Exfiltrating Reconnaissance data from Air-Gapped ICS/SCADA Networks

Transcription

1 White Paper Exfiltrating Reconnaissance data from Air-Gapped ICS/SCADA Networks David Atch, George Lashenko and Tal Kaminker White Paper: Exfiltrating Reconnaissance data from Air-Gapped ICS/SCADA Networks 1

2 Exfiltrating Reconnaissance data from Air-Gapped ICS/SCADA Networks David Atch, George Lashenko and Tal Kaminker Table of Contents Exfiltrating Reconnaissance data from Air-Gapped ICS/SCADA Networks...2 David Atch, George Lashenko and Tal Kaminker...2 Introduction...3 Attack vectors for industrial networks...4 Scenario Malicious USB...4 Scenario External engineering laptop...5 Scenario Malicious updates...5 Data exfiltration...5 Ladder Logic...5 Generate low radio frequency...7 Exfiltration Ladder Logic...8 PLC Frequency Detection Tool...10 Optimal frequency detection...11 Synchronization Detection...12 Receiving data...14 Bios...15 About CyberX...15 White Paper: Exfiltrating Reconnaissance data from Air-Gapped ICS/SCADA Networks 2

3 Introduction Best practices for industrial and critical infrastructure networks advised to separate IT and OT networks for years. This method of separation is still used in many companies as the main security measurement, sometimes combined with more security layers and sometimes with nothing at all. Relying on only Air-Gap as a security mechanism is just not enough. In this research, we are going to show why it s not enough. One of the challenges with bypassing Air-Gap is the need for a data channel, it s needed to exfiltrate the collected data from the Air-Gapped network. We are going to demonstrate how an attacker that obtained access to the network by some means, whether it s through a USB device shared between networks or an infected technician s laptop being connected to the Air-Gapped network, can establish data channels to send data through the Air-Gap. Data which may be sent might include: Network mapping, Security products mapping, Ladder Logic from controllers needed in the case of hot patching of malicious code, etc.. We exfiltrate data by generating low radio frequencies from a PLC, using specially crafted ladder logic on devices without built-in radio transmission capabilities. White Paper: Exfiltrating Reconnaissance data from Air-Gapped ICS/SCADA Networks 3

4 Attack vectors for industrial networks Air gap is a security measure that is being used by OT network owners to separate their network from the internet and reduce the risk of being infected by generic and non-targeted malware. There is a large debate whether disconnecting operational network from the internet is really a security measure, this research is not intended to answer this question, we assume the operational network is air gapped. Attacking operational networks requires multiple stages, and specially crafted malware. Before attackers can achieve his goals in attacking operational networks, wheatear it s spying or causing destruction, they need to execute a reconnaissance stage. The reconnaissance stage is essential part of the targeted attack and even more crucial in industrial networks, that s because OT networks contains diversity of vendors, equipment and protocols. Also in order to harm industrial equipment, the attacker need to have specific knowledge about the device and the Ladder Logic (PLC code) it contains, and because there are so many vendors, the reconnaissance stage in OT networks is a must. We are going to focus on the reconnaissance stage. The next methods are ways to attack an air gapped network, the attack described here will drop a tool which will act as a scanner/collector and its main purpose to bring home all the interesting data about the network. The tool should collect the following data: Network device mapping Security product mapping Device types and firmware versions Ladder Logic programs Schematics and design documents to figure device importance Overall working patterns of the users/devices Scenario Malicious USB This scenario describes the usage of infected USB to infect an air gapped network. The USB might be used by one of the engineers and get infected by PC that s connected to the internet or by someone who has been payed to connect it to the air gapped network. Air gapped networks are usually hard to patch because the lack of internet connection, also OT networks are much harder to patch because they require downtime of the network components, which might cause the OT network to be inoperable and may translate to financial harm. Also OT networks have outdated and non-supported operating systems. Because of that it s likely that the auto spreading USB mechanisms below will work: autorun.inf Enabled by default on Windows XP. It s a textual file placed on the drive and executes the designated executable upon USB insertion. Widely used by malware. LNK exploits Multiple exploits in the LNK format causes shortcuts to execute code upon directory browse. Used by the Stuxnet attack on air gapped OT network. DLL Search order hijacking Windows by default searches to load DLLs from the Current Working directory folder, it means that a software vulnerable to it might execute DLLs from the USB drive. White Paper: Exfiltrating Reconnaissance data from Air-Gapped ICS/SCADA Networks 4

