Slide 1

The SCADA That Didn’t Cry Wolf: Who’s Really Attacking Your SCADA Devices
Kyle Wilhoit, Sr. Threat Researcher, Trend Micro
Slide 2
Confidential | Copyright 2012 Trend Micro Inc. | 3/17/14

Security Concerns - ICS vs. IT

ICS:
• Correct commands issued (Integrity)
• Limit interruptions (Availability)
• Protect the data (Confidentiality)

IT:
• Protect the data (Confidentiality)
• Correct commands issued (Integrity)
• Limit interruptions (Availability)
Slide 3

Primary Security Concerns
• HMI: Allows arbitrary command execution as well as set point modifications.
• Data Historian: Allows inbound traffic to secure network segments (replication of data).
• RTU: Allows remote communication ability.
• And many more…
Slide 4

Incidents Exist
• First half of 2013
• Over 200 confirmed “incidents”
Slide 5

SCADA Internet Facing
• Google-fu
• Shodan
• ERIPP
• Pastebin
• Twitter
Slide 6

SCADA Internet Facing
Slide 7

Story Time!
• All Internet facing…
• No security measures in place
Slide 8

Attacks
• Attacked several times, over a period of months
• Attackers gained access
• Exfiltrated data
• Not made public
• This is not a story…
• This happened…
Slide 9

Story Time!
In my basement…
Slide 10

Enter Honeypots…
Slide 11

Phase 1: Nov. 2012 - March 2013
• 12 total honeypots
• 8 different countries
• Running since Jan. 2013
• Combination of *nix, Windows, and embedded systems
Slide 12

Physical Deployment
• Small town in rural America
• Water pump controlling water pressure/availability
• Population ~18,000
Slide 13

Physical Deployment
• Fake water pressure system, Internet facing
• Very few security measures in place
• Could cause catastrophic water pressure failures if compromised
Slide 14

What They See
Slide 15

Physical Deployment
Slide 16

Phase 2: March 2013 - July 2013
• 12 total honeypots
• 8 different countries
• Running since Jan. 2013
• Combination of *nix, Windows, and embedded systems
Slide 17

Virtualized Environment
• Water pump controlling water pressure/availability
• Population combined ~50 million
Slide 18

Logically…
Slide 19

Architecture
Slide 20

Localization
Slide 21

Some Tools Used
• OpenDNP3
• Pi-Face
• Modbus.py
Slide 22

Vulnerabilities Presented
“If you can ping it, you own it”
• SNMP vulns (read/write SNMP, packet sniffing, IP spoofing)
• Specific ICS vendor vulnerabilities
• HMI (server) vulnerabilities
• Authentication limitations
• Limits of Modbus/DNP3 authentication/encryption
• VxWorks vulnerability (FTP)
• Open access for certain ICS modifications: fan speed, temperature, and utilization
Slide 23

What’s an Attack?
• ONLY attacks that were targeted
• ONLY attempted modification of the pump system (FTP, Telnet, Modbus, set points, etc.)
• ONLY attempted modification via Modbus/DNP3
• DoS/DDoS will be considered attacks
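The attack definition on slides 21-23 turns on telling a Modbus write (a set point change) apart from the routine reads an HMI issues all day. The following is an added example and not the honeypot code from the talk (Modbus.py and OpenDNP3 are named on the slides but never shown): it parses Modbus/TCP frames, names the function code, and flags writes that do not come from a known operator host as attacks in the talk's sense. The source addresses, the allowlist and the frames are constructed sample input.

```python
"""Classify Modbus/TCP requests by whether they try to modify device state.

Added example for this transcript; it is not the honeypot code from the talk
(Modbus.py / OpenDNP3 are named on the slides but not shown). It assumes only
standard Modbus/TCP framing: a 7-byte MBAP header (transaction id, protocol id,
length, unit id) followed by the PDU (function code + data). Source addresses,
the operator allowlist and the frames below are constructed sample input.
"""
import struct
from dataclasses import dataclass

# Public function codes that change coil/register state (write requests).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x17: "Read/Write Multiple Registers",
}
# Function codes that only read state (normal HMI polling).
READ_FUNCTIONS = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP ADU; raise ValueError on malformed framing."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The MBAP length field counts the unit id plus every PDU byte after it.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} != {len(frame) - 6} bytes on the wire")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def is_well_formed(frame: bytes) -> bool:
    try:
        parse_modbus_tcp(frame)
        return True
    except ValueError:
        return False


def classify(frame: bytes, src_ip: str, allowlist: set) -> dict:
    """Label one request using the talk's definition: an attempted modification
    via Modbus counts as an attack unless it comes from a known operator host.
    Reads are never flagged, so routine HMI polling stays quiet."""
    req = parse_modbus_tcp(frame)
    if req.function_code in WRITE_FUNCTIONS:
        kind, name = "write", WRITE_FUNCTIONS[req.function_code]
    elif req.function_code in READ_FUNCTIONS:
        kind, name = "read", READ_FUNCTIONS[req.function_code]
    else:
        kind, name = "other", f"function 0x{req.function_code:02x}"
    detail = {}
    if req.function_code in (0x05, 0x06) and len(req.data) >= 4:
        # Single-item writes carry the target address and the new value,
        # i.e. the set point the sender wants the device to adopt.
        addr, value = struct.unpack(">HH", req.data[:4])
        detail = {"register": addr, "value": value}
    elif req.function_code in (0x0F, 0x10) and len(req.data) >= 4:
        addr, count = struct.unpack(">HH", req.data[:4])
        detail = {"register": addr, "count": count}
    return {"src": src_ip, "unit": req.unit_id, "function": name,
            "kind": kind, "attack": kind == "write" and src_ip not in allowlist,
            **detail}


def build_request(tid: int, unit: int, function_code: int, data: bytes) -> bytes:
    """Build a Modbus/TCP ADU (used here only to construct sample input)."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


ALLOWLIST = {"10.0.0.5"}  # constructed: the plant's HMI
SAMPLE_TRAFFIC = [  # constructed (source ip, frame) pairs
    ("10.0.0.5", build_request(1, 1, 0x03, struct.pack(">HH", 0, 10))),       # HMI polls 10 registers
    ("10.0.0.5", build_request(2, 1, 0x06, struct.pack(">HH", 16, 500))),     # operator changes a set point
    ("198.51.100.23", build_request(3, 1, 0x06, struct.pack(">HH", 16, 0))),  # outside host zeroes it
    ("198.51.100.23", build_request(4, 1, 0x03, struct.pack(">HH", 0, 10))),  # outside host only reads
]


def audit(traffic=SAMPLE_TRAFFIC, allowlist=ALLOWLIST) -> list:
    return [classify(frame, src, allowlist) for src, frame in traffic]


if __name__ == "__main__":
    for r in audit():
        print("ATTACK" if r["attack"] else "ok    ", r["src"], r["function"],
              {k: v for k, v in r.items() if k in ("register", "value", "count")})
```

Only the third frame is flagged: same write as the operator's, but from a host the plant does not recognise. Deciding on the allowlist rather than on function code alone is what keeps a real HMI from drowning the alert in its own set point changes.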
Slide 24

Total Attacks: 74 attacks
Slide 25

Non-Critical Attack Profile - Source Countries
63 non-critical attacks
Slide 26

Critical Attack Profile - Source Countries
11 critical attacks
Slide 27

Some Attack Stats (bar chart of attack counts per category; only the category labels survive in the transcript)
• Shutdown pump system
• Modify temperature output
• Modify pump pressure
• HMI access
• Modbus traffic modification
• Modification of CPU fan speed
• Data exfiltration attempt
Slide 28

Spear Phished
TO: CITYWORKS@<HOSTNAME OF OUR CITY>.COM
“Hello sir, I am <name of city administrator> and would like the attached statistics filled out and sent back to me. Kindly Send me the doc and also advise if you have questions. Look forward you hear from you soon
....Mr. <city administrator name>”
Slide 29

Cityrequest.doc
• Decoy doc: not much substance
Slide 30

Cityrequest.doc
Slide 31

Dropped Files
• CityRequest.doc
• File gh.exe dumps all local password hashes
  – <gh.exe –w>
• File ai.exe shovels a shell back to a dump server
  – <ai.exe –d1 (Domain) –c1 (Compare IP) –s (Service)>
• Malware communicating to a drop/CnC server in China
• Exploiting CVE-2012-0158
• Malware communicating to a drop/CnC server in the USA
  – 70.254.245.X
  – 70.254.245.X
  – Has been taken down… by the US government
Slide 32

Firmware Rippage
• Firmware was ripped off 3 times total
• Done in 3 separate intervals
• Used binwalk
• Viewed strings
• Exfiltrated unpacked firmware

```
$ strings MX1A4d.lod
...
XlatePhySec, h[Sec],[NumSecs]
XlatePhySec, p[Sec],[NumSecs]
XlatePlpChs, d[Cyl],[Hd],[Sec],[NumSecs]
XlatePlpChw, f[Cyl],[Hd],[Wdg],[NumWdgs]
XlateSfi, D[PhyCyl],[Hd],[Sfi],[NumSfis]
XlateWedge, t[Wdg],[NumWdgs]
ChannelTemperatureAdj, U[TweakTemperature],[Partition],[Hd],[Zone],[Opts]
WrChs, W[Sec],[NumSecs],,[PhyOpt],[Opts]
EnableDisableWrFault, u[Op]
WrLba, W[Lba],[NumLbas],,[Opts]
WrLongOrSystemChs, w[LongSec],[LongSecsOrSysSec],[SysSecs],[LongPhySecOpt],,[SysOpts]
RwPowerAsicReg, V[RegAddr],[RegValue],[WrOpt]
WrPeripheralReg, s[OpType],[RegAddr],[RegValue],[RegMask],[RegPagAddr]
WrPeripheralReg, t[OpType],[RegAddr],[RegValue],[RegMask],[RegPagAddr]
```
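The slide shows `strings` run over the firmware that was pulled off the honeypot. As an added example, not the author's tooling, the block below does the same extraction in Python with byte offsets and then sorts the hits into the buckets a reviewer checks first when assessing what an attacker could learn from a leaked image: command-table entries shaped like the ones above, URLs, credential-like `name:secret` pairs, and version markers. The firmware blob and the triage patterns are constructed for the example; the command-table pattern only mirrors the shape of the entries on the slide (Name, letter[Arg],[Arg]).

```python
"""Pull printable strings out of a firmware image and triage them.

Added example for this transcript, not the author's tooling: it reimplements
the part of `strings` used on the slide (runs of printable ASCII of a minimum
length, with their offsets) and then sorts the hits into the buckets a
reviewer checks first. FIRMWARE_BLOB and the triage patterns are constructed
for the example; the command-table pattern only mirrors the shape of the
entries shown on the slide (Name, letter[Arg],[Arg]).
"""
import re

MIN_LEN = 4  # same default as GNU strings


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list:
    """Return (offset, text) for every run of >= min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(blob)]


# Checked in order; the first match wins, so a URL is never mis-filed as a
# name:secret pair because of its "http:" prefix.
TRIAGE_RULES = [
    ("url", re.compile(r"https?://")),
    ("command-table", re.compile(r"^[A-Za-z]+, [A-Za-z]\[")),
    ("credential-like", re.compile(r"^[A-Za-z0-9_]+:[^\s:]+$")),
    ("version", re.compile(r"\bv?\d+\.\d+(\.\d+)?\b")),
]


def triage(found: list) -> dict:
    """Group (offset, text) pairs by the first TRIAGE_RULES pattern they match."""
    groups = {name: [] for name, _ in TRIAGE_RULES}
    groups["other"] = []
    for offset, text in found:
        for name, pattern in TRIAGE_RULES:
            if pattern.search(text):
                groups[name].append((offset, text))
                break
        else:
            groups["other"].append((offset, text))
    return groups


# Constructed stand-in for a firmware image: a header-like prefix, binary
# padding, and a few embedded strings of the kinds a review turns up.
FIRMWARE_BLOB = (
    b"\x7fELF" + b"\x00" * 12
    + b"XlatePhySec, h[Sec],[NumSecs]\x00"      # command-table entry (shape from the slide)
    + b"\x01\x02\x03"
    + b"admin:pump2013\x00"                    # hard-coded credential (constructed)
    + b"\xff" * 8
    + b"http://update.example.invalid/fw\x00"  # update endpoint (constructed)
    + b"ab\x00"                                # too short to report
    + b"v1.4.2\x00"                            # version marker
)

if __name__ == "__main__":
    for bucket, hits in triage(extract_strings(FIRMWARE_BLOB)).items():
        for offset, text in hits:
            print(f"{bucket:16} 0x{offset:06x} {text}")
```

Offsets matter more than the text alone: they let a reviewer confirm a string sits in a section that is actually reachable by the code, which is the difference between a leftover debug label and a live hard-coded credential.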
Slide 33

Execution
• Upon execution of CityRequest.docx, files began leaving the server in question after 5 days:
  – Fake VPN config file
  – Network statistics dump
  – SAM database dump
  – Gain persistence via process migration
• Won’t execute on Office 2010.
Slide 34

Exfiltration: Days 1-4
Slide 35

Exfiltration: Days 5-17
Slide 36

APT1 Report
• APT1 (Comment Crew) report released in Feb. 2013
• Included many APT variants we’ve seen
• One of particular interest was HACKSFASE
• Commonly used in the energy sector
Slide 37

Examination
Slide 38

“APT1” is Still Active!
• Operation Siesta: published last week
• Uses “sleep” functionality
• Uses valid-looking download links
• Uses targeted documents (sometimes)
• CVE-2012-0158
• CVE-2013-3906
Slide 40

Attribution
Slide 41

Attribution
• IP
• BeEF
• Code Analysis
Slide 42

BeEF Usage
• Detect Tor
• Get Registry Keys
• Get_Physical_Location
• Get_System_Info
• Get_Internal_IP
Slide 43

Attacker Profile
• Most attacks appeared to be non-targeted
• Many attackers were “opportunists”
• Some were targeted…
Slide 44

Some Takeaways
• Red team/Blue team often
• Perform specialized vulnerability assessments
• Control contractors
• Perform basic security controls:
  – Network segmentation
  – Two-factor authentication
  – Patch your stuff!
  – Lock down external media
  – Manage vulnerabilities
  – Classify your data/assets
  – etc.