Bh europe 2013_wilhoit
•Als PPTX, PDF herunterladen•
0 gefällt mir•1,253 views
Blackhat Europe 2013
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Andere mochten auch
Andere mochten auch (7)
Ähnlich wie Bh europe 2013_wilhoit
Ähnlich wie Bh europe 2013_wilhoit (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Bh europe 2013_wilhoit
- 1. Who’s Really Attacking Your
- 2. #WHOAMI • Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats, and vulnerabilities. • Bachelor’s and Master’s in Computer Science. Currently pursuing PhD. Normal security certifications, CISSP, GCIH, GCFE, etc… • Research: -Malware detection/reversing -Persistent Threats (Malware based espionage) -ICS/SCADA Security -Vulnerabilities and the “Underground”
- 3. This presentation will focus on: • Concerns/Overview of ICS Security • How terrible the security profiles of ICS devices are • Are ICS devices attacked? • Who attacks ICS devices?
- 4. Agenda • ICS Overview • Typical ICS Deployment • Overview of two SCADA protocols • ICS Vulnerabilities • SCADA on the Internet? • Story Time! • Findings • Attacker Profile • Recommendations
- 5. ICS Overview What are ICS devices? • Used in production of virtually anything • Used in water, gas, energy, automobile manufacturing, etc. • Notoriously insecure…in every way • Software is sometimes embedded, sometimes not • Typically proprietary
- 6. TYPICAL ICS
- 7. DNP3 • Used to send and receive messages • Complex • No authentication or encryption • Several published vulnerabilities
- 8. Modbus • Oldest ICS Protocol • Controls I/O Interfaces (MOSTLY!!!!) • No authentication or encryption! (Surprise!!!) • No broadcast suppression • Vulnerabilities are published
- 9. Security Concerns- ICS vs. Traditional IT Systems ICS • Productivity • Up-time • Reliability of data IT • Protect the data • Protect comms • Limit interruptions
- 10. ICS Vulnerabilities • In 2012, 171 unique vulnerabilities affecting ICS products. • 55 Vendors…
- 11. SCADA on the Internet??? • Google-fu • Shodan
- 12. SCADA on the Internet??? • Pastebin • ERIPP • Twitter
- 13. Story Time! • Small town in rural America • Water pump controlling water pressure/availability • Population 18,000~
- 14. • WRONG!• WRONG! Story Time! • Water pressure system Internet facing • No firewalls/security measures in place • Could cause catastrophic water pressure failures
- 15. • WRONG!• WRONG! Story Time! • Attacked several times…During Q3-Q4 • Attackers successfully gained access • Has not been made public • This is not a story… • Real life event..
- 16. • WRONG!• WRONG! Story Time! This Happened.
- 17. • WRONG! Story Time! In my basement…
- 19. • WRONG!• WRONG! Honeypot Overview • Two low-interaction • One high-interaction • Ran for 28 days in total • One Windows Server 08 • Two Ubuntu 12.04 Servers
- 20. What They See
- 21. • WRONG!• WRONG! High-Interaction Architecture
- 22. • WRONG!• WRONG! Low-Interaction Architecture
- 23. • WRONG!• WRONG! Some Tools Used
- 24. Vulnerabilities Presented “If you can ping it, you own it” • SNMP vulns (read/write SNMP, packet sniffing, IP spoofing) • Authentication limitations • Limits of Modbus/DNP3 authentication/encryption • VxWorks Vulnerability (FTP) • Open access for certain ICS modifications- fan speed, temperature, and utilization.
- 25. • WRONG! What is an “attack”? • ONLY attacks that were targeted • ONLY attempted modification of pump system (FTP, Telnet, etc.) • ONLY attempted modification via Modbus/DNP3 • DoS/DDoS will be considered attacks
- 26. • WRONG! Attack Profile Countries US, 9 LAOS, 6 UK, 4 CHINA, 17 NETHERLANDS, 1 JAPAN, 1 BRAZIL, 2 POLAND, 1 VIETNAM, 1 RUSSIA, 3 PALESTINE, 1 CHILE, 1 CROATIA, 1 NORTH KOREA, 1 • Not Just IP’s
- 27. • WRON! Attack Overview 0 2 4 6 8 10 12 14 Modification of CPU fan speed Modbus traffic modification Secured area access attempt Modify pump pressure Modify temperature output Attempt to shutdown pump system Vxworks exploitation attempt Count Count
- 28. Snort Findings • Used Digital Bond’s Quickdraw SCADA Snort Rules • Custom Snort Rules Created 1111006 Modbus TCP – Unauthorized Read Request to a PLC 1111007 Modbus TCP – Unauthorized Write Request to a PLC 1111206 / 11112061 DNP3 – Unauthorized Read Request to a PLC 1111207DNP3 – Unauthorized Write Request to a PLC 1111208 DNP3 – Unauthorized Miscellaneous Request to a PLC
- 29. • WRONG!• WRONG! Spear Phished! TO: CITYWORKX@<HOSTNAME OF OUR CITY>.COM “ Hello sir, I am <name of city administrator> and would like the attached statistics filled out and sent back to me. Kindly Send me the doc and also advise if you have questions. Look forward you hear from you soon ....Mr. <city administrator name> ”
- 31. • WRONG!• WRONG! Malware • CityRequest.doc • File gh.exe dumps all local password hashes – <gh.exe –w> • File ai.exe shovels a shell back to a dump server. – < ai.exe –d1 (Domain) –c1 (Compare IP) –s (Service) > • Malware communicating to a drop/CnC server in China. • exploiting CVE 2012-0158
- 33. • WRONG!• WRONG! Execution • Upon execution of CityRequest.docx, files leaving the server in question after 5 days. – Fake VPN config file – Network statistics dump – SAM database dump – Gain persistence via process migration • Won’t execute on Office 2010.
