07-17-2022 , 09:32 AM
Quote:A threat actor is infecting industrial control systems (ICS) to create a botnet through password "cracking" software for programmable logic controllers (PLCs).
Advertised on various social media platforms, the password recovery tools promise to unlock PLC and HMI (human-machine interface) terminals from Automation Direct, Omron, Siemens, Fuji Electric, Mitsubishi, LG, Vigor, Pro-Face, Allen Bradley, Weintek, ABB, and Panasonic.
Security researchers at industrial cybersecurity company Dragos analyzed one incident impacting DirectLogic PLCs from Automation Direct and discovered that the "cracking" software was exploiting a known vulnerability in the device to extract the password.
But behind the scenes the tool also dropped Sality, a piece of malware that creates a peer-to-peer botnet for various tasks that require the power of distributed computing to complete faster (e.g. password cracking, cryptocurrency mining).
Dragos researchers found that the exploit used by the malicious program was limited to serial-only communications. However, they also found a way to recreate it over Ethernet, which increases the severity.
More info HERE