2. #WHOAMI
• Threat Researcher at Trend Micro: researcher and blogger on the criminal underground, persistent threats, and vulnerabilities.
• Bachelor's and Master's in Computer Science. Currently pursuing PhD. Normal security certifications: CISSP, GCIH, GCFE, etc…
• Research:
  - Malware detection/reversing
  - Persistent threats (malware-based espionage)
  - ICS/SCADA security
  - Vulnerabilities and the "Underground"
3. This presentation will focus on:
• Concerns/Overview of ICS Security
• How terrible the security profiles of ICS devices are
• Are ICS devices attacked?
• Who attacks ICS devices?
4. Agenda
• ICS Overview
• Typical ICS Deployment
• Overview of two SCADA protocols
• ICS Vulnerabilities
• SCADA on the Internet?
• Story Time!
• Findings
• Attacker Profile
• Recommendations
5. ICS Overview
What are ICS devices?
• Used in production of virtually anything
• Used in water, gas, energy, automobile manufacturing, etc.
• Notoriously insecure…in every way
• Software is sometimes embedded, sometimes not
• Typically proprietary
7. DNP3
• Used to send and receive messages
• Complex
• No authentication or encryption
• Several published vulnerabilities
8. Modbus
• Oldest ICS Protocol
• Controls I/O Interfaces (MOSTLY!!!!)
• No authentication or encryption! (Surprise!!!)
• No broadcast suppression
• Vulnerabilities are published
9. Security Concerns: ICS vs. Traditional IT Systems
ICS priorities:
• Productivity
• Up-time
• Reliability of data
IT priorities:
• Protect the data
• Protect comms
• Limit interruptions
12. SCADA on the Internet???
• Pastebin
• ERIPP
• Twitter
13. Story Time!
• Small town in rural America
• Water pump controlling water pressure/availability
• Population ~18,000
14. Story Time!
• Water pressure system Internet facing
• No firewalls/security measures in place
• Could cause catastrophic water pressure failures
15. Story Time!
• Attacked several times…during Q3-Q4
• Attackers successfully gained access
• Has not been made public
• This is not a story…
• Real-life event.
19. Honeypot Overview
• Two low-interaction
• One high-interaction
• Ran for 28 days in total
• One Windows Server 08
• Two Ubuntu 12.04 Servers
24. Vulnerabilities Presented
"If you can ping it, you own it"
• SNMP vulns (read/write SNMP, packet sniffing, IP spoofing)
• Authentication limitations
• Limits of Modbus/DNP3 authentication/encryption
• VxWorks vulnerability (FTP)
• Open access for certain ICS modifications: fan speed, temperature, and utilization.
25. What is an "attack"?
• ONLY attacks that were targeted
• ONLY attempted modification of pump system (FTP, Telnet, etc.)
• ONLY attempted modification via Modbus/DNP3
• DoS/DDoS will be considered attacks
26. Attack Profile: Countries
• China, 17
• US, 9
• Laos, 6
• UK, 4
• Russia, 3
• Brazil, 2
• Netherlands, 1
• Japan, 1
• Poland, 1
• Vietnam, 1
• Palestine, 1
• Chile, 1
• Croatia, 1
• North Korea, 1
• Not just IPs
27. Attack Overview
(Bar chart: count of attacks per category, axis 0 to 14; categories:)
• Modification of CPU fan speed
• Modbus traffic modification
• Secured area access attempt
• Modify pump pressure
• Modify temperature output
• Attempt to shutdown pump system
• VxWorks exploitation attempt
28. Snort Findings
• Used Digital Bond's Quickdraw SCADA Snort Rules
• Custom Snort Rules Created
• 1111006 – Modbus TCP – Unauthorized Read Request to a PLC
• 1111007 – Modbus TCP – Unauthorized Write Request to a PLC
• 1111206 / 11112061 – DNP3 – Unauthorized Read Request to a PLC
• 1111207 – DNP3 – Unauthorized Write Request to a PLC
• 1111208 – DNP3 – Unauthorized Miscellaneous Request to a PLC
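The Modbus TCP "unauthorized read/write request" rules above key on who is sending the request, because Modbus itself has no notion of an authorized master. The following is an added example, not Digital Bond's rule set or anything from the talk: it decodes the Modbus/TCP MBAP header and function code of constructed sample requests and reports any read or write from a host outside a hypothetical allowlist of masters (the addresses 10.0.0.5 and 203.0.113.7 are constructed for the example).

```python
import struct

# Public Modbus function codes (Modbus Application Protocol spec), split by intent
READ_FUNCS = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers",
               22: "Mask Write Register", 23: "Read/Write Multiple Registers"}

# Hypothetical allowlist of HMI/master addresses permitted to talk to the PLC
AUTHORIZED_MASTERS = {"10.0.0.5"}

def parse_mbap(payload):
    """Parse the 7-byte MBAP header and function code of a Modbus/TCP request.
    Returns None if the bytes are not well-formed Modbus/TCP."""
    if len(payload) < 8:
        return None
    trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0; length counts unit id + PDU (everything after byte 6)
    if proto_id != 0 or length != len(payload) - 6:
        return None
    return {"transaction": trans_id, "unit": unit_id,
            "function": payload[7], "pdu": payload[7:]}

def classify(src_ip, payload):
    """Mirror the read/write rule logic: any Modbus read or write to the PLC
    from a host outside the allowlist is reported as unauthorized."""
    hdr = parse_mbap(payload)
    if hdr is None:
        return "not-modbus"
    fc = hdr["function"]
    kind = "write" if fc in WRITE_FUNCS else "read" if fc in READ_FUNCS else "other"
    if src_ip in AUTHORIZED_MASTERS:
        return f"authorized {kind} (fc={fc})"
    return f"UNAUTHORIZED {kind} (fc={fc})"

# Constructed sample requests (unit 1): read 10 holding registers from 0,
# and write value 0x0200 into holding register 0x0010.
READ_REQ = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0x0000, 10)
WRITE_REQ = struct.pack(">HHHBBHH", 2, 0, 6, 1, 6, 0x0010, 0x0200)

def demo():
    """Run the classifier over the samples as the HMI and as an outside host."""
    return [classify("10.0.0.5", READ_REQ),        # authorized read (fc=3)
            classify("203.0.113.7", WRITE_REQ),    # UNAUTHORIZED write (fc=6)
            classify("203.0.113.7", b"\x16\x03")]  # not-modbus
```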
29. Spear Phished!
TO: CITYWORKX@<HOSTNAME OF OUR CITY>.COM
"Hello sir, I am <name of city administrator> and would like the attached statistics filled out and sent back to me. Kindly Send me the doc and also advise if you have questions. Look forward you hear from you soon
....Mr. <city administrator name>"
33. Execution
• Upon execution of CityRequest.docx, files were observed leaving the server in question after 5 days:
  – Fake VPN config file
  – Network statistics dump
  – SAM database dump
  – Gains persistence via process migration
• Won't execute on Office 2010.
34. Malware Features
• Monitors reg keys for value changes
• Creates guard pages
• Dropped PE files
• Communicates to C2 IPs
• Creates files
• Creates fake document and opens it
38. Attacker Profile
• Chose most prevalent attacker(s)
• Profiled, poked, and researched who they were
• Malware was code-reuse
• Targeted? Who knows…
41. Recommendations
• Disable Internet access to your trusted resources, where possible.
• Maintain your trusted resources at the latest patch levels, and ensure you are diligent in monitoring when new patches/fixes are released.
• Require username/password (two-factor if possible) combinations for all systems, including those that are not deemed "trusted".
• Control contractor access: many SCADA/ICS networks utilize remote contractors, and controlling how they access trusted resources is imperative.
42. Recommendations
• Utilize SSL/TLS for all communications to web-based ICS/SCADA systems.
• Control access to trusted devices. For instance, for access to a segmented network, use a bastion host with ACLs for ingress/egress access.
• Improve logging on trusted environments, in addition to passing logs to SIEM devices for third-party backup/analysis.
• Utilize zones, such as "BLAN", "WLAN", and "SCADA".
• Develop a threat modeling system for your organization: understand who's attacking you, and why.
Today I'm going to be talking about who's really attacking your ICS devices. There is a lot of hype about ICS devices and whether they are attacked, and I felt this needed more research to prove or disprove the data behind it. This talk isn't going to cover 0-days in ICS devices, nor is it going to cover some new tool to exploit ICS devices; it covers who's really attacking your ICS devices. Before we get started, I'm going to share a little bit about who I am.
I’m part of a team called “Future Threat Research”. We look at threats from the current to five years out.
Likewise, I will also be discussing the security profiles of ICS devices, and how terrible they are. In addition, I will cover how ICS devices are traditionally attacked, and who would usually do the attacking.
Before we get started on our talk today, let's quickly cover what I'm going to discuss. This is a full talk, so we're going to have to breeze through these slides quickly, covering a lot of topics in a short period of time. A.) First, we're going to cover what in the hell ICS devices are, and where they are used. B.) Second, I'm going to give an overview of the two most widely used SCADA protocols: Modbus and DNP3.
So…what are ICS devices? Typically proprietary, based on manufacturer/function!!!!
This is a typical ICS deployment. A few things to take note of here: A.) The SCADA network sits on top, under "Supervisory Network". You would typically see these in office locations of a mining site, for instance. B.) The control networks sit below, labeled "Control systems". These control systems are typically found in remote areas of an industrial site, and can be seen as controllers on an assembly belt, for instance. C.) There are no security devices anywhere to be found. THIS IS TYPICAL!!!! Typical ICS devices have no security whatsoever.
The assumption exists that DNP3 traffic comes from the same subnet…TRUST FLAW!!!!!!!!!!! A DNP3 frame consists of a header and a data section. The header specifies the frame size, contains data link control information, and identifies the DNP3 source and destination device addresses. The data section is commonly called the payload and contains data passed down from the layers above.
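To make the header layout concrete, here is an added example (not code from the talk): it decodes the 10-byte DNP3 data link header (start bytes, LEN, CTRL, DEST, SRC, CRC-16/DNP), checks the CRC, and shows why the source address is a trust flaw: it is a plain field with nothing authenticating it, so an allowlist check on it can only raise an alert, never enforce access. The sample frame and the set of expected master addresses are constructed for the example.

```python
import struct

DNP3_START = b"\x05\x64"          # every DNP3 data link frame begins 0x05 0x64

def crc_dnp(data):
    """CRC-16/DNP: reflected polynomial 0x3D65 (0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

# Primary-station (initiator) link function codes, carried in the low nibble of CTRL
PRIMARY_FUNCS = {0: "RESET_LINK_STATES", 2: "TEST_LINK_STATES",
                 3: "CONFIRMED_USER_DATA", 4: "UNCONFIRMED_USER_DATA",
                 9: "REQUEST_LINK_STATUS"}

def parse_link_header(frame):
    """Decode the 10-byte DNP3 link header: start, LEN, CTRL, DEST, SRC, CRC.
    Raises ValueError on a short frame, bad start bytes or a CRC mismatch."""
    if len(frame) < 10:
        raise ValueError("frame shorter than a link header")
    if frame[:2] != DNP3_START:
        raise ValueError("bad start bytes")
    length, control, dest, src = struct.unpack("<BBHH", frame[2:8])
    (crc,) = struct.unpack("<H", frame[8:10])
    if crc != crc_dnp(frame[:8]):
        raise ValueError("header CRC mismatch")
    fc = control & 0x0F
    return {
        "length": length,               # bytes after LEN, CRC octets excluded
        "user_data_len": length - 5,    # CTRL + DEST + SRC account for 5 of them
        "dir_from_master": bool(control & 0x80),
        "primary": bool(control & 0x40),
        "function": PRIMARY_FUNCS.get(fc, f"fc={fc}") if control & 0x40 else f"secondary fc={fc}",
        "dest": dest,
        "src": src,
    }

def source_is_expected(frame, expected_masters):
    """Detection heuristic only: SRC is an unauthenticated field, so a mismatch
    is a monitoring alert, not an access control."""
    return parse_link_header(frame)["src"] in expected_masters

# Constructed sample: link-reset request from master address 0x0400 to outstation 1
# (LEN=5, CTRL=0xC0 -> DIR=1, PRM=1, FC=0), followed by its header CRC.
RESET_LINK_FRAME = bytes.fromhex("0564 05 c0 0100 0004 e921")
```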
Used to read/write input/output interfaces. Very simple and usage is limited in nature.
26% of incidents revolved around Internet-facing and Water…
Many ICS devices are Internet facing and have VERY little security. Target-rich environment. These Internet-facing devices bring me to our story time.
Recent water plant in IL, for instance.
This is where the presentation gets fun. I’m not going to talk about how I exploited a vulnerability in an ICS or SCADA device, nor am I going to talk about a zero-day affecting SCADA devices. What I’m going to do is share a story about a small town in rural Missouri, in the US.
The honeypot architecture is fairly straightforward; I used two low-… You see in the screenshots that the fields are identical to what you would see in a traditional ICS device control page.
What these attackers see is what an attacker would see in a traditional ICS setup. Having pen tested ICS/SCADA environments, I replicated this honeypot architecture to directly mimic commonly found ICS device deployments. The external IP could be considered the "HMI"; the PLC is what directly mimics the water pressure plant.
These administrative functions would be considered Modbus and DNP3. These salted documents are what you would traditionally find on ICS boxes…such as engineering documents, geospatial information, load control documents, etc.
This honeywall allows us to do several things. First, it allows us to pass traffic to two different Amazon EC2 instances that may not be logically or physically connected. Again, "External IP" would be considered the HMI (Human Machine Interface). Second, it allows us to have a secondary point of logging should the attacker gain access.
Honeypot components: Snort (Digital Bond Modbus TCP rules), BeEF, Dionaea, Tcpdump, Honeyd, Nano-10, Siemens SIMATIC S7-1200 CPU 1212C, Dell DL360, Amazon EC2, SMTP, salted sample data.
Authentication limitations: we set the username/password to something more complex than admin/admin to ensure we were seeing what we considered "targeted" attacks. We were really only interested in "targeted attacks".
Not port scans or non-targeted attacks. Not automated attacks. Not drive-bys. We are only concerned with targeted attacks against ICS devices. We saw multiple attack attempts via the standard drive-bys and automated attacks. Think of these classifications: Information Disclosure, Communications Weakness, Access Control and Permission Errors, Configuration Errors, Input Validation Errors.
49 attacks in total. 17 were considered "catastrophic"; the rest were considered "attacks" that "could" cause massive issues. 1.) China 2.) USA 3.) Laos. An interesting country of attack origin: North Korea. More information on that in a second.
There were a lot of attackers interested in not providing water to the people of Arnold during our testing. Also interested in having people drink warm water (North Korea: Modbus traffic modification). Authenticated realm: pump system and temperature output.
Custom rules created for SCADA controllers, vulnerabilities, and protocols. Highly effective for low-interaction honeypots. In addition, it works well for high-interaction honeypots. Direct modifications to Modbus and DNP3: these would be considered the most targeted of all attacks we saw during our testing period. As if all that information isn't interesting enough, it's about to get even more interesting.
It got weird when I checked our email at CITYWORKX@<HOSTNAME OF OUR CITY>.COM. It had an attachment named CITYREQUEST.DOC.
Document dropped two PE files: gh.exe and ai.exe. NOTE (NOT TO DISCLOSE): this is Comment Crew, HACKSFASE. Confirmed.
Will execute on Office 03/07 with various Service Packs.
Mutexes created; process migration; IOCs available.
Attacker days 1-4
Attacker days 5-17
Just a super sweet venn to show “WHO” could be interested in pwnage of water goodness.