Sality malware infected password cracking tool distributed for industrial PLCs and ISC

Sicherheit (Pexels, allgemeine Nutzung)[German]Cyber criminals are promoting a tool on social networks that can be used to crack passwords in industrial control systems (ICS, PLCs). This is certainly useful for technicians who need to access PLCs (Programmable Logic Controllers) or ICSs (Industrial Control Systems) but no longer know the access data. The problem: The advertised password cracking tool is contaminated with the Sality malware, and the attackers use it to infect the PLCs or ICS.


Advertising

The Internet offers endless opportunities for scammers and cyber criminals to make money in an illegal way. Typically, ransomware, business email compromise, Internet fraud and phishing come to mind, risks that threaten information security. But there is much more to it. 

Password cracking tool with malware

During a routine vulnerability assessment, Dragos security researchers discovered an attack technique targeting technicians and engineers who service industrial controls and control systems. Dragos security researchers documented this case in the blog post The Trojan Horse Malware & Password "Cracking" Ecosystem Targeting Industrial Operators.

AD for Passwort Cracking Tool
Ad for a Passwort Cracking Tool

Security researchers have noticed (after has been notified by a customer) that software for cracking passwords for programmable logic controllers (PLCs), human-machine interfaces (HMIs) and project files is being advertised on social media websites using various accounts. By means of a free tool, forgotten passwords for these ICSs and PLCs are supposed to be able to be determined. The ads offer the tool for various systems from Mitsubishi, Siemens and many other manufacturers (the complete list can be found here). 

For security experts it's  a night mare; there can't be enough warnings against downloading and running software from an untrusted source. But the people in the field, suddenly faced with the problem of accessing an industrial controller, but unable to do so because of a missing password, may throw all caution to the wind. "You could try it, it costs nothing, and what could happen – the software is executed on a PC."


Advertising

Get PLC password

Dragos looked at and analyzed one such advertised password cracking tool. In the specific case, the tool was able to access Automation's DirectLogic 06 PLC system from the PC via the specified COM interface and also reported back a password (see the figure above).

However, when reverse-engineering the password "cracking" software, it turned out that this software did not crack the password at all. Rather, the tool exploited a vulnerability in the firmware of the controller or control system in question to read the password. However, when the tool was executed, a malware dropper became active on the side, infecting the computer with the Sality malware and turning it into a participant of Sality's peer-to-peer botnet.

Sality is a peer-to-peer botnet for distributed computing tasks such as password cracking and cryptocurrency mining. A Sality infection could allow remote access to a configuration system (Engineering Work Station,EWS) by an unknown attacker. Dragos estimates that while the attacker is capable of disrupting industrial processes. Attackers are likely to be financially motivated and may not have a direct impact on processes controlled or regulated and monitored by the PLCs or ICS.

The many details were documented by security researchers in the blog post The Trojan Horse Malware & Password "Cracking" Ecosystem Targeting Industrial Operators. The case shows once again that if people don't exercise appropriate caution, they will get the infections themselves on their equipment. (via)


Advertising

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).