CISA Warns of Critical Software Vulnerabilities in Industrial Devices: Ransomhub Decryptor Team Urges Immediate Action for Mitigation

The Ransomhub Decryptor Team has echoed the urgent call from the US Cybersecurity and Infrastructure Security Agency (CISA) for manufacturing companies to implement security mitigations after several vulnerabilities were discovered in systems by Rockwell Automation and Mitsubishi Electric. These vulnerabilities present serious risks to industrial control systems (ICS), and immediate action is necessary to safeguard critical infrastructure.

In a detailed ICS security advisory released on October 31, CISA outlined four sets of vulnerabilities affecting key ICS products:

  1. Rockwell Automation FactoryTalk ThinManager
  2. Mitsubishi Electric FA Engineering Software Products
  3. Mitsubishi Electric Multiple FA Engineering Software Products
  4. Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series

These vulnerabilities could enable attackers to exploit ICS remotely, with consequences ranging from unauthorized data access and denial of service (DoS) to full system compromise.

Details on the Vulnerabilities

  • Rockwell Automation FactoryTalk ThinManager
    This system is affected by two critical vulnerabilities:
    • CVE-2024-10386: A missing authentication for critical functions, with a CVSS score of 9.3. This flaw allows attackers to send crafted messages to the device, potentially manipulating its database and causing denial-of-service conditions.
    • CVE-2024-10387: An out-of-bounds read vulnerability with a CVSS score of 8.7. Successful exploitation can lead to a system crash or other failures.
    Both vulnerabilities are remotely exploitable and have low attack complexity, making them particularly dangerous for unpatched systems. Attackers could manipulate device functions or disrupt operations through relatively simple means.
  • Mitsubishi Electric FA Engineering Software Products
    The primary vulnerability here is CVE-2023-6943, which is exceptionally critical, scoring a CVSS of 9.8. This flaw enables attackers to execute malicious code by calling functions that reference malicious libraries. Through this, unauthorized users can tamper with, destroy, or delete product information or cause a DoS condition. Given the severity of the vulnerability, the potential for significant operational disruption is extremely high.
  • Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series
    This set of products suffers from CVE-2023-2060, an authentication bypass vulnerability with a CVSS score of 8.7. The issue lies within the FTP function of the EtherNet/IP module, where weak password requirements allow attackers to perform dictionary attacks or sniff passwords, potentially gaining access to the system.
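
The CVE-2023-2060 description above turns on weak FTP password requirements that make dictionary attacks feasible. As an added example that is not part of the CISA advisory or either vendor's guidance, the Python script below shows the detection side: it parses constructed FTP authentication log lines (the log format, usernames and addresses are all assumptions) and flags any source that produces a burst of failed logins within a short window, noting whether a successful login followed. That "many failures, then success" pattern is what a defender monitoring an ICS module's FTP service would want alerted while the weak-password issue is still unpatched.

```python
"""Detect dictionary-attack patterns against an FTP service from auth-style logs.

Added example, not from the CISA advisory or the vendors. The log format below
is an assumption constructed for this example; adapt LOG_RE to the real format
emitted by your FTP server or ICS module.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> FTP LOGIN <OK|FAIL> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) FTP LOGIN (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one source cycles through several usernames and
# finally succeeds; another source has a single typo-style failure.
SAMPLE_LOG = """\
2024-11-01T08:00:01 FTP LOGIN FAIL user=admin src=10.20.30.40
2024-11-01T08:00:02 FTP LOGIN FAIL user=admin src=10.20.30.40
2024-11-01T08:00:02 FTP LOGIN FAIL user=root src=10.20.30.40
2024-11-01T08:00:03 FTP LOGIN FAIL user=operator src=10.20.30.40
2024-11-01T08:00:04 FTP LOGIN FAIL user=plc src=10.20.30.40
2024-11-01T08:00:05 FTP LOGIN OK user=plc src=10.20.30.40
2024-11-01T08:05:00 FTP LOGIN FAIL user=engineer src=192.168.5.7
2024-11-01T09:00:00 FTP LOGIN OK user=engineer src=192.168.5.7
"""


def parse_events(text):
    """Turn log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "OK",
            "user": m["user"],
            "src": m["src"],
        })
    return events


def find_dictionary_attacks(events, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per source that has >= threshold failed logins inside
    any `window`-long span, recording whether a login succeeded afterwards."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        start = 0
        # Sliding window over the failure timestamps of this source.
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                first_fail = fails[start]["ts"]
                alerts.append({
                    "src": src,
                    "failures": end - start + 1,
                    "users": sorted({e["user"] for e in fails[start:end + 1]}),
                    # A success after the burst means a credential was guessed.
                    "success_after": any(e["ok"] and e["ts"] >= first_fail for e in evs),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_dictionary_attacks(parse_events(SAMPLE_LOG)):
        print(alert)
```

The threshold and window are deliberately conservative defaults; on a real control network, where a legitimate operator rarely fails five logins in a minute, they can be tightened, and the `success_after` flag is the one that should page someone rather than just log.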

These vulnerabilities, especially those with high CVSS scores, highlight the urgent need for immediate patching and other mitigations to prevent exploitation. The advisory also includes several other vulnerabilities with lower severity, but these should not be ignored, as they could still be leveraged by attackers to gain a foothold in compromised systems.

Ransomhub Decryptor Team’s Response and Mitigation Recommendations

Both Rockwell Automation and Mitsubishi Electric have shared mitigation steps for these vulnerabilities, and the Ransomhub Decryptor Team supports CISA's recommendations for defensive measures to reduce the risk of exploitation. These measures include:

  1. Minimizing Network Exposure
    All control system devices and systems should be isolated from direct internet access. Exposing ICS devices to public networks significantly increases the attack surface and opens the door for potential threats.
  2. Locating Control Systems Behind Firewalls
    Industrial control networks should be placed behind robust firewalls and be completely isolated from business networks. This ensures that even if corporate systems are compromised, the attackers do not have an easy path to ICS environments.
  3. Using Secure Remote Access Methods
    If remote access is necessary, using a Virtual Private Network (VPN) is recommended. However, the Ransomhub Decryptor Team and CISA remind organizations that VPNs themselves can have vulnerabilities. They must be updated regularly to the latest available versions to avoid becoming another vector for attack.
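
To make mitigations 1 to 3 checkable rather than aspirational, here is an added Python example, not from CISA or either vendor, that lints a constructed first-match firewall rule set. The network ranges, the rule format and the rules themselves are assumptions; TCP 21 (FTP) and TCP 44818 (EtherNet/IP explicit messaging) are the standard ports for the two services named in the advisory. It reports every ICS host and service that an internet source or a business-network source could reach, treating the VPN gateway as the one intended remote path.

```python
"""Audit a firewall policy against the three ICS exposure mitigations:
(1) no ICS device reachable directly from the internet,
(2) ICS network isolated from the business network,
(3) remote access only through the VPN gateway.

Added example, not from the CISA advisory or the vendors. All networks and
rules are constructed assumptions; the ports are the standard service ports.
"""
import ipaddress

BUSINESS_NET = ipaddress.ip_network("10.1.0.0/16")    # assumed corporate LAN
ICS_NET = ipaddress.ip_network("10.200.0.0/24")       # assumed control network
VPN_GATEWAY = ipaddress.ip_network("10.250.0.10/32")  # assumed VPN concentrator
ICS_PORTS = {21: "FTP", 44818: "EtherNet/IP"}         # standard service ports

# Representative probe sources; 203.0.113.10 (TEST-NET-3) stands in for any internet host.
PROBES = {
    "internet": ipaddress.ip_address("203.0.113.10"),
    "business": ipaddress.ip_address("10.1.5.5"),
    "vpn": ipaddress.ip_address("10.250.0.10"),
}


def rule(src, dst, port, action):
    """Build one rule: (source net, destination net, dst port or None for any, action)."""
    return (ipaddress.ip_network(src), ipaddress.ip_network(dst), port, action)


# Constructed rule set, evaluated first-match-wins like most firewalls.
RULES = [
    rule("10.250.0.10/32", "10.200.0.0/24", None, "allow"),  # VPN gateway -> ICS (intended)
    rule("10.1.0.0/16", "10.200.0.0/24", 44818, "allow"),    # business -> ICS EtherNet/IP (bad)
    rule("0.0.0.0/0", "10.200.0.5/32", 21, "allow"),         # anyone -> one controller's FTP (bad)
    rule("0.0.0.0/0", "10.200.0.0/24", None, "deny"),        # default deny into ICS
]


def first_match(rules, src_ip, dst_ip, port):
    """Return the action of the first matching rule; no match means implicit deny."""
    for src_net, dst_net, rule_port, action in rules:
        if src_ip in src_net and dst_ip in dst_net and (rule_port is None or rule_port == port):
            return action
    return "deny"


def reachable(rules, source, host, port):
    """Can the named probe source (internet/business/vpn) reach host:port?"""
    return first_match(rules, PROBES[source], ipaddress.ip_address(host), port) == "allow"


def audit(rules):
    """List (source class, ICS host, service) tuples that break mitigation 1 or 2.
    VPN-gateway reachability is the intended path (mitigation 3) and is not reported."""
    findings = []
    for host in ICS_NET.hosts():
        for port, service in ICS_PORTS.items():
            for source, ip in PROBES.items():
                if source == "vpn":
                    continue
                if first_match(rules, ip, host, port) == "allow":
                    findings.append((source, str(host), service))
    return findings


def summarize(findings):
    """Count findings per violated mitigation."""
    counts = {"1 (internet exposure)": 0, "2 (business-network reachability)": 0}
    for source, _, _ in findings:
        key = "1 (internet exposure)" if source == "internet" else "2 (business-network reachability)"
        counts[key] += 1
    return counts


if __name__ == "__main__":
    results = audit(RULES)
    print(summarize(results))
    for f in results[:5]:
        print(f)
```

Run against the constructed rules, the audit reports the single internet-reachable FTP service on 10.200.0.5 and the business-wide EtherNet/IP allowance to every controller; deleting the second and third rules brings both counts to zero while VPN-gateway access keeps working, which is the state the three mitigations describe.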

In addition to these steps, companies should implement regular vulnerability scanning, intrusion detection systems (IDS), and continuous monitoring of their ICS networks. Patch management processes must also be in place to quickly apply vendor-provided updates when vulnerabilities are discovered.

Importance of Addressing These Vulnerabilities

Industrial control systems are the backbone of critical infrastructure operations, including manufacturing, energy, water treatment, and transportation systems. The exploitation of vulnerabilities in these systems could have devastating effects—not only on the affected companies but also on wider communities relying on these services.

The Ransomhub Decryptor Team emphasizes the importance of proactive cybersecurity measures in ICS environments. In the wake of these vulnerability disclosures, manufacturing companies, especially those using Rockwell Automation and Mitsubishi Electric products, must prioritize implementing the recommended mitigations to avoid becoming the next target of sophisticated cyberattacks.

By staying informed and taking swift action, companies can significantly reduce their risk of cyber exploitation and safeguard their operational integrity.
