Corrupt code... AB and Schneider

Dyslexicbloke

Member
Join Date
Jul 2011
Location
Leek, ST13 7ER
Posts
34
Hi folks,
over the last couple of weeks I have seen 5 PLCs with similar code modifications that I can't explain.

My sites typically use Schneider TM221CExxT or various Micrologix units.
I have seen 5 instances now of the code changing, OK, being changed, on rungs where physical IO is the preceding or following instruction.

Either coils/bits are replicated and inverted immediately before an output, or bits/contacts are inserted after an input, or the input bit is entirely removed.

Typically I use IO mapping so physical IO only appears once in any program and the bits/coils associated with IO are mapped to internal bits.

On the Schneider PLCs, 3 so far, a random bit, %M345 or %M789, was inserted twice, once inverted, in my IO map ladders, preventing inputs and/or outputs from working.

What I do is neither critical nor important and I doubt my sites have been targeted, but there is no buzz that suggests this is a widespread thing either.
Is anyone else having issues?

Strangest thing I ever saw, and apparently not manufacturer specific.

BTW... All of these PLCs were internet connected and some not adequately protected... I guess two decades of nothing made me complacent... My bad.

Is this just me, surely not?
 

It COULD be that you have an angry guy on 2nd shift causing mischief.


Could be the "on the internet with no protection" thing, though. People on the internet like to play games for fun.
 
There's a YouTube video where someone exposed a PLC to the internet, and within a week someone had found it and modified the program. So it's possible that's what happened to you.
 
If I had access to one via the internet, I'd slowly convert all extended branches to nested.

The devil himself!

One time I found an L61 PLC on the internet I was able to go online with via logix. Scary times. All you need is the MAC to find the PLC brand, then 9am3 0v3r.
 
Hey.... I get that I messed up or was at least naive, but some of this stuff has been live for at least a decade with no issues.
HMIs require a login; most PLCs I use non-standard ports, NATed, although not these units.

Personal attack is not likely, although I guess possible. No other shifts though; I am a self-employed sub-contractor.

Also, if it was a person then much more damage could have been done by planning the code mods as opposed to simply disabling or forcing physical IO.
The whole thing feels like a bot/virus, something automated, and yes I am kicking myself for being so silly/lax.

That said... Just my unsecured stuff... Really? Perhaps I am the only guy daft enough to admit it!
 
Out of interest... How would you get the MAC of a device on the inside of a NAT that only has a single external IP? Wouldn't any returned MAC be the router? I realise the router maintains an ARP table but I wasn't aware that could be accessed externally.

Perhaps that is something else I should have a better handle on.
 
If I had access to one via the internet, I'd slowly convert all extended branches to nested.

Out of interest... How would you get the MAC of a device on the inside of a NAT that only has a single external IP? Wouldn't any returned MAC be the router? I realise the router maintains an ARP table but I wasn't aware that could be accessed externally.

Perhaps that is something else I should have a better handle on.

It would not work like this for 1:many NATs, but most NATs I've seen in the plants I've worked on are 1:1, giving you access to individual IPs.

Even with 1:many, I think port scanning is viable, once identified it's the same penetration method from there on.
 
Out of interest... How would you get the MAC of a device on the inside of a NAT that only has a single external IP? Wouldn't any returned MAC be the router? I realise the router maintains an ARP table but I wasn't aware that could be accessed externally.

Perhaps that is something else I should have a better handle on.


The MAC of the device is not included in the packets that are transmitted outside the NAT. You are correct, the other communications partner only receives the MAC of the NAT router.



Hypothetically you could pull this info from the router, if it is not secured properly. Either from the telnet, or the web interface, or via something like SNMP. SNMP v1 especially has essentially no security and is commonly enabled, so an attacker would essentially have full access to the data (and potentially config) of the device. If you aren't familiar, SNMP is something like OPC UA, but for IT stuff.


Why do you ask about the MAC?
 
If I am reading this right, then you have actual code modifications on several machines. Yep, that sounds like a malicious attacker.

The malicious attacker may be inside your network.
It may have started as an attack from outside on only a single PC, but after gaining control of the PC, the hacker has access to all devices as if he is onsite. The attacker may also have access to programming resources, to password lists etc.
The internet access that the machines use is obviously suspect, but the hacker can have gained access through some other means.
It only takes one person clicking on a link in an email or opening a certain webpage, and with that a hacker can slowly pry his way into your system until he has access to everything.

Definitely perform a security review and renew all PLC and HMI passwords under the assumption that your system is compromised from the inside.
Also, the internet connection that the machines use should be reviewed. Are all accesses logged? Does login require 2-factor authentication?
 
These are all isolated networks, just a PLC and HMI out in the wild...
As I said in post 1, calling security lax is generous, my bad. The routers are password protected and have standard firewall rules, but the PLCs were just NATed in with no security...

Yes I know, doing better already, while feeling a little silly to say the least.

I know why this happened, it was my fault. What I am most confused about is how it happened. The mods in question didn't look like a person did them, because of what was done and where in the code.

All mods were adjacent to physical IO bits, either preventing them from being driven or read.
All mods either deleted the preceding instruction or appended two new ones, XIC & XIO of a single bit, effectively disconnecting that rung.

One of the units, a Schneider, had %M789 appended ~200 times in ~100 locations. I am sure a person would have been far more efficient and devious... My point is, after looking at a couple of examples, one Schneider and one Micrologix, it was clear that similar 'rules' had been used to decide what to alter, with the actual alteration being predictable with regard to location and random with respect to whether it was a deletion or addition.

All a bit odd really.
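The pattern described in the post above (an XIC and an XIO of the same bit appended next to a physical IO instruction, which blocks the rung, plus one internal bit showing up hundreds of times) is regular enough to check for automatically. The following is an added example, not code from the original thread or from Schneider or Rockwell tooling: it works on a constructed plain-text rung listing (one rung per line, "OPCODE ADDRESS" pairs), and flags rungs where the same bit is used as both XIC and XIO adjacent to a physical address, internal bits that are read many times but never written by a coil, and rungs that differ from a known-good baseline upload. The text format, the physical-address prefixes and the sample programs are all assumptions made for the example.

```python
"""Detect the 'blocking pair' tampering pattern in a plain-text ladder listing.

Assumed input format (constructed for this example, not a vendor export):
one rung per line, whitespace-separated OPCODE ADDRESS pairs, '#' comments.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed address styles: Schneider IEC (%I/%Q) and Micrologix file addresses (I:/O:)
PHYSICAL_PREFIXES = ("%I", "%Q", "I:", "O:")
COIL_OPS = {"OTE", "OTL", "OTU"}
CONTACT_OPS = {"XIC", "XIO"}


@dataclass(frozen=True)
class Instr:
    op: str    # e.g. XIC, XIO, OTE
    addr: str  # e.g. %I0.0, %M789, I:0/0


def parse_rung(line: str) -> list[Instr]:
    toks = line.split()
    if len(toks) % 2:
        raise ValueError(f"odd token count in rung: {line!r}")
    return [Instr(toks[i], toks[i + 1]) for i in range(0, len(toks), 2)]


def parse_program(text: str) -> list[list[Instr]]:
    return [parse_rung(ln) for ln in text.strip().splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def is_physical(addr: str) -> bool:
    return addr.startswith(PHYSICAL_PREFIXES)


def contradictory_bits(rung: list[Instr]) -> list[str]:
    """Bits used as both XIC and XIO in one rung: in series they can never both be true."""
    seen: dict[str, set[str]] = {}
    for ins in rung:
        if ins.op in CONTACT_OPS:
            seen.setdefault(ins.addr, set()).add(ins.op)
    return sorted(a for a, ops in seen.items() if ops == CONTACT_OPS)


def adjacent_to_physical(rung: list[Instr], addr: str) -> bool:
    """True if any instruction on `addr` sits right before or after a physical IO instruction."""
    for i, ins in enumerate(rung):
        if ins.addr == addr:
            for j in (i - 1, i + 1):
                if 0 <= j < len(rung) and is_physical(rung[j].addr):
                    return True
    return False


def find_blocked_rungs(program: list[list[Instr]]) -> list[tuple[int, str]]:
    """(rung number, bit) for every contradictory pair placed next to physical IO."""
    return [(n, a) for n, rung in enumerate(program, 1)
            for a in contradictory_bits(rung) if adjacent_to_physical(rung, a)]


def unwritten_hot_bits(program: list[list[Instr]], threshold: int = 10) -> list[str]:
    """Internal bits read at least `threshold` times but never driven by a coil.

    The thread reports one such bit (%M789) appearing ~200 times; a bit nobody
    writes has no legitimate reason to be read that often in an IO-mapped program.
    """
    reads: Counter[str] = Counter()
    writes: set[str] = set()
    for rung in program:
        for ins in rung:
            if ins.op in COIL_OPS:
                writes.add(ins.addr)
            elif ins.op in CONTACT_OPS:
                reads[ins.addr] += 1
    return sorted(a for a, c in reads.items()
                  if c >= threshold and a not in writes and not is_physical(a))


def diff_rungs(baseline: list[list[Instr]], current: list[list[Instr]]) -> list[int]:
    """Rung numbers whose instructions differ from the known-good baseline (plus any length mismatch)."""
    changed = [n for n, (b, c) in enumerate(zip(baseline, current), 1) if b != c]
    lo, hi = min(len(baseline), len(current)), max(len(baseline), len(current))
    return changed + list(range(lo + 1, hi + 1))


# Constructed sample: a tiny IO-mapped program and the same program after tampering.
BASELINE = """
# IO map: physical inputs copied to internal bits, internal bit drives the output
XIC %I0.0 OTE %M1
XIC %I0.1 OTE %M2
XIC %M1 XIO %M2 OTE %M10
XIC %M10 OTE %Q0.0
"""
TAMPERED = """
XIC %I0.0 XIC %M789 XIO %M789 OTE %M1
XIC %I0.1 OTE %M2
XIC %M1 XIO %M2 OTE %M10
XIC %M10 XIC %M789 XIO %M789 OTE %Q0.0
"""

if __name__ == "__main__":
    base, cur = parse_program(BASELINE), parse_program(TAMPERED)
    print("blocked rungs:", find_blocked_rungs(cur))
    print("hot unwritten bits:", unwritten_hot_bits(cur, threshold=4))  # low threshold for the small sample
    print("rungs changed vs baseline:", diff_rungs(base, cur))
```

Run against a real upload you would feed it a listing generated from your own project export and a baseline taken when the program was last legitimately changed; the baseline diff is the check that catches deletions of the preceding instruction, which the contradictory-pair rule alone cannot see.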
 
You should report the incident to your country's authority on that. They might give you advice on how to recover, and can use your report to determine how widespread it is. I don't know the right authority in the US to report it to, but the police can guide you in that if needed, but maybe someone else here knows.
 
Our intranet computers that happen to face the internet get immediately disconnected.

I am not sure how IT is accomplishing this. There are some .bat files that get loaded at startup that ping 8.8.8.8, and if any ping returns then something happens in some program where the PC's network cards get disabled, and it requires elevated privileges to re-establish network connections.
 