Password recovery tool infects industrial systems with Sality malware (Security News, July 2022)
A threat actor is infecting industrial control systems and building a botnet by distributing password "cracking" software for programmable logic controllers (PLCs).
Advertised on various social media platforms, the password recovery tools promise to unlock PLC and HMI terminals from Automation Direct, Omron, Siemens, Fuji Electric, Mitsubishi, LG, Vigor, Pro-Face, Allen Bradley, Weintek, ABB, and Panasonic.
Security researchers at industrial cybersecurity company Dragos analyzed one incident involving DirectLogic PLCs from Automation Direct and found that the "cracking" software recovers the password by exploiting a known vulnerability in the device.
Behind the scenes, the tool also dropped Sality, malware that enrolls the infected host in a peer-to-peer botnet used for tasks that benefit from distributed computing, such as work that completes faster when spread across many machines.
The threat actor's campaign is ongoing, and administrators of PLCs from other vendors should be aware of the risk of running password cracking software in ICS environments.
Regardless of how legitimate the reason for using them may be, operational technology engineers should avoid password cracking tools, especially when their source is unknown.