The security company Dragos describes an interesting case in which an industrial controller that should not actually be connected to the Internet at all is compromised. An alleged password cracker plays the central role in the story. But some important questions remain unanswered.
A fictional story…
The engineer responsible for the system needs to update the programmable logic controller (PLC) of an industrial control system. But the password required for this left with his predecessor, who can no longer be reached. So he grasps at straws: his search of the internet turns up a password cracker for the AutomationDirect DirectLogic PLC in question.
And the amazing thing: after the engineer has installed it on the workstation responsible for the control system and let it talk to the PLC over the serial connection, it actually produces the missing password. But the joy does not last long, because in the background the password cracker quietly infects the workstation with the malicious code of the Sality botnet.
… reveals real problems
Dragos' analysis of the alleged DirectLogic password cracker revealed some interesting things. Not only did the cracker carry additional malware as a souvenir, it was also not a cracker in the traditional sense. Instead, it exploited a vulnerability in the DirectLogic PLC that handed it the password for free. And according to Dragos, not only via the serial cable but potentially also via the PLC's Ethernet connection.
A quick Google search reveals an entire ecosystem of password crackers for industrial controls of all stripes, including PLCs and human-machine interfaces (HMIs) from Siemens to LG, Panasonic and Mitsubishi. Dragos specifically examined only the cracker for the DirectLogic PLCs, but initial tests of many others also turned up signs of malware. It is therefore safe to assume that the majority of these crackers are Trojan horses whose real purpose is to inject malware.
The malware delivered with the DirectLogic cracker belongs to the Sality botnet. Its specialty is stealing cryptocurrency. To do this, it constantly monitors the clipboard. If it finds the address of a crypto wallet there, it swaps it for one belonging to the criminals, in the hope, of course, that the user does not notice the manipulation, then uses the wallet as the target of a transaction and thereby transfers the coins to them.
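The clipboard-swapping behaviour described above, as an added detection example that is not from the article or from Dragos: a heuristic that flags a wallet address the user copied being silently replaced by a different address of the same format. The event log and all addresses are constructed for this example.

```python
import re

# Patterns for common wallet address formats (legacy/bech32 Bitcoin, Ethereum).
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,59}$"),
    "eth": re.compile(r"^0x[a-fA-F0-9]{40}$"),
}

def address_kind(text):
    """Return the wallet format name if text looks like an address, else None."""
    text = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None

def detect_clipboard_swaps(events, window_s=2.0):
    """Flag the Sality-style pattern: the user copies a wallet address and, within
    window_s seconds and without any new copy action, the clipboard now holds a
    different address of the same format. events is a list of
    (timestamp_seconds, source, content) tuples, where source is "user" for a copy
    the user performed and "monitor" for a clipboard change seen by the monitor."""
    alerts = []
    last_user = None  # (timestamp, content, kind) of the user's last address copy
    for ts, source, content in events:
        kind = address_kind(content)
        if source == "user":
            last_user = (ts, content, kind) if kind else None
            continue
        if (last_user and kind == last_user[2] and content != last_user[1]
                and ts - last_user[0] <= window_s):
            alerts.append({"at": ts, "kind": kind,
                           "expected": last_user[1], "seen": content})
    return alerts

# Constructed clipboard event log; the addresses are made up, not real wallets.
SAMPLE_EVENTS = [
    (10.0, "user", "invoice 4711"),
    (12.0, "user", "0x1111111111111111111111111111111111111111"),
    (12.3, "monitor", "0x2222222222222222222222222222222222222222"),  # silent swap
    (20.0, "user", "bc1qexampleconstructedaddress00000000000000"),
    (20.4, "monitor", "bc1qexampleconstructedaddress00000000000000"),  # unchanged: benign
    (30.0, "user", "0x3333333333333333333333333333333333333333"),
    (40.0, "monitor", "0x4444444444444444444444444444444444444444"),  # outside window
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"clipboard swap at t={alert['at']}s: {alert['expected']} -> {alert['seen']}")
```

A real monitor would feed live clipboard change events into `detect_clipboard_swaps` in the same shape; the window length is a heuristic to tune against how quickly legitimate applications rewrite the clipboard.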
Unfortunately, Dragos leaves some questions unanswered. The security specialists do not reveal how much of the fictitious story of the infection actually happened. Installing cracking software on a workstation should be taboo as a matter of common sense.
After all, the situation with the lost password and the grasping at straws is plausible enough that there could be more than a grain of truth in it. But the really exciting question is a different one anyway: where did the fraudsters get their knowledge of the genuine password backdoor in AutomationDirect's DirectLogic PLCs, which according to ICS-CERT are also used in critical infrastructure?