Posted on May 31, 2021 at 9:16 PM
New Malware Detected on Siemens Allows Hackers to Remotely Execute Malicious Code
Siemens issued a security update stating that a severe vulnerability had been detected in its systems. The vulnerability was present in the SIMATIC S7-1200 and S7-1500 programmable logic controllers (PLCs).
A threat actor could easily exploit a hack through this vulnerability to gain remote access to restricted areas while avoiding detection. The code execution would also be done without anyone detecting the same. According to cybersecurity researchers, this kind of sophisticated attack was termed by threat actors as a ‘holy grail.’
Sophisticated bug
This vulnerability, listed as CVE-2020-15782 (CVSS score:8.1), was unveiled by Claroty, a cybersecurity company. Because of the high level of sophistication in the malware, experts from the firm exploited the MC7 / MC7 + bytecode through reverse engineering to run PLC software in the microprocessor. However, it is not clear whether the vulnerability was exploited maliciously.
However, this malware posed a potential threat to the internet community because it could be used to develop future attacks. In its statement, Siemens stated that a threat actor could maliciously steal user information and gain access to sensitive data by accessing the network of the TCP port 102, which could compromise protected areas of the network. This could be achieved through writing arbitrary data and malicious code.
According to Tal Keren, a researcher at Claroty, stated that “Achieving native code execution on an industrial control system such as a programmable logic controller is an end-goal relatively few advanced attackers have achieved.” “These complex systems have numerous in-memory protections that would have to be hurdled in order for an attacker to not only run code of their choice but also remain undetected.”
Avoids detection
When threat actors use this bug, they gain access to the user’s systems and retrieve personal data and avoid detection. This means that users will continue with their normal operations without any red flags that may make them install updates or internet security software.
To escape detection, the hacker writes arbitrary data and the code directly to the regions of the user’s system that are protected. The security firm also stated that attackers who use this method need access to the PLC’s network to download. However, to go around this, the hackers use the PLC native sandbox, where it launches kernel-level software in the system to be granted remote access for code execution.
This will not be the first time that a similar sophisticated attack has been reported on Siemens PLC. In 2020, another similar malware that enabled unauthorized code execution was also detected. The malware, dubbed Stuxnet worm, exploited several vulnerabilities in the Windows system by changing the code on Siemens PLC. This was done to spy on users and to cover the tracks of attackers.
Again in 2019, another attack was also discovered, which used the vulnerabilities in the S7 communication mechanism to create an attack by sending messages that will be favourable to the threat actor.
Since the attack was discovered, Siemens has urged users to install the latest update, as it will prevent them from being victims of the attack. The firm also assured its customers that it worked around the clock to develop more updates and countermeasures to help curb such attacks.
However, Siemens is not the only firm to suffer from a series of sophisticated attacks from users. Other major firms have also warned clients of malware that avoid detection and steal sensitive data by spying on user activity. Such attacks were recently discovered by Microsoft and on the Pulse Secure Network. In all instances, updating to the latest versions of the software is the best way of counteracting the attacks.
