Blackhat Europe 2013

1. Who’s Really Attacking Your

2. #WHOAMI
• Threat Researcher at Trend Micro- research and blogger on criminal
underground, persistent threats, and vulnerabilities.
• Bachelor’s and Master’s in Computer Science. Currently pursuing PhD.
Normal security certifications, CISSP, GCIH, GCFE, etc…
• Research:
-Malware detection/reversing
-Persistent Threats (Malware based espionage)
-ICS/SCADA Security
-Vulnerabilities and the “Underground”

3. This presentation will focus on:
• Concerns/Overview of ICS Security
• How terrible the security profiles of ICS devices are
• Are ICS devices attacked?
• Who attacks ICS devices?

4. Agenda
• ICS Overview
• Typical ICS Deployment
• Overview of two SCADA protocols
• ICS Vulnerabilities
• SCADA on the Internet?
• Story Time!
• Findings
• Attacker Profile
• Recommendations

5. ICS Overview
What are ICS devices?
• Used in production of virtually anything
• Used in water, gas, energy, automobile
manufacturing, etc.
• Notoriously insecure…in every way
• Software is sometimes embedded, sometimes not
• Typically proprietary

6. TYPICAL ICS

7. DNP3
• Used to send and receive messages
• Complex
• No authentication or encryption
• Several published vulnerabilities

8. Modbus
• Oldest ICS Protocol
• Controls I/O Interfaces (MOSTLY!!!!)
• No authentication or encryption! (Surprise!!!)
• No broadcast suppression
• Vulnerabilities are published

9. Security Concerns- ICS vs.
Traditional IT Systems
ICS
• Productivity
• Up-time
• Reliability of data
IT
• Protect the data
• Protect comms
• Limit interruptions

10. ICS Vulnerabilities
• In 2012, 171 unique vulnerabilities affecting ICS products.
• 55 Vendors…

11. SCADA on the Internet???
• Google-fu
• Shodan

12. SCADA on the Internet???
• Pastebin
• ERIPP
• Twitter

13. Story Time!
• Small town in rural America
• Water pump controlling water
pressure/availability
• Population 18,000~

14. • WRONG!• WRONG!
Story Time!
• Water pressure system Internet facing
• No firewalls/security measures in place
• Could cause catastrophic water pressure
failures

15. • WRONG!• WRONG!
Story Time!
• Attacked several times…During Q3-Q4
• Attackers successfully gained access
• Has not been made public
• This is not a story…
• Real life event..

16. • WRONG!• WRONG!
Story Time!
This Happened.

17. • WRONG!
Story Time!
In my basement…

18. • WRONG!• WRONG!
Enter…Honeypots…

19. • WRONG!• WRONG!
Honeypot Overview
• Two low-interaction
• One high-interaction
• Ran for 28 days in total
• One Windows Server 08
• Two Ubuntu 12.04 Servers

20. What They See

21. • WRONG!• WRONG!
High-Interaction Architecture

22. • WRONG!• WRONG!
Low-Interaction Architecture

23. • WRONG!• WRONG!
Some Tools Used

24. Vulnerabilities Presented
“If you can ping it, you own it”
• SNMP vulns (read/write
SNMP, packet sniffing, IP spoofing)
• Authentication limitations
• Limits of Modbus/DNP3
authentication/encryption
• VxWorks Vulnerability (FTP)
• Open access for certain ICS
modifications- fan
speed, temperature, and utilization.

25. • WRONG!
What is an “attack”?
• ONLY attacks that were targeted
• ONLY attempted modification of pump system
(FTP, Telnet, etc.)
• ONLY attempted modification via Modbus/DNP3
• DoS/DDoS will be considered attacks

26. • WRONG!
Attack Profile Countries
US, 9
LAOS, 6
UK, 4
CHINA, 17
NETHERLANDS, 1
JAPAN, 1
BRAZIL, 2
POLAND, 1
VIETNAM, 1
RUSSIA, 3
PALESTINE, 1
CHILE, 1 CROATIA, 1 NORTH KOREA, 1
• Not Just IP’s

27. • WRON!
Attack Overview
0 2 4 6 8 10 12 14
Modification of CPU fan speed
Modbus traffic modification
Secured area access attempt
Modify pump pressure
Modify temperature output
Attempt to shutdown pump system
Vxworks exploitation attempt
Count
Count

28. Snort Findings
• Used Digital Bond’s Quickdraw SCADA Snort Rules
• Custom Snort Rules Created
1111006
Modbus TCP – Unauthorized Read Request to a PLC
1111007
Modbus TCP – Unauthorized Write Request to a PLC
1111206 / 11112061
DNP3 – Unauthorized Read Request to a PLC
1111207DNP3 – Unauthorized Write Request to a PLC
1111208
DNP3 – Unauthorized Miscellaneous Request to a PLC

29. • WRONG!• WRONG!
Spear Phished!
TO: CITYWORKX@<HOSTNAME OF OUR CITY>.COM
“ Hello sir, I am <name of city administrator> and would like
the attached statistics filled out and sent back to me. Kindly
Send me the doc and also advise if you have questions. Look
forward you hear from you soon
....Mr. <city administrator name> ”

30. • WRONG!• WRONG!
CityRequest.doc

31. • WRONG!• WRONG!
Malware
• CityRequest.doc
• File gh.exe dumps all local password hashes
– <gh.exe –w>
• File ai.exe shovels a shell back to a dump server.
– < ai.exe –d1 (Domain) –c1 (Compare IP) –s (Service) >
• Malware communicating to a drop/CnC server in China.
• exploiting CVE 2012-0158

32. • WRONG!• WRONG!
Execution

33. • WRONG!• WRONG!
Execution
• Upon execution of CityRequest.docx, files leaving the server
in question after 5 days.
– Fake VPN config file
– Network statistics dump
– SAM database dump
– Gain persistence via process migration
• Won’t execute on Office 2010.

34. • WRONG!• Monitors reg keys for value changes
• Creates guard pages
• Dropped PE files
• Communicates to C2 IP’s
• Creates files
• Creates fake document and opens it
Malware Features

35. Attack: Days 1-4

36. Attack: Days 5-17

37. Attack: Days 18-???

38. • WRONG!• WRONG!
• Chose most prevalent attacker(s)
• Profiled, poked, and researched who they were
• Malware was code-reuse
Targeted? Who Knows…
Attacker Profile

39. Motivation?
• Motivation is hard to establish…

41. Recommendations
• Disable Internet access to your trusted resources. Where possible.
• Maintain your trusted resources at the latest patch levels, and
ensure you are diligent in monitoring when new patches/fixes are
released.
• Require username/password (two-factor if possible) combinations
for all systems, including those that are not deemed “trusted”.
• Control contractor access- Many SCADA/ICS networks utilize
remote contractors, and controlling how they access trusted
resources is imperative.

42. Recommendations
• Utilize SSL/TLS for all communications to web-based ICS/SCADA
systems.
• Control access to trusted devices. For instance, for access to a
segmented network, use a bastion host with ACL’s for
ingress/egress access.
• Improve logging on trusted environments, in addition to passing
logs to SIEM devices for third party backup/analysis.
• Utilize Zones- such as “BLAN”, “WLAN”, and “SCADA”.
• Develop a threat modeling system to your organization-
understand who’s attacking you, and why.

43. REMEMBER:
• These attacks are happening… In the USA, and many other places…

44. Shout
Twitter: @lowcalspam
Email: kyle_wilhoit@trendmicro.com
Non-Work: kylewilhoit@gmail.com
Please complete the speaker feedback surveys! (m.blackhat.com)