bh europe 2013_wilhoit
DESCRIPTION
Blackhat Europe 2013TRANSCRIPT
Who’s Really Attacking Your
Kyle WilhoitThreat Researcher, Trend Micro
ICS Devices?
#WHOAMI
• Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats, and vulnerabilities.
• Bachelor’s and Master’s in Computer Science. Currently pursuing PhD. Normal security certifications, CISSP, GCIH, GCFE, etc…
• Research:-Malware detection/reversing-Persistent Threats (Malware based espionage)-ICS/SCADA Security-Vulnerabilities and the “Underground”
This presentation will focus on:• Concerns/Overview of ICS Security• How terrible the security profiles of ICS devices are• Are ICS devices attacked?• Who attacks ICS devices?
Agenda• ICS Overview• Typical ICS Deployment• Overview of two SCADA protocols• ICS Vulnerabilities• SCADA on the Internet?• Story Time!• Findings• Attacker Profile• Recommendations
ICS Overview
What are ICS devices?• Used in production of virtually anything• Used in water, gas, energy, automobile
manufacturing, etc. • Notoriously insecure…in every way• Software is sometimes embedded, sometimes not• Typically proprietary
TYPICAL ICS
DNP3• Used to send and receive messages • Complex• No authentication or encryption• Several published vulnerabilities
Modbus• Oldest ICS Protocol• Controls I/O Interfaces (MOSTLY!!!!)• No authentication or encryption! (Surprise!!!)• No broadcast suppression• Vulnerabilities are published
Security Concerns- ICS vs. Traditional IT Systems
ICS• Productivity• Up-time• Reliability of data
IT• Protect the data• Protect comms• Limit interruptions
ICS Vulnerabilities• In 2012, 171 unique vulnerabilities affecting ICS products.• 55 Vendors…
SCADA on the Internet???
• Google-fu• Shodan
SCADA on the Internet???• Pastebin• ERIPP• Twitter
Story Time!• Small town in rural America• Water pump controlling water
pressure/availability• Population 18,000~
• WRONG!• WRONG!
Story Time!• Water pressure system Internet facing• No firewalls/security measures in place• Could cause catastrophic water pressure
failures
• WRONG!• WRONG!
Story Time!• Attacked several times…During Q3-Q4• Attackers successfully gained access• Has not been made public• This is not a story…• Real life event..
• WRONG!• WRONG!
Story Time!
This Happened.
• WRONG!
Story Time!
In my basement…
• WRONG!• WRONG!
Enter…Honeypots…
• WRONG!• WRONG!
Honeypot Overview• Two low-interaction• One high-interaction• Ran for 28 days in total• One Windows Server 08• Two Ubuntu 12.04 Servers
What They See
• WRONG!• WRONG!
High-Interaction Architecture
• WRONG!• WRONG!
Low-Interaction Architecture
• WRONG!• WRONG!
Some Tools Used
Vulnerabilities Presented
“If you can ping it, you own it”
• SNMP vulns (read/write SNMP, packet sniffing, IP spoofing)
• Authentication limitations• Limits of Modbus/DNP3
authentication/encryption• VxWorks Vulnerability (FTP)• Open access for certain ICS
modifications- fan speed, temperature, and utilization.
• WRONG!
What is an “attack”?• ONLY attacks that were targeted• ONLY attempted modification of pump system
(FTP, Telnet, etc.)• ONLY attempted modification via Modbus/DNP3• DoS/DDoS will be considered attacks
• WRONG!
Attack Profile Countries
US; 9
LAOS; 6
UK; 4
CHINA; 17
NETHERLANDS; 1
JAPAN; 1BRAZIL; 2
POLAND; 1VIETNAM; 1
RUSSIA; 3PALESTINE, 1CHILE; 1 CROATIA; 1 NORTH KOREA; 1
• Not Just IP’s
• WRON!
Attack Overview
Modification of CPU fan speed
Modbus traffic modification
Secured area access attempt
Modify pump pressure
Modify temperature output
Attempt to shutdown pump system
Vxworks exploitation attempt
0 2 4 6 8 10 12 14
Count
Count
Snort Findings
• Used Digital Bond’s Quickdraw SCADA Snort Rules• Custom Snort Rules Created
1111006Modbus TCP – Unauthorized Read Request to a PLC
1111007Modbus TCP – Unauthorized Write Request to a PLC
1111206 / 11112061DNP3 – Unauthorized Read Request to a PLC
1111207 DNP3 – Unauthorized Write Request to a PLC
1111208DNP3 – Unauthorized Miscellaneous Request to a PLC
• WRONG!• WRONG!
Spear Phished!TO: CITYWORKX@<HOSTNAME OF OUR CITY>.COM
“ Hello sir, I am <name of city administrator> and would like the attached statistics filled out and sent back to me. Kindly Send me the doc and also advise if you have questions. Look forward you hear from you soon
....Mr. <city administrator name> ”
• WRONG!• WRONG!
CityRequest.doc
• WRONG!• WRONG!
Malware• CityRequest.doc• File gh.exe dumps all local password hashes
– <gh.exe –w>• File ai.exe shovels a shell back to a dump server.
– < ai.exe –d1 (Domain) –c1 (Compare IP) –s (Service) >• Malware communicating to a drop/CnC server in China.• exploiting CVE 2012-0158
• WRONG!• WRONG!
Execution
• WRONG!• WRONG!
Execution• Upon execution of CityRequest.docx, files leaving the server
in question after 5 days.– Fake VPN config file– Network statistics dump– SAM database dump– Gain persistence via process migration
• Won’t execute on Office 2010.
• WRONG!• Monitors reg keys for value changes• Creates guard pages• Dropped PE files• Communicates to C2 IP’s• Creates files• Creates fake document and opens it
Malware Features
Attack: Days 1-4
Attack: Days 5-17
Attack: Days 18-???
• WRONG!• WRONG!• Chose most prevalent attacker(s)• Profiled, poked, and researched who they were• Malware was code-reuse
Targeted? Who Knows…
Attacker Profile
Motivation?• Motivation is hard to establish…
Recommendations• Disable Internet access to your trusted resources. Where possible.
• Maintain your trusted resources at the latest patch levels, and ensure you are diligent in monitoring when new patches/fixes are released.
• Require username/password (two-factor if possible) combinations for all systems, including those that are not deemed “trusted”.
• Control contractor access- Many SCADA/ICS networks utilize remote contractors, and controlling how they access trusted resources is imperative.
Recommendations• Utilize SSL/TLS for all communications to web-based ICS/SCADA
systems.
• Control access to trusted devices. For instance, for access to a segmented network, use a bastion host with ACL’s for ingress/egress access.
• Improve logging on trusted environments, in addition to passing logs to SIEM devices for third party backup/analysis.
• Utilize Zones- such as “BLAN”, “WLAN”, and “SCADA”.
• Develop a threat modeling system to your organization- understand who’s attacking you, and why.
REMEMBER:• These attacks are happening… In the USA, and many other places…
ShoutTwitter: @lowcalspamEmail: [email protected]: [email protected]
Please complete the speaker feedback surveys! (m.blackhat.com)