Hackers targeting industrial PLCs with a new password cracking tool by remaining undetected

Industrial Programmable Logic Computers (PLCs) are being hacked via password-cracking software in the latest hacking campaign that turns the PLC machine into a botnet, a robot network under the control of a single attacking party called bot-herder. A PLC is an industrial computer control system that monitors the input and output devices to process manufacturing.

Dragos Industrial Cyber Security researcher Sam Hanson said that the hackers “exploited a vulnerability in the firmware which allowed it to retrieve the password on command” with the help of software and “the software was a malware dropper, infecting the machine with the Sality malware and turning the host into a peer in Sality’s peer-to-peer botnet.”

Security researchers termed the software that exploited a vulnerability in PLC as malware droppers retrieving passwords in order to steal the credentials from Automation Direct DirectLOGIC 06 PLC.

The Sality malware has been deployed in order to exploit a vulnerability on PLC which has been tracked as CVE-2022-2003 (CVSS score: 7.7). The malware has been associated with carrying out cryptocurrency mining and password cracking in a distributed fashion along with remaining undetectable by the terminating security software.

The malware has impacted not only Automation Direct but also other PLCs, Human-Machine Interface (HMI), project files of Omron, Siemens, ABB Codesys, Delta Automation, Fuji Electric, Mitsubishi Electric, Schneider Electric’s Pro-face, Vigor PLC, Weintek, Rockwell Automation’s Allen-Bradley, Panasonic, Fatek, IDEC Corporation, and LG.

According to Mandiant Cyber Threat Defense Solutions, the Sality malware has been attacking executable binaries by planting infected binary files with malicious code in order to compromise the industrial systems since 2021.