CISA warns of dangerous Rockwell industrial bug being exploited by gov’t group
The Cybersecurity and Infrastructure Security Agency (CISA) warned on Wednesday of two vulnerabilities affecting industrial technology from Rockwell Automation, for which an exploit capability has been attributed to a state-backed hacking group.
Rockwell Automation, one of the world's biggest providers of industrial automation and digital transformation technologies, reported CVE-2023-3595 and CVE-2023-3596 to CISA after analyzing a novel exploit capability attributed to an unnamed APT group.
CISA said the first vulnerability, CVE-2023-3595, has a CVSS score of 9.8 out of 10, while the second, CVE-2023-3596, has a score of 7.5. The critical flaw is a memory corruption (out-of-bounds write) reachable through crafted CIP messages sent to the module, which is what makes remote code execution possible; the lower-rated flaw can be used to crash the module, causing a denial of service.
The issues affect the company's ControlLogix communication modules and allow hackers to take control of a device, steal operational data or manipulate devices for "disruptive or destructive consequences on the industrial process for which the ControlLogix system is responsible," according to operational technology (OT) experts from cybersecurity firm Dragos.
Dragos said it worked with Rockwell Automation to assess the threat before the disclosure was made public and urged all OT companies to update their firmware to the latest version “as soon as possible.” Rockwell Automation has released updates for all of the affected devices.
“An unreleased exploit capability leveraging these vulnerabilities is associated with an unnamed APT (Advanced Persistent Threat) group…As of mid-July 2023 there was no evidence of exploitation in the wild and the targeted victim organizations and industry verticals were unknown,” Dragos said.
“Threat activity is subject to change and customers using affected products could face serious risk if exposed.”
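The firmware-update guidance above leaves the first practical step to the operator: finding the ControlLogix communication modules on the plant network and recording each one's firmware revision before comparing it with the fixed versions listed in the Rockwell advisory. The Python script below is an added example written for this page; it is not code from the article, Rockwell Automation, Dragos, Tenable or CISA. It decodes EtherNet/IP ListIdentity replies, the standard discovery message that CIP devices answer on UDP port 44818 and which carries the vendor ID, device type, product code, firmware revision and product name, then flags devices that identify as Rockwell communications adapters with a revision below a minimum the operator supplies. The sample replies are constructed inline, the product names and serial numbers are made up, and the minimum revision in the demo is a placeholder, not the actual fixed firmware version for either CVE.

```python
"""Inventory Rockwell communication modules from EtherNet/IP ListIdentity replies.

Added example for this article; not code from Rockwell, Dragos, Tenable or CISA.
Assumptions: the ListIdentity (command 0x0063) reply layout follows the ODVA
EtherNet/IP encapsulation format; a real scan sends LIST_IDENTITY_REQUEST to
UDP 44818 (broadcast works on a flat OT segment) and feeds each reply to
parse_list_identity(). The replies in demo() are constructed here, and the
minimum revision passed to triage() is a placeholder, NOT the fixed firmware
version for CVE-2023-3595 or CVE-2023-3596; take that from the Rockwell advisory.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Tuple

ENIP_LIST_IDENTITY = 0x0063          # encapsulation command
CIP_ITEM_IDENTITY = 0x000C           # CPF item type carrying the identity object
VENDOR_ROCKWELL = 0x0001             # ODVA vendor ID 1: Rockwell Automation/Allen-Bradley
DEVICE_TYPE_COMM_ADAPTER = 0x000C    # CIP device profile: communications adapter
ENIP_HEADER = "<HHII8sI"             # command, length, session, status, context, options

# A ListIdentity request is just the 24-byte encapsulation header with no payload.
LIST_IDENTITY_REQUEST = struct.pack(ENIP_HEADER, ENIP_LIST_IDENTITY, 0, 0, 0, b"\x00" * 8, 0)


@dataclass
class Identity:
    ip: str
    vendor_id: int
    device_type: int
    product_code: int
    revision: Tuple[int, int]        # (major, minor) firmware revision
    serial: int
    product_name: str


def parse_list_identity(reply: bytes) -> Identity:
    """Decode one ListIdentity reply; raises ValueError on anything malformed."""
    if len(reply) < 24:
        raise ValueError("shorter than an encapsulation header")
    cmd, length, _session, status, _ctx, _opts = struct.unpack_from(ENIP_HEADER, reply, 0)
    if cmd != ENIP_LIST_IDENTITY or status != 0 or len(reply) != 24 + length:
        raise ValueError("not a well-formed ListIdentity reply")
    off = 24
    (item_count,) = struct.unpack_from("<H", reply, off); off += 2
    item_type, item_len = struct.unpack_from("<HH", reply, off); off += 4
    if item_count != 1 or item_type != CIP_ITEM_IDENTITY:
        raise ValueError("unexpected CPF item")
    item_end = off + item_len
    off += 2                                          # encapsulation protocol version
    # The embedded sockaddr_in is big-endian (network order); every other field is little-endian.
    _family, _port, addr = struct.unpack_from(">hHI", reply, off); off += 16
    vendor, dev_type, code, rev_major, rev_minor, _status, serial = struct.unpack_from("<HHHBBHI", reply, off)
    off += 14
    name_len = reply[off]; off += 1                   # product name is a CIP SHORT_STRING
    name = reply[off:off + name_len].decode("ascii", "replace"); off += name_len
    off += 1                                          # device state byte
    if off != item_end:
        raise ValueError("identity item length mismatch")
    return Identity(socket.inet_ntoa(struct.pack(">I", addr)), vendor, dev_type, code,
                    (rev_major, rev_minor), serial, name)


def build_list_identity(ip: str, vendor: int, dev_type: int, code: int,
                        rev: Tuple[int, int], serial: int, name: str) -> bytes:
    """Construct a reply in the same layout (used only to fabricate demo/test input)."""
    addr = struct.unpack(">I", socket.inet_aton(ip))[0]
    body = struct.pack("<H", 1)                                    # protocol version 1
    body += struct.pack(">hHI8s", 2, 44818, addr, b"")             # sin_family=AF_INET, sin_zero
    body += struct.pack("<HHHBBHI", vendor, dev_type, code, rev[0], rev[1], 0x0030, serial)
    body += bytes([len(name)]) + name.encode("ascii") + b"\x03"    # short string + state
    data = struct.pack("<H", 1) + struct.pack("<HH", CIP_ITEM_IDENTITY, len(body)) + body
    return struct.pack(ENIP_HEADER, ENIP_LIST_IDENTITY, len(data), 0, 0, b"\x00" * 8, 0) + data


def is_rockwell_comm_module(ident: Identity) -> bool:
    return ident.vendor_id == VENDOR_ROCKWELL and ident.device_type == DEVICE_TYPE_COMM_ADAPTER


def triage(replies: List[bytes], minimum_rev: Tuple[int, int]) -> List[Identity]:
    """Return Rockwell communication modules whose firmware is older than minimum_rev."""
    flagged = []
    for raw in replies:
        try:
            ident = parse_list_identity(raw)
        except (ValueError, struct.error, IndexError):
            continue                                  # ignore junk and non-ENIP replies
        if is_rockwell_comm_module(ident) and ident.revision < minimum_rev:
            flagged.append(ident)
    return flagged


def demo() -> List[Identity]:
    # Constructed sample replies; product codes, names, serials and revisions are made up.
    replies = [
        build_list_identity("192.168.10.21", VENDOR_ROCKWELL, DEVICE_TYPE_COMM_ADAPTER,
                            0x00A6, (5, 7), 0x00C0FFEE, "Demo ENet Module A"),
        build_list_identity("192.168.10.22", VENDOR_ROCKWELL, DEVICE_TYPE_COMM_ADAPTER,
                            0x00A6, (12, 1), 0x00C0FFEF, "Demo ENet Module B"),
        build_list_identity("192.168.10.30", 0x0123, 0x000E, 0x0001, (1, 0), 0x1234, "Other PLC"),
        b"\x00garbage",
    ]
    placeholder_min_rev = (10, 1)   # placeholder only; use the advisory's fixed revision here
    return triage(replies, placeholder_min_rev)


if __name__ == "__main__":
    for ident in demo():
        print(f"{ident.ip} {ident.product_name!r} rev {ident.revision[0]}.{ident.revision[1]:03d}"
              " is below the minimum; schedule a firmware update")
```

In a live scan, send `LIST_IDENTITY_REQUEST` from a UDP socket to the segment's broadcast address on port 44818 and collect replies for a few seconds; devices that do not answer (firewalled, on another chassis, or reachable only through a remote chassis) still need to be checked by hand or from the controller's I/O tree, so treat the output as a starting inventory rather than a complete one.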
Rockwell Automation did not respond to requests for comment but released a private advisory confirming that it coordinated with the U.S. government in analyzing the “novel” exploit capability attributed to APT actors.
Experts from Dragos and cybersecurity firm Tenable, which was also involved in the response to the issue, said the Rockwell Automation product is typically used by companies in the manufacturing, electric, oil and gas, and liquefied natural gas industries.
“ControlLogix Communications Modules are used in many industries and sectors, including energy, transportation and water, to enable communication between machines, IT systems and remote chassis,” the Tenable Research team told Recorded Future News.
“One of the vulnerabilities, rated critical, could allow an attacker to affect the industrial process along with the underlying critical infrastructure, which could result in possible disruption or destruction via remote code execution.”
Dragos added that an attacker with this level of access could corrupt the data that defenders rely on for incident response and recovery, or overwrite any part of the module's firmware to hide their presence and maintain persistence.
Dragos experts compared the access provided by CVE-2023-3595 to the zero-day used alongside the TRISIS malware, which was developed and deployed in 2017 against at least one victim in the Middle East to target safety instrumented systems (SIS), the independent controllers that bring a process to a safe state when it leaves its normal operating limits.
Four Russian government employees were indicted by the U.S. Justice Department in March 2022 over attacks on energy-sector industrial control systems, one of them specifically for his role in developing TRISIS.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.