- 34. • WRONG!• Monitors reg keys for value changes • Creates guard pages • Dropped PE files • Communicates to C2 IP’s • Creates files • Creates fake document and opens it Malware Features
- 35. Attack: Days 1-4
- 38. • WRONG!• WRONG! • Chose most prevalent attacker(s) • Profiled, poked, and researched who they were • Malware was code-reuse Targeted? Who Knows… Attacker Profile
- 39. Motivation? • Motivation is hard to establish…
- 41. Recommendations • Disable Internet access to your trusted resources. Where possible. • Maintain your trusted resources at the latest patch levels, and ensure you are diligent in monitoring when new patches/fixes are released. • Require username/password (two-factor if possible) combinations for all systems, including those that are not deemed “trusted”. • Control contractor access- Many SCADA/ICS networks utilize remote contractors, and controlling how they access trusted resources is imperative.
- 42. Recommendations • Utilize SSL/TLS for all communications to web-based ICS/SCADA systems. • Control access to trusted devices. For instance, for access to a segmented network, use a bastion host with ACL’s for ingress/egress access. • Improve logging on trusted environments, in addition to passing logs to SIEM devices for third party backup/analysis. • Utilize Zones- such as “BLAN”, “WLAN”, and “SCADA”. • Develop a threat modeling system to your organization- understand who’s attacking you, and why.
- 43. REMEMBER: • These attacks are happening… In the USA, and many other places…
- 44. Shout Twitter: @lowcalspam Email: kyle_wilhoit@trendmicro.com Non-Work: kylewilhoit@gmail.com Please complete the speaker feedback surveys! (m.blackhat.com)
Hinweis der Redaktion
- today I'm going to be talking about who's really attacking your ICS devices. There is a lot of hype about ICS devices, and are they attacked, and I felt this needed more research to prove or disprove the data behind this. This talk isn’t going to cover 0-days of ICS devices, nor is it going to cover some new tool to exploit ICS devices- it’s to cover who’s really attacking your ICS devices. Before we get started, I'm going to share a little bit about who I am.
- I’m part of a team called “Future Threat Research”. We look at threats from the current to five years out.
- -Likewise, I will also be discussing the security profiles of ICS, and how terrible they are.-In addition, I will cover how ICS devices are traditionally attacked, and who would usually do the attacking.
- Before we get started on our talk today, let's quickly cover what I'm going to discuss. This is a full talk, so we're going to have breeze through these slides quickly- covering a lot of topics in a short period of time.A.) First, were going to cover what in the hell ICS devices are, and where they are used.B.)Second, I'm going to give an overview of the two most widely used SCADA protocols- Modbus and DNP3.
- So…what are ICS devices? Typically proprietary based on manufacturer/function!!!!
- This is a typical ICS deployment. A few things to take note of here:A.) The SCADA network sits on top, under "Supervisory Network" You would typically see these in office locations of a mining site for instance.B.) The Control networks sit below, labled "Control systems". These control systems are typically found in remote areas of an industrial site, and can seen as controllers on an assembly belt for instance.C.) There are no security devies anywhere to be found. THIS IS TYPICAL!!!!TYPICAL ICS DEVICES HAVE NO SECURITY WHATSOEVER.
- The assumption exists that DNP3 traffic comes from the same subnet…TRUST FLAW!!!!!!!!!!!A DNP3 frame consists of a header and data section. The header specifies the frame size, contains data link control information and identifies the DNP3 source and destination device addresses. The data section is commonly called the payload and contains data passed down from the layers above. The assumption exists that DNP3 traffic comes from the same subnet…TRUST FLAW!!!!!!!!!!!A DNP3 frame consists of a header and data section. The header specifies the frame size, contains data link control information and identifies the DNP3 source and destination device addresses. The data section is commonly called the payload and contains data passed down from the layers above.
- Used to read/write input/output interfaces. Very simple and usage is limited in nature.
- 26% of incidents revolved around Internet-facing and Water…
- -Many ICS devices are Internet facing, and have VERY little security-Target Rich environment-THESE DEVICES THAT ARE INTERNET FACING BRING ME TO OUR STORY TIME.
