Industrial systems are being targeted by hackers

• Dragos researchers have found a trojan that is disguised as password cracking tool for Automation Direct PLC devices.
• The trojan targets many Automation Direct PLC devices but there are also variations that target other PLCs and HMIs.
• The software uses a specific byte sequence to listen to the COM ports for exploiting the vulnerability that easily hands over the password.

Dragos, a cybersecurity company that is an expert on industrial systems, has published a whitepaper about a new threat. The company states that they had a customer who desperately needed to crack the password of Automation Direct DirectLogic 06 PLC and ended up buying a tool to crack it. They add that as the customer used the software, he successfully recovered the password but then the engineering workstation system began acting weird.

Drops Sality botnet to the system

The company then decided to reverse engineer the software; which was eventually found to be exploiting a vulnerability in the firmware rather than simply cracking it. Additionally, the software dropped the Sality botnet to the system as well. The software sends a specific byte sequence, “76 19 83”, to a COM port between the engineering workstation and the PLC (Programmable Logic Controller) to read and display the password to the user; which is the exploit of the CVE-2022-2003 (CVSS 7.7) vulnerability. The security researchers managed to duplicate the attack over ethernet as well.

This vulnerability affects the Automation Direct DirectLogic D0-06 series products that can be seen below with firmware versions older than 2.72, the firmware version which fixes the issue:

• D0-06DD1
• D0-06DD2
• D0-06DR
• D0-06DA
• D0-06AR
• D0-06AA
• D0-06DD1-D
• D0-06DD2-D
• D0-06DR-D
• D0-06DD2-D
• D0-06DR-D

Dragos researchers state that Automation Direct is not the only company that is being targeted by hackers via similar cracking tools. You can see the Dragos’ list for the other targeted products below: