Industrial Control Systems (ICS) have been identified as the target of a threat actor looking to build a botnet. The attacker does this by using many social media profiles to advertise password-cracking tools for PLCs and HMIs.
What is going on with the campaign?
The tools advertised in the campaign claim to unlock PLC and HMI terminals from Automation Direct, Siemens, Fuji Electric, Mitsubishi, Weintek, ABB, and other manufacturers.
In one specific instance involving DirectLogic PLCs from Automation Direct, researchers at Dragos found that the software was malware rather than a crack: it exploited a known weakness in the device to retrieve the password.
The malicious program's use of the exploit (CVE-2022-2003) worked only over serial communications, so an Engineering Workstation (EWS) must have a direct serial connection to the PLC for it to succeed.
Let’s discuss Sality.
Sality is an older malware family that uses a distributed computing architecture to perform operations such as cryptomining and password cracking more quickly. Its capabilities, which are still being developed, include terminating running processes, downloading additional payloads, connecting to remote hosts, and stealing data from the infected host.
To propagate, the virus injects itself into running processes, abuses the Windows autorun feature, and copies itself onto external discs, portable storage devices, and network shares.
The identified sample was also found to focus on stealing bitcoin: it manipulates the clipboard's contents to reroute bitcoin transactions.
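A clipboard-based bitcoin thief is detectable from the host side because the clipboard suddenly holds a different, but still valid, bitcoin address than the one the user copied moments earlier. The following Python is an added illustration, not code from the Dragos report or from the Sality sample: it validates legacy Base58Check bitcoin addresses and runs a simple swap heuristic over a constructed series of clipboard snapshots. The snapshot format `(seconds, text)`, the 2-second window, and the sample addresses (the well-known genesis-block address and a Bitcoin wiki example address) are assumptions made for the example.

```python
import hashlib
from typing import List, Optional, Tuple

# Base58 alphabet used by legacy (P2PKH / P2SH) bitcoin addresses; 0, O, I and l are excluded.
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_decode(s: str) -> Optional[bytes]:
    """Decode a Base58Check string and return its payload (version byte + hash),
    or None if a character is outside the alphabet or the 4-byte checksum fails."""
    n = 0
    for ch in s:
        idx = _B58.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Every leading '1' in the string encodes one leading zero byte.
    pad = len(s) - len(s.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) < 5:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return payload if expected == checksum else None


def is_legacy_btc_address(s: str) -> bool:
    """True for a well-formed mainnet P2PKH (0x00) or P2SH (0x05) address."""
    payload = base58check_decode(s.strip())
    return payload is not None and len(payload) == 21 and payload[0] in (0x00, 0x05)


Snapshot = Tuple[float, str]  # (seconds since start, clipboard text) - assumed format


def find_clipper_events(snapshots: List[Snapshot], max_gap_s: float = 2.0):
    """Flag consecutive snapshots where one valid bitcoin address is replaced by a
    different valid bitcoin address within max_gap_s seconds. A user rarely copies
    two distinct addresses that fast; a clipper does it immediately after the copy."""
    events = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        if (before != after and t1 - t0 <= max_gap_s
                and is_legacy_btc_address(before) and is_legacy_btc_address(after)):
            events.append((t1, before, after))
    return events


# Constructed clipboard history: the user copies the genesis address, a clipper
# replaces it 300 ms later, then the user copies a URL and, much later, another address.
SAMPLE_SNAPSHOTS: List[Snapshot] = [
    (0.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    (0.3, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    (5.0, "https://example.invalid/invoice"),
    (40.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
]

if __name__ == "__main__":
    for when, before, after in find_clipper_events(SAMPLE_SNAPSHOTS):
        print(f"t={when}s: clipboard address {before} replaced by {after}")
```

The heuristic only covers legacy addresses; a production monitor would add bech32 (`bc1...`) validation and would hook the platform clipboard instead of replaying a list, but the decision rule (valid address replaced by a different valid address with no user action in between) is the same.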