INDUSTROYER
Anton Cherepanov, Senior Malware Researcher / @cherepanov74
Robert Lipovsky, Senior Malware Researcher / @Robert_Lipovsky
AGENDA
• ICS-targeting malware
• The story of INDUSTROYER: the Ukrainian blackout
• INDUSTROYER analysis
• Potential impact
ICS-targeting malware
[Diagram: the Internet, the operator and the industrial site, with ICS malware entering through the operator network]
[Diagram: the same picture for Industroyer, where the operator is a power distribution company]
Timeline of ICS-targeting malware: STUXNET (2010), HAVEX (2014), BLACKENERGY (2015), INDUSTROYER (2016)
23 Dec 2015: BlackEnergy, the first blackout in Ukraine
BlackEnergy: a CORE module with plugins: C&C, Network Scanner, File Stealer, Password Stealer, Keylogger, Screenshots, Network Discovery. None of these plugins speaks an ICS protocol: BlackEnergy gave the attackers access, and the switching in 2015 was done by hand through the compromised operator workstations.
INDUSTROYER timeline:
• 17 Dec 2016: blackout in Ukraine
• A few days later: ESET begins analysis
• 18 Jan 2017: initial report finished
• Further research
• 12 Jun 2017: Industroyer report goes public
INDUSTROYER
Main Backdoor
[Diagram: the main backdoor runs inside the power distribution company's network, talking to its C&C on the Internet and reaching the industrial site from the operator side]
Main backdoor – list of commands:
• Execute process
• Execute process using specified user account
• Download file from C&C server
• Copy & upload file
• Execute shell command
• Execute shell command using specified user account
• Quit
• Stop service
• Stop service using specified user account
• Start service using specified user account
• Replace "Image path" registry value for specified service
Copy & upload file – the chain behind this command: MAIN BACKDOOR -> VBS -> MS SQL -> CSCRIPT -> VBS
The backdoor drops a VBScript that connects to the local MS SQL Server through ADODB and switches on two server options that are disabled by default and gated behind 'show advanced options': 'Ole Automation Procedures' (the sp_OA* procedures) and 'xp_cmdshell'. With those on, cscript can be launched from inside the database engine with the next VBScript stage:

    ' mConnection is assumed to be an already-opened ADODB.Connection to the local MS SQL Server
    Set cmd = CreateObject("ADODB.Command")
    cmd.ActiveConnection = mConnection
    cmd.CommandText = "BEGIN EXEC sp_configure 'show advanced options', 1; RECONFIGURE; " & _
                      "EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE; END;"
    cmd.Execute
    cmd.CommandText = "BEGIN EXEC sp_configure 'show advanced options', 1; RECONFIGURE; " & _
                      "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; END;"
    cmd.Execute

Both options are visible in sys.configurations, so a database server on an ICS network that suddenly reports Ole Automation Procedures or xp_cmdshell as enabled is worth an alert on its own.
Replace "Image path" registry value for specified service – the persistence mechanism: the ImagePath of an existing Windows service is rewritten to point at the backdoor, so the Service Control Manager starts the backdoor under that service's name and account.
Industroyer components: Main Backdoor, Additional Backdoor, Port Scanner, DoS Tool, Launcher
Port Scanner – run from the compromised MS SQL server through xp_cmdshell (hence the need to enable it):

    EXEC xp_cmdshell 'C:\intel\port.exe -ip=%IP_ADDRESS% -ports=2404,21845,445,135';

Ports the scanner is pointed at, and what they mean on a substation network:
• 135 – RPC endpoint mapper (DCE/RPC locator): the entry point for DCOM, which the OPC DA payload depends on
• 445 – SMB
• 2404 – IEC 60870-5-104: an open 2404 marks a device or gateway that will accept IEC 104 commands
• 21845 – webphone
• 700 – Extensible Provisioning Protocol over TCP
• 701 – Link Management Protocol
• 1433 – MS SQL Server default port
• 1521 – nCube License Manager / Oracle DB
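As an added example (this is not ESET's code and not part of the deck), the port list above turned into a fan-out check over connection records. Only the SCADA front-end should open IEC 104 sessions, and only to a fixed set of RTUs, so a Windows host that probes TCP/2404 together with 135/445 on many addresses in a short window is the scanner's footprint. The record format, the thresholds and the connection lines are this example's assumptions and are constructed, not captured.

```python
from collections import defaultdict

# Ports from the scanner command line and the port reference above
ICS_PORTS = {2404}                          # IEC 60870-5-104
LATERAL_PORTS = {135, 445, 1433, 1521}      # RPC/DCOM, SMB, MS SQL, Oracle
WATCHED = ICS_PORTS | LATERAL_PORTS | {21845, 700, 701}


def parse_record(line):
    """Constructed record format: 'epoch_seconds,src,dst,dport'."""
    ts, src, dst, dport = line.strip().split(",")
    return float(ts), src, dst, int(dport)


def detect_scanners(lines, window=60.0, min_targets=5):
    """Return {src: sorted (dst, dport) pairs} for every source that reached
    at least `min_targets` distinct hosts on watched ports inside `window`
    seconds and touched an ICS port while doing so."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_record(line)
        if dport in WATCHED:
            by_src[src].append((ts, dst, dport))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # keep events[lo:hi+1] inside the time window
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            span = events[lo:hi + 1]
            hosts = {dst for _ts, dst, _p in span}
            ports = {p for _ts, _d, p in span}
            if len(hosts) >= min_targets and ports & ICS_PORTS:
                # report every watched-port target this source touched
                alerts[src] = sorted({(dst, p) for _ts, dst, p in events})
                break
    return alerts


# Constructed connection log (not real telemetry): 10.1.1.5 sweeps six hosts in
# six seconds; 10.1.1.20 is the SCADA front-end polling its two RTUs.
SAMPLE_LOG = """\
1000,10.1.1.5,10.1.1.10,2404
1001,10.1.1.5,10.1.1.11,2404
1002,10.1.1.5,10.1.1.12,2404
1003,10.1.1.5,10.1.1.13,445
1004,10.1.1.5,10.1.1.14,135
1005,10.1.1.5,10.1.1.15,2404
1100,10.1.1.20,10.1.1.200,2404
1700,10.1.1.20,10.1.1.200,2404
2300,10.1.1.20,10.1.1.201,2404
""".splitlines()

if __name__ == "__main__":
    for src, targets in detect_scanners(SAMPLE_LOG).items():
        print(f"{src}: {len(targets)} targets, e.g. {targets[0]}")
```

The front-end is not flagged because it talks to two hosts over hours; the scanner is flagged on the fifth distinct host. Tune `min_targets` to the number of IEC 104 peers your front-end legitimately has, plus one.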
Malware impact: PAYLOADS
Launcher – starts the payload DLLs at a time hardcoded in the sample: 17 Dec 2016 - 22:27 (UTC)
[Diagram: Main Backdoor, Additional Backdoor, Port Scanner, DoS Tool and Launcher, with the Launcher feeding the 101, 104, 61850 and OPC DA payloads]
101 Payload (IEC 60870-5-101)
• Serial link (COM port) to the RTU
• IOA (Information Object Address) ranges, taken from its configuration
• single command (C_SC_NA_1)
• double command (C_DC_NA_1)
• OFF -> ON -> OFF: each addressed object is switched off, on and off again
104 Payload (IEC 60870-5-104)
• TCP/IP (port 2404, the port the scanner looks for) instead of serial; IEC 104 carries the same command ASDUs as IEC 101
• Modes: Range, Shift, Sequence (how the payload walks the configured IOAs)
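To make the 101/104 bullets concrete, here is an added example (the editor's, not ESET's and not from the deck): a minimal IEC 60870-5-104 encoder and decoder for C_SC_NA_1 and C_DC_NA_1, a generator that imitates the payload's range mode (OFF -> ON -> OFF for every IOA in a range) and a detector that flags it. Frame layout follows the standard's APCI/ASDU format; the session, the common address and the IOA range are constructed, and nothing here is the malware's actual configuration. The same ASDUs ride the IEC 101 serial link, only the framing differs, so the parser is 104-only.

```python
import struct
from collections import defaultdict

# ASDU type identifiers and cause of transmission from IEC 60870-5-101/104
C_SC_NA_1 = 45          # single command
C_DC_NA_1 = 46          # double command
COT_ACTIVATION = 6
START_BYTE = 0x68
CMD_APDU_LEN = 16       # start, length, 4 control octets, 6-byte ASDU header, 3-byte IOA, 1 qualifier


def build_command(type_id, ioa, on, common_addr=1, send_seq=0, recv_seq=0, select=False):
    """Encode one I-format APDU carrying a single or double command for `ioa`."""
    if type_id == C_SC_NA_1:
        # SCO: bit 0 = SCS (1 = ON), bits 2-6 = QU, bit 7 = S/E (1 = select)
        qualifier = (1 if on else 0) | (0x80 if select else 0)
    elif type_id == C_DC_NA_1:
        # DCO: bits 0-1 = DCS (1 = OFF, 2 = ON), bits 2-6 = QU, bit 7 = S/E
        qualifier = (2 if on else 1) | (0x80 if select else 0)
    else:
        raise ValueError("only C_SC_NA_1 and C_DC_NA_1 are supported")
    # ASDU header (IEC 104 flavour): type, VSQ (one object), COT, originator, common address
    asdu = struct.pack("<BBBBH", type_id, 1, COT_ACTIVATION, 0, common_addr)
    asdu += ioa.to_bytes(3, "little") + bytes([qualifier])
    # APCI control field for an I-frame: N(S) and N(R) are 15-bit counters in bits 1..15
    control = struct.pack("<HH", (send_seq << 1) & 0xFFFE, (recv_seq << 1) & 0xFFFE)
    return bytes([START_BYTE, len(control) + len(asdu)]) + control + asdu


def parse_apdu(frame):
    """Decode a command APDU. Returns None for S/U-format frames and for ASDUs
    that are not single/double commands; raises on malformed input."""
    if len(frame) < 6 or frame[0] != START_BYTE or frame[1] != len(frame) - 2:
        raise ValueError("bad APCI")
    if frame[2] & 0x01:                   # bit 0 of control octet 1: 0 = I-format
        return None
    type_id, _vsq, cot, _originator, common_addr = struct.unpack_from("<BBBBH", frame, 6)
    if type_id not in (C_SC_NA_1, C_DC_NA_1):
        return None
    if len(frame) < CMD_APDU_LEN:
        raise ValueError("truncated command ASDU")
    ioa = int.from_bytes(frame[12:15], "little")
    qualifier = frame[15]
    if type_id == C_SC_NA_1:
        on = bool(qualifier & 0x01)
    else:
        dcs = qualifier & 0x03
        if dcs not in (1, 2):             # 0 and 3 are "not permitted" in the standard
            raise ValueError("invalid DCS %d" % dcs)
        on = dcs == 2
    return {"type_id": type_id, "cot": cot & 0x3F, "ca": common_addr,
            "ioa": ioa, "on": on, "select": bool(qualifier & 0x80)}


def range_mode_session(ioa_start, ioa_end, type_id=C_SC_NA_1):
    """Constructed traffic imitating the payload's range mode: every IOA in
    [ioa_start, ioa_end] is driven OFF, then ON, then OFF."""
    frames, seq = [], 0
    for ioa in range(ioa_start, ioa_end + 1):
        for on in (False, True, False):
            frames.append(build_command(type_id, ioa, on, send_seq=seq))
            seq += 1
    return frames


def toggled_objects(frames):
    """Return the sorted (common address, IOA) pairs that received execute
    commands flipping their state at least twice, i.e. OFF->ON->OFF or the
    reverse. One such object may be an operator; dozens in one session is the
    range mode above."""
    history = defaultdict(list)
    for frame in frames:
        cmd = parse_apdu(frame)
        if cmd and cmd["cot"] == COT_ACTIVATION and not cmd["select"]:
            history[(cmd["ca"], cmd["ioa"])].append(cmd["on"])
    hits = []
    for key, states in history.items():
        changes = sum(1 for a, b in zip(states, states[1:]) if a != b)
        if changes >= 2:
            hits.append(key)
    return sorted(hits)


if __name__ == "__main__":
    session = range_mode_session(1000, 1009)
    print(session[0].hex())
    print(len(session), "frames,", len(toggled_objects(session)), "objects toggled")
```

The detector keys on execute commands with cause of transmission 6 (activation) because that is what actually moves a breaker; select frames and the RTU's confirmations (COT 7) are ignored. Run it against a capture from the SCADA front-end's own IEC 104 sessions first to learn how many objects an operator legitimately toggles in a shift before choosing an alert threshold.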
61850 Payload (IEC 61850 / MMS)
• Auto-discovery: enumerates the logical nodes of each IED and picks those whose name contains CSW (controllable switch), then reads and acts on:
• CSW, CF, Pos, and Model – the control model (direct operate or select-before-operate)
• CSW, ST, Pos, and stVal – the present switch position
• CSW, CO, Pos, Oper, but not $T – direct operate
• CSW, CO, Pos, SBO, but not $T – select before operate
OPC DA Payload
• Discovers OPC servers
• COM interfaces used: IOPCServer, IOPCBrowseServerAddressSpace (walks the address space), IOPCSyncIO (synchronous reads and writes)
• Item names it searches for in the address space:
• ctlSelOn (Select on command)
• ctlSelOff (Select off command)
• ctlOperOn (Operate on command)
• ctlOperOff (Operate off command)
• Pos and stVal (Switch position status)
Tooling released with the research – Github: https://github.com/eset/malware-research/tree/master/industroyer
• Identifies OPC Data Access LIBIDs, CLSIDs and IIDs in a binary
• Creates the OPC DA structures and enums in IDA Pro
• Can be used for general-purpose reverse engineering of any OPC DA client or server
[Screenshots: IDA Pro decompiler output of the OPC DA payload before and after applying the plugin's type information]
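The plugin's first bullet can be reproduced outside IDA. The following added example (not the ESET tool and not from the deck) searches a binary for the OPC DA interface IDs the payload uses, in the 16-byte form COM stores them in, which is what QueryInterface and CoCreateInstance arguments look like in a data section. The GUID values are the opcda.h definitions as the editor recalls them (an assumption: check them against your SDK header), and the binary scanned is constructed.

```python
import uuid

# OPC DA GUIDs as defined in opcda.h (assumption: verify against your SDK copy)
OPC_DA_GUIDS = {
    "IID_IOPCServer":                   "39c13a4d-011e-11d0-9675-0020afd8adb3",
    "IID_IOPCBrowseServerAddressSpace": "39c13a4f-011e-11d0-9675-0020afd8adb3",
    "IID_IOPCSyncIO":                   "39c13a52-011e-11d0-9675-0020afd8adb3",
    "CATID_OPCDAServer20":              "63d5f432-cfe4-11d1-b2c8-0060083ba1fb",
}
# The three interfaces the deck names; a client holding all three can enumerate
# servers, browse their address space and write items synchronously.
CONTROL_SET = {"IID_IOPCServer", "IID_IOPCBrowseServerAddressSpace", "IID_IOPCSyncIO"}


def guid_bytes(text):
    """GUID in the in-memory layout COM uses: Data1-3 little-endian, Data4 as-is."""
    return uuid.UUID(text).bytes_le


def find_guids(blob, table=OPC_DA_GUIDS):
    """Return {name: [offsets]} for each GUID from `table` found in `blob`."""
    hits = {}
    for name, text in table.items():
        pattern = guid_bytes(text)
        offsets, start = [], 0
        while (pos := blob.find(pattern, start)) != -1:
            offsets.append(pos)
            start = pos + 1
        if offsets:
            hits[name] = offsets
    return hits


def can_drive_opc_items(hits):
    """True when the sample references every interface in CONTROL_SET."""
    return CONTROL_SET <= set(hits)


def constructed_binary():
    """Stand-in for a sample's data section: padding, IID_IUnknown (which any
    COM client has and which must not count), then the three OPC DA IIDs."""
    parts = [b"\x00" * 32, guid_bytes("00000000-0000-0000-c000-000000000046")]
    for name in ("IID_IOPCServer", "IID_IOPCSyncIO", "IID_IOPCBrowseServerAddressSpace"):
        parts += [b"\xcc" * 7, guid_bytes(OPC_DA_GUIDS[name])]
    return b"".join(parts)


if __name__ == "__main__":
    found = find_guids(constructed_binary())
    for name, offsets in sorted(found.items()):
        print(f"{name:<36} at {[hex(o) for o in offsets]}")
    print("OPC DA control capability:", can_drive_opc_items(found))
```

The search is static and over the raw file, so a sample that resolves the interfaces by name through the type library, or assembles the GUID at runtime, will not show up; that is the usual caveat for string-based capability hunting, and it is why the IDA plugin, which also labels the vtable structures once you are in the code, is the better tool for a full analysis.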
Malware impact: DENIAL OF SERVICE – delivered by the separate DoS Tool component
Malware impact: DATA WIPER
[Diagram: the Data Wiper next to the Main Backdoor, Additional Backdoor, Port Scanner, Launcher and DoS Tool]
The wiper goes after the files an engineer needs to restore the substation, not just the operating system:
• ABB PCM600 (IED configuration projects)
• ABB MicroScada
• Signal Cross References
• Substation Configuration Language (SCL) files: Substation Configuration Description (SCD) and Configured IED Description (CID)
TAKE AWAYS
! Global Threat – the protocols Industroyer speaks are used in power grids worldwide, not only in Ukraine
! Dangerous Attacker
! Unfulfilled potential
Thank you! Questions?
@cherepanov74
@Robert_Lipovsky
Industroyer: biggest threat to industrial control systems since Stuxnet, by Anton Cherepanov and Róbert Lipovský (ESET), presented at CODE BLUE

Weitere ähnliche Inhalte

Was ist angesagt?

OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
Information Security Awareness Training by Wilfrid Laurier University
Information Security Awareness Training by Wilfrid Laurier UniversityInformation Security Awareness Training by Wilfrid Laurier University
Information Security Awareness Training by Wilfrid Laurier University
Atlantic Training, LLC.
 

Was ist angesagt? (20)

Overview of Vulnerability Scanning.pptx
Overview of Vulnerability Scanning.pptxOverview of Vulnerability Scanning.pptx
Overview of Vulnerability Scanning.pptx
 
AWS Pentesting
AWS PentestingAWS Pentesting
AWS Pentesting
 
Security Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic AttacksSecurity Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic Attacks
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Penetration Testing AWS
Penetration Testing AWSPenetration Testing AWS
Penetration Testing AWS
 
Trojans and backdoors
Trojans and backdoorsTrojans and backdoors
Trojans and backdoors
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
Information Security Awareness Training by Wilfrid Laurier University
Information Security Awareness Training by Wilfrid Laurier UniversityInformation Security Awareness Training by Wilfrid Laurier University
Information Security Awareness Training by Wilfrid Laurier University
 
Enterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsEnterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to Basics
 
Introduction to cyber security
Introduction to cyber securityIntroduction to cyber security
Introduction to cyber security
 
Security testing
Security testingSecurity testing
Security testing
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Mobile Hacking
Mobile HackingMobile Hacking
Mobile Hacking
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 
Cyber Security For Organization Proposal PowerPoint Presentation Slides
Cyber Security For Organization Proposal PowerPoint Presentation SlidesCyber Security For Organization Proposal PowerPoint Presentation Slides
Cyber Security For Organization Proposal PowerPoint Presentation Slides
 
Email Forensics
Email ForensicsEmail Forensics
Email Forensics
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC Framework
 
Vulnerability Assessment
Vulnerability AssessmentVulnerability Assessment
Vulnerability Assessment
 
Malware- Types, Detection and Future
Malware- Types, Detection and FutureMalware- Types, Detection and Future
Malware- Types, Detection and Future
 
Keyloggers.ppt
Keyloggers.pptKeyloggers.ppt
Keyloggers.ppt
 

Ähnlich wie Industroyer: biggest threat to industrial control systems since Stuxnet by Anton Cherepanon, Róbert Lipovský

Ähnlich wie Industroyer: biggest threat to industrial control systems since Stuxnet by Anton Cherepanon, Róbert Lipovský (20)

IBM Cloud University: Build, Deploy and Scale Node.js Microservices
IBM Cloud University: Build, Deploy and Scale Node.js MicroservicesIBM Cloud University: Build, Deploy and Scale Node.js Microservices
IBM Cloud University: Build, Deploy and Scale Node.js Microservices
 
Workshop Consul .- Service Discovery & Failure Detection
Workshop Consul .- Service Discovery & Failure DetectionWorkshop Consul .- Service Discovery & Failure Detection
Workshop Consul .- Service Discovery & Failure Detection
 
Node Interactive: Node.js Performance and Highly Scalable Micro-Services
Node Interactive: Node.js Performance and Highly Scalable Micro-ServicesNode Interactive: Node.js Performance and Highly Scalable Micro-Services
Node Interactive: Node.js Performance and Highly Scalable Micro-Services
 
GeeCON 2017 - TestContainers. Integration testing without the hassle
GeeCON 2017 - TestContainers. Integration testing without the hassleGeeCON 2017 - TestContainers. Integration testing without the hassle
GeeCON 2017 - TestContainers. Integration testing without the hassle
 
Docker In Bank Unrated
Docker In Bank UnratedDocker In Bank Unrated
Docker In Bank Unrated
 
Amazon Web Services and Docker: from developing to production
Amazon Web Services and Docker: from developing to productionAmazon Web Services and Docker: from developing to production
Amazon Web Services and Docker: from developing to production
 
Automated infrastructure is on the menu
Automated infrastructure is on the menuAutomated infrastructure is on the menu
Automated infrastructure is on the menu
 
(ARC401) Cloud First: New Architecture for New Infrastructure
(ARC401) Cloud First: New Architecture for New Infrastructure(ARC401) Cloud First: New Architecture for New Infrastructure
(ARC401) Cloud First: New Architecture for New Infrastructure
 
Building Your Own IoT Platform using FIWARE GEis
Building Your Own IoT Platform using FIWARE GEisBuilding Your Own IoT Platform using FIWARE GEis
Building Your Own IoT Platform using FIWARE GEis
 
Synack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware PersistenceSynack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware Persistence
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
Ato2019 weave-services-istio
Ato2019 weave-services-istioAto2019 weave-services-istio
Ato2019 weave-services-istio
 
Weave Your Microservices with Istio
Weave Your Microservices with IstioWeave Your Microservices with Istio
Weave Your Microservices with Istio
 
All Things Open 2019 weave-services-istio
All Things Open 2019 weave-services-istioAll Things Open 2019 weave-services-istio
All Things Open 2019 weave-services-istio
 
The Good Parts / The Hard Parts
The Good Parts / The Hard PartsThe Good Parts / The Hard Parts
The Good Parts / The Hard Parts
 
Being HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeBeing HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on Purpose
 
Fosdem10
Fosdem10Fosdem10
Fosdem10
 
Behind modern concurrency primitives
Behind modern concurrency primitivesBehind modern concurrency primitives
Behind modern concurrency primitives
 
Docker, OSS and Azure
Docker, OSS and AzureDocker, OSS and Azure
Docker, OSS and Azure
 
Behind modern concurrency primitives
Behind modern concurrency primitivesBehind modern concurrency primitives
Behind modern concurrency primitives
 

Mehr von CODE BLUE

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
CODE BLUE
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
CODE BLUE
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
CODE BLUE
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
CODE BLUE
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
CODE BLUE
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
CODE BLUE
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
CODE BLUE
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
CODE BLUE
 

Mehr von CODE BLUE (20)

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
 

Kürzlich hochgeladen

Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...
Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...
Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...
Naicy mandal
 
Lucknow 💋 Call Girls Adil Nagar | ₹,9500 Pay Cash 8923113531 Free Home Delive...
Lucknow 💋 Call Girls Adil Nagar | ₹,9500 Pay Cash 8923113531 Free Home Delive...Lucknow 💋 Call Girls Adil Nagar | ₹,9500 Pay Cash 8923113531 Free Home Delive...
Lucknow 💋 Call Girls Adil Nagar | ₹,9500 Pay Cash 8923113531 Free Home Delive...
anilsa9823
 
young call girls in Sainik Farm 🔝 9953056974 🔝 Delhi escort Service
young call girls in Sainik Farm 🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Sainik Farm 🔝 9953056974 🔝 Delhi escort Service
young call girls in Sainik Farm 🔝 9953056974 🔝 Delhi escort Service
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Call Girls Banashankari Just Call 👗 7737669865 👗 Top Class Call Girl Service ...
Call Girls Banashankari Just Call 👗 7737669865 👗 Top Class Call Girl Service ...Call Girls Banashankari Just Call 👗 7737669865 👗 Top Class Call Girl Service ...
Call Girls Banashankari Just Call 👗 7737669865 👗 Top Class Call Girl Service ...
amitlee9823
 
Call Now ≽ 9953056974 ≼🔝 Call Girls In Yusuf Sarai ≼🔝 Delhi door step delevry≼🔝
Call Now ≽ 9953056974 ≼🔝 Call Girls In Yusuf Sarai ≼🔝 Delhi door step delevry≼🔝Call Now ≽ 9953056974 ≼🔝 Call Girls In Yusuf Sarai ≼🔝 Delhi door step delevry≼🔝
Call Now ≽ 9953056974 ≼🔝 Call Girls In Yusuf Sarai ≼🔝 Delhi door step delevry≼🔝
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Vip Mumbai Call Girls Andheri East Call On 9920725232 With Body to body massa...
Vip Mumbai Call Girls Andheri East Call On 9920725232 With Body to body massa...Vip Mumbai Call Girls Andheri East Call On 9920725232 With Body to body massa...
Vip Mumbai Call Girls Andheri East Call On 9920725232 With Body to body massa...
amitlee9823
 
🔝 9953056974🔝 Delhi Call Girls in Ajmeri Gate
🔝 9953056974🔝 Delhi Call Girls in Ajmeri Gate🔝 9953056974🔝 Delhi Call Girls in Ajmeri Gate
🔝 9953056974🔝 Delhi Call Girls in Ajmeri Gate
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...
Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...
Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...
amitlee9823
 
CHEAP Call Girls in Hauz Quazi (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Hauz Quazi  (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Hauz Quazi  (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Hauz Quazi (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 

Kürzlich hochgeladen (20)

9892124323, Call Girl in Juhu Call Girls Services (Rate ₹8.5K) 24×7 with Hote...
9892124323, Call Girl in Juhu Call Girls Services (Rate ₹8.5K) 24×7 with Hote...9892124323, Call Girl in Juhu Call Girls Services (Rate ₹8.5K) 24×7 with Hote...
9892124323, Call Girl in Juhu Call Girls Services (Rate ₹8.5K) 24×7 with Hote...
 
Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...
Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...
Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...
 
Top Rated Pune Call Girls Ravet ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated  Pune Call Girls Ravet ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated  Pune Call Girls Ravet ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Ravet ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 
Call Girls in Thane 9892124323, Vashi cAll girls Serivces Juhu Escorts, powai...
Call Girls in Thane 9892124323, Vashi cAll girls Serivces Juhu Escorts, powai...Call Girls in Thane 9892124323, Vashi cAll girls Serivces Juhu Escorts, powai...
Call Girls in Thane 9892124323, Vashi cAll girls Serivces Juhu Escorts, powai...
 
Top Rated Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated  Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...Top Rated  Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
 
Lucknow 💋 Call Girls Adil Nagar | ₹,9500 Pay Cash 8923113531 Free Home Delive...
Lucknow 💋 Call Girls Adil Nagar | ₹,9500 Pay Cash 8923113531 Free Home Delive...Lucknow 💋 Call Girls Adil Nagar | ₹,9500 Pay Cash 8923113531 Free Home Delive...
Lucknow 💋 Call Girls Adil Nagar | ₹,9500 Pay Cash 8923113531 Free Home Delive...
 
young call girls in Sainik Farm 🔝 9953056974 🔝 Delhi escort Service
young call girls in Sainik Farm 🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Sainik Farm 🔝 9953056974 🔝 Delhi escort Service
young call girls in Sainik Farm 🔝 9953056974 🔝 Delhi escort Service
 
Call Girls Banashankari Just Call 👗 7737669865 👗 Top Class Call Girl Service ...
Call Girls Banashankari Just Call 👗 7737669865 👗 Top Class Call Girl Service ...Call Girls Banashankari Just Call 👗 7737669865 👗 Top Class Call Girl Service ...
Call Girls Banashankari Just Call 👗 7737669865 👗 Top Class Call Girl Service ...
 
Call Now ≽ 9953056974 ≼🔝 Call Girls In Yusuf Sarai ≼🔝 Delhi door step delevry≼🔝
Call Now ≽ 9953056974 ≼🔝 Call Girls In Yusuf Sarai ≼🔝 Delhi door step delevry≼🔝Call Now ≽ 9953056974 ≼🔝 Call Girls In Yusuf Sarai ≼🔝 Delhi door step delevry≼🔝
Call Now ≽ 9953056974 ≼🔝 Call Girls In Yusuf Sarai ≼🔝 Delhi door step delevry≼🔝
 
Call Girls Chikhali Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Chikhali Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Chikhali Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Chikhali Call Me 7737669865 Budget Friendly No Advance Booking
 
Vip Mumbai Call Girls Andheri East Call On 9920725232 With Body to body massa...
Vip Mumbai Call Girls Andheri East Call On 9920725232 With Body to body massa...Vip Mumbai Call Girls Andheri East Call On 9920725232 With Body to body massa...
Vip Mumbai Call Girls Andheri East Call On 9920725232 With Body to body massa...
 
🔝 9953056974🔝 Delhi Call Girls in Ajmeri Gate
🔝 9953056974🔝 Delhi Call Girls in Ajmeri Gate🔝 9953056974🔝 Delhi Call Girls in Ajmeri Gate
🔝 9953056974🔝 Delhi Call Girls in Ajmeri Gate
 
Industroyer: biggest threat to industrial control systems since Stuxnet by Anton Cherepanov, Róbert Lipovský

  • 1. INDUSTROYER Anton Cherepanov / @cherepanov74 Robert Lipovsky / @Robert_Lipovsky
  • 2. Robert Lipovsky Senior Malware Researcher @Robert_Lipovsky Anton Cherepanov Senior Malware Researcher @cherepanov74
  • 4. ICS-targeting malware The story of INDUSTROYER: Ukrainian blackout INDUSTROYER analysis Potential impact AGENDA
  • 6. ICS INDUSTROYER MALWARE OPERATOR INDUSTRIAL SITEINTERNET POWER DISTRIBUTION COMPANY Industroyer
  • 7. STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016
  • 8. STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016
  • 9. STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016
  • 10. STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016
  • 11. STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016 23 Dec 2015
  • 12. STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016 C&C Network Scanner File Stealer Password Stealer Keylogger Screenshots Network Discovery BlackEnergy CORE
  • 13. STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016
  • 14. STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016
  • 15. Timeline: Blackout in Ukraine; ESET begins analysis; Initial report finished; Further research; Industroyer report goes public. Dates: 17 Dec 2016; A few days later; 18 Jan 2017; 12 Jun 2017. STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016 INDUSTROYER
  • 16. Main Backdoor ICS INDUSTROYER MALWARE OPERATOR INDUSTRIAL SITEINTERNET POWER DISTRIBUTION COMPANY Industroyer
  • 17. Main Backdoor Main Backdoor Main backdoor – List of commands Execute process Execute process using specified user account Download file from C&C server Copy & upload file Execute shell command Execute shell command using specified user account Quit Stop service Stop service using specified user account Start service using specified user account Replace "Image path" registry value for specified service
  • 18. Main Backdoor Main Backdoor Main backdoor – List of commands Execute process Execute process using specified user account Download file from C&C server Copy & upload file Execute shell command Execute shell command using specified user account Quit Stop service Stop service using specified user account Start service using specified user account Replace "Image path" registry value for specified service Copy & upload file
  • 19. MAIN BACKDOOR -> VBS -> MS SQL -> CSCRIPT -> VBS
  • 21.
      Set cmd = CreateObject("ADODB.Command")
      cmd.ActiveConnection = mConnection
      cmd.CommandText = "BEGIN EXEC sp_configure 'show advanced options', 1;RECONFIGURE; EXEC sp_configure 'Ole Automation Procedures', 1;RECONFIGURE; END;"
      cmd.Execute
      cmd.CommandText = "BEGIN EXEC sp_configure 'show advanced options', 1;RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE; END;"
      cmd.Execute
  • 22. Main Backdoor Main Backdoor Main backdoor – List of commands Execute process Execute process using specified user account Download file from C&C server Copy & upload file Execute shell command Execute shell command using specified user account Quit Stop service Stop service using specified user account Start service using specified user account Replace "Image path" registry value for specified service Replace "Image path" registry value for specified service
  • 23. Main Backdoor, DOS TOOL, Port Scanner, Additional Backdoor. EXEC xp_cmdshell 'C:intelport.exe -ip=%IP_ADDRESS% -ports= 2404, 21845, 445, 135'; Port legend: 135 - RPC Locator service; 445 - SMB; 2404 - IEC 60870-5-104; 21845 - webphone; 700 - Extensible Provisioning Protocol over TCP; 701 - Link Management Protocol; 1433 - MS SQL Server default port; 1521 - nCube License Manager / Oracle dB
  • 24. DOS TOOL Main Backdoor Main Backdoor Port ScannerPort Scanner Additional Backdoor Launcher
  • 29. DOS TOOL 101 Payload 104 Payload 61850 Payload OPC DA Payload Main Backdoor Main Backdoor Port Scanner 17 Dec 2016 - 22:27 (UTC) Launcher Additional Backdoor
  • 30. 101 Payload (tabs: 101 Payload, 104 Payload, 61850 Payload, OPC DA Payload): • Serial • IOA (Information Object Address) ranges • single command (C_SC_NA_1) • double command (C_DC_NA_1) • OFF -> ON -> OFF
  • 31. 104 Payload (tabs: 101 Payload, 104 Payload, 61850 Payload, OPC DA Payload): • TCP/IP • Modes: Range, Shift, Sequence
  • 32. 101 Payload 104 Payload 61850 Payload OPC DA Payload
  • 33. 101 Payload 104 Payload 61850 Payload OPC DA Payload
  • 34. 101 Payload 104 Payload 61850 Payload OPC DA Payload
  • 35. 61850 Payload (tabs: 101 Payload, 104 Payload, 61850 Payload, OPC DA Payload): • Auto-discovery • CSW, CF, Pos, and Model • CSW, ST, Pos, and stVal • CSW, CO, Pos, Oper, but not $T • CSW, CO, Pos, SBO, but not $T
  • 36. OPC DA Payload (tabs: 101 Payload, 104 Payload, 61850 Payload, OPC DA Payload): • Discovers OPC servers • COM interfaces: IOPCServer, IOPCBrowseServerAddressSpace, IOPCSyncIO • ctlSelOn (Select on command) • ctlSelOff (Select off command) • ctlOperOn (Operate on command) • ctlOperOff (Operate off command) • Pos and stVal (Switch position status)
  • 37. 101 Payload 104 Payload 61850 Payload OPC DA Payload
  • 38. 101 Payload 104 Payload 61850 Payload OPC DA Payload Github: https://github.com/eset/malware-research/tree/master/industroyer • Identifies OPC Data Access LIBIDs, CLSIDs, IIDs in binary • Creates OPC DA structures and enums in IDA Pro • Can be used for general purpose reverse engineering
  • 39. 101 Payload 104 Payload 61850 Payload OPC DA Payload Before
  • 40. 101 Payload 104 Payload 61850 Payload OPC DA Payload After
  • 45. DOS TOOL 101 Payload 104 Payload 61850 Payload OPC DA Payload Main Backdoor Main Backdoor Port Scanner Launcher Additional Backdoor Data Wiper
  • 46. ABB PCM600 ABB MicroScada Signal Cross References Substation Configuration Language Substation Configuration Description Configured IED Description
  • 48. TAKE AWAYS: ! Global Threat ! Dangerous Attacker ! Unfulfilled potential

Editor's notes

  1. It’s good to see all of you here today… Literally. Meaning the lights are on. Because today we’re speaking about Industroyer – malware capable of causing a blackout. In fact, it caused one…in Ukraine last December. Now, that’s big, but there’s more – Industroyer is the 1st ever malware designed to attack power grids automatically, and we consider it to be the biggest threat to Industrial Control Systems since Stuxnet.
  2. My name is Robert Lipovsky, and together with my colleague Anton Cherepanov, we analyze malware and investigate cyberattacks on a daily basis, in fact, both of us have been doing it for 10 years now… but when we discovered Industroyer last December, frankly, we were blown away…
  3. We’re based in Slovakia, EU, we work as malware researchers for ESET – the company that pioneered antimalware heuristics and has been innovating antimalware solutions for 30 years.
  4. First, we’ll put Industroyer into the context of other malware that targeted ICS in the past. Then we’ll explain how Industroyer works.
  5. First, let’s take a look at how ICS-targeting malware works… We have an industrial site, which can be anything, from a uranium enrichment plant to an automobile factory, with its specialized industrial hardware. These devices are controlled and configured by human operators from workstations [click], typically running Windows, and that was the point of infiltration for all the known ICS-targeting malware families. [click] Where the malware families differ is in their capability – and methods – of controlling/disrupting the industrial process.
  6. Industroyer was specifically designed to attack electricity distribution substations. There’s a timer [click], in the analyzed samples set to the time of the blackout in Kiev, Ukraine last December… …that triggers Industroyer’s unique payload: controlling circuit breakers automatically through industrial communication protocols [click] in order to cut the power.
  7. Industroyer joined this “elite” club of only 3 malware families known to be used in attacks against ICS
  8. Stuxnet, which needs no introduction, was able to reprogram PLCs to change the rotation speed of centrifuges.
  9. Havex – DragonFly – Energetic Bear, which infected many industrial sites. It used the OPC DA protocol – also used by Industroyer – but unlike Industroyer, Havex used it only for espionage.
  10. BlackEnergy is a bit different from the other 3 families. We’ve been tracking it since 2011… and there were many campaigns over the years – mostly spearphishing – and we even discovered they used a PowerPoint 0-day: CVE-2014-4114…
  11. … and many targets – many high value targets, including government, media, transportation… But what’s relevant to our topic today are the campaigns against the Ukrainian power grid. They started in March 2015… [click] And on December 23rd, culminated in the first known malware-enabled blackout that affected several regions in the country and left around 230000 people in the dark for several hours.
  12. As I said, BlackEnergy is different from these other malware toolsets. It wasn’t designed to target ICS specifically, but is a more “general purpose” cyberweapon. Through its network traversal and espionage modules, it paved the way for attackers, who then used Radmin…
  13. …legitimate remote access software installed at the power distribution companies to manually “pull the plug” [click] And this is an actual video taken by an operator while the attackers were remotely accessing their system
  15. And now onto the main topic… On December 17, 2016, almost exactly one year after the previous blackout, we were struck with a sense of deja-vu. There was another blackout, and we started analyzing samples of malware which became the main suspect – Industroyer. We sent our analysis to Ukraine, and then waited, not to interfere with ongoing investigations… And then received the green light to publish in June.
  16. We already mentioned what Industroyer can do… and did (Industroyer’s principal functionality). Now let’s look under the hood. It starts with the main backdoor, which takes care of C&C communication and launches other components.
  17. It’s not super interesting, typical malware, the kind we analyze thousands of every day. Here’s the list of commands it supports. While Industroyer doesn’t focus on espionage functionality like BlackEnergy, it does provide attackers the capability of downloading and executing additional modules…
  18. as well as to exfiltrate files off the infected machine. Output produced by this command also gave us a glimpse into the command execution chain and lateral movement during the attack
  19. Multiple stages – staying under the radar SQL DB
  20. /not published/ Got hold of in-house custom application that stores environment layouts, ICS process logs & telemetry RE’d it, discovered that data stored in MSSQL server, hardcoded credentials. (Shows skill of attackers) Abused the DB to execute a number of shell commands during the reconnaissance phase of attack
  21. In order to do that, they 1st enabled the DB’s capability to execute these commands through xp_cmdshell
  22. Here are a few commands executed from that machine Benefit – stealth – shell commands executing from context of DB, also DB stored malicious binaries – measure to avoid AV detection
  23. The last command in the list is used for persistence, to ensure the malware survives a reboot. It does that by pointing the Image Path Registry value of a chosen existing Windows service to a more obfuscated version of itself.
  24. There’s also a secondary backdoor, used as a backup mechanism, in case the main backdoor gets detected or disabled. It’s interesting because it masquerades as a trojanized (and otherwise fully functional) version of Windows Notepad, which it replaces in the system. SIMILAR TECHNIQUE USED BY DRAGONFLY 2017. There are a few additional tools – noteworthy is a custom port scanner which the attackers chose instead of nmap, for example, and a DoS tool, which actually impacts the ICS, and I’ll talk about it later.
  25. And now we’re getting to the interesting part…
  26. We identified 3 distinct ways Industroyer attacks the electricity substation. Firstly, and most importantly, it can directly control the industrial hardware on site… So what is this “hardware”? They’re called Remote Terminal Units, commonly protection relays – on these photos you can see them from 2 vendors – Siemens and ABB. There are many types but basically their function is to open and close circuit breakers – for the purposes of protection, balancing the power grid, and so on…
  27. These devices are configured and monitored via specialized SCADA software on regular workstations, typically running Windows
  28. And the communication happens through one of several industrial communication protocols… there are several, some are regionally specific, some operate over a serial connection, others over TCP/IP, but the overall idea is the same… It’s important to note that Industroyer “abuses” them… there are no “exploits”, no software vulnerabilities, it uses the protocols in the way they were designed to be used… decades ago, without security in mind.
  29. Now I pass the microphone to Anton, the lead in the Industroyer analysis, to walk you through the payloads…
  30. Robert mentioned the exact timing of an Industroyer attack. That’s the job of the {click} launcher component The launcher samples we analyzed would launch the individual payload modules on {click} December 17, 2016 – shortly before the power outage. We identified modules capable of controlling devices through 4 communication protocols: IEC 101, IEC 104, 61850, OPC DA. Most of them are DLLs, with their own configuration files
  31. Requires a configuration file – here’s an example. 101 communicates over a serial connection – the COM ports to use are specified in the config. The first thing it does – it kills the legitimate process on the workstation responsible for controlling the devices and takes over. The devices operate on something called IOA – Information Object Address – think of them as network ports, or… registers. There are several different IOA types, but the payload is only interested in two specific ones, which can accept commands. It goes over a range of IOAs, defined in the config, and sends the command sequence “OFF -> ON -> OFF”.
  32. The idea in the 104 payload is very similar to 101, in that it sends ON or OFF commands to the devices. But there are a few differences: it works over TCP/IP instead of serial, and has many more configuration options. As you can see here, it is possible to specify multiple STATION entries, which work in parallel threads. There are 3 modes of operation – range / shift / sequence. Both for 101 and 104, the attackers don’t know the types of IOAs, so they have to do a kind of “bruteforce” to find out which will accept commands – “trial & error”. Range & shift are used to discover the right IOAs; sequence is used once they’re known.
  33. Payload constructs packets on the fly Thankfully, WireShark can dissect them As you can see, this example is a “single command type” on IOA #10
  34. The payload can also write to the console – here’s an example
  35. It supports not only console output but also logging This example demonstrates the capability of the payload – it tries to switch circuit breakers to ON or OFF in an infinite loop The exact logic depends on the config: either ON, or OFF, continuously or flipping back & forth between iterations
  36. 61850 is a bit different, and a bit more advanced. Like 104, it operates over TCP/IP but it can function even if IP addresses are not specified in the configuration - it can auto-discover devices on the network Doesn’t operate on IOAs but named elements. It looks for these hardcoded names – they correspond to circuit breakers and switches. So it’s a different approach but, again, same purpose - to OPEN or CLOSE circuit breakers.
  37. The last payload is a step above the rest. Not that it’s more advanced but it operates on a higher software abstraction level. Technically, OPC Data Access can be built on top of 101, 104, or 61850. It uses Distributed COM to discover all OPC servers running in the network. Obtains all their named items, searching for these specific tags Then it addresses the byte value 1 to items with these tags. But what does that mean? Let’s take a look in the documentation.
  38. Those tags are associated with ABB. Their type is ABBCommandBitmask…
  39. And writing the value 1 on bit position 0, results in normal execution of that command
  40. And this OPC Process Object Lists Tool by ABB helps us translate the commands into a better human-readable form… So again, the purpose is the same – opening circuit breakers.
  41. Analyzing the Industroyer payloads is a piece of cake for a skilled reverse-engineer, because they’re not obfuscated in any way. The only thing that can… and will slow you down… is this annoying COM stuff. So to help analyze any future malware that would use OPC DA, we’re releasing this IDA Python script.
  42. This is what the code looks like before the script
  43. Robert: Well, that looks much better. Thank you Anton. All 4 payloads serve a similar purpose – to open and close circuit breakers. De-energizing a substation is the most obvious one. But there are other theoretical possibilities and the 2007 Aurora generator test demonstrated how out-of-sync closing of protective relays can lead to physical hardware destruction.
  44. The second type of functionality we found in the Industroyer framework is rendering protection relays unresponsive. This is done by the Denial of Service tool…
  45. And it does it by exploiting the vulnerability in Siemens SIPROTEC devices described in this Advisory.
  46. The module sends specially crafted UDP packets to port 50000. “Knocking these devices out” serves to amplify the impact of the payloads Anton talked about. Siemens did patch the vulnerability in a firmware update, but you can imagine how regularly these devices are updated.
  47. The third and final type of payload functionality in the Industroyer samples we analysed is the Data Wiper module – [click] its purpose is to make recovery from the attack harder - goes not after the RTUs but after the workstations used to configure them
  48. It’s executed by the launcher module, 1-2 hours after the ICS payload modules.
  49. Remember the configuration software we showed you earlier? This module wipes files belonging to SCADA software, as you can see on the screen… Furthermore, it renders the machine unbootable by corrupting the Registry and finally crashes it by killing all processes, including system processes. Imagine the substation operator: circuit breakers being reopened, protection relays unresponsive, and when you sit down to fix the problem, the SCADA software is gone. Another demonstration of the importance of backups.
  50. Some modules are vendor-agnostic, others are specific to Siemens/ABB… we also discovered GE firmware.
  51. As you’ve seen, Industroyer’s capabilities are rather versatile. It was the malware that caused the Ukraine blackout – but it’s also configurable, and can be re-purposed to attack power grids around the {click} world. It’s a scalable and dangerous weapon against ICS – as we’ve said, the biggest since Stuxnet. But the gist of the threat is in the skillset and dedication of the {click} malware operators. It’s not about being able to code the malware but their ability (which they demonstrated in Ukraine) to become familiar with the architecture of the industrial site they want to target – what devices there are, what commands to send them, and what will happen as a result.
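The 101/104 payload behaviour described on slides 30-32 and in notes 31-32 (IOA ranges probed by trial and error, single/double commands, the OFF -> ON -> OFF sequence) leaves a recognisable pattern in IEC 60870-5-104 traffic. The following is an added example written for this page, not ESET's code or any part of Industroyer: a minimal parser for 104 I-format command APDUs plus two detection checks over a constructed capture. It assumes the standard 104 layout with one information object per ASDU and the "execute" form of the command; the capture, the `min_run` threshold and all function names are constructed for the example.

```python
from collections import defaultdict

# IEC 60870-5-104 ASDU type IDs named on slide 30, and the activation COT.
C_SC_NA_1, C_DC_NA_1 = 45, 46
COT_ACTIVATION = 6


def build_command(type_id, ioa, on, ca=1, seq=0):
    """Build a constructed I-format command APDU (execute, single object)."""
    if type_id == C_SC_NA_1:
        qual = 0x01 if on else 0x00      # SCO: bit 0 = SCS (1 = ON, 0 = OFF)
    elif type_id == C_DC_NA_1:
        qual = 0x02 if on else 0x01      # DCO: bits 0-1 = DCS (1 = OFF, 2 = ON)
    else:
        raise ValueError("only C_SC_NA_1 / C_DC_NA_1 are supported")
    asdu = bytes([type_id, 0x01, COT_ACTIVATION, 0x00])  # type, VSQ=1, COT, originator
    asdu += ca.to_bytes(2, "little") + ioa.to_bytes(3, "little") + bytes([qual])
    apci = bytes([0x68, 4 + len(asdu)]) + (seq << 1).to_bytes(2, "little") + b"\x00\x00"
    return apci + asdu


def parse_apdu(frame):
    """Return (type_id, cot, ioa, state) for a single-object command APDU, else None."""
    if len(frame) < 16 or frame[0] != 0x68 or frame[1] != len(frame) - 2:
        return None
    if frame[2] & 0x01:                  # S- or U-format frame: carries no ASDU
        return None
    type_id, vsq, cot = frame[6], frame[7], frame[8] & 0x3F
    if type_id not in (C_SC_NA_1, C_DC_NA_1) or vsq & 0x7F != 1:
        return None
    ioa = int.from_bytes(frame[12:15], "little")
    qual = frame[15]
    if type_id == C_SC_NA_1:
        state = "ON" if qual & 0x01 else "OFF"
    else:
        state = {1: "OFF", 2: "ON"}.get(qual & 0x03, "INVALID")
    return type_id, cot, ioa, state


def find_toggle_sequences(frames):
    """IOAs that received the OFF -> ON -> OFF activation pattern from slide 30."""
    history = defaultdict(str)
    for parsed in map(parse_apdu, frames):
        if parsed and parsed[1] == COT_ACTIVATION and parsed[3] != "INVALID":
            history[parsed[2]] += "1" if parsed[3] == "ON" else "0"
    return sorted(ioa for ioa, s in history.items() if "010" in s)


def find_ioa_sweep(frames, min_run=8):
    """True when commands hit >= min_run consecutive IOAs, as in range mode."""
    ioas = sorted({p[2] for p in map(parse_apdu, frames) if p})
    run = best = 1 if ioas else 0
    for prev, cur in zip(ioas, ioas[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best >= min_run


if __name__ == "__main__":
    # Constructed capture: single commands OFF, ON, OFF to each of IOAs 10..19.
    capture = [build_command(C_SC_NA_1, ioa, on)
               for ioa in range(10, 20) for on in (False, True, False)]
    print("toggled IOAs:", find_toggle_sequences(capture))  # IOAs 10 through 19
    print("range sweep:", find_ioa_sweep(capture))          # True
```

Real traffic also carries multi-object ASDUs and select-before-execute commands; a production detector would extend `parse_apdu` for both rather than drop them.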