Threat actors are targeting systems in industrial control environments with backdoor malware hidden in fake password-cracking tools. The tools, being touted for sale on a variety of social media websites, offer to recover passwords for hardware systems used in industrial environments.
Researchers from Dragos recently analyzed one such password-cracking product and found it to contain "Sality," an old malware tool that makes infected systems part of a peer-to-peer botnet for cryptomining and password cracking.
The password-cracking tool was being hawked as software that could help users of Automation Direct's DirectLogic 06 programmable logic controllers (PLCs) recover lost or forgotten passwords. When installed on the PLC, the software did not really "crack" the password. Rather, it exploited a vulnerability in the PLC to recover the password from the system on command and send it in clear text to the user's connected engineering workstation. The sample that Dragos analyzed required the user to have a direct serial connection from their workstation to the Automation Direct PLC. However, the security vendor said it was able to develop a more dangerous version of the exploit that works over Ethernet as well.
Dragos said it reported the vulnerability (CVE-2022-2003) to Automation Direct, which issued a fix for it in June.
In addition to retrieving the password, Dragos observed the so-called password-cracking tool dropping Sality on the host system and making it a part of the botnet. The specific sample of Sality also dropped malware for hijacking the infected system's clipboard every half second and checking it for cryptocurrency address formats. If the malware detected one, it replaced the address with a threat actor-controlled address. "This in-real-time hijacking is an effective way to steal cryptocurrency from users wanting to transfer funds and increases our confidence that the adversary is financially motivated," Dragos said in a recent blog.
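As an added illustration (not code from the article or from Dragos' report), the Python sketch below shows the detection logic a defender could run over clipboard samples collected from an engineering workstation: it flags the behaviour described above, one cryptocurrency address being replaced by a different address of the same format within the malware's half-second polling interval, while ignoring ordinary copy activity. The address patterns and the snapshot data are constructed assumptions, not values from the report.

```python
import re

# Illustrative address formats (assumption: the report names no specific currencies).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text):
    """Return the address family a clipboard string looks like, or None."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None


def detect_swaps(snapshots, window=1.0):
    """snapshots: list of (timestamp_seconds, clipboard_text) sampled by a monitor.

    Flags a transition where one address is replaced by a *different* address of the
    same family within `window` seconds. A user rarely copies two distinct addresses
    that quickly, but a hijacker polling every half second rewrites almost at once.
    """
    alerts = []
    prev_t, prev_text = None, None
    for t, text in snapshots:
        if prev_text is not None and text != prev_text:
            kind, prev_kind = classify(text), classify(prev_text)
            if kind is not None and kind == prev_kind and (t - prev_t) <= window:
                alerts.append({"time": t, "family": kind,
                               "original": prev_text, "replacement": text})
        prev_t, prev_text = t, text
    return alerts


# Constructed clipboard timeline: only the 0.4 s rewrite at t=10.4 is suspicious.
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes for tuesday"),
    (10.0, "0x" + "a" * 40),                                  # user copies an ETH address
    (10.4, "0x" + "b" * 40),                                  # rewritten 0.4 s later
    (30.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),             # user copies a BTC address
    (95.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),     # another BTC address, 65 s later
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"[{alert['time']:.1f}s] {alert['family']} address swapped: "
              f"{alert['original']} -> {alert['replacement']}")
```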
Dragos did not immediately respond to a Dark Reading request for clarification on who exactly the buyers for such password-cracking software would be and why they might want to buy these tools from unverified sellers on social media websites. It was also not clear why threat actors would go to the trouble of developing Trojanized password crackers for PLCs in critical infrastructure and operational technology environments if the goal is purely financial. Often, attacks targeting equipment in industrial and OT environments have other motivations, such as surveillance, data theft, and sabotage.
Dragos' research showed that the password cracker for Automation Direct's PLCs is just one of many similarly fake password retrievers that are available on social media websites. Dragos researchers found similar executables for retrieving passwords from more than 30 PLCs, human-machine interface (HMI) systems, and project files in industrial settings. Among them were six PLCs from Omron, two PLCs from Siemens, four HMIs from Mitsubishi, and products from an assortment of other vendors including LG, Panasonic, and Weintek.
Dragos said it only tested the password cracker for Automation Direct's DirectLogic PLC. However, an initial analysis of the other tools showed they contained malware as well. "In general, it appears there is an ecosystem for this type of software. Several websites and multiple social media accounts exist all touting their password 'crackers'," Dragos said in its blog.
Attacks targeting ICS environments have grown in number and sophistication in recent years. Since the 2010 Stuxnet attack on Iran's uranium enrichment facility in Natanz, there have been numerous instances where threat actors have gained access to critical systems in ICS and OT environments and deployed malware on them. Some of the more recent, notable examples include malware such as Industroyer/Crashoverride, Triton/Trisis, and BlackEnergy. In April 2022, the US Cybersecurity and Infrastructure Agency (CISA) warned critical infrastructure organizations to be on the lookout for three sophisticated malware tools — collectively referred to as Incontroller/PipeDream — custom-built to attack PLCs from Schneider Electric, Omron, and systems based on the Open Platform Communications Unified Architecture (OPC UA) standard.