TID-310: Remotely Accessible Unauthenticated Services
Threat Description
If an application does not authenticate all connections from a remote device or system, a threat actor can remotely establish a connection to the device to access confidential data or make unwanted changes to device status or configuration. Many popular protocols, such as FTP, Telnet, and HTTP, provide some support for authentication but are often deployed without enabling it. Authentication is critical for any remote service that supports configuration changes, enables access to sensitive data, or can change operational functions.
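As an added illustration (not part of the original entry, and not any vendor's protocol), the following Python sketch contrasts the weak pattern this threat describes with a hardened one. `handle_unauthenticated` applies a configuration change from any caller, which is the exposure the entry warns about. `AuthenticatedConfigService` is a hypothetical challenge/response design: the device issues a single-use nonce, the client returns an HMAC tag over the nonce and the canonical request computed with a pre-shared key, and the device verifies the tag with a constant-time compare before touching state. The device state, request format, key and actions are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


@dataclass
class DeviceState:
    """Constructed stand-in for a remotely configurable device (e.g. an RTU)."""
    setpoint: int = 100
    audit_log: list = field(default_factory=list)


def handle_unauthenticated(state: DeviceState, request: dict) -> dict:
    """Weak pattern: the service accepts configuration changes from anyone
    who can reach the port. This is the behaviour TID-310 describes."""
    if request.get("action") == "set_setpoint":
        state.setpoint = int(request["args"]["value"])
        state.audit_log.append(f"setpoint={state.setpoint} (no auth)")
        return {"ok": True}
    return {"ok": False, "error": "unknown action"}


def _canonical(action: str, args: dict) -> bytes:
    # Deterministic serialisation so client and device tag identical bytes.
    return json.dumps({"action": action, "args": args}, sort_keys=True).encode()


def compute_tag(shared_key: bytes, nonce: str, action: str, args: dict) -> str:
    """Client side: HMAC-SHA256 over nonce || canonical request (hypothetical scheme)."""
    msg = nonce.encode() + b"|" + _canonical(action, args)
    return hmac.new(shared_key, msg, hashlib.sha256).hexdigest()


class AuthenticatedConfigService:
    """Hardened pattern: every state-changing request must present a valid
    tag over a nonce this device issued. Assumed design, not a real product."""

    def __init__(self, state: DeviceState, shared_key: bytes):
        self.state = state
        self.shared_key = shared_key
        self.outstanding = set()  # nonces issued but not yet consumed

    def issue_challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def handle(self, request: dict) -> dict:
        nonce = request.get("nonce", "")
        tag = request.get("tag", "")
        action = request.get("action", "")
        args = request.get("args", {})

        # A nonce is single-use, so a captured request cannot be replayed.
        if nonce not in self.outstanding:
            self.state.audit_log.append("rejected: unknown or reused nonce")
            return {"ok": False, "error": "unauthenticated"}
        self.outstanding.discard(nonce)

        expected = compute_tag(self.shared_key, nonce, action, args)
        # Constant-time comparison avoids leaking the tag byte by byte.
        if not hmac.compare_digest(expected, tag):
            self.state.audit_log.append("rejected: bad tag")
            return {"ok": False, "error": "unauthenticated"}

        # Only now is the request trusted enough to change device state.
        if action == "set_setpoint":
            self.state.setpoint = int(args["value"])
            self.state.audit_log.append(f"setpoint={self.state.setpoint} (authenticated)")
            return {"ok": True}
        return {"ok": False, "error": "unknown action"}


if __name__ == "__main__":
    key = b"constructed-shared-key"  # constructed; a real key comes from provisioning
    device = DeviceState()
    svc = AuthenticatedConfigService(device, key)
    nonce = svc.issue_challenge()
    req = {"action": "set_setpoint", "args": {"value": 42}, "nonce": nonce,
           "tag": compute_tag(key, nonce, "set_setpoint", {"value": 42})}
    print(svc.handle(req), device.setpoint)
    print(svc.handle(req))  # replayed request is refused
```

The audit log entries are the detection hook: repeated "rejected" lines from one peer are worth alerting on, and the unauthenticated handler produces no such signal at all because it never refuses anything.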
Threat Maturity and Evidence
Observed Adversarial Technique
ATT&CK Technique: Unauthorized Command Message (T0855) – Procedure Example: Industroyer (S0604)
“Using its protocol payloads, Industroyer sends unauthorized commands to RTUs to change the state of equipment.”
ATT&CK Technique: Unauthorized Command Message (T0855) – Procedure Example: Industroyer2 (S1072)
“Industroyer2 is capable of sending command messages from the compromised device to target remote stations to open data channels, retrieve the location and values of Information Object Addresses (IOAs), and modify the IO state values through Select Before Operate I/O, Select/Execute, and Invert Default State operations.”
CWE
- CWE-285: Improper Authorization
“The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.”
CVE
- None referenced