Virtual private network (VPN) implementations that provide remote access to operational technology (OT) networks have received more attention during COVID-19, since more people are working remotely.

Team Claroty Research 11 August 2020

Remote access servers

Vulnerable remote access servers can serve as a highly effective attack surface for threat actors targeting VPNs. These tools allow clients to connect to the server through an encrypted tunnel; the server then forwards that traffic into the internal network. This makes the server a critical asset: it has one "leg" on the Internet, exposed to everyone, and another "leg" inside the protected internal network, beyond every perimeter security control. Gaining access to it therefore lets an attacker not only observe internal traffic but also communicate as if they were a legitimate host on the network.

In recent years, there has been a shift toward cloud-based remote access solutions, which typically enable rapid deployment and reduce cost. Usually, they also offer white-labeled solutions that large-scale companies can purchase to have their own personal cloud while the underlying software is exactly the same. Thus, finding bugs in one instance could mean that all other instances would be affected, too.

Remote network connections

One of the major challenges in the ICS industry is securing the connection between remote sites and the SCADA/data acquisition servers located in the main data center. Recently we have seen multiple incidents in which Internet-facing ICS devices were accessed directly without any credentials; this threat was addressed in a recent CISA alert. To avoid such scenarios, multiple ICS VPN solutions exist that are able to make these remote connections between site and central in a secure manner.

Client control

Another prevalent attack surface for targeting VPNs is the client. Gaining control of an authorized user’s computer grants attackers access to that user’s VPN credentials, as well as those for other employee accounts that could enable the adversary to penetrate and further expand their foothold within the organization’s internal network without needing to tackle the server instance.

Remote access trends: In recent weeks we have seen numerous vulnerabilities published on popular remote access solutions. We expect that in the COVID-19 era of working from home, the increased use of these platforms will drive increased interest both from the operational side, as they become more process-critical, and from the security side, as they become more common. Denial-of-service (DoS) attacks on these components of the enterprise infrastructure could potentially emerge as a new tactic used by financially motivated attackers.

Leveraging vulnerabilities in edge devices can provide these groups with direct access to ICS devices and key target areas, which when taken over could potentially yield the most benefit for these attackers' business model. A good example of attackers using this exact tactic is the recent Honda attack. (Honda said one of its internal servers had been attacked from outside. It added that the issue affected its ability to access its computer servers, use email, and otherwise make use of its internal systems. It added that "the virus has spread" across its entire network, but offered no further details. The automotive giant felt the impact of the EKANS, or SNAKE reversed, ransomware.)

Phishing campaigns: Claroty has been focusing on client-side attacks due to the increase in APT activity targeting OT networks that leverages phishing campaigns as an attack vector. The main focus of our research in this area is to find vulnerabilities and exploits targeting OT-relevant clients, as shown through attacks on VPN clients.

These vulnerabilities reinforce the unique risks inherent to OT remote access. While the security features of most VPNs make them generally well-suited and secure for IT remote access, such features tend to be less comprehensive than the stringent role- and policy-based administrative controls and monitoring capabilities required to secure OT remote access connections and minimize the risks introduced by employees and third parties.