- ----- Meeting Notes (3/8/13 16:08) -----Recent water plant in IL FOR INSTANCE
- This is where the presentation gets fun. I’m not going to talk about how I exploited a vulnerability in an ICS or SCADA device, nor am I going to talk about a zero-day affecting SCADA devices. What I’m going to do is share a story about a small town in rural Missouri, in the US.
- -THE HONEYPOT ARCHITECTURE IS FAIRLY STRAIGHT FORWARD, I USED TWO LOW-…-YOU SEE IN TEH SCREENSHOTS THAT THE FIELDS ARE IDENTICLE TO WHAT YOU WOULD SEE IN A TRADITIONAL ICS DEVICE CONTROL PAGE.
- WHAT THESE ATTACKERS SEE IS WHAT AN ATTACKER WOULD SEE IN A TRADITIONAL ICS SETUP. HAVING PEN TESTED ICS/SCADA ENVIRONMENTS, I REPLICATED THIS HONEYPOT ARCHITECTURE TO DIRECTLY MIMIC COMMONLY FOUND ICS DEVICE DEPLOYMENTS.EXTERNAL IP COULD BE CONSIDERED “HMI”PLC IS WHAT DIRECTLY MIMCS THE WATER PRESSURE PLANT.
- THESE ADMINSTRATIVE FUNCTIONS WOULD BE CONSIDERED MODBUS AND DNP3.THESE SALTED DOCUMENTS ARE WHAT YOU WOULD TRADITIONALLY FIND ON ICS BOXES…SUCH AS ENGINEERING DOCUMENTS, GEO SPATIAL INFORMATION, LOAD CONTROL DOCUMENTS, ETC.
- THIS HONEYWALL ALLOWS US TO DO SEVERAL THINGS. FIRST, IT ALLOWS US TO PASS TRAFFIC TO TWO DIFFERENT AMAZON EC2 INSTANCES, THAT MAY NOT BE LOGICALLY OR PHYSICALLY CONNECTED.Again, “External IP” would be considered the HMI. (Human Machine Interface)SECOND, IT ALLOWS TO HAVE A SECONDARY POINT OF LOGGING SHOULD THE ATTACKER GAIN ACCESS
- Snort (Digital Bond Modbus TCP Rules)]BeEFDionaneaTcpdumpHoneydNano-10Siemens SIMATIC S7-1200 CPU 1212CDell DL360Amazon EC2SMTPSalted sample data
- AUTHENTICATION LIMITATIONS- WE SET THE USERNAME/PASSWORD MORE COMPLEX THEN ADMIN/ADMIN TO ENSURE WE WERE SEEING WHAT WE CONSIDERED "TARGETED" ATTACKS. WE WERE REALLY ONLY INTERESTED IN "TARGETED ATTACKS"
- Not port scans, or non-targeted attacks.Not automated attacksNot drive-byWE ARE ONLY CONCERNED WITH TARGETED ATTACKS AGAINST ICS DEVICES. WE SAW MULTIPLE ATTACK ATTEMPTS VIA THE STANDARD DRIVE-BY'S AND AUTOMATED ATTACKS, Think of these classifications:Information DisclosureCommunications WeaknessAccess Control and Permission ErrorsConfiguration ErrorsInput Validation Errors
- 49 attacks in total. 17 were considered “catastrophic” the rest were considered “attacks” that “could” cause massive issues.1.) CHINA2.) USA3.) LAOSAN INTERESTING COUNTRY OF ATTACK ORGIN: NORTH KOREA - MORE INFORMATION ON THAT IN A SECOND
- THERE WAS A LOT OF ATTACKERS INTERESTED IN NOT PROVIDING WATER TO THE PEOPLE OF ARNOLD DURING OUR TESTING.ALSO INTERESTED IN HAVING PEOPLE DRINK WARM WATER. (NORTH KOREA- MODBUS TRAFFIC MOD)----- Meeting Notes (3/8/13 16:08) -----Authenticated realm- PUMP SYSTEM AND TEMP OUTPUT
- Custom rules created for SCADA controllers, vulnerabilities, and protocols. Highly effective for low-interaction honeypots. In addition, it works well for high-interaction honeypots.----- Meeting Notes (3/5/13 13:17) -----DIRECT MODIFICATIONS TO MODBUS AND DNP3. THESE WOULD BE CONSIDERED THE MOST TARGETED OF ALL ATTACKS WE SAW DURING OUR TESTING PERIOD.AS IF ALL THAT INFORMATION ISN'T INTERESTING ENOUGH, IT'S ABOUT TO GET EVEN MORE INTERESTING.
- IT GOT WEIRD WHEN I CHECKED OUR EMAIL AT CITYWORKX@<HOSTNAME OF OUR CITY>.COMHAD AN ATTACHMENT, NAMED CITYREQUEST.DOC
- Document dropped two PE files- gh.exe and ai.exeNOTE (NOT TO DISCLOSE): THIS IS COMMENT CREW HACKSFASE. CONFIRMED.
- Will execute on Office 03/07 with various Service Packs
- -Mutexes created-process migration-IOC’s available
- Attacker days 1-4
- Attacker days 5-17
- Just a super sweet venn to show “WHO” could be interested in pwnage of water goodness.