SlideShare a Scribd company logo

TRITON: The Next Generation of ICS Malware

T
Thomas Roccia

This presentation is about the industrial malware dubbed Triton that targeted Safety Industrial System in a oil and gas plant in 2017. It was presented during the CNES COMET event about Industrial Threats.

Technology
1 of 31
Download to read offline
The Next Generation of ICS Malware Overview of Triton Thomas ROCCIA Security Researcher, Advanced Threat Research
2CNES COMET SSI - Thomas Roccia – 2018 Whoami Thomas ROCCIA Security Researcher, Advanced Threat Research @fr0gger_ https://securingtomorrow.mcafee.com/author/thomas-roccia/ http://troccia.tdgt.org Disclaimer: all the research presented are based on the public and internal information collected by the actors who were engaged during the investigation. A combined investigation and collaboration within the following actors: The FBI, NCCIC, Schneider Electric, McAfee, FireEye, DragosInc, Nozomi, Cyberx…
3CNES COMET SSI - Thomas Roccia – 2018 Agenda • Brief ICS Malware History • Safety Instrumented System (SIS) • TRITON Attack Overview • Detection Demo • About the Attackers • Take Away
4CNES COMET SSI - Thomas Roccia – 2018 STUXNET 2010 HAVEX 2013 BLACKENERGY 2015 IRONGATE 2015 INDUSTROYER 2016 TRITON 2017 ICS Malware over the past
5CNES COMET SSI - Thomas Roccia – 2018 STUXNET 2010 HAVEX 2013 BLACKENERGY 2015 IRONGATE 2015 INDUSTROYER 2016 TRITON 2017 ICS Malware over the past • Targeted Iranian centrifuges • Spread via USB and over the network • Used four zero-day • Able to reprogram the PLC to change the rotation speed of centrifuges • Designed to control the industrial Process
6CNES COMET SSI - Thomas Roccia – 2018 2010 STUXNET HAVEX 2013 BLACKENERGY 2015 IRONGATE 2015 INDUSTROYER 2016 TRITON 2017 ICS Malware over the past • Targeted energy grids, electricity firms, petroleum pipeline operators • Spread via, spear phishing and watering hole • Detected ICS devices using OPC (Open Platform Communication) • Attackers collected a large amount of data and were able to remotely monitor the industrial system • Designed for espionage and sabotage
7CNES COMET SSI - Thomas Roccia – 2018 STUXNET 2010 HAVEX 2013 BLACKENERGY 2015 IRONGATE 2015 INDUSTROYER 2016 TRITON 2017 ICS Malware over the past • First appears in 2007 as a DDOS malware • Spread via spear phishing and weaponized Microsoft Document • Remote monitoring of SCADA system • Disabling and destroying several IT infrastructure component • Destruction of file stored on servers and workstations • 230,000 people in Ukraine were left in the dark for six hours after hackers compromised several power distribution centers
8CNES COMET SSI - Thomas Roccia – 2018 STUXNET 2010 HAVEX 2013 IRONGATE 2015 INDUSTROYER 2016 TRITON 2017 ICS Malware over the past • The malware targets a simulated Siemens control system environment • Stuxnet-like behavior • Includes evasion mechanisms (anti-vm, antiav…) • Mostly written in Python • Probably a penetration tool or a Proof of concept BLACKENERGY 2015
9CNES COMET SSI - Thomas Roccia – 2018 STUXNET 2010 HAVEX 2013 INDUSTROYER 2016 TRITON 2017 ICS Malware over the past • Targeted Ukraine’s power grid • Remote control and persistence mechanisms • Abused OPC (Open Platform Communication) • Contained a data wiper component • Shutdown for the second time Ukraine’s power grid IRONGATE 2015 BLACKENERGY 2015
10CNES COMET SSI - Thomas Roccia – 2018 STUXNET 2010 HAVEX 2013 TRITON 2017 • Targeted Middle Eastern oil and gas petrochemical facility • Interacting with a Safety Instrumented System (SIS) • Abuse of the TriStation proprietary communication protocol • Detected thanks to “an accidental shutdown” • The Triton attack is considered as unprecedented and could have done physical impact! BLACKENERGY 2015 IRONGATE 2015 INDUSTROYER 2016 ICS Malware over the past
11CNES COMET SSI - Thomas Roccia – 2018 STUXNET 2010 HAVEX 2013 TRITON 2017 BLACKENERGY 2015 IRONGATE 2015 INDUSTROYER 2016 Even regular Malware can impact ICS WANNACRY: Maersk, Renault, NHS SamSam: Unnamed ICS company in the U.S NOTPETYA: Chernobyl nuclear power plant, power grid, and healthcare systems RAMNIT: German nuclear energy plant in Gundremmingen SHAMOON: Saudi and Qatari 2012 CryptoMiner: Water Utility in Europe 2018
12CNES COMET SSI - Thomas Roccia – 2018 Safety Instrumented Systems • Safety Instrumented System are designed to add a layer of security • Schneider Triconex safety controllers used in 18000 plants (nuclear, oil and gas refineries, chemical plants…) • Such attacks require a high level of process comprehension (analysis of acquired documents, diagrams, device configurations and network traffic). • TRITON specifically targeted a system that is designed to protect human life. Source: https://www.arcweb.com/sites/default/files/Images/blog-images/Layers-of-Protection.png
13CNES COMET SSI - Thomas Roccia – 2018 Attackers Collected Many Information
14CNES COMET SSI - Thomas Roccia – 2018 TRITON Attack OVERVIEW Customer Network Previous research from TALOS specify ICS targeted attack by phishing delivering payload via a compromise SMB server !No evidence found! IT DCS / ICS TRITON SIS Controllers SIS Engineering Workstation Physical Process TRITON Launch Cyberattack? Trilog.exe Triconex MP3008 Firmware v10.0–10.4 MPC860 PowerPC Processor Tristation Protocol UDP 1502 TRITON specifically targets this version of Triconex.
15CNES COMET SSI - Thomas Roccia – 2018 Triton Framework Main Modules Trilog.exe • Python files compiled in the main executable • Masquerades Triconex Trilog application • Receive IP address as argument • Python scripts • Contains attack framework Library.zip • Payload that places “imain.bin” in the memory controllerinject.bin imain.bin • Backdoor Implant Missing OT Payload • Physical impact
16CNES COMET SSI - Thomas Roccia – 2018 Triton Framework Main Modules Filename Description trilog.exe Python executable main module (includes script_test.py) |_PresetStatus PPC shellcode use to perform a periodic check and deploy the next stages |_DummyProgram Anti-forensic trick used to reset the memory and avoid forensic detection (clean-up) inject.bin Injector used to verify every thing and injected the next payload imain.bin Used to perform custom actions on-demand Filename Description Library.zip Python module library used by trilog.exe. |_TsLow.pyc Implement low functionalities such as UDP, TCM. Used to send, receive and parse packet. |_TsBase.pyc Basic functionalities used to interact with the Controller (upload, download, device status). |_TsHi.pyc Appending program, uploading, retrieving program table, interpreting status structures. |_Ts_cnames.pyc Strings representation of TS protocol features (message, error codes…). |_crc.pyc Implements or imports a number of standard CRC functions. |_sh.pyc Few utility functions for flipping endianness and printing out binary data with a hexadecimal representation.