5 Scenario External engineering laptop Many OT network owners use external engineers to programmer their software and controllers, also some engineers use their laptops to connect to the internet. If engineer s laptop is infected with malware, once it connects to the air gap network it might infect it as well. Again, this is also highly likely because of the lack of security updates in air gapped networks. Scenario Malicious updates This is based on past events where software vendors were explicitly targeted by attackers. The attackers will infect the main distribution of the software or it s updates, this is extremely hard to detect. Some OT vendors are not even signing digitally their updates and their software. The previous attacks have been seen in NotPetya which targeted financial software updates, and dragonfly which targeted industrial vendor software. Data Exfiltration Important key aspect of the reconnaissance stage is the data exfiltration part, in order to for the attacker to analyze the data that has been collected he need to bring it back. There are some methods how it can be done, most of them will require the malicious USB or the infected laptop to connect back to the network, which can take some time. During this time the reconnaissance tool might be discovered and terminated. We propose a new way of data exfiltration which involves injecting a Ladder Logic into PLC and using the PLC as low frequency radio transmitter. Ladder Logic It s the program that runs on a PLC, it s intended to process inputs from various IO devices connected to the PLC. PLC in very high level, looks like this: Hardware These are the components that the PLC uses, it is really similar to a regular PC and contains components such as RAM, CPU and Storage. Storage The PLC stores it s operating system and the Ladder Logic byte code itself. Firmware The operating system of the PLC, responsible for interacting with the various hardware components and executes the Ladder Logic bytecode. Ladder Logic This is usually written by standard Ladder Logic language, such as STL (Like an assembly language) or FBD (diagram representation of STL), Ladder Logic is compiled to bytecode by the vendor programming software and executed by the PLC. Because Ladder Logic has progressed during the years, today it s more than just a language to interact with IO components, it also contains API functions like socket recv/send. This gives the Ladder Logic developer much more power, previous research (PLC Blaster) showed that Ladder Logic might be used as a worm and network scanner. Ladder Logic consists of block, these are the main block types: FC Regular functions FB Function Blocks, like functions but uses storage to save its state DB Data Blocks, store variables for the Ladder Logic OB Organizational Block, Cyclic blocks which executed every x seconds or by some trigger White Paper: Exfiltrating Reconnaissance data from Air-Gapped ICS/SCADA Networks 5

6 The basic block of a ladder logic program is the rung. This block is equivalent to the following code. An average ladder logic file contains tens of different rungs split among different OB, FB and FC blocks. The rungs are executed from left to right almost simultaneously, rungs written in OB blocks are executed cyclically all the time. Some OB blocks may be configured to execute in a reaction to an event or every x seconds using a timer. White Paper: Exfiltrating Reconnaissance data from Air-Gapped ICS/SCADA Networks 6

7 Generate low radio frequency Our research on generating low radio frequencies is based on the NSA paper TEMPEST. In this research they show how electricity powered devices can generate radio frequencies, which might be translated to data. We tried a few things to make the PLC generate frequencies using only Ladder Logic without any radio transmitter, these is our trials and errors: Execute heavy calculations to increase the electricity usage of the CPU. Didn t produce anything, that s because the PLC always executes code and uses the CPU, whether it calculates something or just in idle mode. Connect and disconnect an RJ45 cable from the onboard ethernet port, we assumed the network card might generate EM frequencies. The PLC did shift its frequency, but this method requires physical access and not practical for data exfiltration. Send and receive network traffic. Didn t produce anything. Use the Ladder Logic to write values to the memory. Produces shift in the EM frequency, that s because writing to the memory involves sending electricity on the bus to the memory chip. This is the idle PLC frequency, best strength around 363 HZ on multiple frequencies. This is how it looks when memory is being written. Every shift in the frequency space corresponds to a memory block being written. White Paper: Exfiltrating Reconnaissance data from Air-Gapped ICS/SCADA Networks 7

8 Exfiltration Ladder Logic Once we found a way to control the frequency shift we had a way to encode data, from here onward we had to develop a protocol that will allow one way transmission. We wrote our ladder logic in OB blocks, this way it is executed alongside any other ladder logic present on the device. The ladder logic is designed to work as a state machine the state variable is advanced every second in an OB block configured to be executed every second, these are the various states: 1. Initialization state a. all the variables are initialized to their initial values b. Upon completion it moves to state 2 2. Synchronization state a. Transmits a special synchronization sequence b. In the current implementation it lasts for 10 seconds, this may be changed to reflect transmission quality (a longer sequence makes the transmission slower, however, allows when the signal is less clear) c. The synchronization sequence is a simple sequences d. Upon completion it moves to state 3 3. Data transmission state a. The data we plan to transmit resides inside an array b. A bit is transmitted every second, however this is configurable and should be configured according to the signal strength c. Upon completion it moves to state 1 White Paper: Exfiltrating Reconnaissance data from Air-Gapped ICS/SCADA Networks 8

