Lifting Zmiy and КУН-IP8. Solar released an interesting article about the group Lifting Zmiy. The group hosts its control servers (C2) on compromised programmable logic controllers (PLC). In particular, on the “Концентратор универсальный КУН-IP8” for elevator control, developed by Tekon-Avtomatika.
Why КУН-IP8:
🔻 It has Linux-based firmware and a module for loading and executing custom LUA script plugins as root (allows you to execute any bash commands as root).
🔻 Often the web interfaces of such PLCs are accessible directly on the Internet, even with the default administrator login/password. 🤦♂️ More than a hundred hosts can be found using Google Dorks.
If you have a piece of hardware that is accessible from the Internet and you do not secure it and update it, then it is very likely that criminals will start using it. For example, in attacks on critical infrastructure. And then YOU will have to prove you had nothing to do with it.