Hackers Distributing Password Cracking Tool for PLCs and HMIs to Target Industrial Systems
2022-07-19 01:28

Industrial engineers and operators are the target of a new campaign that leverages password cracking software to seize control of Programmable Logic Controllers and co-opt the machines to a botnet.

The software "exploited a vulnerability in the firmware which allowed it to retrieve the password on command," Dragos security researcher Sam Hanson said.

"Further, the software was a malware dropper, infecting the machine with the Sality malware and turning the host into a peer in Sality's peer-to-peer botnet."

The industrial cybersecurity firm said the password retrieval exploit embedded in the malware dropper is designed to recover the credential associated with Automation Direct DirectLOGIC 06 PLC. The exploit, tracked as CVE-2022-2003, has been described as a case of cleartext transmission of sensitive data that could lead to information disclosure and unauthorized changes.

The infections culminate in the deployment of the Sality malware, which carries out tasks such as cryptocurrency mining and password cracking in a distributed fashion, while also taking steps to remain undetected by terminating security software running on the compromised workstations.

Automation Direct is not the only vendor impacted, as the tool claims to encompass several PLCs, human-machine interfaces (HMIs), and project files spanning Omron, Siemens, ABB Codesys, Delta Automation, Fuji Electric, Mitsubishi Electric, Schneider Electric's Pro-face, Vigor PLC, Weintek, Rockwell Automation's Allen-Bradley, Panasonic, Fatek, IDEC Corporation, and LG. This is far from the first time trojanized software has singled out operational technology networks.


News URL

https://thehackernews.com/2022/07/hackers-distributing-password-cracking.html

Related Vulnerability

Date: 2022-08-31
CVE: CVE-2022-2003
Vulnerability title: Unspecified vulnerability in Automationdirect products
Description: AutomationDirect DirectLOGIC is vulnerable to a specifically crafted serial message to the CPU serial port that will cause the PLC to respond with the PLC password in cleartext.
network / low complexity / automationdirect
Risk: critical, 9.1