Forescout’s Vedere Labs details deep lateral movement in OT Networks

Forescout’s Vedere Labs has released its research report on Deep Lateral Movement: how advanced adversaries can move laterally among devices at the controller level – also known as Purdue level 1 or L1 – of OT networks. This is the first systematic study into deep lateral movement, an infiltration method attackers use to gain deep access to industrial control systems and to cross often overlooked security perimeters, allowing them to perform highly granular and stealthy manipulations as well as override functional and safety limitations.

This research demonstrates that there is a lot of ‘network crawl space’, that is, space that is not on asset owners’ radars, such as links that run between security zones at deep system levels that might not receive the attention they deserve. To close these gaps, an L1 device that sits between segments still needs a corresponding perimeter security profile.

Commenting on the latest research, Daniel dos Santos, Head of Security Research at Forescout, said, “Unsecure OT L1 devices often become the target of cyber attackers through deep lateral movement, largely due to gateways enabling direct communications between L1 devices on the edge and cloud platforms amidst the rise of the Industrial Internet of Things (IIoT), which potentially exposes the soft underbelly created by limited perimeters beyond the traditional hardening at the intermediate Purdue levels. Our research deeply assesses the issue, which also provides the cybersecurity community with methods to mitigate risk.”

In the proof-of-concept developed for this research, Vedere Labs uses two new vulnerabilities that we are publicly disclosing for the first time: CVE-2022-45788 and CVE-2022-45789. They allow for remote code execution (RCE) and authentication bypass, respectively, on Schneider Electric Modicon programmable logic controllers (PLCs) – one of the most popular families of PLCs in the world, used in several critical infrastructure sectors. These issues were found as part of our OT:ICEFALL research in 2022 but were not disclosed then at the request of the vendor. More details about the issues are available on Schneider Electric’s advisories SEVD-2023-010-05 and SEVD-2023-010-06.

“There is little prior work on lateral movement for L1 devices, which has primarily focused on worms moving between identical L1 devices on the same segment or upstream hacking to L2 and above (e.g., from a PLC to an engineering workstation). We hope that with this new research we increase the cybersecurity community’s understanding of deep lateral movement and how to mitigate attacks,” said Jos Wetzels, Security Researcher at Vedere Labs.

OT L1 devices such as PLCs are notoriously insecure. RCE has been demonstrated against many of them using techniques such as insecure engineering interfaces (see OT:ICEFALL), malicious logic or firmware downloads and memory corruption vulnerabilities (see Project Memoria). Additionally, malware such as TRITON has shown that real-world threat actors are both capable of and interested in developing such capabilities.

The newly uncovered issues, summarized below, only affect the Modicon PLC Unity line. CVE-2022-45788 is an example of RCE via an undocumented memory write operation, while CVE-2022-45789 exemplifies a broken authentication scheme. As we explain in the technical report and demonstrate in the proof-of-concept for L1 lateral movement, when combined, these vulnerabilities can lead to RCE on Modicon Unity PLCs.

With the access attackers gain through deep lateral movement, further actions become possible that magnify the impact of an attack. Mitigating the risks of deep lateral movement requires a careful blend of network monitoring to detect adversaries as early as possible, visibility into the often overlooked security perimeters at the lower Purdue levels, and hardening of the most interconnected and exposed devices.
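As an added illustration of the two defensive points above (the ‘crawl space’ of L1 devices that straddle zones, and monitoring for traffic that crosses overlooked perimeters), the script below audits a small, constructed Purdue-zoned inventory. It is example code written for this article, not Forescout’s tooling, and the device names, zones, protocol labels and flows are all invented.

```python
# Added example (not from the Forescout/Vedere Labs report). All data below is constructed.
# Each device maps to (Purdue level, set of zones its network interfaces sit in).
INVENTORY = {
    "plc-a":  (1, {"cell-1"}),
    "plc-b":  (1, {"cell-1", "cell-2"}),   # second NIC bridges two cells: L1 'crawl space'
    "plc-c":  (1, {"cell-2"}),
    "rtu-gw": (1, {"cell-2", "dmz"}),      # IIoT gateway with a foot in the DMZ
    "ews-1":  (2, {"supervisory"}),        # engineering workstation at L2
}

# Zone pairs that have a monitored perimeter (firewall rule set plus IDS tap).
MONITORED_PERIMETERS = {
    frozenset({"supervisory", "cell-1"}),
    frozenset({"supervisory", "cell-2"}),
}

# Observed flows as (source, destination, coarse protocol class).
FLOWS = [
    ("ews-1",  "plc-a", "engineering"),   # normal: L2 workstation programs a PLC
    ("plc-a",  "plc-b", "io-data"),       # normal: peers exchanging process data
    ("plc-b",  "plc-c", "engineering"),   # a PLC programming another PLC
    ("rtu-gw", "plc-a", "io-data"),       # crosses cells with no perimeter in between
]


def bridging_l1_devices(inventory):
    """L1 devices whose interfaces span more than one zone: links that may be off the asset owner's radar."""
    return sorted(name for name, (level, zones) in inventory.items() if level == 1 and len(zones) > 1)


def review_flows(inventory, flows, perimeters):
    """Flows a defender should review, as (src, dst, reason) tuples.
    - Engineering-class traffic between two L1 devices: controllers do not normally
      program each other, so this is the shape of deep lateral movement.
    - Flows between devices that share no zone and whose zone pair has no monitored perimeter.
    """
    findings = []
    for src, dst, proto in flows:
        (src_level, src_zones), (dst_level, dst_zones) = inventory[src], inventory[dst]
        if src_level == 1 and dst_level == 1 and proto == "engineering":
            findings.append((src, dst, "L1-to-L1 engineering traffic"))
        if not (src_zones & dst_zones):
            crossed = {frozenset({a, b}) for a in src_zones for b in dst_zones}
            if not (crossed & perimeters):
                findings.append((src, dst, "zone crossing without monitored perimeter"))
    return findings


if __name__ == "__main__":
    print("bridging L1 devices:", bridging_l1_devices(INVENTORY))
    for finding in review_flows(INVENTORY, FLOWS, MONITORED_PERIMETERS):
        print("review:", *finding)
```

The bridging list is what needs a perimeter security profile of its own; the flow findings are the detections a monitoring rule set should raise.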