This presentation is about the industrial malware dubbed Triton that targeted Safety Industrial System in a oil and gas plant in 2017. It was presented during the CNES COMET event about Industrial Threats.
Defending enterprise networks against attackers continues to present a difficult challenge for blue teams. Prevention has fallen short; improving detection & response capabilities has proven to be a step in the right direction. However, without the telemetry produced by adversary behavior, building and testing detection capabilities will be a challenging task.
PurpleSharp is an open-source adversary simulation tool written in C# that executes adversary techniques against Windows environments. The resulting telemetry can be leveraged to measure and improve the efficacy of a detection program. PurpleSharp executes different behavior across the attack lifecycle following the MITRE ATT&CK Framework’s tactics: execution, persistence, privilege escalation, credential access, lateral movement, etc.
Defending enterprise networks against attackers continues to present a difficult challenge for blue teams. Prevention has fallen short; improving detection & response capabilities has proven to be a step in the right direction. However, without the telemetry produced by adversary behavior, building and testing detection capabilities will be a challenging task.
PurpleSharp is an open-source adversary simulation tool written in C# that executes adversary techniques against Windows environments. The resulting telemetry can be leveraged to measure and improve the efficacy of a detection program. PurpleSharp executes different behavior across the attack lifecycle following the MITRE ATT&CK Framework’s tactics: execution, persistence, privilege escalation, credential access, lateral movement, etc.
Hunting for APT in network logs workshop presentationOlehLevytskyi1
Nonamecon 2021 presentation.
Network logs are one of the most efficient sources to hunt adversaries, but building good analytics capabilities require a deep understanding of benign activity and attacker behavior. This training focuses on detecting real-case attacks, tools and scenarios by the past year.
The training is highly interactive and retains a good balance between theory and a lot of hands-on exercises for the students to get used to the detection engineering methodology and prepare them to start implementing this at their organizations.
Presentation topics:
- Netflow Mitre Matrix view
- Full packet captures vs Netflow
- Zeek
- Zeek packages
- RDP initial comprometation
- Empire Powershell and CobaltStrike or what to expect after initial loader execution.
- Empire powershell initial connection
- Beaconing. RITA
- Scanning detection
- Internal enumeration detection
- Lateral movement techniques widely used
- Kerberos attacks
- PSExec and fileless ways of delivering payloads in the network
- Zerologon detection
- Data exfiltration
- Data exfiltration over C2 channel
- Data exfiltration using time size limits (data chunks)
- DNS exfiltration
- Detecting ransomware in your network
- Real incident investigation
Authors:
Oleh Levytskyi (https://twitter.com/LeOleg97)
Bogdan Vennyk (https://twitter.com/bogdanvennyk)
These slides were presented at GDG MeetUp in Bangalore which was held on 21st September 2013. Uploading the slides to help the people who wanted the slide Deck
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
What is Shodan?
- Search engine for the Internet connected devices by John Matherly (@achillean).
- Probes devices on specific ports, aggregates the output and indexes aka Google for TCP banners
- Has a powerful API, Python & Ruby libraries
- Integration with Maltego, Metasploit & Armitage.
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
DerbyCon 2016
Nick Landers @monoxgas
External mail via Exchange is one of the most common services offered by organizations today. The Microsoft Office suite is even more prevalent making Outlook the most common mail client around. This talk focuses on the abuse of these two products for the purpose of gaining code execution inside remote networks. Subjects include E-Mail and password scraping, OWA/EWS brute forcing techniques, and new research into abusing Outlook mail rules for remote code execution. Learn about the capabilities of client side rules, the underlying Windows APIs, and how to modify these rule objects to make phishing attacks obsolete. Security Consultant at Silent Break Security. Professional Hacker for 2 years. Current work involves writing custom malware and researching unique attack vectors that abuse functionality in windows environments.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
Liam Randall of Critical Stack at S4x15 Operation Technology Day. Liam is a Bro guru and describes how it can be used to monitor communications, detect attacks and analyze data.
