TID-310: Remotely Accessible Unauthenticated Services
Threat Description
If a device exposes a network service (a management interface, a control protocol listener, a debug or diagnostic port) that does not authenticate every remote connection, any threat actor who can reach that service over the network can connect to it and read confidential data or make unwanted changes to device state or configuration, including issuing control commands. The exposure applies to each remotely reachable service on the device, not only the primary application interface.
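The following is an added example, not code from EMB3D or from any vendor product, that contrasts the vulnerable pattern with one hardened form. It models a single constructed command channel for a device with one relay: the first handler accepts any "SET"/"GET" command from whoever reaches the port, while the second requires each command to carry an HMAC over a server-issued nonce and the command text, computed with a pre-shared key. The key, the command grammar and the relay state are all constructed for the demonstration; the challenge/HMAC scheme is one possible mitigation (mutually authenticated TLS is another) and is not prescribed by the threat description.

```python
import hashlib
import hmac
import secrets


class Device:
    """Constructed device state: a single relay the command channel controls."""

    def __init__(self):
        self.relay = "OPEN"


def handle_unauthenticated(device, line):
    """Vulnerable pattern (TID-310): any peer that reaches the service can
    read or change device state. There is no check of who is connecting."""
    parts = line.strip().split()
    if parts == ["GET"]:
        return device.relay
    if len(parts) == 2 and parts[0] == "SET" and parts[1] in ("OPEN", "CLOSED"):
        device.relay = parts[1]
        return "OK"
    return "ERR"


class AuthenticatedChannel:
    """Hardened pattern: the device issues a one-time nonce, and a command is
    executed only if it carries HMAC-SHA256(key, nonce | command). A peer
    without the key cannot forge a tag, and a captured message cannot be
    replayed because the nonce is consumed after a single attempt."""

    def __init__(self, device, key):
        self.device = device
        self.key = key
        self.nonce = None

    def challenge(self):
        # One fresh nonce per command; also consumed on a failed attempt so a
        # peer cannot try many tags against the same nonce.
        self.nonce = secrets.token_hex(16)
        return self.nonce

    def handle(self, line):
        parts = line.strip().split()
        if self.nonce is None or len(parts) < 2:
            return "ERR"
        tag, command = parts[-1], " ".join(parts[:-1])
        expected = hmac.new(self.key, (self.nonce + "|" + command).encode(),
                            hashlib.sha256).hexdigest()
        self.nonce = None
        if not hmac.compare_digest(tag, expected):
            return "DENIED"
        # Only after authentication does the original command logic run.
        return handle_unauthenticated(self.device, command)


def sign(key, nonce, command):
    """Client side: append the authenticator a legitimate operator would send."""
    tag = hmac.new(key, (nonce + "|" + command).encode(), hashlib.sha256).hexdigest()
    return command + " " + tag


def demo():
    """Runs the exchange both ways and returns the observable outcomes."""
    key = b"constructed-pre-shared-key"  # assumption: provisioned out of band
    results = {}

    # Unauthenticated service: an attacker with network reach flips the relay.
    victim = Device()
    results["unauth_reply"] = handle_unauthenticated(victim, "SET CLOSED")
    results["unauth_relay"] = victim.relay

    # Hardened service: the same attacker, with no key, is refused.
    dev = Device()
    chan = AuthenticatedChannel(dev, key)
    chan.challenge()
    results["forged_reply"] = chan.handle("SET CLOSED 00")
    results["relay_after_forgery"] = dev.relay

    # A legitimate operator holding the key succeeds.
    nonce = chan.challenge()
    legit = sign(key, nonce, "SET CLOSED")
    results["legit_reply"] = chan.handle(legit)
    results["relay_after_legit"] = dev.relay

    # Replaying the captured legitimate message fails: the nonce has moved on.
    chan.challenge()
    results["replay_reply"] = chan.handle(legit)

    # A command sent without first obtaining a challenge is not even parsed.
    results["no_challenge_reply"] = chan.handle(legit)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The authenticated handler reuses the original command parser only after the tag has been verified, which is the property a reviewer should look for: authentication sits in front of every state-changing path, not beside it. A pre-shared key still has to be provisioned and rotated securely, and in practice the channel would also be confidentiality-protected; the example isolates the authentication check because that is the control whose absence defines this threat.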
Threat Maturity and Evidence
Observed Adversary Technique
ATT&CK Technique: Unauthorized Command Message (T0855)
Procedure Example: Industroyer (S0604)
“Using its protocol payloads, Industroyer sends unauthorized commands to RTUs to change the state of equipment.”
Procedure Example: Industroyer2 (S1072)
“Industroyer2 is capable of sending command messages from the compromised device to target remote stations to open data channels, retrieve the location and values of Information Object Addresses (IOAs), and modify the IO state values through Select Before Operate I/O, Select/Execute, and Invert Default State operations.”
CWE
CWE-285: Improper Authorization
“The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.”