TID-412: Network Routing Capability Abuse
Threat Description
Some devices can forward packets to other connected devices (e.g., routing, port forwarding, tunneling, VPN). If the device is used to forward or route communications, a threat actor with access to its forwarding configuration could change the forwarding rules or routes. The threat actor could use this to either (i) disable required forwarding rules, preventing authorized communications, or (ii) add new rules that allow unauthorized access to other devices. In the second case, the threat actor could potentially gain access to devices within protected networks or zones.
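The baseline check a defender would run for this threat, as an added example that is not from the source or from any vendor tool: it parses a constructed routing-table snapshot in a simplified `ip route show` shape (an assumption; real devices expose forwarding rules in many formats), reports required routes that have been removed and routes added outside the approved baseline, and marks added routes whose destination overlaps a protected zone.

```python
import ipaddress
import re
from typing import NamedTuple
# Matches the simplified `ip route show` shape used in the constructed snapshots below.
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)")

class Route(NamedTuple):
    dst: str  # destination prefix, normalised to CIDR form
    gw: str   # next hop, or "" when directly connected
    dev: str  # egress interface

def parse_routes(snapshot):
    """Parse a routing-table snapshot into a set of Route entries."""
    routes = set()
    for line in snapshot.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        dst = str(ipaddress.ip_network(dst, strict=False))
        routes.add(Route(dst, m.group("gw") or "", m.group("dev")))
    return routes

def audit_routes(current, baseline, protected):
    """Return (missing, unauthorized): baseline routes no longer present, and live
    routes absent from the baseline, each paired with True when the destination
    overlaps a protected zone (the 'new route into a protected network' case)."""
    zones = [ipaddress.ip_network(z) for z in protected]
    missing = sorted(baseline - current)
    unauthorized = []
    for r in sorted(current - baseline):
        exposes = any(ipaddress.ip_network(r.dst).overlaps(z) for z in zones)
        unauthorized.append((r, exposes))
    return missing, unauthorized

# Constructed sample data, not taken from any real device.
BASELINE_SNAPSHOT = """default via 10.1.0.1 dev eth0
10.1.0.0/24 dev eth0
192.168.50.0/24 via 10.1.0.254 dev eth0
"""
CURRENT_SNAPSHOT = """default via 10.1.0.1 dev eth0
10.1.0.0/24 dev eth0
10.200.0.0/16 via 10.1.0.77 dev eth0
"""
PROTECTED_ZONES = ["10.200.0.0/16"]  # e.g. the controller/PLC zone

if __name__ == "__main__":
    missing, unauthorized = audit_routes(parse_routes(CURRENT_SNAPSHOT), parse_routes(BASELINE_SNAPSHOT), PROTECTED_ZONES)
    print("required routes removed:", missing)
    print("routes added outside baseline:", unauthorized)
```

Run it periodically against a golden baseline captured at commissioning time; any non-empty result is a change to the device's forwarding behaviour that should be reconciled with change records.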
Threat Maturity and Evidence
Observed Adversary Technique
ATT&CK Technique: Connection Proxy (T0884)
Procedure Example: Incontroller (S1045)
“The INCONTROLLER PLCProxy module can add an IP route to the CODESYS gateway running on Schneider PLCs to allow it to route messages through the PLC to other devices on that network. This allows the malware to bypass firewall rules that prevent it from directly communicating with devices on the same network as the PLC.”
CWE
CWE-306: Missing Authentication for Critical Function (Base)
“The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.”
CWE-15: External Control of System or Configuration Setting
“One or more system settings or configuration elements can be externally controlled by a user.”