Test Execution Infrastructure for IoT Quality analysisAxel Rennoch
Recently IoT testing becomes a popular topic in the industry and academic context. New challenges have been identified and existing test methods and techniques need to be collected, optimized and applied. Furthermore, innovative software development approaches are under consideration and partly implemented. However automated test execution still need powerful means and infrastructure. Open source projects like the Eclipse IoT-Testware project can provide valuable tools for advanced testing in IoT. The presentation gives an overview and first results with our IoT test Infrastructure.
Hunting for APT in network logs workshop presentationOlehLevytskyi1
Nonamecon 2021 presentation.
Network logs are one of the most efficient sources to hunt adversaries, but building good analytics capabilities require a deep understanding of benign activity and attacker behavior. This training focuses on detecting real-case attacks, tools and scenarios by the past year.
The training is highly interactive and retains a good balance between theory and a lot of hands-on exercises for the students to get used to the detection engineering methodology and prepare them to start implementing this at their organizations.
Presentation topics:
- Netflow Mitre Matrix view
- Full packet captures vs Netflow
- Zeek
- Zeek packages
- RDP initial comprometation
- Empire Powershell and CobaltStrike or what to expect after initial loader execution.
- Empire powershell initial connection
- Beaconing. RITA
- Scanning detection
- Internal enumeration detection
- Lateral movement techniques widely used
- Kerberos attacks
- PSExec and fileless ways of delivering payloads in the network
- Zerologon detection
- Data exfiltration
- Data exfiltration over C2 channel
- Data exfiltration using time size limits (data chunks)
- DNS exfiltration
- Detecting ransomware in your network
- Real incident investigation
Authors:
Oleh Levytskyi (https://twitter.com/LeOleg97)
Bogdan Vennyk (https://twitter.com/bogdanvennyk)
These slides were presented at GDG MeetUp in Bangalore which was held on 21st September 2013. Uploading the slides to help the people who wanted the slide Deck
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
What is Shodan?
- Search engine for the Internet connected devices by John Matherly (@achillean).
- Probes devices on specific ports, aggregates the output and indexes aka Google for TCP banners
- Has a powerful API, Python & Ruby libraries
- Integration with Maltego, Metasploit & Armitage.
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
DerbyCon 2016
Nick Landers @monoxgas
External mail via Exchange is one of the most common services offered by organizations today. The Microsoft Office suite is even more prevalent making Outlook the most common mail client around. This talk focuses on the abuse of these two products for the purpose of gaining code execution inside remote networks. Subjects include E-Mail and password scraping, OWA/EWS brute forcing techniques, and new research into abusing Outlook mail rules for remote code execution. Learn about the capabilities of client side rules, the underlying Windows APIs, and how to modify these rule objects to make phishing attacks obsolete. Security Consultant at Silent Break Security. Professional Hacker for 2 years. Current work involves writing custom malware and researching unique attack vectors that abuse functionality in windows environments.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
Liam Randall of Critical Stack at S4x15 Operation Technology Day. Liam is a Bro guru and describes how it can be used to monitor communications, detect attacks and analyze data.
Test Execution Infrastructure for IoT Quality analysisAxel Rennoch
Recently IoT testing becomes a popular topic in the industry and academic context. New challenges have been identified and existing test methods and techniques need to be collected, optimized and applied. Furthermore, innovative software development approaches are under consideration and partly implemented. However automated test execution still need powerful means and infrastructure. Open source projects like the Eclipse IoT-Testware project can provide valuable tools for advanced testing in IoT. The presentation gives an overview and first results with our IoT test Infrastructure.
Analysis of exposed ICS//SCADA/IoT systems in EuropeFrancesco Faenzi
The proliferation remote accessible applications and always connected systems, including Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) networks, real-time remote control systems, IoT devices and all the distributed management technologies, means that the risk of cyber attacks and potentially dangerous threats are increasing and it can only increase in the next years.
In this report will be analyzed the distribution and the exposition of these systems, found alive inside the european cyber perimeter, and their services along with a deep analysis of evident bad configurations, easy exploitable vulnerabilities, public and private indicators of compromise and even real and known compromissions already happened.
