TID-303: Excessive Trust in Offboard Management/IDE Software
Threat Description
If device management is intended to be performed through a dedicated engineering software platform or integrated development environment (IDE), a threat actor could modify that software, for example by replacing or patching key DLLs, to install malicious code on the device or manipulate its operation. Because the device accepts whatever the engineering software sends it, and the engineer trusts whatever the software displays, a compromised platform gives the threat actor a mechanism to bypass the device's protections and countermeasures while the modification remains invisible to the user.
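The threat above hinges on the engineering software's own modules being trusted without verification. The following is an added example, not code from the EMB3D page or from any vendor's product: it builds a SHA-256 baseline of the loadable modules in an engineering-software install directory and later reports modules that were modified, removed or added. The directory layout, file names and file contents are constructed for the demonstration.

```python
"""Added example (not from the EMB3D page): hash-baseline check for an
engineering-software install, to detect swapped or dropped-in modules.
The install layout and module names below are constructed for the demo."""
import hashlib
import os
import tempfile
from pathlib import Path

# Loadable module types worth baselining on an engineering workstation.
MODULE_SUFFIXES = {".dll", ".exe", ".ocx", ".sys"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large modules do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(install_dir: Path) -> dict[str, str]:
    """Hash every loadable module under install_dir; keys are relative POSIX-style paths."""
    return {
        str(p.relative_to(install_dir)).replace(os.sep, "/"): hash_file(p)
        for p in sorted(install_dir.rglob("*"))
        if p.is_file() and p.suffix.lower() in MODULE_SUFFIXES
    }


def verify(install_dir: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current install against a previously recorded baseline."""
    current = build_baseline(install_dir)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Construct a fake install, baseline it, then tamper with it the way the threat describes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "Engineering.exe").write_bytes(b"MZ\x90\x00 original exe")        # constructed
        (root / "bin" / "DeviceComm.dll").write_bytes(b"MZ\x90\x00 original comms driver")  # constructed
        (root / "bin" / "readme.txt").write_bytes(b"not a module, ignored")
        baseline = build_baseline(root)

        # Attacker with write access to the install replaces the device
        # communication module and drops an extra one beside it.
        (root / "bin" / "DeviceComm.dll").write_bytes(b"MZ\x90\x00 trojanised comms driver")
        (root / "bin" / "Helper.dll").write_bytes(b"MZ\x90\x00 unexpected module")
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline only has value if it is stored and checked from outside the workstation it describes; an attacker with administrator rights on the workstation can rewrite a locally stored baseline just as easily as the DLL. On Windows the hash check should be paired with publisher-signature verification of the same modules.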
Threat Maturity and Evidence
Observed Adversarial Technique
ATT&CK Technique: Rootkit (T0851)
Procedure Example: Stuxnet (S0603)
“Stuxnet has the capability, through malicious .DLLs, to intercept read requests and write requests, including those that could overwrite code on the device”
Proof of Concept
Applying a Stuxnet Type Attack to a Modicon PLC
“Implementing Stuxnet type attacks on PLCs from other manufacturers is possible. In the case of the Modicon M340, this porting is easier because the PLC executes ARM bytecode natively (and not proprietary assembly code).
This exercise gives us the opportunity to extend M340 functionality by developing automation code directly in C. Now we can perform low level actions which are very difficult to do with other languages (e.g. Ladder, Grafcet).
We developed a program that allows the changing of logical programs on the fly (no need for recompilation – stop – upload – start steps in Unity)”
The Old Switcheroo: Hiding Code on Rockwell Automation PLCs
“Team82 decided to test for these Stuxnet-type of attacks on the Rockwell Automation PLC platform. Our research uncovered two vulnerabilities that expose the company’s Logix Controllers and Logix Designer application for engineering workstations to attacks that allow threat actors to stealthily modify automation processes.
Programmable logic and predefined variables drive these processes, and changes to either will alter normal operation of the PLC and the process it manages. An attacker with the ability to modify PLC logic could cause physical damage to factories that affect the safety of manufacturing assembly lines, the reliability of robotic devices, or in a much more dramatic example, as we saw with Stuxnet, attackers could damage centrifuges at the core of uranium enrichment at a nuclear facility.”
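The Stuxnet procedure, the Team82 research quoted above and the threat description all describe the same mechanism: a compromised layer between the engineering software and the controller patches what is written to the device and answers read-backs with the clean copy, so the IDE's own compare shows no difference. The following is an added example, not code from the EMB3D page, from Stuxnet, or from Team82 or any vendor. It models that interposition with a toy controller and two drivers exposing the same interface, then shows why verification has to read the device through a path the engineering software does not control. All controller logic, the patch pattern and the class names are constructed.

```python
"""Added example (not from the EMB3D page or any vendor): a toy model of an
engineering-software communication module that has been swapped for a
malicious one, and the out-of-band check that exposes it."""
import hashlib
from dataclasses import dataclass


@dataclass
class FakePLC:
    """Constructed stand-in for a controller: just stores a program blob."""
    program: bytes = b""

    def write_program(self, blob: bytes) -> None:
        self.program = blob

    def read_program(self) -> bytes:
        return self.program


class HonestDriver:
    """The communication module the IDE trusts, as shipped."""

    def __init__(self, plc: FakePLC) -> None:
        self.plc = plc

    def download(self, blob: bytes) -> None:   # IDE -> controller
        self.plc.write_program(blob)

    def upload(self) -> bytes:                 # controller -> IDE
        return self.plc.read_program()


class TamperedDriver(HonestDriver):
    """Same interface, but behaving like the malicious module the threat
    describes: every download is patched before it reaches the controller,
    and every upload returns what the engineer expects to see, not what runs."""

    # Constructed patch: force an output to zero instead of following its input.
    PATCH = (b"MOV OUT1 := IN1", b"MOV OUT1 := 0")

    def __init__(self, plc: FakePLC) -> None:
        super().__init__(plc)
        self._shown = b""

    def download(self, blob: bytes) -> None:
        self._shown = blob                                    # keep the clean copy for read-backs
        self.plc.write_program(blob.replace(*self.PATCH))     # write the patched one

    def upload(self) -> bytes:
        return self._shown                                    # lie to the IDE


def ide_compare(driver: HonestDriver, project_blob: bytes) -> bool:
    """What the IDE's 'compare with controller' does: it trusts the driver's read-back."""
    return driver.upload() == project_blob


def independent_verify(plc: FakePLC, project_blob: bytes) -> bool:
    """Out-of-band check: hash the program obtained through a path the
    engineering software stack does not mediate (modelled as direct access)."""
    on_device = hashlib.sha256(plc.read_program()).hexdigest()
    expected = hashlib.sha256(project_blob).hexdigest()
    return on_device == expected


def demo(tampered: bool) -> tuple[bool, bool]:
    """Return (what the IDE compare reports, what the independent check reports)."""
    plc = FakePLC()
    driver = TamperedDriver(plc) if tampered else HonestDriver(plc)
    project = b"LD IN1\nMOV OUT1 := IN1\nEND"   # constructed logic, not a real PLC language
    driver.download(project)
    return ide_compare(driver, project), independent_verify(plc, project)


if __name__ == "__main__":
    print("clean workstation:", demo(False))
    print("tampered workstation:", demo(True))
```

With the honest driver both checks agree; with the tampered driver the IDE still reports a match while the independent hash of the device-resident program does not, which is exactly the gap the CVE below describes as code "undetectable to a user". In practice the independent path is a second, separately administered host or a controller-side integrity report, not the same workstation whose software is in question.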
CWE
CWE-114: Process Control (Class)
“Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker.”
CVE
CVE-2022-1159
“Rockwell Automation Studio 5000 Logix Designer (all versions) are vulnerable when an attacker who achieves administrator access on a workstation running Studio 5000 Logix Designer could inject controller code undetectable to a user.”