17CNES COMET SSI - Thomas Roccia – 2018 Trilog.exe (Script_test.py) • Main python file that takes the target SIS IP Address • Attackers reversed the Tristation Communication Protocol ATTACKER SIS Target TS_cnames.py
18CNES COMET SSI - Thomas Roccia – 2018 Tristation Communication Protocol • UDP Protocol • Port 1502 • Triton checked the state of the controller • Some companies created a Wireshark Dissector (Nozomi, Fireewe, MidnightBlue) Protocol Name Kind of Answer Communication Direction Controller Information “Running State” Required by Triton
19CNES COMET SSI - Thomas Roccia – 2018 Initial Payload - Stage 1 (PERIODIC CHECK) • Set an argument or Control Value in the Tricon’s Memory • Check to test ability to upload and execute code • The value (0x00008001) is used as an argument by the second-stage inject.bin • This shellcode writes the value into the « fstat » field of the Control Program (CP) Status structure.
20CNES COMET SSI - Thomas Roccia – 2018 Initial Payload - Stage 1 (PERIODIC CHECK) • Look for 2 values in the memory • 0x40 • 0x60 • If found, it overwrites the memory with the value 0x00008001 • If it doesn’t found the values, it means it is not the right target
21CNES COMET SSI - Thomas Roccia – 2018 Implant Installer (Inject.bin) – Stage2 • Main goal Inject.bin is to write the next stage (imain.bin) • The code is loaded into the memory • It can be changed during runtime (it won’t persist after a reboot). • Make sure the attacker has an active backdoor on the device even if the physical key/switch is turned to non-programming mode.
22CNES COMET SSI - Thomas Roccia – 2018 Implant Installer (Inject.bin) – Stage2 • Inject.bin assumes the argument written by the first stage payload resides at a static address and uses it as: 1. A countdown for the number of cycles to idle 2. A step counter to track and control execution progress 3. A field for writing debug information upon failure. • Attackers monitor inject.bin for problems. • If no problems are detected, the stage 3 is injected and 'Script SUCCESS' is output. • If an exception occured a dummy program containing nothing but a system_call (-1) is appended.
23CNES COMET SSI - Thomas Roccia – 2018 Backdoor Implant (imain.bin) – Stage3 • Backdoor (imain.bin) allows an attacker to have Read/Write/Execute access to the Safety Controller memory. • It allows an attacker to inject and execute a more disruptive payload by adding malicious function (OT Payload– Stage4?). • The TRITON framework can communicate with the implant with the 3 functions: • TsHi.ExplReadRam() • TsHi.ExplWriteRam() • TsHi.ExplExec()
24CNES COMET SSI - Thomas Roccia – 2018 Backdoor Protocol (imain.bin) – Stage3 • The previous three function uses TsBase.ExecuteExploit • It creates a TriStation « Get Main Processor Diagnostic Data » command with a crafted packet: • [Standard Tricon packet headers][opcode][special identifier][data] • Special identifier == 0xFF • Read == 0x17 • Write == 0x41 • Execute == 0xF9 Special Identifier READ WRITE EXECUTE
25CNES COMET SSI - Thomas Roccia – 2018 OT Payload (missing) – Stage 4 • Fourth stage payload (OT Payload) wasn’t recovered • All the investigation specified that the attack has been detected before a cyber- physical damage scenario
26CNES COMET SSI - Thomas Roccia – 2018 Demo Detection On the Network • Nozomi created a honeypot to simulate the SIS System • We modified the source code to create an alert system on a cheap material
27CNES COMET SSI - Thomas Roccia – 2018 About the Attackers • The sophistication of the attack and the resources needed could indicate the attackers had high budget to conduct it. • External sources point to different direction. • However attribution is not something easy and can lead to false conclusion. • It is still currently unclear where the attackers comes from… • And what was the end goal (disruption or destruction?) • One thing is sure, attackers are gaining more experience and increased their arsenal!
28CNES COMET SSI - Thomas Roccia – 2018 Lesson Learned / Takeaways • Devices « insecure by design » have been exposed to hyper-connected environments they were not quite designed for. • There is a lack of basic IT/OT security hygiene and early warning insights • The same technique can be used against other ICS systems/OT vendors. • Kudos to Schneider Electric to share the incident and details about the investigation and take the appropriate actions (creating a new way to detect such attacks). • The Triconex Tricons have addressed not only the vulnerability leveraged in the attack, but have also built multiple defenses against the techniques used in the attack.
29CNES COMET SSI - Thomas Roccia – 2018 References • https://blog.schneider-electric.com/cyber-security/2018/08/07/one-year-after-triton-building-ongoing-industry-wide- cyber-resilience/ • https://www.youtube.com/watch?v=f09E75bWvkk • https://ics-cert.us-cert.gov/sites/default/files/ICSJWG-Archive/QNL_DEC_17/Waterfall_top-20-attacks-article-d2%20- %20Article_S508NC.pdf • https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html • https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware • https://www.nozominetworks.com/2018/07/18/blog/new-triton-analysis-tool-wireshark-dissector-for-tristation-protocol/ • https://cyberx-labs.com/en/blog/triton-post-mortem-analysis-latest-ot-attack-framework/ • https://vimeo.com/275906105 • https://vimeo.com/248057640 • https://blog.talosintelligence.com/2017/07/template-injection.html
30CNES COMET SSI - Thomas Roccia – 2018 Thank You Thomas ROCCIA Security Researcher, Advanced Threat Research @fr0gger_ https://securingtomorrow.mcafee.com/author/thomas-roccia/ Q/A
31CNES COMET SSI - Thomas Roccia – 2018 McAfee, the McAfee logo and [insert <other relevant McAfee Names>] are trademarks or registered trademarks of McAfee LLC or its subsidiaries in the U.S. and/or other countries. Other names and brands may be claimed as the property of others. Copyright © 2017 McAfee LLC. 3