The “Lutech Operational Intelligence - Analysis of exposed ICS, SCADA and IoT systems in Europe” report hereby presented is based on information provided by Lutech Threat Management Service for Cyber Threat Intelligence (L-TMS/CTI).
Cybersecurity concepts & Defense best practisesWAJAHAT IQBAL
This presentation is an attempt to present the complex Subject of Cybersecurity in a concise format with main focus to present the core of Cybersecurity and best practises and standards to protect an enterprise Network.Comments of readers welcomed.Thank You (Wajahat Iqbal)
Email: Wajahat_Iqbal@yahoo.com
Defcon through the_eyes_of_the_attacker_2018_slidesMarina Krotofil
Through the Eyes of the Attacker: Designing Embedded Systems Exploits for Industrial Control Systems
In 2017 a malware framework dubbed TRITON (also referred to as TRISIS or HatMan) was discovered targeting a petrochemical plant in Saudi Arabia. TRITON was designed to compromise the Schneider Electric Triconex line of Safety Instrumented Systems (SIS), potentially in order to cause physical damage. TRITON is the most complex publicly known ICS attack framework to date and the first publicly known one to target safety controllers. While the functionality of the malware is understood, little is known about the complexity of developing such an implant. The goal of this talk is to provide the audience with a “through the eyes of the attacker” experience in designing advanced embedded systems exploits & implants for Industrial Control Systems (ICS). Attendees will learn about the background of the TRITON incident, the process of reverse-engineering and exploiting ICS devices and developing implants and OT payloads as part of a cyber-physical attack and will be provided with details on real-world ICS vulnerabilities and implant strategies.
In the first part of the talk we will provide an introduction to ICS attacks in general and the TRITON incident in particular. We will outline the danger of TRITON being repurposed by copycats and estimate the complexity and development cost of such offensive ICS capabilities.
In the second and third parts of the talk we will discuss the process of exploiting ICS devices to achieve code execution and developing ICS implants and OT payloads. We will discuss real-world ICS vulnerabilities and present several implant scenarios such as arbitrary code execution backdoors (as used in TRITON), pin configuration attacks, protocol handler hooking to spoof monitored signal values, suppressing interrupts & alarm functionality, preventing implant removal and control logic restoration and achieving cross-boot persistence. We will discuss several possible OT payload scenarios and how these could be implemented on ICS devices such as the Triconex safety controllers.
In the final part of the talk we'll wrap up our assessment of the complexity & cost of developing offensive ICS capabilities such as the TRITON attack and offer recommendations to defenders and ICS vendors.
W32.Stuxnet has gained a lot of attention from researchers and media recently. There is good reason for this. Stuxnet is one of the
most complex threats we have analyzed. In this paper we take a detailed look at Stuxnet and its various components and particularly
focus on the final goal of Stuxnet, which is to reprogram industrial
control systems. Stuxnet is a large, complex piece of malware with
many different components and functionalities. We have already
covered some of these components in our blog series on the topic. While some of the information from those blogs is included here,
this paper is a more comprehensive and in-depth look at the threat.
Stuxnet is a threat that was primarily written to target an industrial
control system or set of similar systems. Industrial control systems are
used in gas pipelines and power plants. Its final goal is to reprogram
industrial control systems (ICS) by modifying code on programmable
logic controllers (PLCs) to make them work in a manner the attacker intended and to hide those changes from the operator of the equipment.
In order to achieve this goal the creators amassed a vast array of components to increase their chances of success. This includes zero-day
exploits, a Windows rootkit, the first ever PLC rootkit, antivirus evasion...
Modern cybersecurity threats, and shiny new tools to help deal with themTudor Damian
With cybersecurity threats changing rapidly, we definitely need a new set of tools to be able to prevent and address them more efficiently: malware is becoming more complex and harder to detect, malicious insider attacks are on the rise and zero-day exploits make their way to the public much quicker than before. Join this session to see how Windows Server 2016 and Windows 10 can help organizations deal with this ever-changing security ecosystem by providing them with ways to better secure their environment and data. We’ll touch on topics such as malware & threat resistance, identity & access control, virtualization-based security, configurable code integrity, remote attestation and a few others.
