Rockwell warns of new APT RCE exploit targeting critical infrastructure

Rockwell Automation says a new remote code execution (RCE) exploit linked to an unnamed Advanced Persistent Threat (APT) group could be used to target unpatched ControlLogix communications modules commonly used in manufacturing, electric, oil and gas, and liquified natural gas industries.

The company teamed up with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to analyze the exploit linked to APT threat actors, but they have yet to share how they obtained it.

"Rockwell Automation, in coordination with the U.S. government, has analyzed a novel exploit capability attributed to Advance Persistent Threat (APT) actors affecting select communication modules," the company said in a security advisory accessible only after logging in.

"We are not aware of current exploitation leveraging this capability, and intended victimization remains unclear."

The targeted vulnerability (tracked as CVE-2023-3595) is caused by an out-of-bounds write weakness that can let attackers gain remote code execution or trigger denial-of-service states through maliciously crafted CIP messages.

Following successful exploitation, malicious actors could also manipulate the module's firmware, wipe the module memory, alter data traffic to and from the module, establish persistent control, and potentially impact the industrial process it supports.

"This could result in destructive actions where vulnerable modules are installed, including critical infrastructure," Rockwell added.

Customers urged to patch all affected products

Rockwell strongly advises applying the security patches it released for all affected products (including those out of support). It also provides detection rules to help defenders detect exploitation attempts within their networks.

CISA also published an advisory warning Rockwell customers to patch the critical RCE vulnerability to thwart potential incoming attacks.

"Knowing about an APT-owned vulnerability before exploitation is a rare opportunity for proactive defense for critical industrial sectors," said industrial cybersecurity firm Dragos which also analyzed the APT exploit.

"We know there is an exploit owned by an unknown APT and we have not seen nor are we aware of any exploitation in the wild," Dragos Senior Threat Analyst Kevin Woolf told BleepingComputer.

According to Dragos, the level of access facilitated by the CVE-2023-3595 vulnerability is similar to the zero-day exploited by the Russian-linked XENOTIME threat group, which used TRISIS (aka TRITON) destructive malware against Schneider Electric Triconex ICS equipment in 2017 attacks.

"Previous threat actors cyberactivity involving industrial systems suggests a high likelihood that these capabilities were developed with an intent to target critical infrastructure and that victim scope could include international customers," Rockwell also warned.

"Threat activity is subject to change and customers using affected products could face serious risk if exposed."