
Weapons of max destruction v41


Hack in Paris conference: Weapons of Mass Destruction V41, Protecting Country Critical Infrastructure, Tracking and Implications of Stuxnet, provides a detailed view of the ICS attack on the Iranian nuclear fuel enrichment plant.

Published in: Education, Technology, Business


  1. Hack in Paris – 2012. Weapons of mass destruction v4. Jorge Sebastiao
  2. Agenda
     • New World Order
     • Target Attack
     • Stuxnet
     • Flame
     • Implications
     • Q&A
  3. New World
  4. Siberia Pipeline 1982: CIA computer chip, “The Logic Bomb”
  5. Natanz: Peace and Prosperity. Nuclear Fuel Reprocessing Plant
  6. News
  7. Persistent Targeted Attacks: stats worldwide by industry sector since 2008; 18,172 targeted attacks during 2010
  8. Target Attacks
     Phase         Mass Attack                                      Targeted Attack
     Incursion     Generic social engineering;                      Handcrafted & personalized delivery
                   by-chance infection method
     Discovery     Typically no discovery; assumes pre-defined      Examination of the infected resource;
                   content; predictable location                    monitoring of the user; determine accessible
                                                                    resources & network enumeration
     Capture       Pre-defined specific data; matches a             Manual analysis & inspection of the data
                   pre-defined pattern (i.e. credit card number)
     Exfiltration  Information sent to a dump site with little      Information sent back to the attacker;
                   protection; not stored in location for an        dump site is long-term storage
                   extended time period
  9. What?
     1. Windows computer worm discovered in July 2010
     2. 100k+ lines of code (complex)
     3. 5 different exploits (4 MS vulnerabilities)
        1. LNK file bug – initial auto-exploitation via removable drive
        2. Task Scheduler – privilege escalation, Vista+
        3. Keyboard Layout – privilege escalation, XP
        4. Spooler / MOF files – spreading / lateral movement
        5. SMB vulnerability (MS08-067) – spreading / lateral movement
     4. Rootkit (hiding binaries)
  10. Paradigm Shift: consequences for the way we think…
  11. Timeline
  12. Focus on Siemens PLC
      • Targets SCADA networks
        • Siemens Simatic WinCC
      • Rootkit to hide itself
        • Classic Windows rootkit
        • PLC (Programmable Logic Controller) code changes also hidden
      • Spreads via USB sticks & network shares
      • Creates botnet
        • Industrial espionage ready: steal code, documents, project designs
        • Injects & hides code in PLCs – modifies production processes
  13. Overview
      • Target
        • Type: nuclear plant
        • Victim: Iran
        • Motivation: destroy centrifuges
      • Compromise
        • Social engineering – memory stick
        • Vector: SCADA systems
        • Vulnerability: Windows / Siemens
      • Response
        • Disclosure Jun 2010
        • Iran replaces 1000 centrifuges
        • Win / Siemens patches
  14. Attack Flow
  15. Propagation
  16. Network Propagation
      • Peer-to-peer communication & updates
      • Infecting WinCC machines via hardcoded database server password
      • Network shares
      • MS10-061 Print Spooler zero-day vulnerability
      • MS08-067 Windows Server Service vulnerability
  17. Testing – Metasploit
  18. Attack & Anti-Forensics
      • Uses encryption / encoding to obfuscate data streams
      • Polymorphic
      • Zero-day attacks
      • Rootkits to evade detection
      • In-memory execution without creating files
      • Remote programmable
      • Disabling itself
      • Hiding results / effects
  19. Siemens – SIMATIC PLCs
  20. From Rootkit to PLC
  21. Hides Feedback
  22. Resonance – Damage Frequency
      • In PLC: forces motors to spin
        • at 2 Hz
        • at 1064 Hz
      • Damages connected motors
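Slides 21 and 22 together describe what a defender has to catch from outside the compromised PLC/HMI path: the operator display is fed plausible values while the drives are pushed to 2 Hz and 1064 Hz. The Python monitor below is an added example written for this page, not code from the talk, from Siemens, or from any real ICS product. It assumes an independent sensor reading that does not pass through the PLC/HMI software, and every number in it is constructed: the 800–1000 Hz "safe band" stands in for a plant's engineered operating band, the 5 Hz display/sensor tolerance and the 50 Hz maximum per-sample step are placeholders, and the sample stream is invented so that the two frequencies named on the slide appear while the HMI keeps showing a normal value.

```python
"""Out-of-band plausibility monitor for variable-frequency drive readings.

Added example for this page; not the talk's or any vendor's code. Every
number below (safe band, tolerances, sample stream) is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed placeholder for the plant's engineered operating band (Hz).
SAFE_BAND_HZ = (800.0, 1000.0)
# Constructed: displayed and independently measured values may differ by this much.
MISMATCH_TOL_HZ = 5.0
# Constructed: largest legitimate change between consecutive samples (Hz).
MAX_STEP_HZ = 50.0


@dataclass(frozen=True)
class Sample:
    t: int               # seconds since start of the window (constructed)
    displayed_hz: float  # value the HMI/PLC reports to the operator
    measured_hz: float   # independent sensor that bypasses the PLC/HMI software


@dataclass(frozen=True)
class Alert:
    t: int
    kind: str    # "out_of_band", "hidden_feedback" or "abrupt_change"
    detail: str


def check_sample(s: Sample, band=SAFE_BAND_HZ, tol=MISMATCH_TOL_HZ) -> list[Alert]:
    """Stateless checks on one sample: band violation and display/sensor mismatch."""
    lo, hi = band
    alerts: list[Alert] = []
    if not lo <= s.measured_hz <= hi:
        alerts.append(Alert(s.t, "out_of_band",
                            f"sensor reads {s.measured_hz:.1f} Hz, outside {lo:.0f}-{hi:.0f} Hz"))
    if abs(s.displayed_hz - s.measured_hz) > tol:
        alerts.append(Alert(s.t, "hidden_feedback",
                            f"HMI shows {s.displayed_hz:.1f} Hz but sensor reads {s.measured_hz:.1f} Hz"))
    return alerts


def monitor(samples: list[Sample], band=SAFE_BAND_HZ, tol=MISMATCH_TOL_HZ,
            max_step=MAX_STEP_HZ) -> list[Alert]:
    """Per-sample checks plus a stateful rate-of-change check on the sensor value."""
    alerts: list[Alert] = []
    prev: Sample | None = None
    for s in samples:
        alerts.extend(check_sample(s, band, tol))
        if prev is not None and abs(s.measured_hz - prev.measured_hz) > max_step:
            alerts.append(Alert(s.t, "abrupt_change",
                                f"sensor jumped {prev.measured_hz:.1f} -> {s.measured_hz:.1f} Hz"))
        prev = s
    return alerts


def summarize(alerts: list[Alert]) -> dict[str, int]:
    """Count alerts per kind, for a dashboard tile or a test."""
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


# Constructed stream: the HMI keeps showing ~950 Hz while the independent
# sensor sees the two frequencies named on the slide, then recovers.
SAMPLE_STREAM = [
    Sample(0, 950.0, 950.0),
    Sample(1, 951.0, 951.0),
    Sample(2, 952.0, 1064.0),
    Sample(3, 952.0, 2.0),
    Sample(4, 953.0, 953.0),
]

if __name__ == "__main__":
    for a in monitor(SAMPLE_STREAM):
        print(f"t={a.t:>3}s  {a.kind:<16} {a.detail}")
    print(summarize(monitor(SAMPLE_STREAM)))
```

The design point is that none of the three checks trusts the value the PLC reports: the band and step checks run on the independent reading, and the mismatch check treats the reported value only as something to be contradicted. On the constructed stream the t=2 and t=3 samples each raise an out-of-band and a hidden-feedback alert, and the large jumps at t=2, t=3 and t=4 each raise an abrupt-change alert.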
  23. Distribution
  24. Infection Statistics: 29 September 2010, from Symantec – infected hosts
  25. Top Countries
  26. Siemens Infections [bar chart: Distribution of Infected Systems with Siemens Software, percent; values 67.60, 12.15, 8.10, 4.98, 2.18, 2.18, 1.56, 1.25; country axis labels not recoverable]
  27. Result: Attack Critical Infrastructure
  28. Target?
      • Natanz enrichment
      • Bushehr Nuclear Plant
      • 60%+ infections in Iran
      • No commercial gain
      • Self-destruct date
      • Siemens PLC
      • Target: nuclear program – enrichment plant
  29. Siemens Response (source: WSJ, NY Times, eWeek)
  30. SCADA Impact
  31. Strategy
  32. Flame
  33. Flame
      • Espionage
      • Sabotage
      • Size / modularity
      • Gaming language
  34. Risky Leaks
  35. Olympic Games – Prologue: “The worm was loose..”
  36. War and Cyberwar
      • Stuxnet
      • Duqu
      • Flame
      • …
  37. Recruiting
  38. Quote – Bruce Schneier: Stuxnet a “Mistake”
  39. 18 Critical Infrastructure Sectors
  40. Cross-Sector Interdependencies
      • Control systems security not sector specific
      • Connectivity crosses geographic boundaries
      • Sectors not operationally isolated
  41. Cyberwar: Rules of Engagement – China-USA 1998; USA-Iran 200?; Cyberwar = war?
  42. Failure on P>D+R
  43. Think outside the box
  44. Creative Weapons
  45. Questions: Jorge.sebastiao@gmail.com