During the presentation, speaker told his story of software protection to ensure the router's performance. He lead the participants through all the stages, from setting up a task to a Linux configuration and Kernel for security. He shared libraries and real examples of using security tools (SSL, ciphersuites, cgroups, tomoyo etc.) and suggest alternative tools.
This presentation by Serhii Voloshynov (Senior Software Engineer, Consultant, GlobalLogic, Kharkiv) was delivered at GlobalLogic Kharkiv Embedded TechTalk #3 on November 16, 2018.
Modern cybersecurity threats, and shiny new tools to help deal with them - T...ITCamp
With cybersecurity threats changing rapidly, we definitely need a new set of tools to be able to prevent and address them more efficiently: malware is becoming more complex and harder to detect, malicious insider attacks are on the rise and zero-day exploits make their way to the public much quicker than before. Join this session to see how Windows Server 2016 and Windows 10 can help organizations deal with this ever-changing security ecosystem by providing them with ways to better secure their environment and data. We’ll touch on topics such as malware & threat resistance, identity & access control, virtualization-based security, configurable code integrity, remote attestation and a few others.
CONFidence 2018: Defending Microsoft Environments at Scale (Vineet Bhatia)PROIDEA
Defending a Microsoft Environment at Scale looks at the innovations made in Windows 10 and the capabilities of a Microsoft stack to launch a capable defense against most vulnerability classes. The talk is based on a direct mapping of the MITRE ATTACK framework to the defense classes within the Microsoft offering. Detailed Description: This talk focuses on leveraging capabilities of a Microsoft stack to launch a capable defense against most vulnerability classes. It starts out by describing the MITRE ATTACK framework and how it has been used by us internally to build a defense model. We then expand to talk about specific capabilities of the Windows subsystem to detect and respond to the following: Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration and Command and Control (C2). As we continue, we describe a working defense model that extrapolates the telemetry from these indicators across Microsoft Windows to an enterprise view that reduces noise and improves signal. In order to do this, we explain how WEF works, a sample Sysmon deployment guide and how to collect rich event meta-data from all Windows Event Log sources to build correlation. This goes beyond traditional SIEM implementations and talks about specific use cases that address the MITRE ATTACK framework. During the second half of the talk, we explain how to scale this to geographically dispersed machines and build correlation and response when physical / remote access might not be available. A high-level overview of the native Windows Defender engine is provided and how the expanded Windows Defender ATP product allows us to perform frequency analysis, look at process trees and generally identify malicious behavior on the endpoint. In closing, we round up some of the capabilities of the Azure and Office365 cloud to talk about credential sync and cloud app security engines. This explains the protections offered to the end user and their access to any data source. The expectation is to address normal vs. abnormal user behavior and proactively identify users with weak credentials.
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack FrameworkDragos, Inc.
Principal Industrial Pentester, Austin Scott, presents at S4x20 on how to map ICS incidents to the MITRE ATT&CK Framework.
View the webinar here: https://dragos.com/resource/introducing-mitre-attck-for-ics-and-why-it-matters/
CoinMiners are on the rise, trending so high that in the last couple of month they almost completely replaced ransomware in both media and the research community. Unlike ransomware which profit from rapid encryption of user’s data taken hostage, CoinMiners profit comes from high jacking computer resources. As long as the CoinMiner stays undetected and stealth, the higher its author profit.
In this talk we will focus on the unexplored territory of CoinMiner evasive maneuver and functionality to avoid getting found by its victims and provide tactics and tools to combat them.
