Introduction
Recent intelligence confirms that Iranian state-sponsored actors (specifically "CyberAv3ngers") are actively targeting U.S. critical infrastructure, focusing on Internet-exposed Rockwell Automation Programmable Logic Controllers (PLCs). According to CISA Advisory AA24-208A and recent reporting, nearly 4,000 devices are currently exposed to the public internet, presenting a significant attack surface for remote code execution (RCE) and logic manipulation.
This is not a theoretical risk. Active exploitation campaigns are scanning for and compromising ControlLogix and CompactLogix devices. Defenders in the OT/ICS space must immediately assume that any PLC with a public-facing IP address on TCP port 44818 is either currently compromised or under active scanning.
Technical Analysis
Affected Products:
- Rockwell Automation ControlLogix 5580 Controllers
- Rockwell Automation CompactLogix 5380 Controllers
- Rockwell Automation CompactLogix 5480 Controllers
Vulnerability Details:
- CVE ID: CVE-2024-6242
- CVSS Score: 10.0 (Critical)
- Vulnerability Class: Improper Validation of Specified Quantity in Input (CWE-20)
Mechanism of Exploitation: The vulnerability exists in the EtherNet/IP implementation (port 44818/TCP). The flaw allows an unauthenticated, remote attacker to send specifically crafted packets to the controller. This can lead to a denial-of-service (DoS) condition or, more critically, arbitrary remote code execution. Successful exploitation allows the attacker to modify the controller's logic or project files, potentially causing physical damage to industrial processes.
Exploitation Status:
- Confirmed Active Exploitation: Yes (CISA KEV)
- Publicly Known: Yes
Detection & Response
Given that these controllers sit on the network edge, detection relies heavily on network telemetry (Firewall, IDS, or NetFlow) rather than endpoint agents running directly on the PLC. Defenders must look for anomalous traffic on TCP port 44818 and connections originating from untrusted geographic locations.
SIGMA Rules
---
title: Rockwell Automation PLC External Exposure Detected
id: 8a2b1c3d-4e5f-6789-0a1b-2c3d4e5f6789
status: experimental
description: Detects inbound connection attempts to Rockwell EtherNet/IP port (44818) from external IPs, indicating scanning or exploitation attempts.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-208a
author: Security Arsenal
date: 2024/09/10
tags:
- attack.initial_access
- attack.t1190
- attack.cve-2024-6242
logsource:
category: network_connection
product: firewall
detection:
selection:
DestinationPort: 44818
Protocol: tcp
filter_internal:
SourceIP|cidr:
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '127.0.0.0/8'
condition: selection and not filter_internal
falsepositives:
- Authorized remote vendor access via VPN (if VPN IP space is not defined)
level: high
---
title: Suspected Outbound C2 from Rockwell PLC
id: 9b3c2d4e-5f60-7890-1b2c-3d4e5f67890a
status: experimental
description: Detects outbound traffic from a Rockwell PLC to the Internet on port 44818. PLCs should initiate connections only to internal HMIs/Engineering workstations.
references:
- https://attack.mitre.org/techniques/T1071/
author: Security Arsenal
date: 2024/09/10
tags:
- attack.exfiltration
- attack.command_and_control
- attack.t1071
logsource:
category: network_connection
product: firewall
detection:
selection:
DestinationPort: 44818
Protocol: tcp
SourceIP|cidr: # Replace with your specific OT Subnets
- '10.20.0.0/16'
- '192.168.50.0/24'
filter_internet_dest:
DestinationIP|cidr:
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
condition: selection and not filter_internet_dest
falsepositives:
- Legitimate cloud-based MES connections if explicitly allowed
level: critical
KQL (Microsoft Sentinel / Defender)
// Define your internal OT subnets here
let OT_Subnets = dynamic(["10.0.0.0/8", "192.168.100.0/24"]);
// Hunt for external connections hitting Rockwell EtherNet/IP port
CommonSecurityLog
| where DestinationPort == 44818
| extend IsInternalSrc = ipv4_is_in_range(SourceIP, OT_Subnets)
| extend IsInternalDst = ipv4_is_in_range(DestinationIP, OT_Subnets)
// Focus on External -> Internal or Internal -> External
| where IsInternalSrc != IsInternalDst
| project TimeGenerated, DeviceName, SourceIP, DestinationIP, DestinationPort, Protocol, OriginalProtocol, Activity, ReceivedBytes, SentBytes
| order by TimeGenerated desc
Velociraptor VQL
While PLCs do not support VQL clients, this query is designed to run on Windows-based Engineering Workstations or Jump Servers that communicate with the PLCs. It identifies suspicious processes communicating with the EtherNet/IP port, which could indicate an HMI acting as a pivot or compromised engineering software.
-- Hunt for processes connecting to Rockwell PLCs (Port 44818)
-- Run on Engineering Workstations/HMI Servers
SELECT Fqdn, Name, Pid, CommandLine, Username
FROM process_open_sockets()
WHERE RemotePort = 44818
AND NOT Name =~ "RSLinx.exe"
AND NOT Name =~ "FactoryTalk*")
Remediation Script
This PowerShell script is designed for Windows-based network administration or engineering workstations to verify that PLCs are not inadvertently exposed to the outside world by checking internal network reachability. Note: This requires network connectivity to the PLC subnets.
<#
.SYNOPSIS
Scans local subnet for exposed Rockwell EtherNet/IP ports.
.DESCRIPTION
Identifies devices listening on TCP 44818 (EtherNet/IP) in the specified range.
Helps identify devices inadvertently exposed to internal networks that might route externally.
#>
$targetSubnet = "192.168.1" # Modify to match your OT network prefix
$port = 44818
$openPorts = @()
1..254 | ForEach-Object {
$ip = "$targetSubnet.$_"
$connection = Test-NetConnection -ComputerName $ip -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
if ($connection) {
Write-Host "[!] Potential Rockwell Device Found: $ip" -ForegroundColor Red
$openPorts += $ip
}
}
if ($openPorts.Count -eq 0) {
Write-Host "No exposed EtherNet/IP ports found in $targetSubnet.0/24" -ForegroundColor Green
} else {
Write-Host "Audit Complete. Review the above IPs against firewall rules." -ForegroundColor Yellow
}
Remediation
1. Immediate Isolation (Patch Management): Apply the official firmware updates released by Rockwell Automation immediately. The vulnerability is patched in the following firmware versions:
- CompactLogix 5380: Firmware v33.013 or newer
- CompactLogix 5480: Firmware v33.013 or newer
- ControlLogix 5580: Firmware v33.013 or newer
Reference: Rockwell Automation Security Advisory
2. Network Segmentation (Critical Control): Ensure TCP port 44818 (EtherNet/IP) is blocked at the perimeter firewall. There is no legitimate operational reason for a PLC to be directly accessible from the public internet. Implement a Demilitarized Zone (DMZ) architecture where Engineering Workstations reside in a secure zone, and PLCs reside in an isolated zone with strict inbound/outbound rules.
3. Configuration Hardening: Disable the "Unicast Mode" or unused EtherNet/IP ports on the controllers if not required for specific operations. Review the "CIP Security" configuration on the devices to enforce TLS encryption and device authentication, which mitigates man-in-the-middle attacks.
4. Deadlines: CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies patch this vulnerability by September 19, 2024. Private sector operators of critical infrastructure should adhere to this same timeline due to the active exploitation status.
Related Resources
Security Arsenal Alert Triage Automation AlertMonitor Platform Book a SOC Assessment platform Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.