From the what-could-possibly-go-wrong files comes this: An industrial control engineer recently made a workstation part of a botnet after inadvertently installing malware that posed as a means of recovering lost passwords.
Lost passwords happen in many organizations. A programmable logic controller – used to automate processes in factories, electrical plants and other industrial settings – can be set up and then largely forgotten for years. When a replacement engineer later has to troubleshoot a problem with the PLC, they may find that the original engineer, long since gone, never left the passcode behind before leaving the company.
According to a blog post by security firm Dragos, an entire malware ecosystem attempts to capitalize on scenarios like this inside industrial plants. Online advertisements like the one below promote password crackers for PLCs and human-machine interfaces, the workhorses of these environments.
If your industrial system is part of a botnet
Dragos – which helps companies protect industrial control systems from ransomware, state-sponsored hackers and would-be saboteurs – recently performed a routine vulnerability assessment and discovered that a customer's system was running software that successfully recovered the plaintext password for the DirectLogic 06, a PLC sold by Automation Direct. The software did recover the password, but not through the usual method of cracking a password hash. Instead, it exploited a zero-day vulnerability in Automation Direct PLCs that caused the device itself to disclose the passcode.
“Previous research on DirectLogic PLCs has led to successful cracking techniques,” wrote Dragos researcher Sam Hanson. “However, Dragos found that this exploit does not crack an encrypted version of the password, as has been seen in popular exploit frameworks in the past. Instead, a specific sequence of bytes is sent to a COM port by the malware dropper.”
The vulnerability and a related one also found by Hanson have now been patched and are tracked as CVE-2022-2033 and CVE-2022-2004. The latter allows the password to be recovered and sent to a remote attacker over the network rather than only over a local serial connection, which raises its severity rating to 7.5 out of a possible 10.
Besides recovering the password, the software installed on the Dragos customer's network also dropped malware called Sality. It made the infected system part of a botnet and monitored the workstation's clipboard every half second for text that looked like a cryptocurrency wallet address.
“If one is seen, it replaces the address with one that belongs to the attacker,” Hanson said. “This real-time hijacking is an effective way to steal cryptocurrency from users looking to transfer funds and increases our confidence that the adversary is financially motivated.”
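The clipboard-swap technique described above is simple enough to model end to end. The following Python is an added example written for this article; it is not Dragos's code and not the Sality sample. It replays a constructed sequence of user copy actions against an in-memory clipboard, runs one hijacker polling tick between copy and paste (the article's half-second interval), and shows the paste-time check a wallet tool can use to catch the swap. The address patterns check only rough shape (no checksum validation), and every address in it, including the "attacker" ones, is constructed for the demo.

```python
"""Clipboard-hijack simulation: how Sality-class crimeware swaps wallet addresses,
and a paste-time check that catches it. Added example, not code from the
article, Dragos, or the malware; patterns and all addresses are constructed."""
import re

# Assumption: rough address shapes only. Real malware may carry more patterns.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Constructed attacker-controlled addresses, one per currency the hijacker handles.
ATTACKER_ADDRESSES = {
    "btc": "1AttackerBtcAddrDemoxxxxxxxxxxxxxx",
    "eth": "0x" + "deadbeef" * 5,
}

POLL_INTERVAL_MS = 500  # per the article: the clipboard is checked every half second


def classify(text: str):
    """Return 'btc', 'eth' or None depending on whether text looks like a wallet address."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


class Clipboard:
    """In-memory stand-in for the OS clipboard so the simulation runs offline."""

    def __init__(self):
        self.text = ""

    def get(self) -> str:
        return self.text

    def set(self, text: str) -> None:
        self.text = text


def hijacker_poll(clip: Clipboard, attacker=ATTACKER_ADDRESSES) -> bool:
    """One polling tick of the malware: if the clipboard holds a wallet address,
    overwrite it with the attacker's address of the same kind. Returns True on swap."""
    current = clip.get().strip()
    kind = classify(current)
    if kind is None or current == attacker[kind]:
        return False  # nothing to steal, or already swapped
    clip.set(attacker[kind])
    return True


def safe_paste(clip: Clipboard, expected: str) -> str:
    """Defensive check a wallet UI can do at paste time: refuse clipboard content
    that differs from the address the user actually copied."""
    actual = clip.get()
    if actual != expected:
        raise ValueError(f"clipboard changed after copy: {expected!r} -> {actual!r}")
    return actual


def simulate(user_copies, attacker=ATTACKER_ADDRESSES):
    """Replay user copy actions with one hijacker tick (POLL_INTERVAL_MS later)
    before each paste. Returns a list of (copied, would_be_pasted, swapped)."""
    clip = Clipboard()
    results = []
    for text in user_copies:
        clip.set(text)                          # user presses Ctrl+C
        swapped = hijacker_poll(clip, attacker)  # malware polls before Ctrl+V
        results.append((text, clip.get(), swapped))
    return results


if __name__ == "__main__":
    # Constructed clipboard history: plain text, a BTC address, an ETH address.
    history = ["meeting at 3pm",
               "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
               "0x" + "1234567890abcdef" * 2 + "12345678"]
    for copied, pasted, swapped in simulate(history):
        print(f"copied={copied!r} pasted={pasted!r} swapped={swapped}")
```

The only reliable user-side defence is the comparison in `safe_paste`: re-read the destination address after pasting and compare it with what you copied, because the swap happens between the two keystrokes and leaves no other visible trace.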
Hanson said he found password crackers advertised online for a wide range of industrial software sold by other companies. They include:
| Vendor and device | System type |
|---|---|
| Automation Direct DirectLogic 06 | PLC |
| Siemens S7-200 | Project file (*.mwp) |
| Siemens LOGO! 0AB6 | PLC |
| ABB Codesys | Project file (*.pro) |
| Delta Automation DVP, ES, EX, SS2, EC Series | PLC |
| Fuji Electric POD UG | HMI |
| Fuji Electric Hakko | HMI |
| Mitsubishi Electric FX series (3U and 3G) | PLC |
| Mitsubishi Electric Q02 series | PLC |
| Mitsubishi Electric GT 1020 series | HMI |
| Mitsubishi Electric GAT F930 | HMI |
| Mitsubishi Electric GAT F940 | HMI |
| Mitsubishi Electric GOT 1055 | HMI |
| Pro Face GP Pro Face | HMI |
| Pro Face GP | Project file (*.prw) |
| Allen Bradley MicroLogix 1000 | PLC |
| Panasonic NAIS F P0 | PLC |
| Fatek FBe and FBs series | PLC |
| IDEC Corporation HG2S-FF | HMI |
Dragos only tested the cracker targeting the DirectLogic devices, but a cursory analysis of some of the other samples showed that they, too, contained malware.
“In general, there seems to be an ecosystem for this type of software,” Hanson said. “There are multiple websites and multiple social media accounts all touting their password ‘crackers’.”
The report is worrying because it illustrates the neglect that persists in many industrial control environments. The criminals behind the malware that infected the Dragos customer were after money, but there is no reason a more malicious actor intent on sabotaging a dam, power plant, or similar facility could not gain a foothold the same way, with far more serious consequences.