Recommended

PurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaPurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal Asia
Mauricio Velazco
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
Jason Lang
 
From OSINT to Phishing presentation
From OSINT to Phishing presentationFrom OSINT to Phishing presentation
From OSINT to Phishing presentation
Jesse Ratcliffe, OSCP
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
Paul Melson
 
Sandbox Evasion Cheat Sheet
Sandbox Evasion Cheat SheetSandbox Evasion Cheat Sheet
Sandbox Evasion Cheat Sheet
Thomas Roccia
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
Sunny Neo
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdf
Farouk2nd
 

Recommended

PurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaPurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal Asia
Mauricio Velazco
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
Jason Lang
 
From OSINT to Phishing presentation
From OSINT to Phishing presentationFrom OSINT to Phishing presentation
From OSINT to Phishing presentation
Jesse Ratcliffe, OSCP
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
Paul Melson
 
Sandbox Evasion Cheat Sheet
Sandbox Evasion Cheat SheetSandbox Evasion Cheat Sheet
Sandbox Evasion Cheat Sheet
Thomas Roccia
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
Sunny Neo
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdf
Farouk2nd
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
GIBIN JOHN
 
[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛
[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛
[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛
CODE BLUE
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
OlehLevytskyi1
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat Sheet
Juan F. Padilla
 
BugBounty Tips.pdf
BugBounty Tips.pdfBugBounty Tips.pdf
BugBounty Tips.pdf
KhaledMohamed767546
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
n|u - The Open Security Community
 
