Posted on July 18, 2022 at 7:53 PM
Researchers have discovered that hackers are infecting industrial control systems (ICS) through password recovery tools. The report reveals that the infection vector is password "cracking" software for programmable logic controllers (PLCs).
The password recovery tools are marketed on several social media platforms. They promise to unlock HMI (human-machine interface) and PLC terminals from Siemens, Omron, Automation Direct, Vigor, LG, Mitsubishi, Panasonic, and other vendors' devices.
The Hackers Are Exploiting Known Flaws To Extract Passwords
Researchers at Dragos, an industrial cybersecurity firm, analyzed an incident affecting Automation Direct's DirectLogic PLCs. They uncovered a campaign in which the "cracking" software exploits known vulnerabilities in the targeted devices to extract their passwords.
The tool also deploys the Sality malware behind the scenes. Sality enlists the infected host in a peer-to-peer botnet, which its operators use for distributed computing tasks, such as cryptocurrency mining and password cracking, that complete faster when spread across many machines.
The researchers also found that the exploit used by the cracking tool worked only over a serial connection. However, they were able to recreate it over Ethernet, which increases its severity.
Dragos notified Automation Direct of the vulnerability after examining the Sality-laced software, and the vendor has released a firmware update that addresses it.
However, the researchers stated that the threat actors' campaign is still ongoing. Administrators of PLCs from other vendors have been advised to be wary of the risks of using password-cracking software in ICS environments.
Recommendations For Protection Against The Exploit
No matter how legitimate the reason for using them, operators have been advised to stop using password-cracking tools, especially when their source is unknown.
Dragos also recommended a course of action for operators who genuinely need to recover a forgotten password: contact the device vendor directly for guidance and instructions. Dealing with the vendor directly avoids any scenario that gives hackers a way in.
The Sality Malware Has Several Data-Stealing Capabilities
Sality is an old piece of malware that has kept changing and gaining features. Its newer features allow it to complete a series of tasks on the targeted system: it can download additional payloads, open connections to remote sites, steal data from the host, and terminate processes. These capabilities make it very dangerous and highly effective on host systems.
The malware also has several evasion methods that keep it undetected inside the host. It can inject itself into running processes, and it abuses the Windows AutoRun function to copy itself across the network.
Sality Also Has High Evasive Capabilities
The malware can hide on removable storage devices and external drives, as well as on network shares that can carry it to other targets. Its self-replication makes it very difficult to wipe clean from an infected device or system.
Dragos analyzed a specific sample that appeared geared toward stealing cryptocurrency. According to the researchers, the malware added a payload that hijacked the contents of the clipboard to divert cryptocurrency transactions.
But in the hands of a more experienced threat actor, this point of entry could be used to do more serious damage by disrupting operations within the affected system.
In the specific sample, the target became suspicious of the malware's activity after running security software: CPU usage rose to 100% while Windows Defender issued several threat alerts. The researchers warned that the malware's evasive capabilities are considerable, as it can hide in several areas while carrying out its actions in secret.
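As an added illustration that is not part of the Dragos analysis or this article, the following scanner covers the propagation vector just described: it walks a mounted removable volume or network share and reports every autorun.inf whose [autorun] section would launch an executable. The parser is deliberately tolerant, because worm-dropped autorun.inf files often carry decoy sections and junk lines meant to break stricter INI parsers. The two autorun.inf samples are constructed for this example; the directive names (open, shellexecute, shell\...\command) are the standard AutoRun keys.

```python
import os
import re
import tempfile

# Directives in the [autorun] section that make Windows launch a program when a
# volume is mounted or opened. AutoRun is what the worm relies on to spread.
LAUNCH_DIRECTIVES = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")


def parse_autorun(text):
    """Return (directive, target) pairs from an autorun.inf body.

    Parsing is deliberately tolerant: only the [autorun] section is read,
    lines that are not key=value are skipped, and names are compared
    case-insensitively, so junk lines inserted to trip up stricter INI
    parsers do not hide a launch directive.
    """
    launches = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff").strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        value = value.strip().strip('"')
        if key in LAUNCH_DIRECTIVES or SHELL_COMMAND_RE.match(key):
            launches.append((key, value))
    return launches


def is_executable_target(value):
    """True if the first token of a launch target names an executable file."""
    tokens = value.split()
    return bool(tokens) and tokens[0].lower().endswith(EXEC_EXT)


def scan_tree(root):
    """Walk a mounted volume or share; report each autorun.inf that would
    launch an executable as (path, directive, target)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "autorun.inf":
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            for directive, target in parse_autorun(text):
                if is_executable_target(target):
                    findings.append((path, directive, target))
    return findings


# Constructed sample in the style of a worm-dropped autorun.inf: a decoy
# section and junk lines to confuse naive parsers, plus two launch directives.
SAMPLE_AUTORUN = """[garbage]
ignored=1
;xkq93jr
[AutoRun]
zzz junk line without an equals sign
OPEN=data\\update.pif
shell\\open\\Command=data\\update.pif /s
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Constructed benign sample: only sets a label and an icon.
BENIGN_AUTORUN = """[autorun]
icon=setup.ico
label=Vendor Docs
"""


def demo():
    """Write both samples into a throwaway tree and scan it; returns the
    findings with paths relative to the tree root."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usb"))
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "usb", "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        with open(os.path.join(root, "docs", "Autorun.INF"), "w") as fh:
            fh.write(BENIGN_AUTORUN)
        return [(os.path.relpath(p, root), d, t) for p, d, t in scan_tree(root)]


if __name__ == "__main__":
    for path, directive, target in demo():
        print(f"{path}: {directive} -> {target}")
```

Run it against the root of a mounted USB stick or share (`scan_tree("/mnt/usb")`) before the media is plugged into an engineering workstation. A hit is not proof of infection on its own, but an autorun.inf that launches a .pif or .exe from a data folder has no legitimate reason to exist on vendor media and should be quarantined with the file it points at.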
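As an added illustration that is not part of the Dragos analysis or this article, here is the mechanism behind a clipboard-hijacking ("clipper") payload, alongside the check a user or endpoint monitor can make against it. The clipper side watches for text that looks like a wallet address and swaps it for the attacker's address of the same type, so the victim pastes the wrong destination. The address patterns are simplified and assumed for this example, and the payment note and addresses are constructed.

```python
import re

# Simplified address patterns, assumed for this example; a real clipper
# carries one pattern per coin it targets. Legacy Bitcoin addresses are
# base58 (no 0, O, I, l); Ethereum addresses are 0x plus 40 hex digits.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}


def clip(text, attacker_addresses):
    """What a clipper does on every clipboard change: if the text contains an
    address of a type it has a replacement for, swap it for the attacker's
    address of the same type. Returns (new_text, [(kind, original, replacement)])."""
    swaps = []
    for kind, pattern in ADDRESS_PATTERNS.items():
        mine = attacker_addresses.get(kind)
        if not mine:
            continue

        def swap(match, kind=kind, mine=mine):
            original = match.group(0)
            if original == mine:          # already the attacker's, leave it alone
                return original
            swaps.append((kind, original, mine))
            return mine

        text = pattern.sub(swap, text)
    return text, swaps


def extract_addresses(text):
    """Set of (kind, address) pairs found in a piece of text."""
    return {(kind, m.group(0))
            for kind, pattern in ADDRESS_PATTERNS.items()
            for m in pattern.finditer(text)}


def clipboard_tampered(copied, pasted):
    """The check a user or an endpoint monitor can make: compare what went into
    the clipboard with what came back out. Any change in the set of addresses
    means something rewrote the clipboard in between."""
    return extract_addresses(copied) != extract_addresses(pasted)


# Constructed sample: the victim copies a payment note, the clipper rewrites it.
VICTIM_ADDR = "1Victim" + "1" * 25
ATTACKER_ADDR = "1Attacker" + "1" * 23
VICTIM_NOTE = f"pay 0.5 BTC to {VICTIM_ADDR} today"
ATTACKER_ADDRESSES = {"btc-legacy": ATTACKER_ADDR}


def demo():
    pasted, swaps = clip(VICTIM_NOTE, ATTACKER_ADDRESSES)
    return pasted, swaps, clipboard_tampered(VICTIM_NOTE, pasted)


if __name__ == "__main__":
    pasted, swaps, tampered = demo()
    print("pasted:  ", pasted)
    print("swaps:   ", swaps)
    print("tampered:", tampered)
```

The defensive takeaway is that the substitution is invisible at paste time unless the address is re-read: a monitor that records the last value an application placed on the clipboard and compares it with what is read back will catch the rewrite, and so will a user who checks the first and last characters of a pasted address against the source.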
The New Campaign Is Targeting Industrial Operators And Engineers
The vulnerability is tracked as CVE-2022-2003, with a CVSS score of 7.7. Firmware version 2.72, released last month, addressed the issue, but systems that have yet to be updated remain vulnerable.
This is not the first time hackers have used trojanized software to attack operational technology (OT) networks. Last October, cybersecurity firm Mandiant revealed how hackers were compromising genuine portable executable binaries with a variety of malware, such as Ramnit, Virut, and Sality.