
Malware

PLC

ICS


Salty malware used to infect ICS through password cracking tool

Luring victims with shady ads for tools that promise to unlock PLCs and HMIs, hackers target industrial control systems…

17-Jul-2022
3 min read

Threat actors are infecting Industrial Control Systems (ICS) with trojanized password "cracking" tools that promise to unlock programmable logic controllers (PLCs), using the compromised hosts to build a botnet.

The password recovery tools, which have been promoted on a number of social media channels, claim to be able to unlock PLC and HMI (human-machine interface) terminals made by Automation Direct, Omron, Siemens, Fuji Electric, Mitsubishi, LG, Vigor, Pro-Face, Allen Bradley, Weintek, ABB, and Panasonic.


Researchers from the industrial cybersecurity firm Dragos reviewed an incident involving DirectLogic PLCs from Automation Direct and determined that the "cracking" software exploited a known vulnerability in the device to extract the password.


However, the tool also silently dropped Sality, a piece of malware that builds a peer-to-peer botnet for tasks that benefit from distributed computing power (e.g., password cracking, cryptocurrency mining).

Researchers at Dragos determined that the malicious program's exploit was limited to serial-only interactions. However, the researchers also found a way to reproduce it over Ethernet, heightening its severity.


After analyzing the tool, including the bundled Sality payload, Dragos notified Automation Direct of the vulnerability, and the vendor subsequently provided the necessary mitigation.

But because the threat actor's campaign is still active, PLC administrators at other vendors' sites should be mindful of the dangers of using password-cracking tools in ICS environments.

Regardless of the justification for their use, operational technology engineers should avoid password cracking tools, particularly if their origin is unknown.

If you need to recover a password (either because you lost it or because the person who had it is no longer your colleague), Dragos suggests contacting them or the device manufacturer for instructions and support.

Sality is a long-established piece of malware that continues to evolve with new capabilities that enable it to terminate processes, open connections to remote sites, download additional payloads, and steal data from the host.

Additionally, the malware can inject itself into ongoing processes and exploit the Windows autorun feature to replicate itself onto network shares, external disks, and removable storage devices that could transport it to other systems.

The sample examined by Dragos appears to be focused on cryptocurrency theft. According to the researchers, the malware introduced a payload that hijacked cryptocurrency transactions using the contents of the clipboard.
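As an added illustration, not part of the original article or of Dragos's analysis, the following Python heuristic shows how a defender might spot the clipboard-swapping behaviour described above: it flags a cryptocurrency address that is replaced by a different address of the same type with no accompanying user copy action. The clipboard events, the simplified address patterns and the two-second window are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Simplified address patterns (assumption: enough to classify common BTC/ETH
# formats for this demonstration, not a full validity check).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class ClipboardEvent:
    ts: float        # seconds since monitoring started
    content: str     # clipboard text after the change
    user_copy: bool  # True if a user copy action was observed for this change


def classify(text):
    """Return the coin type of an address-like string, or None."""
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return coin
    return None


def detect_swaps(events, window=2.0):
    """Return (ts, original, replacement) tuples for suspicious address swaps.

    A swap is flagged when an address is replaced by a different address of the
    same coin type, without a user copy action, within `window` seconds.
    """
    alerts = []
    for prev, cur in zip(events, events[1:]):
        before, after = classify(prev.content), classify(cur.content)
        if before is None or before != after:
            continue
        if prev.content.strip() == cur.content.strip():
            continue
        if cur.user_copy or (cur.ts - prev.ts) > window:
            continue
        alerts.append((cur.ts, prev.content.strip(), cur.content.strip()))
    return alerts


# Constructed sample: the user copies a BTC address, and 0.3 s later the
# clipboard silently changes to a different BTC address (the hijack pattern).
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "meeting notes", True),
    ClipboardEvent(10.0, "1TestAddr" + "A" * 24, True),
    ClipboardEvent(10.3, "1SwapAddr" + "B" * 24, False),
    ClipboardEvent(40.0, "0x" + "ab" * 20, True),   # legitimate user copies
    ClipboardEvent(55.0, "0x" + "cd" * 20, True),   # are not flagged
]

if __name__ == "__main__":
    for ts, original, replacement in detect_swaps(SAMPLE_EVENTS):
        print(f"t={ts}: clipboard address {original} replaced by {replacement}")
```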

However, a skilled attacker could use this same foothold to disrupt operations and cause far more severe damage.

In this instance, the victim became suspicious after executing the malicious software, as the CPU utilization rate increased to 100 percent and Windows Defender sent repeated threat alerts.