Trojanized Password Crackers Targeting Industrial Systems

Published: 23/11/2024   Category: security




Tools purporting to help organizations recover lost passwords for PLCs are really droppers for malware targeting industrial control systems, vendor says.



Threat actors are targeting systems in industrial control environments with backdoor malware hidden in fake password-cracking tools. The tools, being touted for sale on a variety of social media websites, offer to recover passwords for hardware systems used in industrial environments.
Researchers from Dragos recently analyzed one such password-cracking product and found it to contain Sality, an old malware tool that makes infected systems part of a peer-to-peer botnet for cryptomining and password cracking.
The password-cracking tool was being hawked as software that could help users of Automation Direct's DirectLogic 06 programmable logic controllers (PLCs) recover lost or forgotten passwords. When installed on the PLC, the software did not really crack the password. Rather, it exploited a vulnerability in the PLC to recover the password from the system on command and send it in clear text to the user's connected engineering workstation. The sample that Dragos analyzed required the user to have a direct serial connection from their workstation to the Automation Direct PLC. However, the security vendor said it was able to develop a more dangerous version of the exploit that works over Ethernet as well.
Dragos said it reported the vulnerability (CVE-2022-2003) to Automation Direct, which issued a fix for it in June.
In addition to retrieving the password, Dragos observed the so-called password-cracking tool dropping Sality on the host system and making it part of the botnet. The specific sample of Sality also dropped malware that hijacked the infected system's clipboard every half second and checked it for cryptocurrency address formats. If the malware detected one, it replaced the address with a threat actor-controlled address. "This in-real-time hijacking is an effective way to steal cryptocurrency from users wanting to transfer funds and increases our confidence that the adversary is financially motivated," Dragos said in a recent blog.
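To show what a defender can do with the behaviour just described, here is an added Python example (not code from the article or from Dragos) that models a host-side clipboard monitor: it records what the user copied, polls the clipboard periodically, and flags a poll where a cryptocurrency address has silently turned into a different address of the same format. The address patterns, the event format and the sample event sequence are all constructed assumptions; a real deployment would feed it from an OS clipboard hook and a half-second poll loop.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed, hypothetical address patterns for the families clipboard hijackers
# commonly target. They are deliberately loose: a false positive only prompts the
# user to re-check the address before sending funds.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_family(text: str) -> Optional[str]:
    """Return the address family that `text` looks like, or None if it is not an address."""
    stripped = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(stripped):
            return name
    return None


@dataclass
class Swap:
    at: int          # index of the poll event that exposed the substitution
    family: str      # address family of the copied and observed values
    copied: str      # what the user put on the clipboard
    observed: str    # what the clipboard held when polled


# ("copy", text) comes from a copy hook (the user's own action);
# ("poll", text) comes from the periodic clipboard read.
Event = Tuple[str, str]


def detect_swaps(events: Iterable[Event]) -> List[Swap]:
    """Flag polls where a copied cryptocurrency address became a different address
    of the same family without any intervening copy event by the user."""
    swaps: List[Swap] = []
    last_copied: Optional[str] = None
    last_reported: Optional[str] = None
    for index, (kind, text) in enumerate(events):
        if kind == "copy":
            last_copied = text
            last_reported = None
            continue
        if kind != "poll" or last_copied is None:
            continue
        family = address_family(last_copied)
        if family is None or text == last_copied or text == last_reported:
            continue
        # Content changed with no copy event. A same-family address substitution is
        # exactly the hijacker behaviour the article describes; report it once.
        if address_family(text) == family:
            swaps.append(Swap(at=index, family=family, copied=last_copied, observed=text))
            last_reported = text
    return swaps


# Constructed sample: the user copies an Ethereum-format address, the clipboard is
# polled repeatedly, and on the third poll the address has been replaced by a
# different one of the same format (both values are placeholders, not real addresses).
USER_ADDR = "0x" + "a1" * 20
ATTACKER_ADDR = "0x" + "b2" * 20
SAMPLE_EVENTS: List[Event] = [
    ("copy", "meeting notes"),
    ("poll", "meeting notes"),
    ("copy", USER_ADDR),
    ("poll", USER_ADDR),
    ("poll", USER_ADDR),
    ("poll", ATTACKER_ADDR),   # the substitution shows up here
    ("poll", ATTACKER_ADDR),   # still substituted; not reported a second time
]

if __name__ == "__main__":
    for swap in detect_swaps(SAMPLE_EVENTS):
        print(f"poll #{swap.at}: {swap.family} address changed from {swap.copied} to {swap.observed}")
```

The detector keys on the absence of a user copy event between two differing address values, which is the one signal content inspection alone can provide; on a real host it should be paired with the platform's clipboard change notification so that the writer process of the substituted value can be recorded for triage.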
Dragos did not immediately respond to a Dark Reading request for clarification on who exactly the buyers for such password-cracking software would be and why they might want to buy these tools from unverified sellers on social media websites. It was also not clear why threat actors would go to the trouble of developing Trojanized password crackers for PLCs in critical infrastructure and operational technology environments if the goal is purely financial. Often, attacks targeting equipment in industrial and OT environments have other motivations, such as surveillance, data theft, and sabotage.
Dragos' research showed that the password cracker for Automation Direct's PLCs is just one of many similarly fake password retrievers that are available on social media websites. Dragos researchers found similar executables for retrieving passwords from more than 30 PLCs, human-machine interface (HMI) systems, and project files in industrial settings. Among them were six PLCs from Omron, two PLCs from Siemens, four HMIs from Mitsubishi, and products from an assortment of other vendors including LG, Panasonic, and Weintek.
Dragos said it only tested the password cracker for Automation Direct's DirectLogic PLC. However, an initial analysis of the other tools showed they contained malware as well. "In general, it appears there is an ecosystem for this type of software. Several websites and multiple social media accounts exist all touting their password crackers," Dragos said in its blog.
Attacks targeting ICS environments have grown in number and sophistication in recent years. Since the 2010 Stuxnet attack on Iran's uranium enrichment facility in Natanz, there have been numerous instances where threat actors have gained access to critical systems in ICS and OT environments and deployed malware on them. Some of the more recent, notable examples include malware such as Industroyer/Crashoverride, Triton/Trisis, and BlackEnergy. In April 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) warned critical infrastructure organizations to be on the lookout for three sophisticated malware tools, collectively referred to as Incontroller/PipeDream, custom-built to attack PLCs from Schneider Electric, Omron, and systems based on the Open Platform Communications Unified Architecture (OPC UA) standard.
