• No results found

The SCADA That Didn t Cry Wolf: Who s Really Attacking Your SCADA Devices

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "The SCADA That Didn t Cry Wolf: Who s Really Attacking Your SCADA Devices"

Copied!
45
0
0

Loading.... (view fulltext now)

Download now ( 45 Page )

Full text

(1)

Kyle Wilhoit

Sr. Threat Researcher Trend Micro

The SCADA That Didn’t Cry Wolf: Who’s

Really Attacking Your SCADA Devices

(2)

Glossary

10/31/13 Confidential | Copyright 2012 Trend Micro Inc. 2

HMI: Human Machine Interface

IED: Intelligent Electronic Device

SCADA: Supervisory Control And Data Acquisition

RTU: Remote Terminal Unit

Historian: Data Historian

Modbus: Common ICS Protocol

(3)

Typical ICS Deployment

(4)

Modbus

10/31/13 Confidential | Copyright 2012 Trend Micro Inc. 4

•  Oldest ICS Protocol

•  Controls I/O Interfaces (MOSTLY!!!!)

•  No authentication or encryption!

(Surprise!!!)

•  No broadcast suppression

(5)

Security Concerns- ICS vs. IT

10/31/13 Confidential | Copyright 2012 Trend Micro Inc. 5

ICS

•  Correct commands issued

(Integrity)

•  Limit interruptions (Availability)

•  Protect the data (Confidentiality)

IT

•  Protect the data

(Confidentiality)

•  Correct commands issued

(Integrity)

•  Limit interruptions

(6)

•  HMI: Allows arbitrary command execution as

well as set point modifications.

•  Data Historian: Allows inbound traffic to

secure network segments. (Replication of data)

•  RTU: Allows remote communication ability

And many more…

(7)

  First half of 2013

  Over 200 confirmed “incidents”

(8)

•  Google-fu •  Shodan •  ERIPP •  Pastebin •  Twitter

(9)
(10)

•  All Internet facing…

•  No security measures in place

(11)

Attacked several times- over a period of

months

Attackers gained access

Exfiltrated data

Not made public

  This is not a story…

  This happened…

(12)

In my

basement…

(13)
(14)

•  12 total honeypots

•  8 different countries

•  Running since Jan, 2013

•  Combination of *nix, Windows, and

(15)

Physical Deployment

10/31/13 Confidential | Copyright 2012 Trend Micro Inc. 15

Small town in rural America

Water pump controlling water pressure/

availability

(16)

Physical Deployment

10/31/13 Confidential | Copyright 2012 Trend Micro Inc. 16

• 

Fake water pressure system Internet facing

• 

Very little security measures in place

• 

Could cause catastrophic water pressure

failures if compromised

(17)

What They See

(18)

Physical Deployment

(19)

Attack Profile- Country of Origin

10/31/13 Confidential | Copyright 2012 Trend Micro Inc. 19 19% 12% 8% 35% 2% 2% 4% 2% 2% 6% 2% 2% 2% 2% US LAOS UK CHINA NETHERLANDS JAPAN BRAZIL POLAND

(20)

•  12 total honeypots

•  8 different countries

•  Running since Jan, 2013

•  Combination of *nix, Windows, and

(21)

Virtualized Environment

•  Water pump controlling water pressure/

availability

(22)

Logically…

(23)
(24)

Some Tools Used

OpenDNP3

Pi-Face

(25)

Vulnerabilities Presented

“If you can ping it, you own it” •  SNMP vulns (read/write SNMP,

packet sniffing, IP spoofing)

•  Specific ICS Vendor vulnerabilities

•  HMI (Server) Vulnerabilities

•  Authentication limitations

•  Limits of Modbus/DNP3 authentication/encryption

•  VxWorks Vulnerability (FTP)

•  Open access for certain ICS modifications- fan speed, temperature, and utilization.

(26)

What’s an Attack?

•  ONLY attacks that were targeted

•  ONLY attempted modification of pump

system (FTP, Telnet, Modbus, set points, etc.)