42 - Malware - Understand the Threat and How to RespondThomas Roccia
Malware are becoming more and more complex. In this talk presenting with Jean-Pierre Lesueur at the School 42, we explained the business model behind as well provided an understanding of the Malware Threat.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
TRITON: The Next Generation of ICS Malware
1. The Next Generation of ICS Malware
Overview of Triton
Thomas ROCCIA
Security Researcher, Advanced Threat Research
2. 2CNES COMET SSI - Thomas Roccia – 2018
Whoami
Thomas ROCCIA
Security Researcher, Advanced Threat Research
@fr0gger_
https://securingtomorrow.mcafee.com/author/thomas-roccia/
http://troccia.tdgt.org
Disclaimer: all the research presented are based on the public and internal information collected by the
actors who were engaged during the investigation. A combined investigation and collaboration within the
following actors: The FBI, NCCIC, Schneider Electric, McAfee, FireEye, DragosInc, Nozomi, Cyberx…
3. 3CNES COMET SSI - Thomas Roccia – 2018
Agenda
• Brief ICS Malware History
• Safety Instrumented System (SIS)
• TRITON Attack Overview
• Detection Demo
• About the Attackers
• Take Away
4. 4CNES COMET SSI - Thomas Roccia – 2018
STUXNET
2010
HAVEX
2013
BLACKENERGY
2015
IRONGATE
2015
INDUSTROYER
2016
TRITON
2017
ICS Malware over the past
5. 5CNES COMET SSI - Thomas Roccia – 2018
STUXNET
2010
HAVEX
2013
BLACKENERGY
2015
IRONGATE
2015
INDUSTROYER
2016
TRITON
2017
ICS Malware over the past
• Targeted Iranian centrifuges
• Spread via USB and over the network
• Used four zero-day
• Able to reprogram the PLC to change the rotation speed of
centrifuges
• Designed to control the industrial Process
6. 6CNES COMET SSI - Thomas Roccia – 2018
2010
STUXNET HAVEX
2013
BLACKENERGY
2015
IRONGATE
2015
INDUSTROYER
2016
TRITON
2017
ICS Malware over the past
• Targeted energy grids, electricity firms, petroleum pipeline
operators
• Spread via, spear phishing and watering hole
• Detected ICS devices using OPC (Open Platform Communication)
• Attackers collected a large amount of data and were able to
remotely monitor the industrial system
• Designed for espionage and sabotage
7. 7CNES COMET SSI - Thomas Roccia – 2018
STUXNET
2010
HAVEX
2013
BLACKENERGY
2015
IRONGATE
2015
INDUSTROYER
2016
TRITON
2017
ICS Malware over the past
• First appears in 2007 as a DDOS malware
• Spread via spear phishing and weaponized Microsoft Document
• Remote monitoring of SCADA system
• Disabling and destroying several IT infrastructure component
• Destruction of file stored on servers and workstations
• 230,000 people in Ukraine were left in the dark for six hours
after hackers compromised several power distribution centers
8. 8CNES COMET SSI - Thomas Roccia – 2018
STUXNET
2010
HAVEX
2013
IRONGATE
2015
INDUSTROYER
2016
TRITON
2017
ICS Malware over the past
• The malware targets a simulated Siemens control system
environment
• Stuxnet-like behavior
• Includes evasion mechanisms (anti-vm, antiav…)
• Mostly written in Python
• Probably a penetration tool or a Proof of concept
BLACKENERGY
2015
9. 9CNES COMET SSI - Thomas Roccia – 2018
STUXNET
2010
HAVEX
2013
INDUSTROYER
2016
TRITON
2017
ICS Malware over the past
• Targeted Ukraine’s power grid
• Remote control and persistence mechanisms
• Abused OPC (Open Platform Communication)
• Contained a data wiper component
• Shutdown for the second time Ukraine’s power grid
IRONGATE
2015
BLACKENERGY
2015
10. 10CNES COMET SSI - Thomas Roccia – 2018
STUXNET
2010
HAVEX
2013
TRITON
2017
• Targeted Middle Eastern oil and gas petrochemical facility
• Interacting with a Safety Instrumented System (SIS)
• Abuse of the TriStation proprietary communication protocol
• Detected thanks to “an accidental shutdown”
• The Triton attack is considered as unprecedented and could
have done physical impact!
