Lifting Zmiy and КУН-IP8. Solar has released an interesting article about the Lifting Zmiy group. The group hosts its command-and-control (C2) servers on compromised programmable logic controllers (PLCs), in particular on the “Концентратор универсальный КУН-IP8” (universal concentrator KUN-IP8) for elevator control, developed by Tekon-Avtomatika.
Why КУН-IP8:
🔻 It runs Linux-based firmware and has a module for loading and executing custom Lua script plugins as root, which allows running arbitrary bash commands as root.
🔻 The web interfaces of such PLCs are often exposed directly to the Internet, even with the default administrator login and password. 🤦♂️ More than a hundred such hosts can be found using Google Dorks.
If you have a piece of hardware that is accessible from the Internet and you neither secure nor update it, it is very likely that criminals will start using it, for example in attacks on critical infrastructure. And then YOU will have to prove you had nothing to do with it.
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
And I invite all Russian speakers to one more Telegram channel, @avleonovrus; that is now where I post first.