•  ONLY attempted modification via

Modbus/DNP3

(27)

Total Attacks

(28)

Non-Critical Attack Profile-

Source Countries

(29)

Critical Attack Profile- Source

Countries

(30)

Some Attack Stats

0 0.5 1 1.5 2 2.5 3 3.5

Shutdown pump system Modify temperature output Modify pump pressure HMI access Modbus traffic modification Modification of CPU fan speed Data exfiltration attempt

(31)

Spear Phished

TO: CITYWORKS@<HOSTNAME OF OUR CITY>.COM

“ Hello sir, I am <name of city administrator> and

would like the attached statistics filled out and

sent back to me. Kindly Send me the doc and also advise if you have questions. Look forward you

hear from you soon

(32)

Cityrequest.doc

(33)
(34)

Dropped Files

•  CityRequest.doc

•  File gh.exe dumps all local password hashes

  <gh.exe –w>

•  File ai.exe shovels a shell back to a dump server.

  < ai.exe –d1 (Domain) –c1 (Compare IP) –s (Service) >

•  Malware communicating to a drop/CnC server in China. •  exploiting CVE 2012-0158

•  Malware communicating to a drop/CnC server in USA –  70.254.245.X

–  70.254.245.X

(35)

Execution

•  Upon execution of CityRequest.docx, files leaving

the server in question after 5 days.

–  Fake VPN config file

–  Network statistics dump

–  SAM database dump

–  Gain persistence via process migration

(36)
(37)
(38)

APT1 Report

•  APT1 (Comment Crew) report released in Feb

2013.

•  Included many APT variants we’ve seen.

•  One of particular interest was HACKSFASE.

(39)
(40)

Attribution

(41)

Attribution

• 

IP

• 

BeEF

(42)

BeEF Usage

• 

Detect Tor

• 

Get Registry Keys

• 

Get_Physical_Location

• 

Get_System_Info

(43)

Attacker Profile

•  Most attacks appeared to be non-targeted

•  Many attackers were “opportunists”

(44)

Some Takeaways

•  Red team/Blue team often

•  Perform specialized vulnerability assessments

•  Control contractors

•  Perform basic security controls

•  Network segmentation

•  Two-factor authentication

•  Patch your stuff!

•  Lockdown external media

•  Manage vulnerabilities

•  Classify your data/assets

(45)

Shout

Email:

[email protected]

Non-Work:

[email protected]

References

Download now ( PDF - 45 Page - 8.08 MB )

Related documents

Sheep genome functional annotation reveals proximal regulatory elements contributed to the evolution of modern breeds

As input we used the collection of genome features described above that included: (i) sheep H3K4me3 and H3K27ac ChIP-Seq peaks; (ii) Epigenome Roadmap predicted chromatin states;

ERNEST GUSELLA CURRICULUM VITAE Page One

1980 Visiting Artist, Meda Study Center, Rice University, Houston, Texas 1980 Visiting Artist, Film &amp; Video Department, New York University, N .Y .C. 1981 Visiting Artist,

Manual for Satellite Data Analysis ECognition Developer

- Under the Create Project Window, if you would like to add Vector file, click the Insert button on the right side of the heading; Thematic Layer Alias (as shown below).. -

The impact of COVID-19 control measures on social contacts and transmission in Kenyan informal settlements.

Based on these values, control measures would have reduced the mean estimate of R 0 to below one even if the initial R 0 had been as high as 4.36 as- suming only physical contacts

Field Survey and Collection of Traditionally Grown Crops in Northern Areas of Myanmar, 2006

A field exploration was planned and carried out to investigate and collect genetic variation of upland rice, small millets, pulses, ginger and turmeric in Kachin State in

SAFETY DATA SHEET. Revision Date: 27-Apr-2020 Revision Number: 6 1. PRODUCT AND COMPANY IDENTIFICATION. No information available

Employers should use this information only as a supplement to other information gathered by them and must make independent determination of suitability and completeness of

LLIN Evaluation in Uganda Project (LLINEUP) - Impact of long-lasting insecticidal nets with, and without, piperonyl butoxide on malaria indicators in Uganda: study protocol for a cluster-randomised trial.

We address the following research question: ‘Are com- bination LLINs (with PBO) more effective than conven- tional LLINs (without PBO) for malaria control in Uganda, an area