Iranian-backed advanced persistent threat (APT) actors are actively targeting Rockwell Automation/Allen-Bradley programmable logic controllers (PLCs) that are connected to the internet. These industrial controllers are often used in important parts of the economy, like water treatment plants, energy facilities, and government operations.
Censys researchers found 5,219 internet-connected hosts around the world that respond to EtherNet/IP (EIP) on port 44818. The United States accounts for 74.6% of these exposures, which puts 3,891 hosts at risk. Almost 49.1% of all exposed devices are behind Verizon Business cellular modems, and 13.3% are behind AT&T Mobility cellular modems. Many of these PLCs are deployed in the field at pump stations, electrical substations, and city buildings.
Administrators should turn off VNC, Telnet, and FTP access on any host that shares space with a PLC.
Review all incoming traffic on TCP ports 44818, 2222, 102, 502, and 22 from known operator IPs right away. Use multi-factor authentication for all remote OT access, and check MicroLogix 1400 deployments that are running end-of-sale firmware versions C/21.02 and C/21.07. Also review traffic involving the new addresses 185.82.73.160, .161, .163, and .166.
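As an added example (not part of the original article or the Censys report), the following Python script triages flow records against the TCP ports and addresses listed above. The CSV layout, the sample records, and the internal network ranges are constructed assumptions.

```python
import csv
import io
import ipaddress

# Ports and addresses exactly as listed in the article.
OT_TCP_PORTS = {44818, 2222, 102, 502, 22}
LISTED_ADDRESSES = {ipaddress.ip_address(f"185.82.73.{o}") for o in (160, 161, 163, 166)}
# Assumption: sources inside these ranges are internal and not reported.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow log (assumed CSV layout: time,proto,src,dst,dport).
SAMPLE_FLOWS = """\
2025-01-01T00:00:01Z,tcp,185.82.73.161,198.51.100.10,44818
2025-01-01T00:00:05Z,tcp,203.0.113.7,198.51.100.10,502
2025-01-01T00:00:09Z,tcp,10.0.0.5,198.51.100.10,44818
2025-01-01T00:00:12Z,udp,203.0.113.7,198.51.100.10,2222
2025-01-01T00:00:15Z,tcp,203.0.113.9,198.51.100.10,443
2025-01-01T00:00:20Z,tcp,185.82.73.162,198.51.100.10,22
not,a,valid,row
"""

def triage_flows(text):
    """Return (priority, review) lists of inbound TCP flows to the listed ports."""
    priority, review = [], []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue  # skip malformed or blank lines
        when, proto, src, dst, dport = (f.strip() for f in row)
        try:
            src_ip, port = ipaddress.ip_address(src), int(dport)
        except ValueError:
            continue  # unparseable address or port
        if proto.lower() != "tcp" or port not in OT_TCP_PORTS:
            continue
        record = (when, src, dst, port)
        if src_ip in LISTED_ADDRESSES:
            priority.append(record)  # source is one of the article's addresses
        elif not any(src_ip in net for net in INTERNAL_NETS):
            review.append(record)    # other external source reaching a listed port
    return priority, review

if __name__ == "__main__":
    hits, others = triage_flows(SAMPLE_FLOWS)
    for rec in hits:
        print("PRIORITY", *rec)
    for rec in others:
        print("REVIEW  ", *rec)
```

Only .160, .161, .163, and .166 are matched as listed addresses, so the constructed .162 record lands in the review list rather than the priority list.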
You can read the whole report at: http://www.cnn.com/2013/01/28/tech/top-security-top-10-micrologix-1400-vNC-telnet-ftp-fstab-tcp-port-list.












