New Tool Extracts Hidden Forensics from HMIs/PLCs

Researchers have developed tools to extract forensic information from Unitronics integrated HMIs and PLCs following critical infrastructure attacks attributed to Iran-linked CyberAv3ngers. 

By reverse-engineering the proprietary PCOM protocol, two tools, PCOM2TCP and PCOMClient, were created to convert serial and TCP PCOM messages and query or extract data from Unitronics Vision and Samba PLCs, respectively. 

The research uncovered two vulnerabilities, CVE-2024-38434 and CVE-2024-38435, prompting Unitronics to recommend upgrading to v9.9.1. 

Recent cyberattacks targeting Unitronics HMIs and PLCs exploited a lack of password protection, enabling remote access and device control. 

Unitronics RJ11 port pinout (RS232 standard)

Acquiring a Unitronics Vision 570 PLC without an Ethernet port necessitated reverse-engineering an RJ11 to DB9 cable for serial communication. 

Despite a successful connection using VisiLogic, a Wireshark-based man-in-the-middle attack was hindered by exclusive serial port access. To circumvent this, a custom tool, PCOM2TCP, was developed to enable packet capture and manipulation between the PLC and engineering workstation. 

Connecting to the PLC using VisiLogic.

To overcome challenges in intercepting PCOM traffic transmitted over serial connections, a Python-based PCOM2TCP tool was developed, which translates serial PCOM messages into TCP/IP packets, enabling redirection of EWS communication to a local system instead of the PLC. 

This setup facilitates Man-in-the-Middle (MiTM) attacks and traffic analysis using Wireshark, allowing for detailed inspection and potential modification of PCOM data before forwarding it to the PLC. 

The PCOM protocol facilitates communication between an EWS and a PLC using ASCII or binary formats, while opcodes differentiate commands within each format. 

PCOM ASCII format.

Binary PCOM employs a fixed header, with the opcode’s most significant bit indicating a request or response, while ASCII PCOM uses distinct magic bytes for requests and responses. 

By analyzing these structures and identifying opcodes, a basic PCOM client can be developed to interact with the PLC. 

Researchers developed a PCOM client to reverse engineer the Unitronics PLC protocol, uncovering undocumented opcodes and functionalities. 

By analyzing Wireshark captures and leveraging existing research, they identified and implemented numerous function codes for tasks such as reading and writing memory, retrieving PLC information, and resetting the upload password. 

It led to the discovery of a critical vulnerability (CVE-2024-38434) allowing unauthorized password resets, which was responsibly disclosed to Unitronics.

A signature log extracted from an attacked PLC.

According to Team 82, forensic analysis of Unitronics Vision series PLCs can yield critical evidence through two primary sources: VisiLogic project files and PLC signature logs. 

VisiLogic project files, when available, offer rich forensic data, including project paths, creation dates, connected computer details, and keyboard layouts, but their accessibility depends on project burn settings and potential upload password protection. 

Conversely, PLC signature logs, while requiring extensive extraction, provide detailed connection history, including dates, user information, and project paths, even when project files are unavailable. Together, these artifacts can illuminate attack timelines, attacker identities, and compromised system details. 

Also Read:

Kaaviya
Kaaviyahttps://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.

Recent Articles

Related Stories

LEAVE A REPLY

Please enter your comment!
Please enter your name here