BLACKENERGY
2015
IRONGATE
2015
INDUSTROYER
2016
ICS Malware over the past
11. 11CNES COMET SSI - Thomas Roccia – 2018
STUXNET
2010
HAVEX
2013
TRITON
2017
BLACKENERGY
2015
IRONGATE
2015
INDUSTROYER
2016
Even regular Malware can impact ICS
WANNACRY: Maersk, Renault, NHS
SamSam: Unnamed ICS company in the U.S
NOTPETYA: Chernobyl nuclear power plant, power grid, and healthcare systems
RAMNIT: German nuclear energy plant in Gundremmingen
SHAMOON: Saudi and Qatari
2012
CryptoMiner: Water Utility in Europe
2018
12. 12CNES COMET SSI - Thomas Roccia – 2018
Safety Instrumented Systems
• Safety Instrumented System are designed to add a layer of
security
• Schneider Triconex safety controllers used in 18000 plants
(nuclear, oil and gas refineries, chemical plants…)
• Such attacks require a high level of process comprehension
(analysis of acquired documents, diagrams, device
configurations and network traffic).
• TRITON specifically targeted a system that is designed to
protect human life.
Source: https://www.arcweb.com/sites/default/files/Images/blog-images/Layers-of-Protection.png
13. 13CNES COMET SSI - Thomas Roccia – 2018
Attackers Collected Many Information
14. 14CNES COMET SSI - Thomas Roccia – 2018
TRITON Attack OVERVIEW
Customer Network
Previous research from TALOS
specify ICS targeted attack by
phishing delivering payload via
a compromise SMB server
!No evidence found!
IT DCS / ICS
TRITON
SIS Controllers
SIS Engineering
Workstation
Physical Process
TRITON
Launch Cyberattack?
Trilog.exe
Triconex MP3008
Firmware v10.0–10.4
MPC860 PowerPC
Processor
Tristation Protocol
UDP 1502
TRITON specifically targets
this version of Triconex.
15. 15CNES COMET SSI - Thomas Roccia – 2018
Triton Framework Main Modules
Trilog.exe
• Python files compiled in the main executable
• Masquerades Triconex Trilog application
• Receive IP address as argument
• Python scripts
• Contains attack framework
Library.zip
• Payload that places “imain.bin” in the memory controllerinject.bin
imain.bin • Backdoor Implant
Missing OT
Payload
• Physical impact
16. 16CNES COMET SSI - Thomas Roccia – 2018
Triton Framework Main Modules
Filename Description
trilog.exe Python executable main module (includes script_test.py)
|_PresetStatus PPC shellcode use to perform a periodic check and deploy the next stages
|_DummyProgram Anti-forensic trick used to reset the memory and avoid forensic detection (clean-up)
inject.bin Injector used to verify every thing and injected the next payload
imain.bin Used to perform custom actions on-demand
Filename Description
Library.zip Python module library used by trilog.exe.
|_TsLow.pyc Implement low functionalities such as UDP, TCM. Used to send, receive and parse packet.
|_TsBase.pyc Basic functionalities used to interact with the Controller (upload, download, device status).
|_TsHi.pyc Appending program, uploading, retrieving program table, interpreting status structures.
|_Ts_cnames.pyc Strings representation of TS protocol features (message, error codes…).
|_crc.pyc Implements or imports a number of standard CRC functions.
|_sh.pyc Few utility functions for flipping endianness and printing out binary data with a hexadecimal
representation.
17. 17CNES COMET SSI - Thomas Roccia – 2018
Trilog.exe (Script_test.py)
• Main python file that takes the target SIS IP Address
• Attackers reversed the Tristation Communication Protocol
ATTACKER
SIS Target
TS_cnames.py
18. 18CNES COMET SSI - Thomas Roccia – 2018
Tristation Communication
Protocol
• UDP Protocol
• Port 1502
• Triton checked the state of the controller
• Some companies created a Wireshark
Dissector (Nozomi, Fireewe,
MidnightBlue)
Protocol Name
Kind of Answer
Communication Direction
Controller Information
“Running State” Required by Triton
19. 19CNES COMET SSI - Thomas Roccia – 2018
Initial Payload - Stage 1 (PERIODIC CHECK)
• Set an argument or Control Value in the Tricon’s Memory
• Check to test ability to upload and execute code
• The value (0x00008001) is used as an argument by the second-stage inject.bin
• This shellcode writes the value into the « fstat » field of the Control Program (CP)
Status structure.
