Security researchers at the industrial cybersecurity firm Dragos have warned of a malicious campaign aimed at industrial engineers and operators that involves password “cracking” software for programmable logic controllers (PLCs) which infects systems with malware in order to ensnare them in a botnet.
During the investigation of an incident involving an Automation Direct DirectLogic PLC at one of the firm’s customers, a routine vulnerability assessment performed by the researchers found that the PLC password “cracking” software the affected company’s engineer had used to recover the password was exploiting a known vulnerability (CVE-2022-2003) in the device to extract the password.
Furthermore, the tool was a malware dropper, infecting the machine with the Sality malware and turning the host into a peer in Sality’s peer-to-peer botnet for distributed computing tasks such as password cracking and cryptocurrency mining.
The analysis showed that the malware contained a serial-only version of the exploit, requiring the user to have a direct serial connection from an Engineering Workstation (EWS) to the PLC.
“A Sality infection could risk remote access to an EWS by an unknown adversary. Dragos assesses with moderate confidence the adversary, while having the capability to disrupt industrial processes, has financial motivation and may not directly impact Operational Technology (OT) processes,” the researchers said.
To maintain persistence on the host, Sality uses process injection and file infection. The malware abuses Windows’ autorun functionality to spread copies of itself via Universal Serial Bus (USB) devices, network shares, and external storage drives. According to the researchers, the Sality sample they discovered also dropped clipboard hijacking malware designed to steal cryptocurrency.
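The autorun abuse described above is an old worm pattern that defenders can audit for directly. The following is an added example, not code from Dragos or the article: a small checker that parses an autorun.inf (as found on a removable drive or share) and flags any entry that would launch an executable on insertion. The sample autorun.inf contents are constructed for illustration.

```python
"""Flag autorun.inf entries that would launch a program on drive insertion.

Added defender-side example (not from the article or Dragos). The sample
autorun.inf texts at the bottom are constructed, not captured samples.
"""
import configparser
from typing import List

# Extensions Windows will execute directly when named in an autorun entry;
# a removable drive's autorun.inf pointing at one of these is the classic
# worm propagation pattern.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Autorun keys that cause program execution (icon/label keys do not).
LAUNCH_KEYS = ("open", "shellexecute")

def _target_of(value: str) -> str:
    """Return the program path from a value such as 'loader.exe /q'."""
    value = value.strip().strip('"')
    return value.split()[0] if value else ""

def suspicious_entries(autorun_text: str) -> List[str]:
    """Return 'key=value' strings from the [autorun] section that run a program.

    Covers open=, shellexecute= and shell\\<verb>\\command= keys, and flags
    any launch target whose extension is executable.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # preserve key case for reporting
    cp.read_string(autorun_text)
    hits = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            k = key.lower()
            is_launch = k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))
            if not is_launch:
                continue
            target = _target_of(value).lower()
            if any(target.endswith(ext) for ext in EXECUTABLE_EXTS):
                hits.append(f"{key}={value}")
    return hits

# Constructed samples: a benign vendor-disc style file and a worm-style one.
BENIGN_INF = "[autorun]\nicon=setup.ico\nlabel=Vendor Tools\n"
WORM_INF = ("[autorun]\nopen=RECYCLER\\loader.exe\n"
            "shell\\open\\command=RECYCLER\\loader.exe\n"
            "shellexecute=RECYCLER\\loader.exe /q\n"
            "icon=%SystemRoot%\\system32\\shell32.dll,4\n")

if __name__ == "__main__":
    print(suspicious_entries(BENIGN_INF))  # []
    print(suspicious_entries(WORM_INF))    # three launch entries
```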
In order to remain invisible on a system, Sality drops a kernel driver and starts a service that identifies potential security products, such as antivirus systems or firewalls, and terminates them.
Dragos says that Automation Direct likely is not the only vendor affected, as the threat actor behind the campaign advertises “cracking” software for several PLCs and HMIs, including those manufactured by Omron, Siemens, Delta Automation, Fuji Electric, Mitsubishi Electric, Panasonic, LG, and others.