Password recovery tool infects industrial systems with malware

Security researchers at Dragos have uncovered the activities of a threat actor that uses password recovery tools to infect Industrial Control Systems (ICS).

After analyzing an incident involving Automation Direct’s DirectLogic PLCs, the researchers discovered that the cracking software exploited a known vulnerability in the device to extract the password.

The software also dropped a malware known as Sality during the recovery process. Sality is a malware that creates a peer-to-peer botnet for various tasks that require the power of distributed computing to complete faster actions such as password cracking or cryptocurrency mining.

Sality can also inject itself into running processes and abuse the Windows autorun function to copy itself into network shares, external drives, and removable storage devices that could transfer it to other systems.

The malicious software and vulnerability identified have been reported to Automation Direct and the manufacturer has released fixes to address them.

Administrators of PLC from other providers should be aware of the risk of using password cracking in ICS environments. Operational technology engineers are also advised to avoid password cracking tools, especially if the source is unknown.

The sources for this piece include an article in BleepingComputer.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web