Researchers Release Stuxnet-Like Exploits on Metasploit

By | Apr 10, 2012

IT professionals working in the industrial sector should be on alert for two new exploits that could allow a hacker manipulate critical infrastructure. The exploits are similar in nature to the notorious Stuxnet, the worm that enabled attackers to take control of uranium centrifuges in Iran back in 2010.

The exploits take advantage of flaws in Schneider-Electric's Modicon Quantum programmable logic controller (PLC), which has a variety of industrial applications.

Reid Wightman, a security consultant at Digital Bond, developed the malicious code as part of Project Basecamp, a volunteer project with the goal of exposing vulnerabilities in industrial PLCs. Project Basecamp submitted the exploits as modules to Metasploit, a penetration-testing software IT professionals can use to test for and detect vulnerabilities in a network.

One of the exploits enables a hacker to overwrite the ladder logic--the schematic diagram used to define the program--of the PLC, allowing the attacker to compromise the device. Using the module, the attacker can download and examine the existing ladder logic to understand how the device functions. The attacker can then upload a modified version of his ladder logic to the unsecured PLC. The other exploit can be used to send "stop" or "run" commands to the Modicon Quantum PLC.

These modules can cause serious damage to companies that use the Modicon Quantum, but the real problem isn't that these exploits are now public. The issue is rather that the makers of industrial control systems have done little to protect their devices against hackers. Stuxnet should have been a kick in the pants for PLC makers to amp up security, but vendors have not put forth much effort to repair well-known design flaws. For example, Siemens 7--the PLC that Stuxnet took control of in its 2010 attack--still has not been fixed.

Hacking into these vulnerable PLCs isn't too arduous a task for attackers who know what to look for. According to a post from Digital Bond CEO Dale Peterson, Wightman was able to access and download the existing ladder logic and upload a rogue program to the Modicon Quantum in less than eight hours. Of course, now that the modules are public, most of the legwork has been done for attackers looking to infiltrate industrial control systems. After all, IT professionals aren't the only ones who use Metasploit; hackers use the software to quickly find existing vulnerabilities to attack.

In general, all midsize businesses using industrial control systems are potentially at risk. Most common PLCs contain significant vulnerabilities that are known to vendors and have been left unpatched. To protect against hackers, Peterson recommends companies know as much as possible about the security of their devices. "Every owner/operator should be asking their vendors how ladder logic upload/download is secured, as well as firmware upload/download and commands that could be used maliciously to affect the availability or integrity of the process," wrote Peterson.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. Become a fan of the program on Facebook. Follow us on Twitter.

IBM Solution Security & Resiliency

IBM's IT security expertise can help medium-sized businesses develop, implement and maintain comprehensive strategies to combat ever-evolving security threats without increasing complexity, cost, or resources required for administration.

Learn More »

More on This Topic

IBM’s New Social Collaboration Tool

By Rebecca Herold on Dec 3, 2014
I am intrigued by the new social collaboration tool, Verse, which IBM just released that is reportedly intended to reinvent email. Quite a lofty, but worthwhile, goal considering email hasn’t significantly changed since the move from a mainframe based character ...