U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Hacking industrial processes with and undetectable PLC Rootkit

Two security researchers have developed an undetectable PLC rootkit that will present at the upcoming Black Hat Europe 2016. The energy industry is under unceasing attack, cyber criminals, and state-sponsored hackers continue to target the systems of the companies in the sector. The Stuxnet case has demonstrated to the IT community the danger of cyber attacks, […]

Hacking industrial processes with and undetectable PLC Rootkit

Two security researchers have developed an undetectable PLC rootkit that will present at the upcoming Black Hat Europe 2016.

The energy industry is under unceasing attack, cyber criminals, and state-sponsored hackers continue to target the systems of the companies in the sector.
The Stuxnet case has demonstrated to the IT community the danger of cyber attacks, threat actors could spread a malicious code to interfere with processes inside a critical infrastructure.
A new attack to be revealed at Black Hat Europe conference silently overtakes industrial network processes.

The security researcher Ali Abbasi, a Ph.D. candidate in the distributed and embedded system security group at University of Twente, Netherlands, and Majid Hashemi, an independent security researcher, have developed an undetectable PLC rootkit. The security duo will present the undetectable PLC rootkit at the upcoming Black Hat Europe, that will be held in London in November.

The security duo will also present a version of the PLC attack that leverages shellcode.  The title of the presentation if Ghost In The PLC: Designing An Undetectable Programmable Logic Controller Rootkit.

PLC rootkit

The researchers believe that their PLC rootkit could be dangerous more than Stuxnet because it is stealth and affects directly the PLC differently from Stuxnet that was designed to target SCADA systems running on Windows architecture.It’s much less likely to be discovered because it sits at the lower-level of the system.

The PLC rootkit was developed to compromise the low-level components of a PLC system, it could be considered a cross-platform PLC threat because it is able to infect PLC manufactured by almost any vendor.

“It’s a race to the bottom” Abbasi told DarkReading. “Everybody has access to higher-level [SCADA operations]. Attackers in the future will go to lower level assaults” such as this to evade detection, he says.

Hacking a PLC system directly could more simple for Vxers because such kind of devices don’t implement many detection mechanisms, this means that a PLC running a real-time operating system could me more exposed to cyber attacks.

In August, a group of researcher presented at the Black Hat USA presented a PLC worm that spreads among PLCs, it was dubbed by the creator PLC-Blaster.

Abbasi and Hashemi explained their PLC rootkit doesn’t target the PLC logic code like other similar threats making hard its detection.

Furthermore, the researchers explained that the activity of the PLC rootkit will go unnoticed even to systems that monitor the power consumption of the PLC.

“The overhead imposed of our attack outside of kernel is below one percent, which means even those approaches which monitor the power usage of PLC for attack detection will be useless,” explained Abbasi.

The malware interferes with the connection between PLC runtime and logic with the I/O peripherals. The malware resides in the dynamic memory of the industrial component and manipulates the I/O and PLC process, while the PLC is communicating with I/O block composed of output pins that handle the physical control of the process.

The PLC receives signals from the field from the input PINs (i.e. level of the liquid in a pipe) and controls the process through actuators that receive instructions from the output PINs of the PLC (i.e. control of a valve).

Clearly manipulating the I/O signals it is possible to interfere with industrial process in a stealthy way, and this is what the PLC rootkit does.

“Our attack instead targets the relation between PLC runtime and logic with the I/O peripherals of it. In our attack, the PLC logic and PLC runtime remain intact,” said Abbasi. ” “in PLCs, the I/O operations are one of the most important tasks.”

As explained by the duo, the attack is feasible due to lack of hardware interrupt on the PLC’s SoC and intensified by Pin Control subsystem inability for hardware level Pin Configuration detection.

Abbasi and Hashemi are currently studying defensive countermeasures to detect and protect PLCs from such kind of threats.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – PLC rootkit, hacking)