Experts have uncovered a threat operator infecting dedicated industrial control systems (ICS) to build a botnet using password crunching software designed for programmable logic controllers (PLCs).

The password recovery tools are currently being advertised on multiple social media platforms with the claim that they can unlock HMI (human-machine interface) and PLC terminals from Omron, Siemens, Automation Direct, Fuji Electric, LG, Mitsubishi, Vigor, Allen Bradley, Pro-Face, Weintek, Panasonic and ABB.

Infection revealed by researchers

A research team at Dragos, the industrial cybersecurity company analysed an incident impacting Automation Direct DirectLogic PLCs and found that cracking software was being used to exploit a known weakness within the device in order to extract a password.

However, in the background the malicious tool also deployed Sality, a type of malware that can create a peer-to-peer style botnet for a wide range of tasks that need the power supplied by distributed computing for faster completion. Examples of such activity include cryptocurrency mining and password cracking.

The researchers at Dragos discovered that the exploit utilised by the malicious software was limited, however, to serial-only comms. Additionally, it can be recreated over Ethernet, increasing the severity of the infection.

Upon examining the software laced with Sality, the Dragos research team informed Automation Direct of the weakness. As a result, the vendor rolled out appropriate mitigations for the known vulnerability.

The threat operator’s campaign is still ongoing and cybersecurity experts are warning administrators of PLC supplied by other vendors to be aware of the potential risk of utilising password-cracking software within ICS environments at their enterprise.

Regardless of how legitimate the reason is for using these tools, operational technology engineers are always advised to avoid employing password-cracking tools, particularly if the source from which they originated cannot be confirmed.

For situations where a password must be required, perhaps because a user forgot it or a password holder is no longer with the company, researchers at Dragos recommend contacting them or the dedicated vendor of the device for guidance and instructions on how to proceed.

What is Sality?

The Sality malware is an older model of malicious software that keeps evolving with new features that enable it to end processes, steal data, open new connections to remote sites and download further malware payloads.

Sality also has the capability to inject itself into processes that are already running and exploit the autorun function in Windows to copy itself onto external drives, network shares, and removable storage drives that can potentially load it on to other devices and systems.

The sample specifically analysed by Dragos seems to be focused on illegally obtaining cryptocurrency. The research team said that the malicious software added a payload capable of hijacking the contents in a clipboard so it could divert crypto transactions.

Experts have warned, however, that a more advanced threat actor could potentially use this entry point to create serious damage through disrupting operations.

In this recent case, the user became suspicious when running the malicious program because the Central Processing Unit usage level hit 100% and security software issued several threat alerts.