Sality is an old botnet that continues to evolve. Its latest variant has been found targeting Industrial Control Systems (ICS).

What is happening?

  • A threat actor is infecting ICS to build a botnet by distributing password cracking software for Programmable Logic Controllers (PLCs).
  • The cracked password recovery software is advertised on social media forums and claims to unlock PLC and HMI terminals from more than a dozen electronics manufacturers, including Omron, Siemens, Fuji Electric, Mitsubishi, and LG, among others.
  • Because it is advertised openly, industrial engineers and operators are lured into running software that promises to retrieve the password in plain text.
  • However, researchers from Dragos report that the cracked software exploits a known vulnerability in the devices, tracked as CVE-2022-2003, to drop the Sality botnet.

Other technical details

  • Once Sality is executed on a system, it joins a P2P network and provides remote access to that system.
  • Its primary purposes are disrupting computing tasks and mining cryptocurrency.
  • It employs a range of evasion techniques and silently hijacks cryptocurrency wallet addresses placed on the clipboard, swapping them for its own, to steal people's funds.
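The clipboard hijacking described above can be spotted from the defender's side by comparing what the user copied with what the clipboard later holds. The following is an added example, not code from the article or from Dragos: it runs a simple swap detector over a constructed stream of clipboard observations (the wallet addresses and the event format are made up for illustration).

```python
import re

# Loose shape checks for common wallet-address formats. Constructed for this
# example; they are not checksum validators, only enough to flag address-like text.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{25,62})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Return 'btc', 'eth' or None depending on whether text looks like a wallet address."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None


def detect_swaps(events):
    """Scan a stream of clipboard observations for wallet-address substitution.

    events: list of (source, content), where source is "copy" (the user put
    something on the clipboard) or "poll" (a periodic read of the clipboard).
    A hijacker rewrites the clipboard between the copy and the paste, so a
    polled address that differs from the address the user last copied, with
    no copy event in between, is the signal. Copies of non-address text are
    ignored to keep false positives from apps that legitimately write to the
    clipboard low.
    """
    alerts = []
    last_copied = None
    for source, content in events:
        if source == "copy":
            last_copied = content.strip()
            continue
        seen = content.strip()
        if last_copied is None or address_kind(last_copied) is None:
            continue  # the user did not copy an address; nothing to protect
        if seen != last_copied and address_kind(seen) is not None:
            alerts.append({"expected": last_copied, "observed": seen, "kind": address_kind(seen)})
    return alerts


# Constructed sample stream; the addresses are made up and valid only in shape.
SAMPLE_EVENTS = [
    ("copy", "1UserCopiedAddressAAAAAAAAAAAAAAAA"),
    ("poll", "1UserCopiedAddressAAAAAAAAAAAAAAAA"),  # still intact
    ("poll", "1AttackerSwapAddressAAAAAAAAAAAAAA"),  # silently replaced
    ("copy", "meeting notes"),
    ("poll", "0x" + "ab" * 20),  # not flagged: the user copied no address
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print("clipboard address swap:", alert)
```

On a real host the "copy" and "poll" events would come from a clipboard-change notification and a periodic read, respectively; the comparison logic stays the same.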

Key points

According to researchers, the campaign is ongoing, and administrators of PLC systems from the affected vendors should be aware of the risk of using password retrieval software in ICS environments and should avoid downloading software from unknown sources. At the time of writing, Automation Direct had released a firmware update to address the flaw.
Cyware Publisher