Ready player 2 Multiplayer Red Teaming Against macOS
Ready player 2 Multiplayer Red Teaming Against macOSReady player 2 Multiplayer Red Teaming Against macOS
Ready player 2 Multiplayer Red Teaming Against macOS
Cody Thomas
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
Subho Halder
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
Touhami Kasbaoui
 
Security Best Practices for Mobile Development @ Dreamforce 2013
Security Best Practices for Mobile Development @ Dreamforce 2013Security Best Practices for Mobile Development @ Dreamforce 2013
Security Best Practices for Mobile Development @ Dreamforce 2013
Tom Gersic
 
Shodan- That Device Search Engine
Shodan- That Device Search EngineShodan- That Device Search Engine
Shodan- That Device Search Engine
InMobi Technology
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Andy Robbins
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
Nikhil Mittal
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
n|u - The Open Security Community
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
IIJ
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
Nick Landers
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Soroush Dalili
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
Will Schroeder
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS Communications
Digital Bond
 
Test Execution Infrastructure for IoT Quality analysis
Test Execution Infrastructure for IoT Quality analysisTest Execution Infrastructure for IoT Quality analysis
Test Execution Infrastructure for IoT Quality analysis
Axel Rennoch
 

More Related Content

What's hot

Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
GIBIN JOHN
 
[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛
[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛
[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛
CODE BLUE
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
OlehLevytskyi1
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat Sheet
Juan F. Padilla
 
BugBounty Tips.pdf
BugBounty Tips.pdfBugBounty Tips.pdf
BugBounty Tips.pdf
KhaledMohamed767546
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
n|u - The Open Security Community
 
Ready player 2 Multiplayer Red Teaming Against macOS
Ready player 2 Multiplayer Red Teaming Against macOSReady player 2 Multiplayer Red Teaming Against macOS
Ready player 2 Multiplayer Red Teaming Against macOS
Cody Thomas
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
Subho Halder
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
Touhami Kasbaoui
 
Security Best Practices for Mobile Development @ Dreamforce 2013
Security Best Practices for Mobile Development @ Dreamforce 2013Security Best Practices for Mobile Development @ Dreamforce 2013
Security Best Practices for Mobile Development @ Dreamforce 2013
Tom Gersic
 
Shodan- That Device Search Engine
Shodan- That Device Search EngineShodan- That Device Search Engine
Shodan- That Device Search Engine
InMobi Technology
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Andy Robbins
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
Nikhil Mittal
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
n|u - The Open Security Community
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
IIJ
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
Nick Landers
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Soroush Dalili
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
Will Schroeder
 

What's hot (20)

Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛
[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛
[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat Sheet
 
BugBounty Tips.pdf
BugBounty Tips.pdfBugBounty Tips.pdf
BugBounty Tips.pdf
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
 
Ready player 2 Multiplayer Red Teaming Against macOS
Ready player 2 Multiplayer Red Teaming Against macOSReady player 2 Multiplayer Red Teaming Against macOS
Ready player 2 Multiplayer Red Teaming Against macOS
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
 
Security Best Practices for Mobile Development @ Dreamforce 2013
Security Best Practices for Mobile Development @ Dreamforce 2013Security Best Practices for Mobile Development @ Dreamforce 2013
Security Best Practices for Mobile Development @ Dreamforce 2013
 
Shodan- That Device Search Engine
Shodan- That Device Search EngineShodan- That Device Search Engine
Shodan- That Device Search Engine
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLs
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 

Similar to TRITON: The Next Generation of ICS Malware

Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS Communications
Digital Bond
 
Test Execution Infrastructure for IoT Quality analysis
Test Execution Infrastructure for IoT Quality analysisTest Execution Infrastructure for IoT Quality analysis
Test Execution Infrastructure for IoT Quality analysis
Axel Rennoch
 
Analysis of exposed ICS//SCADA/IoT systems in Europe
Analysis of exposed ICS//SCADA/IoT systems in EuropeAnalysis of exposed ICS//SCADA/IoT systems in Europe
Analysis of exposed ICS//SCADA/IoT systems in Europe
Francesco Faenzi
 
Cybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practisesCybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practises
WAJAHAT IQBAL
 
Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18
Nozomi Networks
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slides
Marina Krotofil
 
Optional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierOptional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet Dossier
Alireza Ghahrood
 
Modern cybersecurity threats, and shiny new tools to help deal with them
Modern cybersecurity threats, and shiny new tools to help deal with themModern cybersecurity threats, and shiny new tools to help deal with them
Modern cybersecurity threats, and shiny new tools to help deal with them
Tudor Damian
 
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
Hacks in Taiwan (HITCON)
 
How We Protected Our Router
How We Protected Our RouterHow We Protected Our Router
How We Protected Our Router
GlobalLogic Ukraine
 
