

DirectLogic PLC Password Crack: A Trojan Horse Malware Targeting Industrial Systems




Programmable logic controllers (PLCs) are devices that automate processes in industrial settings, such as factories, power plants, and water treatment facilities. PLCs are often configured with passwords to protect them from unauthorized changes. However, what if the password is lost or forgotten? How can an engineer or operator recover the password and access the PLC?




Some online advertisements claim to offer password cracking software for various PLCs, including Automation Direct's DirectLogic 06 PLC. These tools promise to retrieve the password from the PLC over a serial connection, without damaging the device or affecting its operation. However, they are not what they seem: they are malware droppers that exploit a vulnerability in the PLC firmware and, at the same time, install a malicious program on the engineering workstation that communicates with the PLC.


The Vulnerability and the Exploit




Dragos, a security firm that specializes in industrial control systems (ICS), discovered that the password cracking software for DirectLogic 06 PLC exploited a zero-day vulnerability in the firmware that allowed it to retrieve the password in cleartext. The vulnerability, tracked as CVE-2022-2003, has a CVSS score of 7.7 and could lead to information disclosure and unauthorized changes. The issue was addressed in firmware Version 2.72 released in June 2022.


The exploit works by sending a specific byte sequence to a COM port that is connected to the PLC. The PLC then responds with the password in cleartext, which is displayed on the screen of the workstation. The exploit does not crack a scrambled version of the password, as historically seen in popular exploitation frameworks.


The Malware Dropper and the Payload




Besides recovering the password, the software also installs malware on the workstation that communicates with the PLC. The malware is known as Sality, which is a well-known family of polymorphic file infectors that has been around since 2003. Sality infects executable files on local and network drives and turns the infected machines into peers in a peer-to-peer botnet.


The botnet can be used by the attackers for various purposes, such as cryptocurrency mining, distributed denial-of-service (DDoS) attacks, spamming, stealing sensitive information, and downloading additional malware. One of the additional payloads that Sality downloads is a crypto-clipper that monitors the clipboard of the infected workstation for data resembling cryptocurrency wallet addresses. When it finds one, the crypto-clipper replaces the original wallet address with one owned by the attackers, so that a user who pastes the address into a transaction unknowingly sends funds to the attackers.
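The clipper behaviour described above has a recognisable signature on the workstation: a wallet-style string is placed on the clipboard and, a fraction of a second later, is overwritten by a different string of the same wallet type, usually by a process the user is not interacting with. The following is an added detection example and not code from Dragos or from the Sality report; it runs a simple swap heuristic over a constructed sequence of clipboard events. The `process` field and the event list are assumed telemetry (for instance from an EDR clipboard sensor), and the address patterns are deliberately simplified and not full checksum validation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Simplified wallet-address shapes (constructed for this example; real
# validation would also verify the checksum of the address).
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_wallet(text: str) -> Optional[str]:
    """Return the wallet type a clipboard string looks like, or None."""
    text = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


@dataclass
class ClipboardEvent:
    t: float        # seconds since monitoring started
    content: str    # new clipboard text
    process: str    # process that wrote the clipboard (assumed telemetry field)


def find_swaps(events: List[ClipboardEvent], window: float = 2.0) -> List[dict]:
    """Flag a wallet address that is replaced by a *different* address of the
    same type within `window` seconds. A user rarely copies two distinct
    addresses of the same kind back to back; a clipper does exactly that."""
    alerts = []
    prev: Optional[ClipboardEvent] = None
    for ev in events:
        kind = classify_wallet(ev.content)
        if prev is not None and kind is not None:
            same_kind = classify_wallet(prev.content) == kind
            changed = prev.content.strip() != ev.content.strip()
            if same_kind and changed and (ev.t - prev.t) <= window:
                alerts.append({
                    "t": ev.t,
                    "kind": kind,
                    "original": prev.content.strip(),
                    "replacement": ev.content.strip(),
                    "writer": ev.process,
                })
        prev = ev
    return alerts


# Constructed sample addresses (not real wallets).
ETH_USER = "0x" + "a" * 40
ETH_SWAPPED = "0x" + "b" * 40
BTC_USER = "bc1q" + "a" * 38
BTC_USER_LATER = "bc1q" + "c" * 38

# Constructed clipboard telemetry: one swap, one benign re-copy 15 s later.
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "meeting notes for Monday", "notepad.exe"),
    ClipboardEvent(10.0, ETH_USER, "browser.exe"),
    ClipboardEvent(10.4, ETH_SWAPPED, "unknown.exe"),   # clipper overwrite
    ClipboardEvent(60.0, BTC_USER, "browser.exe"),
    ClipboardEvent(75.0, BTC_USER_LATER, "browser.exe"),  # outside window: benign
]


if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(f"[{alert['t']:.1f}s] {alert['kind']} address replaced by "
              f"{alert['writer']}: {alert['original']} -> {alert['replacement']}")
```

The time window is the key tuning knob: a short window keeps false positives from users who legitimately copy several addresses low, while still catching a clipper, which must overwrite the clipboard before the user pastes. On a real host the `writer` field is what turns an alert into an investigation lead, since the overwriting process is the infected binary or one of its children.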


The Ecosystem and the Motivation




Dragos found that there is an entire ecosystem of malware droppers that masquerade as password cracking software for various PLCs and human-machine interfaces (HMIs) from different vendors, such as Omron, Siemens, ABB Codesys, Delta Automation, Fuji Electric, Mitsubishi Electric, Schneider Electric's Pro-face, Vigor PLC, Weintek, Rockwell Automation's Allen-Bradley, Panasonic, Fatek, IDEC Corporation, and LG. Several websites and social media accounts exist that promote these tools and offer them for sale or download.


The motivation behind these attacks is likely financial gain. The attackers can profit from stealing cryptocurrency, selling access to infected machines or botnets, or extorting victims with ransomware or other threats. The attackers may also have an interest in targeting industrial systems for espionage or sabotage purposes, although there is no evidence of such activity so far.


The Mitigation and the Prevention




To mitigate the risk of these attacks, Dragos recommends that industrial operators and engineers avoid any third-party software tool that claims to crack passwords for PLCs or HMIs. Instead, they should contact the vendor or use official tools to reset or recover passwords. They should also update device firmware to the latest version and apply security patches as soon as possible.


To prevent these attacks from happening in the first place, Dragos advises that industrial operators and engineers should follow best practices for securing their ICS environments. These include segmenting networks, implementing firewalls and intrusion detection systems (IDS), enforcing strong passwords and multi-factor authentication (MFA), restricting physical access to devices and ports, monitoring network traffic and device behavior, and educating staff on the risks and signs of phishing and malware attacks.


By following these steps, industrial operators and engineers can protect their PLCs and HMIs from being compromised by malicious password cracking software and ensure the safety and reliability of their industrial processes.

