March 4, 2024 at 07:18AM
A team of Georgia Tech researchers developed web-based PLC malware, IronSpider, targeting modern PLCs such as Wago, Siemens, and others. This malware exploits web APIs, can persist through updates and hardware replacements, and has potential for real-time data exfiltration and destruction of industrial processes. The researchers also proposed a vendor-agnostic framework for analyzing web-based PLC malware.
Based on the meeting notes, the key takeaways are:
1. Researchers from the Georgia Institute of Technology have developed web-based PLC malware that targets modern programmable logic controllers (PLCs) with the potential to significantly expand the attack surface of industrial control systems (ICS).
2. The web-based PLC malware can abuse the PLC’s legitimate web APIs to cause disruption to industrial processes or machinery damage and can be deployed through physical or network access to the web-based human-machine interface (HMI) or directly through the internet by exploiting cross-origin vulnerabilities.
3. The malware leverages service workers for persistence, allowing it to survive firmware updates, new web-based HMIs, and hardware replacements. It can cover its tracks by destroying itself, overwriting the payload, unregistering service workers, and potentially conducting a factory reset of the device.
4. The researchers demonstrated their work by developing a malware named IronSpider, which targeted Wago PLCs and can be compared to the notorious Stuxnet malware.
5. This type of PLC malware can also be used against other PLC brands such as Siemens, Emerson, Schneider Electric, Mitsubishi Electric, and Allen Bradley by exploiting newly discovered or previously known vulnerabilities, weak FTP passwords, insecure protocols, or insiders.
6. The researchers have created a vendor-agnostic framework for analyzing web-based PLC malware, exploring widely applicable strategies that can be used against most modern PLC models.
Let me know if you need any further information or assistance.