BLOCKHUNTER.pptx
BLOCKHUNTER.pptxBLOCKHUNTER.pptx
BLOCKHUNTER.pptx
BhanuCharan9
 
Modern cybersecurity threats, and shiny new tools to help deal with them - T...
Modern cybersecurity threats, and shiny new tools to help deal with them - T... Modern cybersecurity threats, and shiny new tools to help deal with them - T...
Modern cybersecurity threats, and shiny new tools to help deal with them - T...
ITCamp
 
Het ecosysteem als complete bescherming tegen cybercriminaliteit [pvh]
Het ecosysteem als complete bescherming tegen cybercriminaliteit [pvh]Het ecosysteem als complete bescherming tegen cybercriminaliteit [pvh]
Het ecosysteem als complete bescherming tegen cybercriminaliteit [pvh]
Nancy Nimmegeers
 
CONFidence 2018: Defending Microsoft Environments at Scale (Vineet Bhatia)
CONFidence 2018: Defending Microsoft Environments at Scale (Vineet Bhatia)CONFidence 2018: Defending Microsoft Environments at Scale (Vineet Bhatia)
CONFidence 2018: Defending Microsoft Environments at Scale (Vineet Bhatia)
PROIDEA
 
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack FrameworkDragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos, Inc.
 
Отчет Audit report RAPID7
Отчет Audit report RAPID7 Отчет Audit report RAPID7
Отчет Audit report RAPID7
Sergey Yrievich
 
Report PAPID 7
Report PAPID 7Report PAPID 7
Report PAPID 7
Sergey Yrievich
 
Supply Chain Attacks
Supply Chain AttacksSupply Chain Attacks
Supply Chain Attacks
Lionel Faleiro
 
Generación V de ciberataques
Generación V de ciberataquesGeneración V de ciberataques
Generación V de ciberataques
Cristian Garcia G.
 
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
TI Safe
 

Similar to TRITON: The Next Generation of ICS Malware (20)

Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS Communications
 
Test Execution Infrastructure for IoT Quality analysis
Test Execution Infrastructure for IoT Quality analysisTest Execution Infrastructure for IoT Quality analysis
Test Execution Infrastructure for IoT Quality analysis
 
Analysis of exposed ICS//SCADA/IoT systems in Europe
Analysis of exposed ICS//SCADA/IoT systems in EuropeAnalysis of exposed ICS//SCADA/IoT systems in Europe
Analysis of exposed ICS//SCADA/IoT systems in Europe
 
Cybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practisesCybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practises
 
Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slides
 
Optional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierOptional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet Dossier
 
Modern cybersecurity threats, and shiny new tools to help deal with them
Modern cybersecurity threats, and shiny new tools to help deal with themModern cybersecurity threats, and shiny new tools to help deal with them
Modern cybersecurity threats, and shiny new tools to help deal with them
 
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
 
How We Protected Our Router
How We Protected Our RouterHow We Protected Our Router
How We Protected Our Router
 
BLOCKHUNTER.pptx
BLOCKHUNTER.pptxBLOCKHUNTER.pptx
BLOCKHUNTER.pptx
 
Modern cybersecurity threats, and shiny new tools to help deal with them - T...
Modern cybersecurity threats, and shiny new tools to help deal with them - T... Modern cybersecurity threats, and shiny new tools to help deal with them - T...
Modern cybersecurity threats, and shiny new tools to help deal with them - T...
 
Het ecosysteem als complete bescherming tegen cybercriminaliteit [pvh]
Het ecosysteem als complete bescherming tegen cybercriminaliteit [pvh]Het ecosysteem als complete bescherming tegen cybercriminaliteit [pvh]
Het ecosysteem als complete bescherming tegen cybercriminaliteit [pvh]
 
CONFidence 2018: Defending Microsoft Environments at Scale (Vineet Bhatia)
CONFidence 2018: Defending Microsoft Environments at Scale (Vineet Bhatia)CONFidence 2018: Defending Microsoft Environments at Scale (Vineet Bhatia)
CONFidence 2018: Defending Microsoft Environments at Scale (Vineet Bhatia)
 
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack FrameworkDragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
 
Отчет Audit report RAPID7
Отчет Audit report RAPID7 Отчет Audit report RAPID7
Отчет Audit report RAPID7
 
Report PAPID 7
Report PAPID 7Report PAPID 7
Report PAPID 7
 
Supply Chain Attacks
Supply Chain AttacksSupply Chain Attacks
Supply Chain Attacks
 
Generación V de ciberataques
Generación V de ciberataquesGeneración V de ciberataques
Generación V de ciberataques
 
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
 

More from Thomas Roccia

CoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLVCoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLV
Thomas Roccia
 
42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond
Thomas Roccia
 
Wannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedWannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons Learned
Thomas Roccia
 
Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion Techniques
Thomas Roccia
 
Ransomware Teslacrypt Uncovered - Malware Analysis
Ransomware Teslacrypt Uncovered - Malware AnalysisRansomware Teslacrypt Uncovered - Malware Analysis
Ransomware Teslacrypt Uncovered - Malware Analysis
Thomas Roccia
 
