Evil PLC attack, a threat campaign that weaponises PLCs

September 2, 2022
Tags: Evil PLC attack, Threat Campaign, PLC, Programmable Logic Controller, Industrial Infiltration, Vulnerability

A newly discovered threat campaign, dubbed the Evil PLC attack, infiltrates engineering workstations through weaponised Programmable Logic Controllers (PLCs). PLCs are an attractive foothold for the threat actors behind it because tampering with a PLC can disrupt, damage or alter the physical processes it controls.

The Evil PLC attack affects engineering-workstation software from several industrial automation vendors, including Emerson, B&R, Xinje, Rockwell Automation, Schneider Electric, GE and OVARRO.

Based on reports, the adversaries first compromise PLCs that are exposed to the internet. They then deceive an unwary engineer into connecting the engineering workstation to the compromised PLC.

Once that connection is made, the compromised engineering workstation gives the attackers easy access to the organisation's other PLCs and to the sensitive systems it is connected to.


Researchers explained that, once the network has been infiltrated this way, the Evil PLC attack exposes further vulnerabilities in the systems behind it.


The Evil PLC attack also exposes several flaws in engineering-workstation software: the software trusted the data arriving from the PLC and performed no further validation on it.

The attackers plant crafted data on the PLC to trigger those flaws and run malicious code on the workstation. The flaws fire when an engineer performs an upload procedure, which transfers project metadata and code from the PLC to the workstation.
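To make the trust problem concrete, here is an added example (my own toy code, not the researchers' findings or any vendor's software) of a workstation-side upload handler. The wire format, the project directory layout and the file names are assumptions made for the demo. The trusting version joins whatever file name the PLC reports onto the project directory, so a `../` entry lands wherever the attacker chose; the hardened version bounds-checks every length field from the PLC and refuses any entry that resolves outside the project directory.

```python
# Added example, not from the article or the vendors it names. The upload
# format below is a constructed stand-in for a real PLC protocol:
#   count:u16 | per entry: name_len:u16 name data_len:u32 data   (big-endian)
import os
import struct
from dataclasses import dataclass


@dataclass
class Entry:
    name: str    # file name as reported by the PLC (attacker-controlled on an Evil PLC)
    data: bytes  # file body as reported by the PLC


def build_upload(entries):
    """Encode (name, data) pairs the way our constructed PLC would send them."""
    blob = struct.pack(">H", len(entries))
    for name, data in entries:
        raw = name.encode("utf-8")
        blob += struct.pack(">H", len(raw)) + raw + struct.pack(">I", len(data)) + data
    return blob


def parse_upload(blob, max_entries=256, max_data=1 << 20):
    """Decode an upload without trusting any length field the PLC sent."""
    view = memoryview(blob)
    pos = 0

    def take(n):
        nonlocal pos
        # A length field is checked against the real buffer before use; a
        # lying or truncated upload raises instead of reading past the end.
        if n < 0 or pos + n > len(view):
            raise ValueError("upload truncated or length field does not match data")
        chunk = bytes(view[pos:pos + n])
        pos += n
        return chunk

    (count,) = struct.unpack(">H", take(2))
    if count > max_entries:
        raise ValueError(f"too many entries: {count}")
    entries = []
    for _ in range(count):
        (name_len,) = struct.unpack(">H", take(2))
        name = take(name_len).decode("utf-8")
        (data_len,) = struct.unpack(">I", take(4))
        if data_len > max_data:
            raise ValueError(f"entry {name!r} too large: {data_len}")
        entries.append(Entry(name, take(data_len)))
    if pos != len(view):
        raise ValueError("trailing bytes after last entry")
    return entries


def dest_path_unsafe(project_dir, name):
    """What a trusting workstation does: join and write. '../' escapes project_dir."""
    return os.path.normpath(os.path.join(project_dir, name))


def dest_path_safe(project_dir, name):
    """Accept a name only if it stays inside project_dir after normalisation."""
    root = os.path.abspath(project_dir)
    if not name or "\x00" in name or "\\" in name or os.path.isabs(name):
        raise ValueError(f"rejected entry name {name!r}")
    cand = os.path.normpath(os.path.join(root, name))
    # commonpath compares whole path components, so 'line1' vs 'line1-evil'
    # cannot slip past the check the way a string prefix test would allow.
    if cand == root or os.path.commonpath([root, cand]) != root:
        raise ValueError(f"entry {name!r} resolves outside the project directory")
    return cand


def stage_upload(project_dir, blob):
    """Map every entry to its destination; refuse the whole upload on any bad entry."""
    return {dest_path_safe(project_dir, e.name): e.data for e in parse_upload(blob)}


if __name__ == "__main__":
    # Constructed malicious upload: a real project file plus a traversal entry.
    blob = build_upload([("main.st", b"PROGRAM main"), ("../../startup/evil.exe", b"MZ")])
    for e in parse_upload(blob):
        print("trusting workstation would write:", dest_path_unsafe("/opt/ews/projects/line1", e.name))
    try:
        stage_upload("/opt/ews/projects/line1", blob)
    except ValueError as err:
        print("hardened workstation refused upload:", err)
```

On a live system the same containment check should be done against `os.path.realpath` of the project directory once it exists, so that a symlink inside the project tree cannot redirect a write; `normpath` alone is enough to show the traversal case here. Note that `parse_upload` is hardened but `dest_path_unsafe` is deliberately not: it exists only to show where a trusting implementation goes wrong.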

Once the engineering workstation is fully compromised, the attackers move laterally to the remaining systems on the network, which are then exposed to whatever the attackers choose to do.

Hence, this newfound campaign can cause catastrophic damage to any entity it breaches.

The Evil PLC method can also be turned around by researchers against malicious threat groups, with a weaponised PLC acting in effect as a honeypot. The researchers highlighted that attackers who connect to such a PLC from their own machines, for instance to recover the loaded project, could end up compromising their own devices.

Cybersecurity experts recommend that organisations limit physical and network access to PLCs to authorised engineers and operators, use client-authentication mechanisms so that the PLC verifies the engineering station before accepting a connection, monitor OT network traffic for unexpected activity, and apply fixes as soon as vendors release them.
