"'Evil PLC' Could Turn PLCs into Attack Vectors"

When thinking of someone hacking a Programmable Logic Controller (PLC), one would typically think of the PLC as the final target of the attack: adversaries compromise other systems to reach the device that will eventually let them cause industrial havoc. However, Claroty Team82 gave a DefCon presentation on using a PLC as the vector rather than the destination. The researchers believe the "Evil PLC" attack scenario is novel: a weaponized PLC infects the workstation of any engineer who communicates with it. Claroty published a set of 11 new vendor-specific vulnerabilities that would make the attack possible. These flaws were discovered in platforms such as Ovarro TBOX, B&R (ABB) X20 System, Schneider Electric Modicon M340 and M580, GE MarkVIe, Rockwell Micro Control Systems, Emerson PACSystems, and Xinje XDPPro. Except for Emerson, all received CVEs.

Claroty came up with the idea after wanting to learn more about the adversaries who target their honeypots, and wanted to explore how they could actively combat the attackers. Claroty used a ZipSlip attack against the Emerson, Ovarro, B&R, GE, and Xinje engineering software, a heap overflow against Schneider, and a deserialization attack against Rockwell to create an Evil PLC. Evil PLC would be appropriate for two attack scenarios, the first of which is when the PLC is the only entry point into a secure facility. Waiting for an engineer to connect to the PLC allows the attacker to infect the engineer's workstation, and the wait can be shortened by using the newfound access to the PLC to prompt an early inspection: once the attacker has weaponized the PLC, they may intentionally cause a fault on it, and the engineer would be drawn to the PLC to see what was wrong. This article continues to discuss the Evil PLC attack scenario.
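Of the three vulnerability classes the summary names, ZipSlip is the one most engineering-workstation vendors share: project files pulled from a PLC are archives, and an archive entry whose name climbs out of the extraction directory (`../../...`) can drop a file anywhere the engineering tool can write. The following is an added example, not Claroty's code nor any vendor's, showing the defensive check an upload or download handler should perform: audit every member name before writing anything, and reject the whole archive if any entry escapes the destination. The project layout (`project/main.st`, `project/config.xml`) and the traversal entry are constructed sample data, not taken from any real product.

```python
import io
import os
import tempfile
import zipfile
from pathlib import PurePosixPath


def is_unsafe_member(name: str) -> bool:
    """True if an archive member name could escape the extraction directory.

    Rejects absolute paths, Windows drive letters, and any '..' component,
    after normalising backslashes so Windows-style traversal is caught too.
    """
    normalised = name.replace("\\", "/")
    path = PurePosixPath(normalised)
    if path.is_absolute():
        return True
    if len(normalised) > 1 and normalised[1] == ":":  # e.g. C:/...
        return True
    return ".." in path.parts


def audit_archive(data: bytes) -> dict:
    """Classify every member of a zip archive as safe or unsafe by name."""
    result = {"safe": [], "unsafe": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            bucket = "unsafe" if is_unsafe_member(info.filename) else "safe"
            result[bucket].append(info.filename)
    return result


def safe_extract(data: bytes, dest: str) -> list:
    """Extract an archive only if every member stays inside dest.

    The audit runs before any write so a hostile archive is rejected whole
    rather than partially extracted. A second, filesystem-level check on the
    resolved target path guards against anything the name-based filter missed.
    """
    audit = audit_archive(data)
    if audit["unsafe"]:
        raise ValueError("archive rejected, unsafe members: %s" % audit["unsafe"])

    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError("member resolves outside dest: %s" % info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_sample_project(include_traversal: bool) -> bytes:
    """Constructed sample 'project file': two benign members and, optionally,
    one ZipSlip-style member whose name climbs out of the target directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/main.st", "PROGRAM Main\nEND_PROGRAM\n")
        zf.writestr("project/config.xml", "<config/>\n")
        if include_traversal:
            zf.writestr("../../tools/startup.bat", "@echo constructed sample\n")
    return buf.getvalue()


def demo() -> tuple:
    """Run the check on both sample archives and return what a caller sees:
    (audit of the hostile archive, rejection message, files written for the clean one)."""
    hostile = build_sample_project(include_traversal=True)
    clean = build_sample_project(include_traversal=False)
    audit = audit_archive(hostile)
    with tempfile.TemporaryDirectory() as tmp:
        try:
            safe_extract(hostile, tmp)
            error = None
        except ValueError as exc:
            error = str(exc)
        clean_written = len(safe_extract(clean, tmp))
    return audit, error, clean_written


if __name__ == "__main__":
    print(demo())
```

The name-based filter alone is not sufficient on its own: symlinked directories or case-insensitive filesystems can make a path resolve differently from how it reads, which is why the extraction loop re-checks the resolved target against the destination with `os.path.realpath` and `os.path.commonpath`.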

SC Magazine reports "'Evil PLC' Could Turn PLCs into Attack Vectors"

