A threat actor is infecting industrial control systems (ICS) to create a botnet through password “cracking” software for programmable logic controllers (PLCs).
Advertised on various social media platforms, the password recovery tools promise to unlock PLC and HMI (human-machine interface) terminals from Automation Direct, Omron, Siemens, Fuji Electric, Mitsubishi, LG, Vigor, Pro-Face, Allen Bradley, Weintek, ABB, and Panasonic.
Security researchers at industrial cybersecurity company Dragos analyzed one incident impacting DirectLogic PLCs from Automation Direct and discovered that the “cracking” software was exploiting a known vulnerability in the device to extract the password.
But behind the scenes the tool also dropped Sality, a piece of malware that creates a peer-to-peer botnet for various tasks that require the power of distributed computing to complete faster (e.g. password cracking, cryptocurrency mining).
Dragos researchers found that the exploit used by the malicious program was limited to serial-only communications. However, they also found a way to recreate it over Ethernet, which increases the severity.
After examining the Sality-laced software, Dragos informed Automation Direct of the vulnerability and the vendor released appropriate mitigations.
The threat actor’s campaign is ongoing, though, and administrators of PLC from other vendors should be aware of the risk of using password cracking software in ICS environments.
Regardless how legitimate is the reason for using them, operational technology engineers should avoid password cracking tools, especially if their source is unknown.
For scenarios where there is the need to recover a password (because you forgot it, or the individual that had it is no longer your colleague), Dragos recommends contacting them or the device vendor for instructions and guidance.
Sality P2P botnet
Sality is an old piece of malware that continues to evolve with features that allows it to terminate processes, open connections to remote sites, download additional payloads, or steal data from the host.
The malware can also inject itself into running processes and abuse the Windows autorun function to copy itself onto network shares, external drives, and removable storage devices that could carry it to other systems.
The specific sample analyzed by Dragos appears to be focused on stealing cryptocurrency. The researchers say that the malware added a payload that hijacked the contents in the clipboard to divert cryptocurrency transactions.
However, a more advanced attacker could use this point of entry to create more serious damage by disrupting operations.
In this particular case, the victim grew suspicious after running the malicious software because the CPU usage level grew to 100% and Windows Defender issued multiple threat alerts.