Research Paper on Digital Forensic
Research Paper on Digital ForensicResearch Paper on Digital Forensic
Research Paper on Digital Forensic
Thomas Roccia
 
Windows Kernel Debugging
Windows Kernel DebuggingWindows Kernel Debugging
Windows Kernel Debugging
Thomas Roccia
 
Sec day cuckoo_workshop
Sec day cuckoo_workshopSec day cuckoo_workshop
Sec day cuckoo_workshop
Thomas Roccia
 

More from Thomas Roccia (8)

CoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLVCoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLV
 
42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond
 
Wannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedWannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons Learned
 
Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion Techniques
 
Ransomware Teslacrypt Uncovered - Malware Analysis
Ransomware Teslacrypt Uncovered - Malware AnalysisRansomware Teslacrypt Uncovered - Malware Analysis
Ransomware Teslacrypt Uncovered - Malware Analysis
 
Research Paper on Digital Forensic
Research Paper on Digital ForensicResearch Paper on Digital Forensic
Research Paper on Digital Forensic
 
Windows Kernel Debugging
Windows Kernel DebuggingWindows Kernel Debugging
Windows Kernel Debugging
 
Sec day cuckoo_workshop
Sec day cuckoo_workshopSec day cuckoo_workshop
Sec day cuckoo_workshop
 

Recently uploaded

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 

Recently uploaded (20)

