Hackers are targeting industrial systems with malware | Ars Technica

2022-07-23 08:15:51 By : Ms. Kamilla Zhang


Dan Goodin - Jul 16, 2022 12:00 am UTC

From the what-could-possibly-go-wrong file comes this: People hawking password-cracking software are targeting the hardware used in industrial-control facilities with malicious code that makes their systems part of a botnet, a researcher reported.

Lost passwords happen in many organizations. A programmable logic controller—used to automate processes inside factories, electric plants, and other industrial settings—may, for example, be set up and then largely forgotten over the following years. When a replacement engineer later identifies a problem affecting the PLC, they may discover that the long-gone original engineer never left the passcode behind before departing the company.

According to a blog post from security firm Dragos, an entire ecosystem of malware attempts to capitalize on scenarios like this one inside industrial facilities. Online advertisements like those shown in the Dragos post promote password crackers for PLCs and human-machine interfaces, which are the workhorses inside these environments.

Dragos—which helps firms secure industrial control systems against ransomware, state-sponsored hackers, and potential saboteurs—recently performed a routine vulnerability assessment and found software advertised as a password cracker for the DirectLogic 06, a PLC sold by Automation Direct. The software recovered the password, but not through the usual method of cracking a cryptographic hash. Instead, the software exploited a zero-day vulnerability in Automation Direct PLCs that exposed the passcode.

“Previous research targeting DirectLogic PLCs has resulted in successful cracking techniques,” Dragos researcher Sam Hanson wrote. “However, Dragos found that this exploit does not crack a scrambled version of the password as historically seen in popular exploitation frameworks. Instead, a specific byte sequence is sent by the malware dropper to a COM port.”

The vulnerability and a related one also found by Hanson have now been patched. The two are tracked as CVE-2022-2033 and CVE-2022-2004. The latter vulnerability can be used to recover passwords and send them to a remote attacker, bringing its severity rating to 7.5 out of a possible 10.

Besides recovering the password, the software Hanson analyzed also installed malware known as Sality. It made the infected system part of a botnet and monitored the clipboard of the infected workstation every half second for any data related to cryptocurrency wallet addresses.

“If seen, the hijacker replaces the address with one owned by the threat actor,” Hanson said. “This in-real-time hijacking is an effective way to steal cryptocurrency from users wanting to transfer funds and increases our confidence that the adversary is financially motivated.”
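The clipboard-hijacking behaviour described above (poll the clipboard roughly every half second, swap a wallet address for the attacker's) leaves a distinctive trace a defender can look for: a string that looks like a wallet address being replaced, within well under a second, by a different address of the same family, with no plausible user action in between. The following is an added example, not code from Dragos or the article, that runs that heuristic over a constructed sequence of clipboard snapshots; the address strings, timestamps and the `Snapshot`/`find_swaps` names are all assumptions made for the example. A real monitor would read the operating-system clipboard on a timer instead of the embedded list.

```python
"""Heuristic detection of clipboard wallet-address swapping ("clipper" malware).

Added example, not part of the Dragos research or the Ars article.  The
snapshots below are constructed; in production they would come from polling
the OS clipboard (e.g. every 250 ms) and recording (time, text) on change.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Address formats this example recognises.  Legacy Bitcoin (base58, leading 1/3),
# bech32 Bitcoin (bc1...), and Ethereum (0x + 40 hex digits).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass(frozen=True)
class Snapshot:
    t: float        # seconds since the monitor started (constructed clock)
    text: str       # clipboard contents observed at that time


def classify(text: str) -> Optional[str]:
    """Return the address family the text looks like, or None for ordinary text."""
    candidate = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return family
    return None


def find_swaps(snapshots, max_gap: float = 1.0):
    """Flag consecutive snapshots where one address is replaced by a different
    address of the same family within `max_gap` seconds.

    The half-second polling interval reported for the Sality sample means a
    swap shows up as two address-valued snapshots less than a second apart;
    a user pasting one address and later copying another normally takes far
    longer than that, so a 1 s window keeps false positives low.
    """
    alerts = []
    prev: Optional[Snapshot] = None
    for snap in snapshots:
        if prev is not None:
            fam_prev, fam_cur = classify(prev.text), classify(snap.text)
            if (fam_prev is not None and fam_prev == fam_cur
                    and prev.text.strip() != snap.text.strip()
                    and snap.t - prev.t <= max_gap):
                alerts.append({
                    "family": fam_prev,
                    "original": prev.text.strip(),
                    "replacement": snap.text.strip(),
                    "gap_seconds": round(snap.t - prev.t, 3),
                })
        prev = snap
    return alerts


# Constructed addresses: valid in format only, not real wallets.
USER_BTC = "1User" + "A" * 28
THIEF_BTC = "1Thief" + "B" * 28
USER_ETH = "0x" + "ab" * 20
OTHER_ETH = "0x" + "cd" * 20

# Constructed clipboard history: a swap at t=10.4 (0.4 s after the user copied
# an address), then an unrelated address copied 15 s later, which is normal use.
SAMPLE_SNAPSHOTS = [
    Snapshot(0.0, "quarterly report draft"),
    Snapshot(10.0, USER_BTC),
    Snapshot(10.4, THIEF_BTC),
    Snapshot(20.0, USER_ETH),
    Snapshot(35.0, OTHER_ETH),
    Snapshot(40.0, "meeting at 3pm"),
]


if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_SNAPSHOTS):
        print(f"possible clipper: {alert['family']} address replaced after "
              f"{alert['gap_seconds']} s: {alert['original']} -> {alert['replacement']}")
```

On the constructed history the only alert is the BTC swap at 0.4 s; the ETH change 15 s later is not reported. Tightening `max_gap` or adding process-level context (which process wrote the clipboard) would be the next step in a real endpoint detection.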

Hanson went on to say that he has found password crackers advertised online for a wide range of industrial software sold by other companies. They include:

Dragos fully tested only the malware targeting the DirectLogic devices, but a rudimentary analysis of a few other samples indicated they also contained malware.

“In general, it appears there is an ecosystem for this type of software,” Hanson said. “Several websites and multiple social media accounts exist all touting their password ‘crackers.’”

Hanson's account is concerning because it illustrates the threat posed to many industrial control settings. The criminals behind the malware Dragos analyzed were after money, but there's no reason more malicious hackers out to sabotage a dam, power plant, or similar facility couldn't perform a similar intrusion with much more severe consequences.
