[German]Cyber criminals are promoting a tool on social networks that can be used to crack passwords in industrial control systems (ICS, PLCs). This is certainly useful for technicians who need to access PLCs (Programmable Logic Controllers) or ICSs (Industrial Control Systems) but no longer know the access data. The problem: The advertised password cracking tool is contaminated with the Sality malware, and the attackers use it to infect the PLCs or ICS.
Advertising
The Internet offers endless opportunities for scammers and cyber criminals to make money in an illegal way. Typically, ransomware, business email compromise, Internet fraud and phishing come to mind, risks that threaten information security. But there is much more to it.
Password cracking tool with malware
During a routine vulnerability assessment, Dragos security researchers discovered an attack technique targeting technicians and engineers who service industrial controls and control systems. Dragos security researchers documented this case in the blog post The Trojan Horse Malware & Password "Cracking" Ecosystem Targeting Industrial Operators.
Ad for a Passwort Cracking Tool
Security researchers have noticed (after has been notified by a customer) that software for cracking passwords for programmable logic controllers (PLCs), human-machine interfaces (HMIs) and project files is being advertised on social media websites using various accounts. By means of a free tool, forgotten passwords for these ICSs and PLCs are supposed to be able to be determined. The ads offer the tool for various systems from Mitsubishi, Siemens and many other manufacturers (the complete list can be found here).
For security experts it's a night mare; there can't be enough warnings against downloading and running software from an untrusted source. But the people in the field, suddenly faced with the problem of accessing an industrial controller, but unable to do so because of a missing password, may throw all caution to the wind. "You could try it, it costs nothing, and what could happen – the software is executed on a PC."
Advertising
Dragos looked at and analyzed one such advertised password cracking tool. In the specific case, the tool was able to access Automation's DirectLogic 06 PLC system from the PC via the specified COM interface and also reported back a password (see the figure above).
However, when reverse-engineering the password "cracking" software, it turned out that this software did not crack the password at all. Rather, the tool exploited a vulnerability in the firmware of the controller or control system in question to read the password. However, when the tool was executed, a malware dropper became active on the side, infecting the computer with the Sality malware and turning it into a participant of Sality's peer-to-peer botnet.
Sality is a peer-to-peer botnet for distributed computing tasks such as password cracking and cryptocurrency mining. A Sality infection could allow remote access to a configuration system (Engineering Work Station,EWS) by an unknown attacker. Dragos estimates that while the attacker is capable of disrupting industrial processes. Attackers are likely to be financially motivated and may not have a direct impact on processes controlled or regulated and monitored by the PLCs or ICS.
The many details were documented by security researchers in the blog post The Trojan Horse Malware & Password "Cracking" Ecosystem Targeting Industrial Operators. The case shows once again that if people don't exercise appropriate caution, they will get the infections themselves on their equipment. (via)