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 

TRITON: The Next Generation of ICS Malware

  • 1. The Next Generation of ICS Malware Overview of Triton Thomas ROCCIA Security Researcher, Advanced Threat Research
  • 2. 2CNES COMET SSI - Thomas Roccia – 2018 Whoami Thomas ROCCIA Security Researcher, Advanced Threat Research @fr0gger_ https://securingtomorrow.mcafee.com/author/thomas-roccia/ http://troccia.tdgt.org Disclaimer: all the research presented are based on the public and internal information collected by the actors who were engaged during the investigation. A combined investigation and collaboration within the following actors: The FBI, NCCIC, Schneider Electric, McAfee, FireEye, DragosInc, Nozomi, Cyberx…
  • 3. 3CNES COMET SSI - Thomas Roccia – 2018 Agenda • Brief ICS Malware History • Safety Instrumented System (SIS) • TRITON Attack Overview • Detection Demo • About the Attackers • Take Away
  • 4. 4CNES COMET SSI - Thomas Roccia – 2018 STUXNET 2010 HAVEX 2013 BLACKENERGY 2015 IRONGATE 2015 INDUSTROYER 2016 TRITON 2017 ICS Malware over the past
  • 5. 5CNES COMET SSI - Thomas Roccia – 2018 STUXNET 2010 HAVEX 2013 BLACKENERGY 2015 IRONGATE 2015 INDUSTROYER 2016 TRITON 2017 ICS Malware over the past • Targeted Iranian centrifuges • Spread via USB and over the network • Used four zero-day • Able to reprogram the PLC to change the rotation speed of centrifuges • Designed to control the industrial Process
  • 6. 6CNES COMET SSI - Thomas Roccia – 2018 2010 STUXNET HAVEX 2013 BLACKENERGY 2015 IRONGATE 2015 INDUSTROYER 2016 TRITON 2017 ICS Malware over the past • Targeted energy grids, electricity firms, petroleum pipeline operators • Spread via, spear phishing and watering hole • Detected ICS devices using OPC (Open Platform Communication) • Attackers collected a large amount of data and were able to remotely monitor the industrial system • Designed for espionage and sabotage
  • 7. 7CNES COMET SSI - Thomas Roccia – 2018 STUXNET 2010 HAVEX 2013 BLACKENERGY 2015 IRONGATE 2015 INDUSTROYER 2016 TRITON 2017 ICS Malware over the past • First appears in 2007 as a DDOS malware • Spread via spear phishing and weaponized Microsoft Document • Remote monitoring of SCADA system • Disabling and destroying several IT infrastructure component • Destruction of file stored on servers and workstations • 230,000 people in Ukraine were left in the dark for six hours after hackers compromised several power distribution centers
  • 8. 8CNES COMET SSI - Thomas Roccia – 2018 STUXNET 2010 HAVEX 2013 IRONGATE 2015 INDUSTROYER 2016 TRITON 2017 ICS Malware over the past • The malware targets a simulated Siemens control system environment • Stuxnet-like behavior • Includes evasion mechanisms (anti-vm, antiav…) • Mostly written in Python • Probably a penetration tool or a Proof of concept BLACKENERGY 2015
  • 9. 9CNES COMET SSI - Thomas Roccia – 2018 STUXNET 2010 HAVEX 2013 INDUSTROYER 2016 TRITON 2017 ICS Malware over the past • Targeted Ukraine’s power grid • Remote control and persistence mechanisms • Abused OPC (Open Platform Communication) • Contained a data wiper component • Shutdown for the second time Ukraine’s power grid IRONGATE 2015 BLACKENERGY 2015
  • 10. 10CNES COMET SSI - Thomas Roccia – 2018 STUXNET 2010 HAVEX 2013 TRITON 2017 • Targeted Middle Eastern oil and gas petrochemical facility • Interacting with a Safety Instrumented System (SIS) • Abuse of the TriStation proprietary communication protocol • Detected thanks to “an accidental shutdown” • The Triton attack is considered as unprecedented and could have done physical impact! BLACKENERGY 2015 IRONGATE 2015 INDUSTROYER 2016 ICS Malware over the past
  • 11. 11CNES COMET SSI - Thomas Roccia – 2018 STUXNET 2010 HAVEX 2013 TRITON 2017 BLACKENERGY 2015 IRONGATE 2015 INDUSTROYER 2016 Even regular Malware can impact ICS WANNACRY: Maersk, Renault, NHS SamSam: Unnamed ICS company in the U.S NOTPETYA: Chernobyl nuclear power plant, power grid, and healthcare systems RAMNIT: German nuclear energy plant in Gundremmingen SHAMOON: Saudi and Qatari 2012 CryptoMiner: Water Utility in Europe 2018
  • 12. 12CNES COMET SSI - Thomas Roccia – 2018 Safety Instrumented Systems • Safety Instrumented System are designed to add a layer of security • Schneider Triconex safety controllers used in 18000 plants (nuclear, oil and gas refineries, chemical plants…) • Such attacks require a high level of process comprehension (analysis of acquired documents, diagrams, device configurations and network traffic). • TRITON specifically targeted a system that is designed to protect human life. Source: https://www.arcweb.com/sites/default/files/Images/blog-images/Layers-of-Protection.png
  • 13. 13CNES COMET SSI - Thomas Roccia – 2018 Attackers Collected Many Information
  • 14. 14CNES COMET SSI - Thomas Roccia – 2018 TRITON Attack OVERVIEW Customer Network Previous research from TALOS specify ICS targeted attack by phishing delivering payload via a compromise SMB server !No evidence found! IT DCS / ICS TRITON SIS Controllers SIS Engineering Workstation Physical Process TRITON Launch Cyberattack? Trilog.exe Triconex MP3008 Firmware v10.0–10.4 MPC860 PowerPC Processor Tristation Protocol UDP 1502 TRITON specifically targets this version of Triconex.
  • 15. 15CNES COMET SSI - Thomas Roccia – 2018 Triton Framework Main Modules Trilog.exe • Python files compiled in the main executable • Masquerades Triconex Trilog application • Receive IP address as argument • Python scripts • Contains attack framework Library.zip • Payload that places “imain.bin” in the memory controllerinject.bin imain.bin • Backdoor Implant Missing OT Payload • Physical impact
  • 16. 16CNES COMET SSI - Thomas Roccia – 2018 Triton Framework Main Modules Filename Description trilog.exe Python executable main module (includes script_test.py) |_PresetStatus PPC shellcode use to perform a periodic check and deploy the next stages |_DummyProgram Anti-forensic trick used to reset the memory and avoid forensic detection (clean-up) inject.bin Injector used to verify every thing and injected the next payload imain.bin Used to perform custom actions on-demand Filename Description Library.zip Python module library used by trilog.exe. |_TsLow.pyc Implement low functionalities such as UDP, TCM. Used to send, receive and parse packet. |_TsBase.pyc Basic functionalities used to interact with the Controller (upload, download, device status). |_TsHi.pyc Appending program, uploading, retrieving program table, interpreting status structures. |_Ts_cnames.pyc Strings representation of TS protocol features (message, error codes…). |_crc.pyc Implements or imports a number of standard CRC functions. |_sh.pyc Few utility functions for flipping endianness and printing out binary data with a hexadecimal representation.
