TID-312: Credential Change Mechanism Can Be Abused
Threat Description
A device’s credential change mechanisms can be abused to lock users out of their own devices by changing credentials to something unknown to the legitimate user. This can prevent the legitimate user from accessing the device and may also render the device permanently inoperable. It could also be coupled with unwanted device configuration changes made before the user is locked out.
Threat Maturity and Evidence
Observed Adversarial Technique
ATT&CK Technique: Change Credential (T0892)
“A chain of incidents occurred in Germany, where adversaries locked operators out of their building automation system (BAS) controllers by enabling a previously unset BCU key.”
ATT&CK Technique: Account Access Removal (T1531)
“Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.”
CWE
CWE-645: Overly Restrictive Account Lockout Mechanism (Base)
“The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out.”
CVE
Kunbus PR100088 Modbus Gateway (Update B) | CISA, CVE-2019-6527
“PR100088 Modbus gateway versions prior to Release R02 (or Software Version 1.1.13166) may allow an attacker to be able to change the password for an admin user who is currently or previously logged in, provided the device has not been restarted.”
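The threat description above and the Kunbus advisory both come down to the same defect: a credential change that is accepted on weaker evidence than the original login (here, merely that an account logged in at some point since boot). The following is an added illustration, not code from EMB3D, MITRE, CISA or Kunbus, and it does not model the PR100088 firmware. The Device, SessionStore, change_password_weak and change_password names are invented for this example; the in-memory stores, the 15-minute session lifetime and the 8-character policy are constructed assumptions. The weak handler shows the defective pattern for contrast; the hardened handler binds the change to a live session for that account, re-verifies the current credential, revokes the account's other sessions, and writes an audit record a defender can alert on.

```python
import hashlib
import hmac
import os
import time


def _hash_password(salt: bytes, password: str) -> bytes:
    """Salted PBKDF2-SHA256 so stored digests are slow to brute-force and not reusable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """Bearer tokens bound to one username, with an expiry. Lost on device restart."""

    def __init__(self, ttl_seconds: int = 900):  # assumption: 15-minute sessions
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> (username, expires_at)

    def issue(self, username: str, now: float) -> str:
        token = os.urandom(16).hex()
        self._sessions[token] = (username, now + self.ttl)
        return token

    def user_for(self, token: str, now: float):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:          # expired tokens are purged, not honoured
            del self._sessions[token]
            return None
        return username

    def revoke_user(self, username: str, keep: str = None) -> None:
        """Drop every session for `username` except the one performing the change."""
        for token, (user, _) in list(self._sessions.items()):
            if user == username and token != keep:
                del self._sessions[token]


class Device:
    """Hypothetical device with a credential store, sessions and an audit trail."""

    def __init__(self):
        self._creds = {}               # username -> (salt, digest)
        self.sessions = SessionStore()
        self.audit = []                # (event, username, detail)
        self._logged_in_since_boot = set()  # the only thing the weak handler checks

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._creds[username] = (salt, _hash_password(salt, password))

    def verify(self, username: str, password: str) -> bool:
        rec = self._creds.get(username)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, _hash_password(salt, password))

    def login(self, username: str, password: str, now: float = None):
        now = time.time() if now is None else now
        if not self.verify(username, password):
            self.audit.append(("login_failed", username, ""))
            return None
        self._logged_in_since_boot.add(username)
        self.audit.append(("login", username, ""))
        return self.sessions.issue(username, now)

    def restart(self) -> None:
        """Power cycle: sessions and the logged-in-since-boot set do not survive."""
        self.sessions = SessionStore()
        self._logged_in_since_boot.clear()

    def change_password_weak(self, username: str, new_password: str) -> bool:
        """Defective pattern, shown for contrast: no token, no current credential, no
        audit record; any account that logged in since boot can be rewritten."""
        if username not in self._logged_in_since_boot:
            return False
        salt = os.urandom(16)
        self._creds[username] = (salt, _hash_password(salt, new_password))
        return True

    def change_password(self, token: str, username: str, current_password: str,
                        new_password: str, now: float = None) -> bool:
        """Hardened pattern: live session for this account + re-authentication."""
        now = time.time() if now is None else now
        if self.sessions.user_for(token, now) != username:
            self.audit.append(("pw_change_denied", username, "no live session for account"))
            return False
        if not self.verify(username, current_password):
            self.audit.append(("pw_change_denied", username, "current credential mismatch"))
            return False
        if len(new_password) < 8 or new_password == current_password:  # assumed policy
            self.audit.append(("pw_change_denied", username, "new credential rejected"))
            return False
        salt = os.urandom(16)
        self._creds[username] = (salt, _hash_password(salt, new_password))
        self.sessions.revoke_user(username, keep=token)  # other sessions lose access
        self.audit.append(("pw_changed", username, ""))
        return True
```

In operation, the pw_change_denied and pw_changed audit events are what a monitoring pipeline should forward; a burst of denied changes, or a successful change not preceded by a login from the same session, is the signal that this threat is being exercised.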