the most severe could allow a remote attacker to execute any command on the target IIoT gateway. Another vulnerability made it possible for cybercriminals to gain root privileges, providing the ability to change the device’s configuration.

Moreover, its exploitation could be automated, meaning that cybercriminals could automatically compromise multiple Moxa ThingsPro IoT gateways in different enterprises and potentially gain access to industrial networks of the organizations.

“Moxa is a trusted and respected brand in the industrial systems world,” said Alexander Nochvay, a security researcher at Kaspersky Lab. “However, despite the company’s vast expertise and experience, its new product had a number of vulnerabilities, which shows that it is important even for industry leaders to conduct proper cybersecurity tests. We call on all ICS-product developers to act responsibly, performing regular vulnerability checks, treating the security of solutions for industrial systems as an integral and essential part of development.”