  • 17. 17CNES COMET SSI - Thomas Roccia – 2018 Trilog.exe (Script_test.py) • Main python file that takes the target SIS IP Address • Attackers reversed the Tristation Communication Protocol ATTACKER SIS Target TS_cnames.py
  • 18. 18CNES COMET SSI - Thomas Roccia – 2018 Tristation Communication Protocol • UDP Protocol • Port 1502 • Triton checked the state of the controller • Some companies created a Wireshark Dissector (Nozomi, Fireewe, MidnightBlue) Protocol Name Kind of Answer Communication Direction Controller Information “Running State” Required by Triton
  • 19. 19CNES COMET SSI - Thomas Roccia – 2018 Initial Payload - Stage 1 (PERIODIC CHECK) • Set an argument or Control Value in the Tricon’s Memory • Check to test ability to upload and execute code • The value (0x00008001) is used as an argument by the second-stage inject.bin • This shellcode writes the value into the « fstat » field of the Control Program (CP) Status structure.
  • 20. 20CNES COMET SSI - Thomas Roccia – 2018 Initial Payload - Stage 1 (PERIODIC CHECK) • Look for 2 values in the memory • 0x40 • 0x60 • If found, it overwrites the memory with the value 0x00008001 • If it doesn’t found the values, it means it is not the right target
  • 21. 21CNES COMET SSI - Thomas Roccia – 2018 Implant Installer (Inject.bin) – Stage2 • Main goal Inject.bin is to write the next stage (imain.bin) • The code is loaded into the memory • It can be changed during runtime (it won’t persist after a reboot). • Make sure the attacker has an active backdoor on the device even if the physical key/switch is turned to non-programming mode.
  • 22. 22CNES COMET SSI - Thomas Roccia – 2018 Implant Installer (Inject.bin) – Stage2 • Inject.bin assumes the argument written by the first stage payload resides at a static address and uses it as: 1. A countdown for the number of cycles to idle 2. A step counter to track and control execution progress 3. A field for writing debug information upon failure. • Attackers monitor inject.bin for problems. • If no problems are detected, the stage 3 is injected and 'Script SUCCESS' is output. • If an exception occured a dummy program containing nothing but a system_call (-1) is appended.
  • 23. 23CNES COMET SSI - Thomas Roccia – 2018 Backdoor Implant (imain.bin) – Stage3 • Backdoor (imain.bin) allows an attacker to have Read/Write/Execute access to the Safety Controller memory. • It allows an attacker to inject and execute a more disruptive payload by adding malicious function (OT Payload– Stage4?). • The TRITON framework can communicate with the implant with the 3 functions: • TsHi.ExplReadRam() • TsHi.ExplWriteRam() • TsHi.ExplExec()
  • 24. 24CNES COMET SSI - Thomas Roccia – 2018 Backdoor Protocol (imain.bin) – Stage3 • The previous three function uses TsBase.ExecuteExploit • It creates a TriStation « Get Main Processor Diagnostic Data » command with a crafted packet: • [Standard Tricon packet headers][opcode][special identifier][data] • Special identifier == 0xFF • Read == 0x17 • Write == 0x41 • Execute == 0xF9 Special Identifier READ WRITE EXECUTE
  • 25. 25CNES COMET SSI - Thomas Roccia – 2018 OT Payload (missing) – Stage 4 • Fourth stage payload (OT Payload) wasn’t recovered • All the investigation specified that the attack has been detected before a cyber- physical damage scenario
  • 26. 26CNES COMET SSI - Thomas Roccia – 2018 Demo Detection On the Network • Nozomi created a honeypot to simulate the SIS System • We modified the source code to create an alert system on a cheap material
  • 27. 27CNES COMET SSI - Thomas Roccia – 2018 About the Attackers • The sophistication of the attack and the resources needed could indicate the attackers had high budget to conduct it. • External sources point to different direction. • However attribution is not something easy and can lead to false conclusion. • It is still currently unclear where the attackers comes from… • And what was the end goal (disruption or destruction?) • One thing is sure, attackers are gaining more experience and increased their arsenal!
  • 28. 28CNES COMET SSI - Thomas Roccia – 2018 Lesson Learned / Takeaways • Devices « insecure by design » have been exposed to hyper-connected environments they were not quite designed for. • There is a lack of basic IT/OT security hygiene and early warning insights • The same technique can be used against other ICS systems/OT vendors. • Kudos to Schneider Electric to share the incident and details about the investigation and take the appropriate actions (creating a new way to detect such attacks). • The Triconex Tricons have addressed not only the vulnerability leveraged in the attack, but have also built multiple defenses against the techniques used in the attack.
  • 29. 29CNES COMET SSI - Thomas Roccia – 2018 References • https://blog.schneider-electric.com/cyber-security/2018/08/07/one-year-after-triton-building-ongoing-industry-wide- cyber-resilience/ • https://www.youtube.com/watch?v=f09E75bWvkk • https://ics-cert.us-cert.gov/sites/default/files/ICSJWG-Archive/QNL_DEC_17/Waterfall_top-20-attacks-article-d2%20- %20Article_S508NC.pdf • https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html • https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware • https://www.nozominetworks.com/2018/07/18/blog/new-triton-analysis-tool-wireshark-dissector-for-tristation-protocol/ • https://cyberx-labs.com/en/blog/triton-post-mortem-analysis-latest-ot-attack-framework/ • https://vimeo.com/275906105 • https://vimeo.com/248057640 • https://blog.talosintelligence.com/2017/07/template-injection.html
  • 30. 30CNES COMET SSI - Thomas Roccia – 2018 Thank You Thomas ROCCIA Security Researcher, Advanced Threat Research @fr0gger_ https://securingtomorrow.mcafee.com/author/thomas-roccia/ Q/A
  • 31. 31CNES COMET SSI - Thomas Roccia – 2018 McAfee, the McAfee logo and [insert <other relevant McAfee Names>] are trademarks or registered trademarks of McAfee LLC or its subsidiaries in the U.S. and/or other countries. Other names and brands may be claimed as the property of others. Copyright © 2017 McAfee LLC. 3