Technical Presentation - Malware Infections in Brazil

Presentation given at the ACS Conference in Washington DC (USA)


  1. Recent malware infections on control system networks in Brazil
     Marcelo Branquinho
     ACS Conference – Washington DC, September 2011
     TI Safe Segurança da Informação LTDA, 2007-2010. All rights reserved.
  2. Don't need to copy... just download it: http://www.tisafe.com/recursos/palestras/
  3. TI Safe on Twitter
     • Follow us on Twitter: @tisafe
  4. About Myself
     Marcelo Branquinho – Marcelo.branquinho@tisafe.com
     • Electrical Engineer specializing in computer systems, with an MBA in business management; one of the founders of the ISACA chapter in Rio de Janeiro.
     • Member of ISA International and currently director of TI Safe, where he serves as head of security for industrial automation systems.
     • With extensive experience gained over 12 years in the field of critical infrastructures and government agencies in Brazil, Marcelo is coordinating the development of the Security Automation Training, the first of its kind in Brazil.
     • Currently a collaborator of the WG5 TG2 Gap Analysis Task Group that is revising the ANSI/ISA-99 standard.
  5. Agenda
     • Malware infections on control system networks in Brazil
     Study Case 1: Automation Plants of Steel Industry “A”
     • Network Architecture
     • Automation Systems Composition
     • Policies
     • Installed Defenses
     • About the AHACK worm
     • Malware Infection
     • Implemented Countermeasures
     Study Case 2: Power Plant of Steel Industry “B”
     • Network Architecture
     • Automation Systems Composition
     • Policies
     • Installed Defenses
     • Malware Infection
     • About the Conficker worm
     • Implemented Countermeasures
     • Conclusion and Challenges
     * Due to confidentiality agreements, the steel companies' names and all possible references to their plants were removed from the presentation slides.
  6. Study Case 1: Automation Plants of Steel Industry “A”
  7. About Steel Industry “A”
     • Steel Industry “A” is one of the largest steel producers in the Americas, with major steel mills in Brazil and a total capacity of about 10 million metric tons of steel per year.
     • The company accounts for about ¼ of total steel output in Brazil.
     • The company also operates in the logistics sector through stakes in local Brazilian logistics companies.
     • Started operations in 1964.
  8. Network Architecture
     • 5 automation networks (one for each automation area)
     • No documentation:
       - There isn't a complete inventory of the automation networks; these networks simply grew according to business needs, without consistent planning
       - There aren't network diagrams for each area
     • IT network connected to the Internet; there are firewalls protecting this connection
     • No network segmentation:
       - No firewalls or VLANs separating automation and IT networks
       - Any automation network can access any other automation network
       - All main services are on IT servers
       - Any computer on the corporate network has read/write access to any PLC on the automation networks
     • No Windows domain:
       - SCADA servers (Windows based) don't have a login (they run automatically after reboot)
     • Remote access (Internet based) is widely used by employees and third parties to access SCADA:
       - A single username/password for ALL remote users
  9. Automation Systems Composition
     • Main applications:
       - Siemens STEP7, DCOM and OPC Client
       - Siemens WinCC Flex OPC Server
       - SCADA FactoryLink
       - Elipse
       - FactoryLink and DCOM
       - Oracle 10g and Message Queue
       - DEC Basestar, Cimfast and Rally
     • Main SCADA servers:
       - DEC VAX and Alpha (many servers), all running OpenVMS
       - Windows servers running Windows 2003 and 2008 (just a few)
       - Some Windows servers still running very old operating systems like Windows 95 and Windows NT
  10. Policies
     • There's an IT Security Policy based on ISO 27001/27002 that is implemented on the IT network
       - IT and automation network teams don't talk to each other
     • Automation and control systems aren't compliant with international standards like ANSI/ISA TR-99
     • No specific automation security policy:
       - There are a few written procedures in which users assume all responsibility in case of security incidents. They just sign a single term and are allowed to do whatever they want on the automation networks (attach laptops, USB sticks, modems, etc.).
     • There are some manual backups to tapes, but nobody has ever tested whether they will correctly restore data when necessary
     • Passwords:
       - When they exist, they are weak and widely shared. The prevailing idea is that systems can't be allowed to stop because of strong or unknown passwords.
       - Passwords are never changed on automation systems and are sometimes hard-coded (for database connections, for example)
       - Very frequently, passwords are equal to the application name (for example, if the database is ORACLE, the password is ORACLE)
  11. Installed Defenses
     • On most of the SCADA servers, system updates are deactivated
     • No service packs or patches have been installed for years. In fact they have been completely ignored (nobody changes systems that are in production, for fear of stopping them)
     • There's a Symantec Endpoint Protection suite installed on the IT network and on some automation network computers, which creates a false sense of security
     • There aren't firewalls separating automation and IT networks
     • There isn't an IPS anywhere in the network (including the IT network)
     • There aren't security logs or security monitoring
  12. About the AHACK worm
     • The AHACK worm is a worm that can secretly get into systems and steal sensitive information
     • If a computer is infected by the AHACK worm, the following problems may happen:
       - Instant computer shutdown
       - Bundled Trojan
       - System32 errors
       - .dll errors, .exe errors and runtime errors
       - Slow computer performance
       - Degraded system running speed
       - Driver update failure
       - Program uninstall failure
       - Blue Screen of Death errors
  13. Malware Infection
     • Date it was discovered at the plant: June 2008
     • Malware: AHACK worm
     • Where: Power and Blast Furnace Plant
     • Consequences:
       - The worm spread over the whole power plant automation network
       - It flooded the network with unwanted packets and destabilized the communication between PLCs and supervision stations, compromising plant supervision
       - On some machines, the worm paralyzed important services of the Windows operating system
       - This lack of supervision caused stops and restarts of the SCADA systems, generating loss of production and financial losses
  14. Implemented Countermeasures
     • Some less critical computers and SCADA servers were disinfected with the worm removal kit
     • For about 3 critical SCADA servers that couldn't be stopped, the automation team wrote an internal document explaining:
       - What to do when the worm activates (and how to identify the activity of the worm)?
       - Which applications and services should be restarted?
       - Who they should call in case the procedure fails (perhaps god ☺)?
     • All computers and pen drives now have to be scanned on a clean machine before they are connected to the automation network.
     • 3G modems were banned from the automation network
  15. Implemented Countermeasures (cont.)
     • A distributed Microsoft Active Directory domain was created to serve the 5 automation networks. This domain is composed of users and groups totally different from those of the corporate domain.
     • The domain was created on 5 different domain controllers (one for each automation area) and configured in a redundant scheme where each change to a user or policy is automatically replicated to all domain controllers.
     • To log in, a user may use any of the 5 domain controllers transparently, or even log in offline when outside the automation network.
     • A security policy was configured for this domain with some important GPOs such as:
       - Turn off Autoplay
       - Account lockout after 3 attempts (locks for 1 minute before a new attempt)
       - Prohibit new task creation
       - Prohibit user installs
       - Remove Task Manager
       - Prohibit access to the Control Panel
  16. Study Case 2: Power Plant of Steel Industry “B”
  17. About Steel Industry “B”
     • Steel Industry “B”'s products are high-quality steel slabs, which are processed in European and US plants.
     • The power plant has an installed capacity of 550 MW, producing energy from converter gas, blast furnace and coke plant steam.
     • Started operations in 2009.
  18. Network Architecture – Power Plant
     • Approximately 180 computers make up the plant (workstations + servers), all running Windows OS.
     • Documentation:
       - There is a complete inventory of the power plant network, documented in an Excel worksheet
       - There are some network diagrams for the plant
     • About the power plant automation network:
       - Existing firewalls: Cisco 800 and Hirschmann Eagle
       - No wireless networks communicating with this plant
       - DHCP and DNS servers are in the IT network
       - Connection with insecure third-party networks
       - OPC data exchange with other automation plants inside the complex
  19. Network Architecture – Power Plant (cont.)
     • No Windows domain:
       - SCADA servers (all Windows based) don't have a login (they run automatically after reboot)
     • Remote access through the Internet for control and monitoring:
       - Authentication through username and password. There's just a single username and password for all remote users.
     • Governance and monitoring:
       - The plant has geographically distant sites, and access to the RTUs there is not very difficult
       - Firewall and network logs are not analyzed
       - There's an updated McAfee antivirus running inside the automation plant, but it didn't stop the infection or prevent it from spreading
       - Windows servers don't have updated patches and service packs
       - SCADA applications not patched (manufacturers charge for this service and take a long time to perform it)
  20. Automation Systems Composition
     • Main systems:
       - ALSPA P320 PLC
       - ABB EGATROL
       - ABB MicroSCADA
       - ABB 800xA System, version 5.0 Rev D
       - TDMS
       - Siemens PCS7 WinCC
       - Siemens STEP7 S7-400
       - InTouch
     • Main SCADA servers: the plant has only 2 years of operation and all systems are based on Windows servers running Windows 2003 R2 SP2
     • All workstations running Windows XP SP2
     • Main OPC servers:
       - OPC – Energy Management System – KepServer 5
       - OPC Matrikon – OPC Explorer version 3.5.0.0 / OPC Explorer version 3.2.1.150
       - OPC – OSIsoft PI
  21. Policies
     • There's an IT Security Policy based on ISO 27001/27002 that is not fully implemented on the IT network
       - IT and automation network teams talk to each other. Teams are very small for the size of the plant, and security tasks have very low priority.
     • Automation and control systems aren't compliant with international standards like ANSI/ISA TR-99
     • No specific automation security policy:
       - Free use of laptops, removable USB media and 3G modems inside the automation networks, even directly connected to SCADA servers
       - The automation team never had automation security training
     • No backup policy. There are some manual backups to external hard disks, managed through an Excel worksheet.
     • Passwords:
       - When they exist, they are weak and widely shared. The prevailing idea is that systems can't be allowed to stop because of strong or unknown passwords.
       - Passwords are never changed on automation systems and are sometimes hard-coded (for database connections, for example).
       - Very frequently, passwords are equal to the application name
  22. Malware Infection
     • Date it was discovered: 02/06/2011
     • Malware: Conficker
     • Where: Power Plant
     • What happened:
       - On 02/06/2011 the ALSPA system stopped. After checking, a virus (Conficker) was identified on all machines of the ALSPA system.
     • The worm spread over the whole power plant automation network (and probably over other automation networks, but the investigation was limited to the power plant due to lack of budget)
     • It flooded the network with unwanted packets and destabilized the communication between PLCs and supervision stations, freezing most of the supervision systems – WYSINWYG (What You See Is NOT What You Get ☺)
       - The automation team cleaned the infected machines, but the worm infected the machines again.
       - The Alstom team installed Windows Service Pack 2 on all machines (only on the ALSPA system) and cleaned them; the system returned to working well, disconnected from PI.
       - The worm infected the PI machine and the “SGE” network, but was removed without problems.
       - All systems return to working well while the external networks are disconnected. When these networks are reconnected, the malware “wakes up” and increases the network traffic, freezing the supervision station screens. Because of this, the automation team decided to keep these external networks disconnected.
     • Since the infection began, the company has been paying monthly fines to the government because some important reports (such as environmental control reports, for example) are not being sent.
     • Internal reports for production planning are being impaired
     • Chaos is established every time it happens – operators lose control of the plant
  23. How does Conficker spread?
     Due to its self-propagation mechanisms, the worm uses the following vectors, and hosts are probably infected when in contact with infected hosts through:
     • USB removable media like hard drives, USB flash drives, DVDs, CD-ROMs, etc.
     • Network hosts with out-of-date patches or without antivirus
     • Other network hosts correctly patched and with AV, but with weak or default passwords
     • Other networks that communicate with the power plant (via OPC, for instance)
  24. Conficker Variants
     Variant A – Detection date: 11/08
       - Infection vectors: NetBIOS: exploits MS08-067 vulnerability in Server service
       - Update propagation: HTTP pull: downloads from trafficconverter.biz; downloads daily from any of 250 pseudorandom domains over 5 TLDs
       - Self-defense: None
       - End action: Updates self to Conficker B, C or D
     Variant B – Detection date: 12/08
       - Infection vectors: NetBIOS: exploits MS08-067 vulnerability in Server service; dictionary attack on ADMIN$ shares; removable media: creates DLL-based AutoRun trojan on attached removable drives
       - Update propagation: HTTP pull: downloads daily from any of 250 pseudorandom domains over 8 TLDs; NetBIOS push: patches MS08-067 to open reinfection backdoor in Server service
       - Self-defense: Blocks certain DNS lookups; disables AutoUpdate
       - End action: Updates self to Conficker C or D
     Variant C – Detection date: 02/09
       - Infection vectors: NetBIOS: exploits MS08-067 vulnerability in Server service; dictionary attack on ADMIN$ shares; removable media: creates DLL-based AutoRun trojan on attached removable drives
       - Update propagation: HTTP pull: downloads daily from any of 250 pseudorandom domains over 8 TLDs; NetBIOS push: patches MS08-067 to open reinfection backdoor in Server service; creates named pipe to receive URL from remote host, then downloads from URL
       - Self-defense: Blocks certain DNS lookups; disables AutoUpdate
       - End action: Updates self to Conficker D
     Variant D – Detection date: 04/09
       - Infection vectors: None
       - Update propagation: HTTP pull: downloads daily from any 500 of 50,000 pseudorandom domains over 110 TLDs; P2P push/pull: uses custom protocol to scan for infected peers via UDP, then transfers via TCP
       - Self-defense: Blocks certain DNS lookups (does an in-memory patch of DNSAPI.DLL to block lookups of anti-malware related web sites); disables Safe Mode; disables AutoUpdate; kills anti-malware (scans for and terminates processes with names of anti-malware, patch or diagnostic utilities at one-second intervals)
       - End action: Downloads and installs Conficker E
     Variant E – Detection date: 07/09
       - Infection vectors: NetBIOS: exploits MS08-067 vulnerability in Server service
       - Update propagation: HTTP pull: downloads daily from any 500 of 50,000 pseudorandom domains over 110 TLDs; P2P push/pull: uses custom protocol to scan for infected peers via UDP, then transfers via TCP
       - Self-defense: Blocks certain DNS lookups; disables AutoUpdate; kills anti-malware (scans for and terminates processes with names of anti-malware, patch or diagnostic utilities at one-second intervals)
       - End action: Updates local copy of Conficker C to Conficker D; downloads and installs malware payload: Waledac spambot, SpyProtect 2009 scareware; removes self on 3 May 2009 (but leaves remaining copy of Conficker D)
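Every variant in the table above fetches its updates from hundreds of pseudorandom domains a day, and that is the behaviour a DNS resolver log exposes: one client suddenly asking for many unrelated, random-looking names that do not resolve. The script below is an added example, not part of the presentation or of TI Safe's tooling, that scores clients from constructed resolver log lines by the number of distinct NXDOMAIN names, the spread of TLDs and the character entropy of the second-level labels. The log format, the addresses and the thresholds (deliberately low for a short sample; a daily count would be set far higher) are assumptions made for illustration.

```python
"""Spot hosts whose DNS traffic looks like Conficker's daily domain
generation: many random-looking names that fail to resolve (NXDOMAIN),
spread over several TLDs.  Added example, not part of the presentation;
the resolver log format and thresholds are assumptions for illustration."""
import math
from collections import defaultdict

# Constructed resolver log lines: "<HH:MM:SS> <client> <qname> <rcode>".
# 10.10.1.40 behaves like an infected host; 10.10.1.21 is an ordinary
# workstation with one typo.
SAMPLE_DNS_LOG = """\
08:00:01 10.10.1.21 time.windows.com NOERROR
08:00:02 10.10.1.21 update.microsoft.com NOERROR
08:00:05 10.10.1.40 qxvblk.org NXDOMAIN
08:00:05 10.10.1.40 pwzqtmrf.net NXDOMAIN
08:00:06 10.10.1.40 kjhqvzl.biz NXDOMAIN
08:00:06 10.10.1.40 rtvmbkc.info NXDOMAIN
08:00:07 10.10.1.40 zlqwbvnp.ws NXDOMAIN
08:00:07 10.10.1.40 mcbqzvk.cn NXDOMAIN
08:00:08 10.10.1.40 hvqzlbtm.cc NXDOMAIN
08:00:09 10.10.1.40 xkqvbzl.org NXDOMAIN
08:00:10 10.10.1.40 fpqzvmk.net NXDOMAIN
08:00:11 10.10.1.40 dqzvblkw.biz NXDOMAIN
08:00:12 10.10.1.40 jqvzxlbk.info NXDOMAIN
08:00:13 10.10.1.40 wqvbzlmx.ws NXDOMAIN
08:00:20 10.10.1.21 intranet.locl NXDOMAIN
08:00:21 10.10.1.21 intranet.local NOERROR
"""


def shannon_entropy(label):
    """Bits per character of a DNS label; pseudorandom labels score higher
    than dictionary words of the same length."""
    if not label:
        return 0.0
    n = len(label)
    counts = {ch: label.count(ch) for ch in set(label)}
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Yield (time, client, qname, rcode); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, client, qname, rcode = parts
            yield ts, client, qname.lower().rstrip("."), rcode.upper()


def dga_stats(text):
    """Per client: distinct NXDOMAIN names, distinct TLDs among them and the
    mean entropy of their second-level labels."""
    failed = defaultdict(set)
    for _, client, qname, rcode in parse_dns_log(text):
        if rcode == "NXDOMAIN":
            failed[client].add(qname)
    stats = {}
    for client, names in failed.items():
        labels = [n.split(".")[-2] if "." in n else n for n in names]
        tlds = {n.rsplit(".", 1)[-1] for n in names}
        stats[client] = {
            "distinct_nxdomain": len(names),
            "distinct_tlds": len(tlds),
            "mean_entropy": sum(shannon_entropy(l) for l in labels) / len(labels),
        }
    return stats


def flag_dga_hosts(text, min_domains=10, min_entropy=2.5):
    """Clients exceeding both thresholds, most suspicious first."""
    stats = dga_stats(text)
    hits = [c for c, s in stats.items()
            if s["distinct_nxdomain"] >= min_domains
            and s["mean_entropy"] >= min_entropy]
    return sorted(hits, key=lambda c: -stats[c]["distinct_nxdomain"])


if __name__ == "__main__":
    for client, s in dga_stats(SAMPLE_DNS_LOG).items():
        print(client, s)
    print("suspected DGA clients:", flag_dga_hosts(SAMPLE_DNS_LOG))
```

The entropy test separates a typo like `intranet.locl` from generated labels, and the TLD count matters because, as the table shows, the later variants spread their 500 daily names over 110 TLDs, so a single-TLD filter would miss them. Note that variant D and later also patch DNSAPI.DLL to block lookups of security sites, so a sudden absence of queries for update servers from a host is a second signal worth keeping alongside this one.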
  25. Antivirus diagnosis is not precise...
     • Antivirus doesn't tell which variant of Conficker is infecting the plant
     • Antivirus doesn't guarantee that this is really a Conficker infection (it may be Stuxnet)
  26. Conficker or Stuxnet?
     • Similar attack vectors
     • It is speculated that the latest variants of Conficker were the first variants of Stuxnet
     • They exploit the same vulnerability (even if coded differently)
     • Some similar symptoms
     • Both are advanced cyberweapons
     • Conficker is sometimes regarded as a test run for Stuxnet
     • You need a Stuxnet-oriented diagnosis to differentiate one malware from the other
  27. Persistence
     • Conficker “kills” anti-virus or anti-malware products that haven't detected it, so they won't receive new signatures and will never detect it.
     • The worm tries to spread to other machines on the network and keeps an internal protocol that advises other peers when it is being exterminated, so these peers will reinfect the host. This causes the increase in network traffic.
     • It makes patched machines vulnerable again by corrupting the Server service of the machine.
  28. Countermeasures (under deployment) – the disinfection cycle
     Start: Automation Security Training (20 hours)
     a) Malware Isolation and Diagnosis
     b) Cleaning
     c) Border Security
     d) Systems and Connectivity Restore
     e) Governance and Monitoring
  29. Malware Isolation and Diagnosis
     • Identification of all points of infection and contamination vectors using nmap and other tools
     • Checked that the attacker is the Conficker worm
     • Identified which variant of Conficker is attacking the plant
     • Identified the “Mark 0” of the infection
     • Disconnected all external networks that communicate with the power plant
     • Removed all computers that were not part of the power plant automation network (including those of third parties and consultants)
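The “Mark 0” of slide 29 (the first infected host) can be reconstructed from the firewall logs that, as slide 19 notes, nobody was analyzing: Conficker's lateral movement over MS08-067 and ADMIN$ shows up as hosts opening SMB (TCP 445) connections to many peers in quick succession. The script below is an added example, not the presentation's or TI Safe's method, that orders hosts by the first time they started that behaviour and infers who infected whom. The log format, the fan-out threshold of 3 targets and the addresses are constructed for illustration.

```python
"""Reconstruct the spread of an SMB worm from firewall connection logs and
identify the first infected host ("Mark 0").  Added example, not part of
the presentation; the log lines are constructed for illustration."""
from collections import defaultdict

# Constructed firewall log: "<HH:MM:SS> <src> <dst> <dport> <action>".
# 10.10.1.5 is a file server with a single legitimate SMB connection.
SAMPLE_FW_LOG = """\
09:00:00 10.10.1.40 10.10.1.41 445 allow
09:00:01 10.10.1.40 10.10.1.42 445 allow
09:00:02 10.10.1.40 10.10.1.43 445 allow
09:00:03 10.10.1.40 10.10.1.44 445 allow
09:00:04 10.10.1.40 10.10.1.45 445 deny
09:00:30 10.10.1.5 10.10.1.10 445 allow
09:05:00 10.10.1.43 10.10.1.50 445 allow
09:05:01 10.10.1.43 10.10.1.51 445 allow
09:05:02 10.10.1.43 10.10.1.52 445 allow
09:10:00 10.10.1.51 10.10.1.60 445 allow
09:10:01 10.10.1.51 10.10.1.61 445 allow
09:10:02 10.10.1.51 10.10.1.62 445 allow
09:20:00 10.10.1.20 10.10.1.40 80 allow
"""

SMB_PORT = "445"


def parse_fw_log(text):
    """Return (time, src, dst, dport, action) tuples in chronological order;
    malformed lines are skipped."""
    rows = [tuple(p) for p in (line.split() for line in text.splitlines())
            if len(p) == 5]
    return sorted(rows)  # zero-padded HH:MM:SS sorts correctly as text


def find_scanners(rows, fan_out=3):
    """Hosts that attempted SMB to at least `fan_out` distinct targets
    (denied attempts count: the worm scans regardless of the answer), with
    the time of their first SMB attempt, the earliest evidence of infection."""
    targets = defaultdict(set)
    first_seen = {}
    for ts, src, dst, dport, _ in rows:
        if dport != SMB_PORT:
            continue
        targets[src].add(dst)
        first_seen.setdefault(src, ts)
    return {h: first_seen[h] for h, t in targets.items() if len(t) >= fan_out}


def spread_tree(rows, fan_out=3):
    """Map each scanner to the scanner that most likely infected it: the
    source of the earliest *allowed* SMB connection into it from another
    scanner, at or before the moment it started scanning itself.
    None means no infector was seen in the log."""
    scanners = find_scanners(rows, fan_out)
    tree = {}
    for host, infected_at in scanners.items():
        candidates = [(ts, src) for ts, src, dst, dport, action in rows
                      if dst == host and dport == SMB_PORT and action == "allow"
                      and src in scanners and src != host and ts <= infected_at]
        tree[host] = min(candidates)[1] if candidates else None
    return tree


def mark_zero(text, fan_out=3):
    """The earliest scanner with no known infector in the log."""
    rows = parse_fw_log(text)
    scanners = find_scanners(rows, fan_out)
    roots = [h for h, parent in spread_tree(rows, fan_out).items() if parent is None]
    return min(roots, key=lambda h: scanners[h]) if roots else None


if __name__ == "__main__":
    rows = parse_fw_log(SAMPLE_FW_LOG)
    for host, first in sorted(find_scanners(rows).items(), key=lambda kv: kv[1]):
        print(first, host, "<-", spread_tree(rows)[host])
    print("Mark 0:", mark_zero(SAMPLE_FW_LOG))
```

A host with no infector in the log is either the true Mark 0 or a host infected by a vector the firewall never sees (a USB stick, a laptop plugged straight into the automation network, as on slides 10 and 21), so the root list is the set of machines to examine for removable-media traces, not a single answer. Ordinary SMB usage, such as the file server in the sample, stays below the fan-out threshold; tune it against a week of clean logs before relying on it.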
  30. Cleaning
     • Tested the effectiveness of the current antivirus
     • For SCADA servers:
       - Triggered the manufacturer to install the MS08-067 patch
       - Turned AutoRun off
       - Disabled the service that listens on port 445 (file sharing will be lost)
     • For other hosts:
       - Disinfected using the steps above and applied the same solutions used to clean the SCADA servers, without the need to wait for manufacturers
  31. Network Security – Implemented Solutions
     • IBM-ISS NIPS GX4004 (for border security of the automation network)
       - 2 GX4004 configured on critical communication paths to the corporate network, working together with firewalls that already existed in the infrastructure and that were hardened
       - SiteProtector console configured at the CMI
     • TOFINO (for internal security of the automation network and also OPC enforcing)
       - 9 Tofino Argon Security Appliances configured with SAM, Firewall and OPC Enforcer LSMs
       - Tofino Argon Central Management Platform configured at the CMI
     • IBM TSM (automated backup)
       - Agents installed on the main servers of the power plant
       - Incremental backup to server
       - Tape Management Console installed at the CMI
  32. Systems and Connectivity Restore
     • Hardened all SCADA and OPC servers of the power plant
     • Performed a complete and clean backup of the plant
     • Switched the IBM-ISS NIPS to block-and-log mode for Conficker attacks
     • Reconnected all external networks one by one
     • Checked whether Conficker attacks (or any other attacks) were coming from the external networks that were reconnected
  33. Governance and Monitoring
     • Developed and implemented a specific security policy according to ANSI/ISA-99 best practices, which includes:
       - Access control policy for critical network devices such as PLCs and RTUs
       - VPN external access with strong passwords and independent users
       - Internal training and endomarketing
     • Created an automation domain based on Microsoft Active Directory
     • Added machines and users to this domain and implemented transparent logon on stations, where applicable
     • Configured GPOs for USB and logical port control
     • Built an internal monitoring station (CMI)
  34. The CMI – “Central de Monitoramento Interna” (Internal Monitoring Center)
     • Central server for security monitoring
     • Installed inside the automation network and managed by the automation team
     • Integration point between the customer's security team and the TI Safe remote support team (24 x 7)
     • Through the CMI the following are monitored and managed:
       - IBM-ISS NIPS
       - Tofino appliances
       - IBM TSM automated backup
       - Existing firewalls
       - UPSs
       - Environment variables of the main servers (processor, memory, disk, etc.)
       - Network traffic
  35. Conclusion and Challenges
  36. Conclusion and Challenges
     • In both study cases, we are not talking about Stuxnet. I don't have knowledge of any proven case of a Stuxnet infection in a Brazilian automation plant (which doesn't mean it could not exist in Brazil, because industries may take too long to detect that they are infected and commonly hide those facts).
     • Common worms that have very low impact on home computers or IT networks can completely paralyze automation networks, causing financial loss and exposing human lives to risk.
     • The ANSI/ISA-99 Zones and Conduits model has never been deployed on an automation plant in Brazil. It is very hard for a company to implement this model after the plant is in production. Who would change the network architecture of a plant in production?
     • In this case ANSI/ISA-99 is not useful, because it doesn't mention a subset of best practices for those who cannot apply the defense-in-depth model to their networks. With the confusion, automation managers get lost.
     • ANSI/ISA-99 is not clear in its indication of security solutions. How can a user know which security solution should be used in each specific situation?
  37. Conclusion and Challenges (cont.)
     • Anti-virus on automation networks generates a false sense of security:
       - They are not ready for cyberweapons
       - They don't protect computers with old operating systems
       - In some cases they don't determine the worm variant and confuse users
       - In other, worse cases, they indicate contamination by the wrong malware
       - They are not able to detect some SCADA malware developed in 2 stages (tests using Metasploit at TI Safe Labs – check the video at http://www.youtube.com/watch?v=DmHxFiCivi8 )
     • Correctly diagnosing an infection is hard and must be done by experts:
       - It's fundamental to know who we are fighting against
       - It's very important to discover the mark zero of the infection
     • SCADA application patching is a problem because the manufacturers take too long to patch
     • Operating system updates are frequently disabled on SCADA servers, which leads to an insecure environment.
     • There isn't a certified methodology to help industries recover infected automation networks. Security managers use what they think is the best countermeasure and frequently believe that they cleaned the plant, but the malware reappears.
     • There are other automation plants contaminated in Brazil.
  38. Thank You!
     Marcelo Branquinho
     marcelo.branquinho@tisafe.com
     +55 21 2173-1159 / +55 21 9400-2290
