Researchers from Dragos, during a routine vulnerability assessment, discovered a small-scale campaign targeting industrial engineers and operators.
Experts say threat actors used multiple accounts across several social media platforms to advertise password-cracking software for Programmable Logic Controllers (PLCs), Human-Machine Interfaces (HMIs), and project files.
Experts from Dragos examined a sample targeting DirectLogic PLCs from Automation Direct and found that the ‘cracking software’ was exploiting a known vulnerability in the device to extract the password.
“It is found that this exploit does not crack a scrambled version of the password as historically seen in popular exploitation frameworks. Instead, a specific byte sequence is sent by the malware dropper to a COM port”, says Dragos.
The malware holds a serial-only version of the exploit, which requires the user to have a direct serial connection from an Engineering Workstation (EWS) to the PLC. The vulnerability is tracked as CVE-2022-2003 and was responsibly disclosed to Automation Direct.
Sality refers to an old, large family of viruses that infect executable files. Modern Sality variants can, among other things, act as a backdoor and connect infected machines to a botnet.
Sality operates as a peer-to-peer botnet used for distributed computing tasks such as password cracking and cryptocurrency mining. A Sality infection could therefore give an unknown adversary remote access to an EWS.
It employs process injection and file infection to maintain persistence on the host. It abuses Windows’ autorun functionality to spread copies of itself over Universal Serial Bus (USB) drives, network shares, and external storage drives.
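The autorun abuse described above leaves a concrete artifact: an autorun.inf at the root of the drive or share that points Windows at the dropped copy of the worm. The following is an added example (not Dragos’s tooling or Sality’s own code) showing how a responder can parse such a file and flag launch directives; the sample autorun.inf contents are constructed for the example, and the file name `tmp\setup.exe` is hypothetical.

```python
"""Parse autorun.inf files and flag entries that would launch an executable.

File-infecting worms such as Sality drop an autorun.inf beside a copy of
themselves on removable drives and network shares so that Windows AutoRun
(or a user double-clicking the drive) launches the payload. This is an added
example, not Dragos's or Sality's code: it parses the INI-style file by hand
so that the junk lines worms often pad the file with do not break parsing.
"""
import re
from pathlib import Path
from typing import Dict, Optional

# Keys in the [autorun] section that cause code execution. "shell\<verb>\command"
# keys define context-menu verbs (open, explore, ...) that also run a command.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

# Extensions that mean "run this program" rather than "open this document".
EXEC_EXTS = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js")

# First token of a command line: either a quoted path or a bare one.
FIRST_TOKEN_RE = re.compile(r'^\s*(?:"([^"]*)"|(\S+))')

# Constructed sample in the style of a USB worm's autorun.inf (not a real capture).
SAMPLE_WORM_INF = """[AutoRun]
;; junk line below is the kind of padding worms add to confuse scanners
}}{{xQz9
icon=%SystemRoot%\\system32\\SHELL32.dll,4
open=tmp\\setup.exe
shell\\open\\Command=tmp\\setup.exe
"""

# Constructed benign sample: only cosmetic keys, nothing is launched.
SAMPLE_BENIGN_INF = """[autorun]
icon=vendor.ico
label=Vendor Tools
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return {key: value} for every launch directive under [autorun]."""
    launches: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # junk padding, or a key outside [autorun]
        key, _, value = line.partition("=")
        key = key.strip().lower()  # autorun.inf keys are case-insensitive
        if key in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            launches[key] = value.strip()
    return launches


def is_suspicious(launches: Dict[str, str]) -> bool:
    """True if any launch directive points at an executable file type."""
    for value in launches.values():
        m = FIRST_TOKEN_RE.match(value)
        target = (m.group(1) or m.group(2) or "") if m else ""
        if target.lower().endswith(EXEC_EXTS):
            return True
    return False


def scan_root(root: str) -> Optional[Dict[str, str]]:
    """Check one drive root or share root for an autorun.inf; None if absent."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return None
    return parse_autorun(inf.read_text(errors="replace"))


if __name__ == "__main__":
    import sys
    for root in sys.argv[1:]:  # e.g. E:\  or  \\fileserver\share
        found = scan_root(root)
        if found is not None and is_suspicious(found):
            print(f"{root}: autorun launches an executable: {found}")
```

Run it against every mounted removable drive and share root from a clean machine. A legitimate install medium also carries `open=setup.exe`, so a hit is a triage lead, not a verdict: compare the referenced file’s hash against the vendor’s release and check whether the same autorun.inf has appeared on drives that never carried installer media.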
Dragos experts say the malware’s method of stealing cryptocurrency from users wanting to transfer funds is efficient, and that it increases their confidence that the adversary is financially motivated. The Sality malware uses a kernel driver to avoid detection; it also starts a service that identifies processes associated with potential security products and kills them.
Dragos adds: “Dragos only tested the DirectLogic-targeting malware. However, an initial dynamic analysis of a couple of other samples indicates they also contain malware. Several websites and multiple social media accounts exist all touting their password ‘crackers’.”