The SCADA That Didn t Cry Wolf- Who s Really Attacking Your ICS Devices- Part Deux!

Transcription

1 The SCADA That Didn t Cry Wolf- Who s Really Attacking Your ICS Devices- Part Deux!

2 #whoami Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats, and vulnerabilities. Bachelor s and Master s in Computer Science. Currently pursuing PhD. Research: -Malware detection/reversing -Persistent Threats (Malware based espionage) -ICS/SCADA Security -Offensive Exploitation

3 This presentation will focus on: Concerns/Overview of ICS Security Who attacks ICS devices? Targeted attackers

4 ICS Overview What are ICS devices? Used in production of virtually anything Used in water, gas, energy, automobile manufacturing, etc. Notoriously insecure in every way Software is sometimes embedded, sometimes not Typically proprietary

5 Glossary HMI: Human Machine Interface IED: Intelligent Electronic Device SCADA: Supervisory Control And Data Acquisition RTU: Remote Terminal Unit Historian: Data Historian Modbus: Most common ICS Protocol DNP3: Very common ICS Protocol

6 Typical ICS Deployment

7 Modbus Oldest ICS Protocol Controls I/O Interfaces (MOSTLY!!!!) No authentication or encryption! (Surprise!!!) No broadcast suppression Vulnerabilities are published

8 DNP3 Used to send and receive messages Complex No authentication or encryption Several published vulnerabilities

9 Security Concerns- ICS vs. Traditional IT Systems ICS Correct commands issued (Integrity) Limit interruptions (Availability) Protect the data (Confidentiality) IT Protect the data (Confidentiality) Correct commands issued (Integrity) Limit interruptions (Availability)

10 Vulnerabilities Are Common In 2012, 171 unique vulnerabilities affecting ICS products. 55 Vendors

11 Google-fu Shodan ERIPP Pastebin Twitter SCADA Internet Facing

12 Story Time Small towns in Australia, Brazil, America, China, Russia, Ireland, and Singapore Water pump controlling water pressure/availability Population combined ~100,000

13 All Internet facing Story Time No security measures in place

14 Attacks Attacked several times Attackers gained access Not made public This is not a story This happened

15 In my basement Attacks

16 Honeypots

17 Honeypots 12 total honeypots 8 different countries Running since Jan, 2013 Combination of *nix, Windows, and embedded systems

18 What They See

19 Architecture

20 Tools Used

21 Vulnerabilities Presented If you can ping it, you own it SNMP vulns (read/write SNMP, packet sniffing, IP spoofing) HMI (Server) Vulnerabilities Authentication limitations Limits of Modbus/DNP3 authentication/encryption VxWorks Vulnerability (FTP) Open access for certain ICS modifications- fan speed, temperature, and utilization.

22 What s an Attack? ONLY attacks that were targeted ONLY attempted modification of pump system (FTP, Telnet, etc.) ONLY attempted modification via Modbus/DNP3 DoS/DDoS will be considered attacks

23 Non-Critical Attack Profile- Source Countries

24 Critical Attack Profile- Source Countries

25 Automated Attacks 16,733 automated attacks over 5 months 16,739 HTTP methods accounted for 605 Unique IP s METHOD COUNT CONNECT 18 GET HEAD 328 INDEX 1 OPTIONS 368 POST 174 PUT 1 TRACE 1 TRACK

26 Automated Attacks Count Data exfiltration attempt Modification of CPU fan speed Modbus traffic modification HMI access Count Modify pump pressure Modify temperature output Shutdown pump system

27 Snort Findings Used Digital Bond s Quickdraw SCADA Snort Rules Custom Snort Rules Created Modbus TCP Unauthorized Read Request to a PLC Modbus TCP Unauthorized Write Request to a PLC DNP3 Unauthorized Read Request to a PLC / DNP3 Unauthorized Write Request to a PLC DNP3 Unauthorized Miscellaneous Request to a PLC

28 Spear Phished TO: OF OUR CITY>.COM Hello sir, I am <name of city administrator> and would like the attached statistics filled out and sent back to me. Kindly Send me the doc and also advise if you have questions. Look forward you hear from you soon...mr. <city administrator name>

29 Cityrequest.doc Decoy doc- not much substance

30 Cityrequest.doc

31 Dropped Files CityRequest.doc File gh.exe dumps all local password hashes <gh.exe w> File ai.exe shovels a shell back to a dump server. < ai.exe d1 (Domain) c1 (Compare IP) s (Service) > Malware communicating to a drop/cnc server in China. exploiting CVE Malware communicating to a drop/cnc server in USA Has been taken down by the US government

32 Execution Upon execution of CityRequest.docx, files leaving the server in question after 5 days. Fake VPN config file Network statistics dump SAM database dump Gain persistence via process migration Won t execute on Office 2010.

33 APT1 Report APT1 (Comment Crew) report released in Feb Included many APT variants we ve seen. One of particular interest was HACKSFASE. Commonly used in energy sector.

34 Examination

35 -Connections seen: Examination

36 IP BeEF Code Analysis Attribution

37 BeEF Usage Detect Tor Get Registry Keys Get_Physical_Location Get_System_Info Get_Internal_IP

38 Attack: Days 1-4

39 Attack: Days 5-17

40 Attacker Profile Most attacks appeared to be non-targeted One appeared to be the work of Comment Crew Many attackers were opportunists

41 Recommendations Disable Internet access to your trusted resources. Where possible. Maintain your trusted resources at the latest patch levels, and ensure you are diligent in monitoring when new patches/fixes are released. Require username/password (two-factor if possible) combinations for all systems, including those that are not deemed trusted. Control contractor access- Many SCADA/ICS networks utilize remote contractors, and controlling how they access trusted resources is imperative.

42 Recommendations Utilize SSL/TLS for all communications to web-based ICS/SCADA systems. Control access to trusted devices. For instance, for access to a segmented network, use a bastion host with ACL s for ingress/egress access. Improve logging on trusted environments, in addition to passing logs to SIEM devices for third party backup/analysis. Utilize Zones- such as BLAN, WLAN, and SCADA. Develop a threat modeling system to your organizationunderstand who s attacking you, and why.

43 Shout Non-Work: