TID-406: Unauthorized Messages or Connections
Threat Description
Some devices use protocols that provide no means of authenticating the peer at the network level, when a connection is opened, or when a session is created on the device. Any threat actor who can reach the device over the network can therefore establish a connection and send arbitrary messages, including commands, that the device will act on as if they came from a legitimate operator. Authentication mechanisms that would close this gap include passwords and cryptographic keys or certificates, applied to the protocol exchange itself rather than only to a client application.
Threat Maturity and Evidence
Observed Adversary Technique
ATT&CK Technique: Wireless Compromise (T0860)
“During the Polish Train incident, a teenager was able to program a remote with commands to operate and change junctions on the tracks. The teenager was able to then send those commands, without authentication, to operate the junctions.”
ATT&CK Technique: Unauthorized Command Message (T0855)
Procedure Example: INCONTROLLER (S1045)
“INCONTROLLER can send custom Modbus commands to write register values on Schneider PLCs.”
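The Modbus procedure above is the clearest illustration of this threat: a Modbus/TCP request carries a transaction ID, a unit ID, a function code and register data, and nothing else, so the device cannot tell an operator's write from an attacker's. The following is an added example, not code from the EMB3D page, ATT&CK, or any of the vendors or tools named here. It encodes and parses a Write Single Register (function code 6) request to show the absence of any credential field, and then runs a minimal network-side detector over a constructed set of packets that flags write function codes from hosts outside an allowlist of engineering workstations. The IP addresses, the allowlist and the packet tuples are assumptions made up for the example; the frame layout and function codes follow the Modbus application protocol specification.

```python
"""Added example: Modbus/TCP write frames have no authentication field,
and a compensating network-side detector for writes from unexpected hosts.
All traffic below is constructed for the example; hosts are hypothetical."""
import struct
from dataclasses import dataclass

# Function codes that change device state (coil/register writes) per the
# Modbus application protocol specification.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}
FUNCTION_NAMES = {
    3: "Read Holding Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    16: "Write Multiple Registers",
}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def build_write_single_register(transaction_id: int, unit_id: int,
                                address: int, value: int) -> bytes:
    """Encode a Modbus/TCP Write Single Register (FC 6) request.

    MBAP header: transaction id, protocol id (always 0), length, unit id.
    PDU: function code, register address, register value.
    No field carries a password, key, certificate or session token:
    any host that can reach TCP/502 on the device can send this frame.
    """
    pdu = struct.pack(">BHH", 6, address, value)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_frame(raw: bytes) -> ModbusFrame:
    """Decode MBAP header + PDU; raise ValueError on malformed input."""
    if len(raw) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(raw) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusFrame(tid, unit, raw[7], raw[8:])


def flag_unauthorized_writes(packets, allowed_writers):
    """packets: iterable of (src_ip, dst_ip, payload) tuples.

    Returns (src_ip, dst_ip, function_code, description) for every write
    request whose source is not in allowed_writers. This is a monitoring
    control on the network; it does not make the protocol authenticated,
    and a source address can be spoofed or a trusted host compromised.
    """
    alerts = []
    for src, dst, payload in packets:
        try:
            frame = parse_frame(payload)
        except ValueError:
            continue  # not Modbus/TCP, or truncated; out of scope here
        if frame.function_code in WRITE_FUNCTION_CODES and src not in allowed_writers:
            name = FUNCTION_NAMES.get(frame.function_code, "write")
            alerts.append((src, dst, frame.function_code, name))
    return alerts


# Constructed sample traffic (hypothetical addresses): one legitimate write
# from the engineering workstation, one read, one write from an unknown
# host, and one non-Modbus payload that the parser must reject cleanly.
ENGINEERING_WORKSTATIONS = {"10.0.10.5"}
SAMPLE_PACKETS = [
    ("10.0.10.5", "10.0.20.11", build_write_single_register(1, 1, 0x0010, 0x0001)),
    ("10.0.10.5", "10.0.20.11", struct.pack(">HHHBBHH", 2, 0, 6, 1, 3, 0, 10)),
    ("10.0.99.77", "10.0.20.11", build_write_single_register(3, 1, 0x0010, 0x0000)),
    ("10.0.99.77", "10.0.20.11", b"\x00\x01"),
]

if __name__ == "__main__":
    for alert in flag_unauthorized_writes(SAMPLE_PACKETS, ENGINEERING_WORKSTATIONS):
        print("unauthorized Modbus write:", alert)
```

The detector is deliberately placed on the network rather than on the device because the device has no hook to attach authentication to; it is a compensating control that shortens time to detection, not a fix for the missing authentication that the CWE entries below describe.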
CWE
CWE-306: Missing Authentication for Critical Function (Base)
“The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.”
CWE-287: Improper Authentication (Class)
“When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.”
CVE
CVE-2022-30266 / CVE-2022-33139 / CVE-2019-18250 (OT-ICEFALL)
Many devices in the OT-ICEFALL report implemented authentication only in the client software (the vendor's engineering tool or web interface), not in the protocol the device actually speaks. Operators see a login prompt and assume their actions are authenticated, but an actor who can send and receive traffic on the network can talk the protocol directly and issue the same commands without ever presenting a credential.
CVE-2019-6533
“Registers used to store Modbus values can be read and written from the web interface without authentication in the PR100088 Modbus gateway versions prior to Release R02 (or Software Version 1.1.13166).”