The escalation from website defacement to sabotage of physical processes is no longer hypothetical. The Iran-affiliated threat group CyberAv3ngers, operating under the Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), has moved beyond defacing water utility HMIs. It is now deploying a custom ICS malware platform known as IOCONTROL against Rockwell Automation Logix controllers, reaching them through CVE-2021-22681, a critical authentication bypass.
For defenders this is an active nation-state campaign against U.S. critical infrastructure, not a theoretical risk. CVE-2021-22681 lets an attacker who can reach a susceptible controller over CIP authenticate to it without legitimate credentials, download control logic, and manipulate the physical process. Immediate asset inventory, firmware updates to the revision Rockwell designates as fixed (this advisory cites Firmware Revision 28, FRN 28; confirm the fixed revision for each controller family against the vendor advisory before marking an asset remediated), and network segmentation are mandatory to prevent operational disruption.
Technical Analysis
Affected Products & Platforms:
- Vendor: Rockwell Automation
- Platform: Logix 5000 controllers (ControlLogix, CompactLogix including the 5380/5480 series, GuardLogix, and Compact GuardLogix including the 5380 series)
- Vulnerable Software: Controller firmware prior to the revision Rockwell lists as fixed (this advisory cites revision 28), together with the engineering software that embeds the verification key (RSLogix 5000 and Studio 5000 Logix Designer).
Vulnerability Details:
- CVE ID: CVE-2021-22681
- CVSS Score: 10.0 (Critical)
- CWE: CWE-287 (Improper Authentication)
Attack Mechanics: The weakness is not a parsing bug in the EtherNet/IP module. Logix controllers verify that a connecting client is genuine Rockwell engineering software (Studio 5000 Logix Designer or RSLogix 5000) by means of a secret key, and that key is embedded in the engineering software itself. Because the key can be extracted from the software, any CIP client that presents it is accepted as Studio 5000, so the controller's authentication check gives no protection against an attacker who holds the key and can reach TCP/44818.
- Reconnaissance: The group scans for port 44818 (EtherNet/IP) exposed to the internet or internal networks.
- Exploitation: The attacker sends crafted CIP packets to the target controller. Due to the authentication bypass (CVE-2021-22681), the controller accepts these packets without valid credentials.
- Payload Delivery: Using IOCONTROL or modified project files, the attacker uploads unauthorized logic or alters existing control routines.
- Impact: This results in the manipulation of physical processes, potential equipment damage, and denial of service.
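The reconnaissance and session-setup steps above can be spotted on the wire because every CIP exchange on TCP/44818 begins with the same 24-byte EtherNet/IP encapsulation header. The following is an added example, not code from the original advisory or from Rockwell/ODVA: it decodes that header and flags ListIdentity enumeration or RegisterSession requests from hosts that are not approved engineering workstations. The ICS zone range, the approved EWS address, the controller address and the frame bytes are constructed for illustration.

```python
"""Added example (not code from the original advisory or from Rockwell/ODVA):
decode the EtherNet/IP encapsulation header that every CIP exchange on TCP/44818
starts with, and flag session setup or identity enumeration from hosts that are
not approved engineering workstations. All addresses, the zone range and the
frame bytes below are constructed for illustration."""
import ipaddress
import struct
from dataclasses import dataclass

# 24-byte EtherNet/IP encapsulation header, little-endian:
# command(2) length(2) session_handle(4) status(4) sender_context(8) options(4)
ENIP_HDR = struct.Struct("<HHIIQI")

COMMANDS = {
    0x0004: "ListServices",
    0x0063: "ListIdentity",      # unauthenticated device fingerprinting
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",   # precedes any CIP request that needs a session
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",        # unconnected explicit messaging
    0x0070: "SendUnitData",      # connected messaging (e.g. program download)
}
RECON_COMMANDS = {0x0004, 0x0063, 0x0064}

# Constructed policy: the ICS zone and the only hosts allowed to program controllers
ICS_ZONE = ipaddress.ip_network("10.10.0.0/16")
APPROVED_EWS = {ipaddress.ip_address("10.10.20.15")}


@dataclass
class EnipHeader:
    command: int
    length: int
    session_handle: int
    status: int
    sender_context: int
    options: int

    @property
    def name(self) -> str:
        return COMMANDS.get(self.command, f"Unknown(0x{self.command:04x})")


def parse_enip(frame: bytes) -> EnipHeader:
    """Parse one encapsulation frame; reject truncated input rather than guess."""
    if len(frame) < ENIP_HDR.size:
        raise ValueError("frame shorter than encapsulation header")
    hdr = EnipHeader(*ENIP_HDR.unpack_from(frame))
    if len(frame) - ENIP_HDR.size < hdr.length:
        raise ValueError("encapsulation length exceeds captured payload")
    return hdr


def build_frame(command: int, payload: bytes = b"", session_handle: int = 0) -> bytes:
    """Build a request frame (used here only to construct sample traffic)."""
    return ENIP_HDR.pack(command, len(payload), session_handle, 0, 0, 0) + payload


def assess(src: str, dst: str, frame: bytes) -> list[str]:
    """Return findings for one client-to-controller frame, empty if it looks legitimate."""
    hdr = parse_enip(frame)
    src_ip = ipaddress.ip_address(src)
    findings = []
    if src_ip not in ICS_ZONE:
        findings.append(f"{hdr.name} to {dst} from outside the ICS zone ({src})")
    if src_ip not in APPROVED_EWS:
        if hdr.command == 0x0065:
            findings.append(f"RegisterSession to {dst} from unapproved host {src}")
        elif hdr.command in RECON_COMMANDS:
            findings.append(f"{hdr.name} enumeration of {dst} from {src}")
    return findings


# Constructed sample traffic: an EWS registering a session, an internal host
# enumerating a controller, and an internet host opening a session.
LIST_IDENTITY = build_frame(0x0063)
REGISTER_SESSION = build_frame(0x0065, struct.pack("<HH", 1, 0))  # protocol version 1, options 0
SAMPLE_FLOWS = [
    ("10.10.20.15", "10.10.30.5", REGISTER_SESSION),
    ("10.10.40.9", "10.10.30.5", LIST_IDENTITY),
    ("203.0.113.7", "10.10.30.5", REGISTER_SESSION),
]


def run_samples() -> dict[str, list[str]]:
    return {src: assess(src, dst, frame) for src, dst, frame in SAMPLE_FLOWS}


if __name__ == "__main__":
    for src, findings in run_samples().items():
        print(src, "->", findings or "ok")
```

Fed from a sensor that reassembles TCP/44818 streams, the same logic generalises: an approved EWS that suddenly issues RegisterSession to a controller it has never programmed is the next thing to baseline, since the stolen key lets the attacker look like Studio 5000 from any host.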
Exploitation Status:
- Confirmed Active Exploitation: Yes. CyberAv3ngers has demonstrated capability in the wild.
- CISA KEV: Verify the current entry for this CVE in the Known Exploited Vulnerabilities Catalog before setting a remediation deadline; the catalog's due date, not the CVSS score, drives the compliance clock.
Detection & Response
SIGMA Rules
---
title: Potential Rockwell Automation Exploitation - Unexpected CIP Traffic
id: 8a2b1c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects outbound connections to TCP port 44818 (EtherNet/IP CIP) from processes other than the Rockwell engineering tools. Logix controllers are programmed over this port, so a connection from an unexpected process on a workstation may indicate reconnaissance or a session being set up to a controller. The path filter trusts any binary under the Rockwell install directories; pair it with file-integrity monitoring of those paths.
references:
  - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2024/05/15
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort: 44818
    Initiated: 'true'
  filter_legit_engineering:
    Image|contains:
      - '\RSLogix 5000\'
      - '\Studio 5000\'
      - '\FactoryTalk\'
      - '\RSLinx\'
  condition: selection and not filter_legit_engineering
falsepositives:
  - Legitimate third-party OPC servers or SCADA clients not listed in the filter
level: high
---
title: Suspicious Project File Creation - IOCONTROL Indicator
id: 1b4d2e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects the creation of Rockwell Logix project files (.acd, .l5x, .l5k) outside the Rockwell install directories and the site's project location, which may indicate logic being staged for injection into a controller (as with IOCONTROL).
references:
  - https://www.tenable.com/blog/what-to-know-about-cyberav3ngers
author: Security Arsenal
date: 2024/05/15
tags:
  - attack.impact
  - attack.t0885
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|endswith:
      - '.acd'
      - '.l5x'
      - '.l5k'
  filter_legit_paths:
    TargetFilename|contains:
      - '\Program Files (x86)\Rockwell Automation\'
      - '\Program Files\Rockwell Automation\'
      - '\Projects\' # over-broad: matches any folder named Projects, including user-writable ones; replace with the full path of the site's project share
  condition: selection and not filter_legit_paths
falsepositives:
  - Users moving project files for backup
level: medium
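Two details of the file-creation rule decide whether it is usable: how the extension is tested and how tightly the legitimate-path filter is anchored. The following is an added example, not part of the original advisory: it runs the rule's selection-and-filter logic over constructed Sysmon Event ID 11 records in a loose form (substring match on the extension, bare `\Projects\` path fragment) and a tightened form (`endswith` on the extension, full-path prefixes). The process images, users, paths and the anchored project share `C:\Projects\` are constructed assumptions, not site data.

```python
"""Added example (not part of the original advisory): evaluate the project-file
creation rule over constructed Sysmon Event ID 11 records in two forms, to show
that a substring test on the extension fires on every Recent-items shortcut and
that a bare '\\Projects\\' filter excuses any folder with that name, including
user-writable ones. Paths, users and the anchored project share (C:\\Projects\\)
are constructed assumptions, not site data."""
from dataclasses import dataclass

PROJECT_EXTENSIONS = (".acd", ".l5x", ".l5k")

# Loose filter: substring match anywhere in the path
LEGIT_PATH_FRAGMENTS = (
    "\\Program Files (x86)\\Rockwell Automation\\",
    "\\Program Files\\Rockwell Automation\\",
    "\\Projects\\",
)
# Tightened filter: full prefixes, so only the real install dirs and the site share match
LEGIT_PATH_PREFIXES = (
    "C:\\Program Files (x86)\\Rockwell Automation\\",
    "C:\\Program Files\\Rockwell Automation\\",
    "C:\\Projects\\",  # assumption: the site's controlled project share
)


@dataclass
class FileCreateEvent:
    image: str    # Sysmon Image: process that created the file
    target: str   # Sysmon TargetFilename
    user: str


def sigma_contains(value: str, needles) -> bool:
    """Sigma string modifiers are case-insensitive."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def sigma_endswith(value: str, needles) -> bool:
    v = value.lower()
    return any(v.endswith(n.lower()) for n in needles)


def sigma_startswith(value: str, needles) -> bool:
    v = value.lower()
    return any(v.startswith(n.lower()) for n in needles)


def matches(ev: FileCreateEvent, tightened: bool = False) -> bool:
    """'selection and not filter_legit_paths', in the loose or tightened form."""
    if tightened:
        selection = sigma_endswith(ev.target, PROJECT_EXTENSIONS)
        filtered = sigma_startswith(ev.target, LEGIT_PATH_PREFIXES)
    else:
        selection = sigma_contains(ev.target, PROJECT_EXTENSIONS)
        filtered = sigma_contains(ev.target, LEGIT_PATH_FRAGMENTS)
    return selection and not filtered


# Constructed Sysmon Event ID 11 records
SAMPLE_EVENTS = [
    # normal save from the engineering tool to the site share
    FileCreateEvent("C:\\Program Files (x86)\\Rockwell Software\\Studio 5000\\LogixDesigner.exe",
                    "C:\\Projects\\Line3\\Pump_Station.acd", "PLANT\\eng01"),
    # project file staged in a user Temp directory (mixed-case extension)
    FileCreateEvent("C:\\Windows\\explorer.exe",
                    "C:\\Users\\operator\\AppData\\Local\\Temp\\xk9\\Pump_Station.L5X", "PLANT\\operator"),
    # Recent-items shortcut Windows writes whenever the engineer opens a project
    FileCreateEvent("C:\\Windows\\explorer.exe",
                    "C:\\Users\\eng01\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Pump_Station.acd.lnk",
                    "PLANT\\eng01"),
    # staging under a user-writable folder that happens to be named Projects
    FileCreateEvent("C:\\Users\\Public\\stage.exe",
                    "C:\\Users\\Public\\Projects\\Pump_Station.acd", "PLANT\\operator"),
]


def alerts(events, tightened: bool = False) -> list[str]:
    """TargetFilename of every record the rule would fire on."""
    return [ev.target for ev in events if matches(ev, tightened)]


if __name__ == "__main__":
    print("loose     :", alerts(SAMPLE_EVENTS))
    print("tightened :", alerts(SAMPLE_EVENTS, tightened=True))
```

The loose form alerts on the Temp staging and on the harmless `.acd.lnk` shortcut while missing the file under `C:\Users\Public\Projects\`; the tightened form alerts on the Temp staging and the Public\Projects file and stays quiet on the shortcut, which is the behaviour a SOC wants from this rule.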
KQL (Microsoft Sentinel / Defender)
// Hunt for connections to the Rockwell EtherNet/IP port (44818)
// from processes that are not the Rockwell engineering tools.
// The version-info company name is PE metadata an attacker can set freely,
// so treat it as a triage filter, not as proof the process is legitimate.
DeviceNetworkEvents
| where RemotePort == 44818
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
| where InitiatingProcessVersionInfoCompanyName !contains "Rockwell Automation"
| summarize Connections = count(), Processes = make_set(InitiatingProcessFileName), Hosts = make_set(DeviceName) by RemoteIP
| extend Severity = iff(Connections > 10, "High", "Medium")
| order by Connections desc
Velociraptor VQL
-- Engineering tools running on the host (context for the connections below)
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE Name =~ "^(RSLinx|Studio5000)"

-- Rockwell project files staged in user Temp directories
SELECT OSPath, Size, Mtime
FROM glob(globs="C:/Users/*/AppData/Local/Temp/**/*.{acd,l5x,l5k}")

-- Active connections to the EtherNet/IP port (netstat() exposes Laddr/Raddr, not RemoteAddr/RemotePort)
SELECT Pid, Name, Status, Laddr.IP AS LocalIP, Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort
FROM netstat()
WHERE Raddr.Port = 44818
Remediation Script (PowerShell)
<#
.SYNOPSIS
Asset Discovery for Rockwell Automation Devices on TCP/44818.
.DESCRIPTION
Scans the local /24 to identify devices listening on TCP/44818 (EtherNet/IP).
This helps identify unmanaged or shadow IT assets that may be vulnerable to CVE-2021-22681.
Run it from a workstation already inside the ICS zone and coordinate with operations first:
a TCP connect to 44818 is normally harmless, but some legacy devices react badly to unexpected sessions.
#>
$Port = 44818
$ConnectTimeoutMs = 500
# Use the IPv4 address of the first adapter that has a default gateway (not the gateway address itself)
$IPConfig = Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway } | Select-Object -First 1
$Addr = $IPConfig.IPv4Address | Select-Object -First 1
$LocalIP = $Addr.IPAddress
if ($Addr.PrefixLength -ne 24) {
    Write-Warning "Local prefix is /$($Addr.PrefixLength); the range below assumes /24. Adjust for production subnets."
}
$BaseIP = $LocalIP.Substring(0, $LocalIP.LastIndexOf('.'))
Write-Host "[+] Scanning $BaseIP.0/24 for Rockwell EtherNet/IP devices (TCP/$Port)..."
1..254 | ForEach-Object {
    $TargetIP = "$BaseIP.$_"
    # Raw TcpClient with a short timeout; Test-NetConnection waits several seconds per dead host
    $Client = New-Object System.Net.Sockets.TcpClient
    $Async = $Client.BeginConnect($TargetIP, $Port, $null, $null)
    $Open = $Async.AsyncWaitHandle.WaitOne($ConnectTimeoutMs) -and $Client.Connected
    $Client.Close()
    if ($Open) {
        Write-Host "[!] Device Found: $TargetIP is listening on TCP/$Port" -ForegroundColor Yellow
        # MAC from the ARP cache (populated by the connect attempt); hostname only if a DNS record exists
        $MAC = (Get-NetNeighbor -IPAddress $TargetIP -ErrorAction SilentlyContinue).LinkLayerAddress
        if ($MAC) { Write-Host "    MAC: $MAC" }
        try {
            $Hostname = ([System.Net.Dns]::GetHostEntry($TargetIP)).HostName
            Write-Host "    Hostname: $Hostname"
        } catch {
            Write-Host "    Hostname: (no DNS record; controllers rarely have one)"
        }
    }
}
Write-Host "[+] Scan Complete. Verify the firmware revision of every device found against the Rockwell advisory."
Remediation
Immediate action is required to neutralize the threat posed by CyberAv3ngers and CVE-2021-22681.
- Patch Firmware Immediately: Update all affected Rockwell Automation Logix controllers to the firmware revision Rockwell designates as fixed; this advisory cites **Firmware Revision 28 (FRN 28)** or later. Confirm the fixed revision for each controller family against the vendor advisory before marking an asset remediated.
  * *Official Advisory:* [Rockwell Automation Security Advisory AD2018](https://www.rockwellautomation.com/en-us/trust-center/security-advisories/ad2018.html)
- Lock the Controller: Set the controller key switch to RUN and leave it there outside maintenance windows. A Logix controller in RUN mode rejects program downloads and online edits regardless of what the client presents, which blunts the attack even where the firmware cannot yet be updated.
- Verify Controller State: Even after patching, compare the online program with the last known-good project file, and review I/O forces and the safety task signature for changes that indicate injected logic.
- Network Segmentation (Purdue Model):
  - Ensure TCP port 44818 is not accessible from the internet.
  - Restrict access to port 44818 strictly to known Engineering Workstations (EWS) and HMIs within the ICS zone.
  - Implement a DMZ for all remote access connections; direct RDP/VPN connections into the ICS network must be blocked.
- CISA Directive Compliance: If this CVE appears in the KEV catalog, the catalog's due date (not the CVSS score) sets the remediation deadline for federal agencies under BOD 22-01; verify the entry and its date rather than assuming one.