New faces replace traditional attack tools (Oct 20, 2022)

Preface: In the IoT and IIoT world, Windows OS and Linux-based OS have become the mainstream technology. Endpoint devices are mainly based on the Linux operating system as a design baseline. If you have a chance to explore the operating system architecture of IIoT and IoT, you will find that it is a Linux world. Even the IoT monitor API (mini dashboard) installed on your mobile phone runs on Linux.
Perhaps the border between IT and consumer IoT can be categorized by operating system. Why? Because mainstream information technology (IT) deploys the Windows OS.
The concept above might not apply to the industrial area. As you know, OPC technology has been implemented in OT environments for nearly 20 years. Perhaps OPC-UA is based on Linux. But when you look at it from a wide angle, it shows you that hybrid OS architecture design has settled into the OT space.

Background: About two decades ago, PsExec was a powerful tool. Meanwhile, threat actors misused and transformed this program into an attack tool. In fact, PsExec can help run scripts and exploit vulnerabilities when malware downloads payloads to victim machines. Why do they use the PsExec program? Because the target is a Windows-based machine. A few years ago, hackers misused the PowerShell language and jeopardized a bunch of MS Exchange servers. As of today, PowerShell is still capable of engaging in cyber attacks in misconfigured system environments. Long story short, IoT and IIoT devices are based on Linux. It seems that the serious effects above can be avoided. Is this real?

Details: The common programming language in the IoT and IIoT environment is Python. As we have heard so far, when IoT devices are vulnerable they can be transformed into a botnet and thus engage in cyber attacks. But in what way do they do it?
CISA discovery activity shows that the new method for engaging in cyber attacks uses two Impacket tools: wmiexec[.]py and smbexec[.]py.
Smbexec[.]py uses a similar approach to PsExec without using RemComSvc. RemComSvc.exe is a tool used to execute remote commands on agent machines. Actors used the Impacket tools wmiexec[.]py and smbexec[.]py to leverage Windows Management Instrumentation (WMI) and execute malicious commands.
According to the above information, this is a new way for botnet activity to effectively affect Microsoft operating system environments.
Don't take this approach lightly, though. People may feel that if the Windows machine doesn't have Python installed, there is no chance of falling into this attack scenario. The details below show that Python scripts can still run even if Python is not installed on the Windows PC.
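The two execution paths described above (a shell launched through the WMI provider host, and a throw-away service whose "binary" is a cmd.exe one-liner instead of a real service executable such as RemComSvc) leave distinct traces in host telemetry. The following detector is an added example written for this post; it is not code from CISA, Impacket or the original article. The pipe-separated key=value log format, the field names, the host name and the sample command lines are all constructed for the example; the output redirection to a local admin share mirrors the tool's commonly reported default behaviour and is included only as a sample.

```python
"""
Added example: scan constructed process-creation and service-install log lines
for the two remote-execution patterns the post describes.

Assumptions (not from the page): log lines are "key=value" fields separated by
"|", with events "ProcessCreate" (fields image, parent, cmdline) and
"ServiceInstall" (fields service, image_path). Command lines in the sample
contain no "|" characters.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    technique: str
    evidence: str


# Parent is the WMI provider host: a process created by a WMI method call.
WMI_HOST = re.compile(r"\\wbem\\WmiPrvSE\.exe$", re.IGNORECASE)
# Child is a command interpreter.
SHELL_IMAGE = re.compile(r"(^|\\)(cmd|powershell)\.exe$", re.IGNORECASE)
# A service "binary" that is really a shell invocation, not a service executable.
SHELL_IN_SERVICE_PATH = re.compile(r"(%COMSPEC%|cmd\.exe|powershell\.exe)", re.IGNORECASE)
# Command output written back to the host's own admin share over loopback.
SMB_OUTPUT = re.compile(r"\\\\127\.0\.0\.1\\(ADMIN|C)\$\\", re.IGNORECASE)

# Constructed sample telemetry (not real logs).
SAMPLE_LOGS = [
    r"ts=2022-10-20T09:00:00Z|event=ProcessCreate|host=WS01|image=C:\Windows\System32\notepad.exe|parent=C:\Windows\explorer.exe|cmdline=notepad.exe notes.txt",
    r"ts=2022-10-20T09:00:01Z|event=ProcessCreate|host=WS01|image=C:\Windows\System32\cmd.exe|parent=C:\Windows\System32\wbem\WmiPrvSE.exe|cmdline=cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1666256401.5 2>&1",
    r"ts=2022-10-20T09:00:02Z|event=ServiceInstall|host=WS01|service=Spooler|image_path=C:\Windows\System32\spoolsv.exe",
    r"ts=2022-10-20T09:00:03Z|event=ServiceInstall|host=WS01|service=svc-example|image_path=%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat",
]


def parse_line(line: str) -> dict:
    """Split a '|'-separated line into a dict; only the first '=' of each field splits key from value."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value
    return fields


def analyse(fields: dict):
    """Return a Finding for a single parsed event, or None if it looks benign."""
    host = fields.get("host", "?")
    if fields.get("event") == "ProcessCreate":
        if WMI_HOST.search(fields.get("parent", "")) and SHELL_IMAGE.search(fields.get("image", "")):
            technique = "WMI-launched shell (wmiexec-style)"
            if SMB_OUTPUT.search(fields.get("cmdline", "")):
                technique += " with output redirected to a local admin share"
            return Finding(host, technique, fields.get("cmdline", ""))
    elif fields.get("event") == "ServiceInstall":
        path = fields.get("image_path", "")
        if SHELL_IN_SERVICE_PATH.search(path):
            return Finding(host, "service whose binary is a shell one-liner (smbexec/PsExec-style)", path)
    return None


def scan(lines) -> list:
    """Run analyse() over every line and keep only the hits."""
    return [f for f in (analyse(parse_line(line)) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(f"[{finding.host}] {finding.technique}\n    {finding.evidence}")
```

Both rules key on structure rather than on the tool name, so a renamed script or a different service name still trips them; the cost is that legitimate WMI-driven automation that spawns cmd.exe will need to be allow-listed by parent and command line.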

You can either use py2exe or use the Python exe without installing. py2exe requires setting up an environment with Python beforehand, as it is an extension of Distutils. Create a file called setup.py with the following content:

# setup.py: builds script.py into a standalone console executable with py2exe
from distutils.core import setup
import py2exe  # registers the "py2exe" build command with distutils

setup(console=['script.py'])
# build with:  python setup.py py2exe

For using Python without installing it:
You can download the latest version in zip format, extract it into any folder, and add that folder to your PATH environment variable so you can execute Python from any directory, or use the exact path to the Python exe.
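Because a portable python.exe dropped into any folder on PATH is enough to run these scripts, a defender's first check is simply: which Python interpreters are reachable through PATH, and do they live where a managed installation would? The script below is an added example written for this post, not code from the original article; the list of trusted install roots and the test directories are assumptions to adapt to your own software baseline.

```python
"""
Added example: inventory every python.exe / pythonw.exe reachable via PATH on a
Windows host and flag copies outside the roots where a managed install would live.

Assumptions (not from the page): the trusted roots below; the names of the
interpreter binaries to look for.
"""
import os

INTERPRETER_NAMES = ("python.exe", "pythonw.exe")
# Assumed roots for a managed installation; adjust to the organisation's baseline.
DEFAULT_TRUSTED_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")


def normalise(path: str) -> str:
    """Case- and separator-normalise a path so prefix comparisons are reliable."""
    return os.path.normcase(os.path.normpath(path))


def is_under(path: str, root: str) -> bool:
    """True if path equals root or lies inside it (a plain startswith would also match 'C:\\Program FilesX')."""
    path, root = normalise(path), normalise(root)
    return path == root or path.startswith(root + os.sep)


def find_interpreters(path_value: str, sep: str = os.pathsep, names=INTERPRETER_NAMES) -> list:
    """Return every interpreter binary found in the directories listed in path_value."""
    found = []
    for directory in path_value.split(sep):
        directory = directory.strip().strip('"')  # PATH entries are sometimes quoted
        if not directory:
            continue
        for name in names:
            candidate = os.path.join(directory, name)
            if os.path.isfile(candidate):
                found.append(candidate)
    return found


def audit_path(path_value: str, trusted_roots=DEFAULT_TRUSTED_ROOTS, sep: str = os.pathsep) -> list:
    """Return one record per interpreter with a 'managed' verdict based on trusted_roots."""
    report = []
    for exe in find_interpreters(path_value, sep):
        managed = any(is_under(exe, root) for root in trusted_roots)
        report.append({"path": exe, "managed": managed})
    return report


def unmanaged(path_value: str, trusted_roots=DEFAULT_TRUSTED_ROOTS, sep: str = os.pathsep) -> list:
    """Just the interpreter paths that fall outside the trusted roots."""
    return [r["path"] for r in audit_path(path_value, trusted_roots, sep) if not r["managed"]]


if __name__ == "__main__":
    # Audit the live PATH of the machine the script runs on.
    for record in audit_path(os.environ.get("PATH", "")):
        print(("managed   " if record["managed"] else "UNMANAGED ") + record["path"])
```

Run it from a scheduled task or an EDR script-runner and alert on any UNMANAGED line; the same check can be pointed at a user's profile PATH value read from the registry rather than the process environment.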

For more details on this technical information, please refer to the official CISA article: https://www.cisa.gov/uscert/ncas/alerts/aa22-277a

History:

  • See the July 2004 issue of Windows IT Pro Magazine for Mark's article that covers advanced usage of PsExec.
  • Threat actors assigned the ApplicationImpersonation role to the service account by running the following PowerShell command for managing Exchange:
    powershell add-pssnapin exchange;New-ManagementRoleAssignment -Name:"Journaling-Logs" -Role:ApplicationImpersonation -User:
    This command gave the service account the ability to access other users' mailboxes.
  • In October 2022, CISA found two different types of Python script being frequently exploited by attackers, namely wmiexec[.]py and smbexec[.]py.
