Security News > 2024 > March > Web-based PLC malware: A new potential threat to critical infrastructure

"Our Web-Based PLC malware resides in PLC memory, but ultimately gets executed client-side by various browser-equipped devices throughout the ICS environment. From there, the malware uses ambient browser-based credentials to interact with the PLC's legitimate web APIs to attack the underlying real-world machinery," the researchers explained.

"While previous attacks on PLCs infect either the control logic or firmware portions of PLC computation, our proposed malware exclusively infects the web application hosted by the emerging embedded webservers within the PLCs," the researchers noted.

PLCs having embedded webservers means that attackers don't need network or physical access to deliver the malware - they can simply lure an ICS operator to view an attacker-controlled website that exploits a cross-origin resource sharing misconfiguration vulnerability to transfer a web page with malicious JavaScript code to the webserver.

"Additionally, the two access levels used by traditional PLC malware are also viable access levels for WB PLC malware," the researchers noted.

Another advantage of WB PLC malware is that, since it runs only in the web browsers, it can work on many different PLCs without having to be specifically customized.

To prove the feasibility of a malware attack via this vector, they have created their own WB malware and tested how it can be used to compromise a popular PLC model in a real-world ICS testbed.

News URL

https://www.helpnetsecurity.com/2024/03/07/web-based-plc-malware/