2022-07-18
Maliciously Crafted Password Crackers Target Industrial Systems
Threat actors are using Programmable Logic Controller password cracking tools that contain trojans to infect industrial systems. Researchers from Dragos have analyzed a malicious password cracking tool that contains malware known as Sality, which corrals infected systems into being part of a botnet.
Editor's Note
Downloading a random password cracker or any piece of software for that matter, and using it in a production environment without verifying the source and integrity of said software is never a good idea.

Johannes Ullrich
Downloading password crackers from unvetted sources and running it in production on systems connected to the Internet are 3 very bad practices. Great write up by Dragos.

Jorge Orchilles
In this case the password cracking tool doesn't crack the password, it exploits a vulnerability in the firmware which allows the password to be retrieved. While the software required a serial connection, Dragos researchers determined the exploit will also work over an Ethernet connection. A firmware update has been released by Automation Direct for this weakness. See CISA ICS Advisory 22-167-02 (https://www.cisa.gov/uscert/ics/advisories/icsa-22-167-02) The Dragos blog post includes other PLCs, HMIs which the threat actor sells password "cracking" for.

Lee Neely
Read more in
Dragos: The Trojan Horse Malware & Password “Cracking” Ecosystem Targeting Industrial Operators
Ars Technica: Hackers are targeting industrial systems with malware
The Register: Botnet malware disguises itself as password cracker for industrial controllers
SC Magazine: Industrial control system password cracker may be bad, actually
Dark Reading: Trojanized Password Crackers Targeting Industrial Systems