How a port misconfiguration exposed critical infrastructure data
Much has already been said and written about the dangers of potential cyber attacks targeting the electric/power grid. And in Ukraine, they’ve already gone from theoretical scenarios to actual attacks.
More limited attacks hitting companies’ electrical systems are also possible, especially when information that provides insight into those systems’ weak points is freely accessible online.
If you think that such a thing is unlikely, you probably haven’t yet heard about the most recent discovery made by UpGuard researchers: an open port used for rsync server synchronization has left the network of Power Quality Engineering (PQE) wide open to malicious attackers.
The discovery
“On July 6th, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered an open port configured to accept packets at an IP address which, when entered into a command-line interface, returned a fully downloadable data repository originating from Power Quality Engineering,” UpGuard analyst Dan O’Sullivan explained.
Vickery managed to access and exfiltrate 205 GB of data from PQE’s servers, until the company secured its systems two days later, after being notified of the problem by UpGuard.
The Texas-based electrical engineering operator numbers among its customers Oracle, Dell, Texas Instruments and the City of Austin. Among the documents that Vickery managed to exfiltrate were reports containing electrical infrastructure data of those and other customers’ facilities.
“Beyond this highlighting of potential weak points and trouble spots in customer electrical systems, publicly downloadable schematics reveal the specific locations and configurations of government-operated top secret intelligence transmission zones within at least one Dell facility,” O’Sullivan also shared.
“Besides these reports, other exposed data for clients, such as that of the City of Austin, include schematics of solar fields, electrical gap analyses, proposals for future construction, inspection reports of aviation breakers at local airfields, maintenance reports for municipal fuel systems, and a ‘Hazardous Operations Report.’”
Finally, Vickery also managed to access a plain text file of internal PQE passwords, potentially enabling further access to more company systems.
The way in
It is unknown whether other (potentially malicious) parties made the same discovery as Vickery and stole any of the accessible information. What is certain, though, is that this is another instance of a misconfiguration opening the door to attackers.
“The exposed port granting public access to these systems, 873, is the default port used for rsync (remote synchronization), a command line utility that allows for the easy and rapid copying of data to another machine,” O’Sullivan explained.
“While the IP addresses able to access these systems via this port can be easily restricted by IT administrators using rsync’s ‘hosts allow/deny’ functions, this requires an extra step once the rsync utility is configured. This default accessibility, while simple to restrict, can be missed.”
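As an added example, not from the article or from UpGuard, the following POSIX shell script writes two constructed rsyncd.conf files (a module left at the open default beside the same module restricted with `hosts allow`/`hosts deny`) and audits a config for modules that no `hosts allow` line protects. The module name, path, bind address and network ranges are made up for illustration.

```shell
# Added example (not from the article or UpGuard): write two constructed
# rsyncd.conf files, an exposed module and its hardened form, then audit a
# config for modules that no "hosts allow" line restricts.
write_sample_configs() {            # prints the directory it wrote into
    dir=${1:-$(mktemp -d)}
    cat > "$dir/exposed.conf" <<'EOF'
# Risky default: the module answers any address that can reach port 873
[engineering]
    path = /srv/engineering
    read only = yes
EOF
    cat > "$dir/hardened.conf" <<'EOF'
# Same module, bound to an internal interface and restricted by source address
address = 10.0.0.5
[engineering]
    path = /srv/engineering
    read only = yes
    hosts allow = 10.0.0.0/8 127.0.0.1
    hosts deny = *
    auth users = sync
    secrets file = /etc/rsyncd.secrets
EOF
    echo "$dir"
}

# Print each module that has no "hosts allow" of its own and is not covered
# by a global one ([global] sections count as global). Nothing printed = OK.
audit_rsyncd_conf() {
    awk '
        /^[ \t]*[#;]/ { next }                  # comment lines
        { gsub(/^[ \t]+|[ \t]+$/, "") }         # trim whitespace
        /^\[.*\]$/ {                            # section header
            mod = substr($0, 2, length($0) - 2)
            if (mod == "global") mod = ""
            else if (!(mod in seen)) { seen[mod] = 1; order[++n] = mod }
            next
        }
        /^hosts[ \t]*allow[ \t]*=/ { if (mod == "") global_ok = 1; else ok[mod] = 1 }
        END {
            if (global_ok) exit 0
            for (i = 1; i <= n; i++) if (!(order[i] in ok)) print order[i]
        }
    ' "$1"
}

dir=$(write_sample_configs)
for f in exposed hardened; do
    printf '%s.conf unrestricted modules: %s\n' "$f" "$(audit_rsyncd_conf "$dir/$f.conf")"
done
```

The audit only checks the `hosts allow` parameter; a module whose only protection is `hosts deny`, a firewall rule or the `address` bind setting will still be reported, so treat its output as a list to review rather than a verdict.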
Companies should have processes in place to ensure that such security gaps are identified and closed immediately, he concluded.