Ars Technica reports that hundreds of Internet-connected devices in solar parks are still not patched against a critical, actively exploited vulnerability. Attackers can remotely disrupt operations or gain a foothold in the systems, and a Mirai botnet variant already appears to be exploiting the flaw.
The devices, sold under the SolarView brand by Contec of Osaka, Japan, let operators of solar arrays monitor how much electricity they are generating, storing and distributing. According to Contec, around 30,000 power plants have deployed them; they are offered in different packages depending on the size of the installation and the type of equipment used. So far only these solar installations are known to be affected; other parks, and systems from other manufacturers, may turn out to be affected as well.
The first “hackable” solar parks
Shodan searches show that more than 600 of them are reachable on the open Internet. As problematic as that exposure is, researchers at the security company VulnCheck said on Wednesday, more than two-thirds of them still have not installed the update that patches CVE-2022-29303, the tracking designation for a vulnerability rated 9.8 out of 10 in severity. The flaw arises because special elements in user-supplied input are not neutralized before the input reaches a system command, allowing remote attackers to execute commands of their choosing on the device.
Security firm Palo Alto Networks said last month that the vulnerability was being actively exploited by an operator of Mirai, an open-source botnet made up of routers and other so-called Internet-of-Things devices. Compromise of these devices could cause the facilities using them to lose visibility into their operations, with consequences whose seriousness depends on where the vulnerable devices are deployed.
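The vulnerability class described above (unneutralized user input reaching an OS command, CWE-78) is easiest to see side by side with its fix. The following is an added illustration, not code from the SolarView firmware or from VulnCheck; the "pinging" command is a stand-in built on `echo` so it runs harmlessly anywhere with a POSIX shell, and the host values are constructed sample inputs.

```python
import re
import subprocess

# Constructed sample inputs (not taken from the article): a benign value and
# one carrying a shell metacharacter that starts a second command.
BENIGN_HOST = "192.0.2.10"
INJECTED_HOST = "192.0.2.10; echo INJECTED"

# Allowlist for the one input shape the feature legitimately needs
# (hostname / IPv4 characters only). Anything else is rejected outright.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def run_vulnerable(host: str) -> str:
    """Builds a command line by string formatting and hands it to a shell.

    Everything the user supplies is parsed by /bin/sh, so `;`, `|`, `$()` and
    friends inside `host` become additional commands. This is the pattern
    behind OS command injection bugs such as the one in the article.
    The real monitoring command is replaced by `echo` here.
    """
    cmd = f"echo pinging {host}"
    result = subprocess.run(["/bin/sh", "-c", cmd],
                            capture_output=True, text=True, check=True)
    return result.stdout


def is_safe_host(host: str) -> bool:
    """True only if the value matches the strict allowlist."""
    return HOST_RE.fullmatch(host) is not None


def run_hardened(host: str) -> str:
    """Validates the input and passes it as a single argv element, never via a shell.

    Without a shell in the path there is no parser that could turn the value
    into a second command; the allowlist additionally rejects the attempt early.
    """
    if not is_safe_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    result = subprocess.run(["echo", "pinging", host],
                            capture_output=True, text=True, check=True)
    return result.stdout


def demo() -> tuple[str, str]:
    """Runs both variants on the injected input and returns what each did."""
    vulnerable_output = run_vulnerable(INJECTED_HOST)
    try:
        run_hardened(INJECTED_HOST)
        hardened_result = "accepted"
    except ValueError as exc:
        hardened_result = str(exc)
    return vulnerable_output, hardened_result


if __name__ == "__main__":
    vuln, hardened = demo()
    print("vulnerable variant output:")
    print(vuln, end="")          # second line "INJECTED" came from the injected command
    print("hardened variant:", hardened)
```

Running it shows the vulnerable variant printing a second line, `INJECTED`, produced by the command smuggled in after the semicolon, while the hardened variant refuses the value before any process is started. The two fixes are independent and both are worth having: an argv-style call with no shell removes the parser that gives metacharacters meaning, and the allowlist limits the attack surface even if some later code path does need a shell. Neither replaces the other mitigation the article implies: a device that exists to report plant status has no business being reachable from the open Internet at all.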
Mirai botnet exploits many IoT vulnerabilities
Palo Alto Networks said the CVE-2022-29303 exploit activity is part of a broader campaign that exploited 22 vulnerabilities across a range of IoT devices to propagate a Mirai variant. The attacks began in March and used the exploits to install a shell interface that allows remote control of the devices. After exploitation, a device downloads and runs bot clients compiled for various Linux architectures. Although there is no evidence that attackers are actively exploiting a second flaw, CVE-2023-23333, several exploits for it are already published on GitHub.