20. 20CNES COMET SSI - Thomas Roccia – 2018
Initial Payload - Stage 1 (PERIODIC CHECK)
• Look for 2 values in the memory
• 0x40
• 0x60
• If found, it overwrites the memory
with the value 0x00008001
• If it doesn’t found the values, it means
it is not the right target
21. 21CNES COMET SSI - Thomas Roccia – 2018
Implant Installer (Inject.bin) – Stage2
• Main goal Inject.bin is to write the next stage (imain.bin)
• The code is loaded into the memory
• It can be changed during runtime (it won’t persist after a reboot).
• Make sure the attacker has an active backdoor on the device even if the physical
key/switch is turned to non-programming mode.
22. 22CNES COMET SSI - Thomas Roccia – 2018
Implant Installer (Inject.bin) – Stage2
• Inject.bin assumes the argument written by the first stage payload resides at a static address and
uses it as:
1. A countdown for the number of cycles to idle
2. A step counter to track and control execution progress
3. A field for writing debug information upon failure.
• Attackers monitor inject.bin for problems.
• If no problems are detected, the stage 3 is injected and 'Script SUCCESS' is output.
• If an exception occured a dummy program containing nothing but a system_call (-1) is appended.
23. 23CNES COMET SSI - Thomas Roccia – 2018
Backdoor Implant (imain.bin) – Stage3
• Backdoor (imain.bin) allows an attacker to have
Read/Write/Execute access to the Safety Controller memory.
• It allows an attacker to inject and execute a more disruptive
payload by adding malicious function (OT Payload– Stage4?).
• The TRITON framework can communicate with the implant with
the 3 functions:
• TsHi.ExplReadRam()
• TsHi.ExplWriteRam()
• TsHi.ExplExec()
24. 24CNES COMET SSI - Thomas Roccia – 2018
Backdoor Protocol (imain.bin) – Stage3
• The previous three function uses TsBase.ExecuteExploit
• It creates a TriStation « Get Main Processor Diagnostic Data » command with a crafted packet:
• [Standard Tricon packet headers][opcode][special identifier][data]
• Special identifier == 0xFF
• Read == 0x17
• Write == 0x41
• Execute == 0xF9
Special Identifier
READ
WRITE
EXECUTE
25. 25CNES COMET SSI - Thomas Roccia – 2018
OT Payload (missing) – Stage 4
• Fourth stage payload (OT Payload) wasn’t recovered
• All the investigation specified that the attack has been detected before a cyber-
physical damage scenario
26. 26CNES COMET SSI - Thomas Roccia – 2018
Demo Detection On the Network
• Nozomi created a honeypot to simulate the SIS System
• We modified the source code to create an alert system on a cheap material
27. 27CNES COMET SSI - Thomas Roccia – 2018
About the Attackers
• The sophistication of the attack and the resources needed could
indicate the attackers had high budget to conduct it.
• External sources point to different direction.
• However attribution is not something easy and can lead to false
conclusion.
• It is still currently unclear where the attackers comes from…
• And what was the end goal (disruption or destruction?)
• One thing is sure, attackers are gaining more experience and
increased their arsenal!
28. 28CNES COMET SSI - Thomas Roccia – 2018
Lesson Learned / Takeaways
• Devices « insecure by design » have been exposed to hyper-connected
environments they were not quite designed for.
• There is a lack of basic IT/OT security hygiene and early warning insights
• The same technique can be used against other ICS systems/OT vendors.
• Kudos to Schneider Electric to share the incident and details about the
investigation and take the appropriate actions (creating a new way to detect such
attacks).
• The Triconex Tricons have addressed not only the vulnerability leveraged in the
attack, but have also built multiple defenses against the techniques used in the
attack.