The internet brings endless possibilities for scammers and cyber criminals to make money illegitimately. The usual suspects – ransomware, business email compromise, internet fraud, and phishing – are well known to the information security community. However, during a routine vulnerability assessment, Dragos researchers uncovered a smaller-scale technique targeting industrial engineers and operators.

The Story of Troy and the Password “Cracking” Trojan Horse

Multiple accounts across a variety of social media websites are advertising Programmable Logic Controller (PLC), Human-Machine Interface (HMI), and project file password cracking software. Buyers can retrieve forgotten passwords by running an executable provided by the seller that targets a specific industrial system.

An advertisement like this raises the question, “Who would buy this?” Any information security professional would caution against downloading and running software from an untrusted party. Take the following as an example: an engineer named Troy just got promoted to senior engineer when his old colleague, Hector, retired after serving 30 years at an electric utility. Troy needs to update some ladder logic Hector wrote on Automation Direct’s DirectLogic 06 PLC. After firing up the PLC programming software, DirectSOFT, a password prompt pops up. Troy doesn’t know the password, and Hector left a few months ago and is now vacationing on a boat without service indefinitely. Troy looks for answers online and, seeing an advertisement for PLC password cracking software, decides to give it a go. Cassandra, Troy’s security-conscious coworker, warns against introducing this unnecessary risk into their OT environment. But Troy insists this is a time-sensitive task. He purchases the software and runs it on his engineering workstation.

Password Retrieval and a Sality Malware Infection

Troy successfully recovers the PLC password, but a couple of minutes later he discovers the engineering workstation system is acting strange. Troy called in Dragos to reverse engineer the password “cracking” software. Dragos determined it did not crack the password at all; rather, it exploited a vulnerability in the firmware which allowed it to retrieve the password on command. Further, the software was a malware dropper, infecting the machine with the Sality malware and turning the host into a peer in Sality’s peer-to-peer botnet.

The Exploit

Dragos researchers confirmed the password retrieval exploit embedded in the malware dropper successfully recovers Automation Direct’s DirectLogic 06 PLC password over a serial connection. From a user’s perspective, they simply need to have a connection from the Windows machine to the PLC, then specify the COM port to communicate over and click the “READPASS” button. A second or two later, the password is shown to the user as seen in Figure 1.

Figure 1: Demonstration of password “cracking” software as seen by a user.

Previous research targeting DirectLogic PLCs has resulted in successful cracking techniques. However, Dragos found that this exploit does not crack a scrambled version of the password as historically seen in popular exploitation frameworks. Instead, a specific byte sequence is sent by the malware dropper to a COM port.