How to Find and Probe ENCO PLCs on the Internet Just Like FrostyGoop malware

Welcome to the 17th installment of “OT Hunt” where we delve into the world of ICS/OT devices connected to the internet. The primary aim of this series is to raise awareness within the ICS community and serve as a wake-up call for both asset owners and ICS/OT vendors to fortify their assets against potential cyber threats.

Today’s target is the ENCO Control, a PLC made by Eco Therm Services, a Romanian company. ENCO Control is designed as a controller for process control in district heating, hot water and ventilation systems. This PLC was the target of the FrostyGoop malware, which a group launched against a Ukrainian energy company in January 2024. The attackers gained access to the company network through a router.

Naturally, I became curious to find out if these PLCs are present on the internet. It’s a habit of mine to always dig into ICS devices online. This time, I used Shodan and Zoomeye to find ENCO Control.

To find ENCO Control on Shodan, I used the following dork:

ENCO port:23        

There are 38 PLCs, most of them located in Romania, Ukraine, and Lithuania.

Similarly, on ZoomEye I used the following filter, which returned 107 PLCs:

enco +port:23        

These PLCs have Telnet (port 23) open, which is used for remote connection. I discovered an alarmingly weak configuration: some hosts grant immediate access to the server without any credentials. Not only that, but they also let you run the system commands used to administer the PLC.

The welcome screen shows the title “ENCO Control Telnet Server v1.00” and a list of management commands. Here is a snapshot of the commands.


Let’s explore some built-in commands that you can use through the Telnet console:

To list TCP statistics, type tcpstat.

To list Ethernet connections, type ethr.

To list existing sensors and their temperatures, type owire.

To get an idea of the analogue inputs, type io.
There are a few other commands as well. Attention! Some of them, I think, carry administrative permissions, such as disconnect ip and change output. These, I believe, could have critical impacts, such as disconnecting a device or changing an output.

Asset owners, if you are reading this article, please make sure to put access control on this Telnet service and/or place it behind a firewall. If you know organizations that use this PLC, please share this article with them. Stay safe.
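For asset owners who want to check their own monitoring data for the exposure described above, here is an added detection example (my own illustration, not the article author's or the vendor's code). It walks a Telnet session log and raises a finding when the “ENCO Control Telnet Server v1.00” banner is served to a host outside a management allowlist, when a command is accepted without any login or password prompt, and when one of the privileged commands (disconnect ip, change output) arrives from a non-management host. The log line format, the management subnet 10.10.0.0/24 and every sample line are constructed assumptions; the banner text and the command names are the ones quoted in the article.

```python
"""Flag exposed ENCO Control Telnet services and privileged commands in session logs.

Added example for this article, not the author's or the vendor's code. It assumes
a line-based Telnet session log (as a network sensor or Telnet proxy might emit)
with the constructed format
    <ISO timestamp> <src_ip> <dst_ip> <S2C|C2S> <payload>
where S2C is PLC-to-client and C2S is client-to-PLC. The banner string and the
command names come from the article; the management subnet and all sample lines
below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

BANNER = "ENCO Control Telnet Server v1.00"

# Commands the article lists. The first word of "disconnect ip" and
# "change output" identifies the two that can alter plant state.
READ_ONLY_COMMANDS = {"tcpstat", "ethr", "owire", "io"}
PRIVILEGED_COMMANDS = {"disconnect", "change"}

# Hosts that are allowed to reach the PLC's Telnet service (assumed allowlist).
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dir>S2C|C2S)\s+(?P<payload>.+)$"
)
PROMPT_RE = re.compile(r"\b(login|username|password)\s*:", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # medium, high or critical
    client: str
    plc: str
    detail: str


def is_management_host(ip: str) -> bool:
    """True when the client address falls inside an allowlisted subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def analyze(lines):
    """Walk the session log once and return the findings in log order."""
    findings = []
    # Per (client, plc) pair: did we see the ENCO banner, a credential prompt,
    # and have we already reported unauthenticated command execution?
    sessions = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not follow the assumed format
        src, dst, direction, payload = m.group("src", "dst", "dir", "payload")
        client, plc = (dst, src) if direction == "S2C" else (src, dst)
        st = sessions.setdefault(
            (client, plc), {"banner": False, "prompted": False, "reported": False}
        )
        if direction == "S2C":
            if BANNER in payload:
                st["banner"] = True
                if not is_management_host(client):
                    findings.append(Finding("medium", client, plc,
                                            "ENCO Telnet banner served to a non-management host"))
            if PROMPT_RE.search(payload):
                st["prompted"] = True
            continue
        # Client-to-PLC traffic: the first word is the command name.
        command = payload.strip().split()[0].lower()
        if st["banner"] and not st["prompted"] and not st["reported"]:
            st["reported"] = True
            findings.append(Finding("high", client, plc,
                                    f"command '{payload.strip()}' accepted with no credential prompt"))
        if command in PRIVILEGED_COMMANDS and not is_management_host(client):
            findings.append(Finding("critical", client, plc,
                                    f"privileged command from a non-management host: {payload.strip()}"))
    return findings


# Constructed sample: an unknown Internet host (203.0.113.7) reaches a PLC
# (192.0.2.50), gets the banner, runs a read-only command and then a privileged
# one; later a management host (10.10.0.5) is challenged for a login before 'io'.
SAMPLE_LOG = [
    "2024-01-15T02:10:01Z 192.0.2.50 203.0.113.7 S2C ENCO Control Telnet Server v1.00",
    "2024-01-15T02:10:01Z 192.0.2.50 203.0.113.7 S2C >",
    "2024-01-15T02:10:05Z 203.0.113.7 192.0.2.50 C2S owire",
    "2024-01-15T02:10:09Z 203.0.113.7 192.0.2.50 C2S change output",
    "2024-01-15T08:00:00Z 192.0.2.50 10.10.0.5 S2C ENCO Control Telnet Server v1.00",
    "2024-01-15T08:00:01Z 192.0.2.50 10.10.0.5 S2C login:",
    "2024-01-15T08:00:03Z 10.10.0.5 192.0.2.50 C2S operator",
    "2024-01-15T08:00:05Z 10.10.0.5 192.0.2.50 C2S io",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity.upper():8}] {f.client} -> {f.plc}: {f.detail}")
```

On the constructed sample the script produces three findings for the Internet client and none for the management host: a medium finding for the banner, a high one because owire was accepted with no prompt, and a critical one for change output. In a real deployment the allowlist should be the actual engineering subnet, and the same session data is what confirms that a firewall rule in front of port 23 is doing its job.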

Conclusion:

In closing, I invite you to explore our project, ICSRank — a unique tool tailored for the ICS/OT domain, exemplifying our commitment to enhancing ICS/OT cybersecurity. With its capabilities to Discover, Assess, and Secure, ICSRank stands as a vital resource in fortifying ICS/OT environments against cyber threats.

More articles by Sulaiman Alhasawi