In the name of recovering passwords to programmable logic controllers (PLCs) in industrial control systems, a hacker is hijacking the machines to create a botnet.
This was then used to mine cryptocurrency, though he has access to shut them down completely. The hacker is advertising his password cracking tool on various social media platforms to get the potential victims.
Targeting ICS to Mint Cryptocurrencies
As noted by researchers at Dragos, an industrial cybersecurity company, an unknown hacker is targeting ICS admins to hijack their systems for his own use. Promising to crack passwords of their programmable logic controllers (PLCs), the hacker is seen infecting their industrial control systems (ICS) with Sality malware.
Abusing the Windows autorun function, Sality can make itself run on network shares, external drives, and even removable storage devices to be able to transport to other systems.
Acting as a backdoor, it can download additional payloads, open connections to remote sites, steal data, and even terminate processes critical to the industry’s functioning.
Thus, researchers warn system admins to use password cracking tools, especially if they come from unreliable providers. Hacker, in this case, is seen promoting his password cracking tool (laced with Sality malware) on various social media platforms, targeting PLCs of Automation Direct, Omron, Siemens, Fuji Electric, Mitsubishi, LG, Vigor, Pro-Face, Allen Bradley, Weintek, ABB, and Panasonic.
Dragos demonstrated an example with DirectLogic PLC from Automation Direct, where the hacker’s tool is found to be exploiting a known vulnerability to extract the password while also dropping Sality malware in the background.
In this campaign, he’s seen using the compromised machines for mining cryptocurrencies, although he can perform other bigger tasks for more profit. Dragos advised system admins to approach them or the concerned ICS vendor to crack passwords if needed but not to try their own with suspicious tools.