9 send_bit Controls the current frequency, the rest of the program will manipulate bit variable to encode data If bit == 1: Memmove(dummy_src, dummy_dst, 10000) Else: Dummy_var = dummy_var * 123 sync A sync pattern is needed to detect the signal on the listening side If sync_start <= state <= sync_end: If state % 2 == 0: send_bit(1) Else: send_bit(0) extract_cur_bit The program sends data from a global array, we allow 5 bits per data char, we determine the current transmission bit using the state If sync_end <= state <= data_end: cur_bit = (data_arr[(state sync_end) / 8] >> ((state sync_end) % 8)) & 1 send_cur_bit We send the current bit If sync_end <= state <= data_end: If cur_bit == 1: send_bit(1) Else: send_bit(0) main The main execution while(true) if sync_start <= state < sync_end: sync() elif sync_end <= state < data_end: extract_cur_bit send_cur_bit() counter_advancement While (true) state += 1 state %= 60 sleep(1 sec) White Paper: Exfiltrating Reconnaissance data from Air-Gapped ICS/SCADA Networks 9

10 PLC Frequency Detection Tool The PLC s ladder logic will transmit the data cyclically all the time, on the receiving side with need code that will: Detect the optimal frequency to extract the data from The PLC signal is visible across a range of frequencies Sometimes a nearby electrical device might cause distraction on certain frequencies Synchronize itself to the clock of the PLC The PLC will send a bit every second The receiving side has no information about the clock of the device, when does a signal end and when does the next signal begin The sync sequence is used to determine the ticks of the clock and to know when the data begins Receive the data bit by bit and rebuild words Once the program is synced to the PLC clock it known when a bit begins and when it ends Detect Optimal Frequency Sync Receive Data White Paper: Exfiltrating Reconnaissance data from Air-Gapped ICS/SCADA Networks 10

11 Optimal frequency detection The PLC controlled frequencies are repeated in a certain sub spectrum however some frequencies are easier to work with then others because: A nearby device might cause a constant interference Some frequency in general have more noise Some frequencies are stronger At this stage we wish to find the optimal frequency to work with, this may be done by: 1. Extract the potential spectrum we use [350Khz, 420Hz] 2. Correlate the spectrum to a basic pattern of the synchronization block a. The purple is 1 indicating bright b. The yellow is -1 indicating dark c. The green is zero indicating we don t care about the value 3. We pick the frequency with the highest correlation (Making sure it s better than some threshold) 4. The correlating is especially significant during a sync White Paper: Exfiltrating Reconnaissance data from Air-Gapped ICS/SCADA Networks 11

12 Synchronization Detection At this stage we work with a single frequency that seemed optimal in the previous stage. To illustrate what we see: Now we wish to detect a sync pattern which is a pattern of dark / light We focus on one side of the optimal frequency which leaves us with a simple decision whether we see light or dark pattern We shrink along the y axis by taking the average of the whole line, which gives us a 2D vector of the brightness White Paper: Exfiltrating Reconnaissance data from Air-Gapped ICS/SCADA Networks 12

13 Again we use correlation this time it is a 2D correlating, but the pattern we look for is dark, light, dark, We correlate the previous pattern to The correlation will reach its pick during a perfect synchronization with the sync signal. At this stage we know the PLC is in its sync state We also know that we are perfectly synchronized to the PLC s clock and that the data will start arriving soon White Paper: Exfiltrating Reconnaissance data from Air-Gapped ICS/SCADA Networks 13

14 Receiving Data At this point we are synchronized with the PLC s clock and we want to receive the actual data: We work with a 2D signal Every second we have to determine if this was a 1 or a zero Example of It s easy to see the ones and the zero s chunks. We know that the PLC will transmit the data for a certain amount of time and later will return to the synchronization state. Therefore, will we receive data for the same amount of time and then return to the Synchronization Detection to receive the next chunk. White Paper: Exfiltrating Reconnaissance data from Air-Gapped ICS/SCADA Networks 14

15 Bios David Atch, VP Research David is a world-class cybersecurity expert with many years of real-world experience in malware analysis, threat hunting, and incident response. He has contributed multiple submissions to ICS-CERT including for zero-day vulnerabilities in commercial ICS devices [see: search.usa.gov/search?utf8=%e2%9c%93&affiliate=us-cert-cs&query=atch&commit=search] and tracking malware campaigns targeting critical infrastructure [see: Targeting-Ukrainian]. Prior to CyberX, David had a military career in the IDF where he led a team of programmers and reverse engineers who continuously hunted and mitigated complex cyber-intrusions targeting the country's critical national infrastructure. He has also received multiple awards for technological innovation. Most recently, David was invited to present at the SANS ICS Security Summit in March CyberX is a Boston-based industrial cybersecurity company founded in 2013 by IDF cyber experts. George Lashenko, Security Researcher An experienced Security Researcher, George Lashenko brings to CyberX vast experience working with mathematical algorithms and developing large scale software development projects. Spending over 4 years in the Israel Defense Forces (IDF), George served in an elite unit, as a software engineer in teams in charge of protecting the IDF's critical infrastructure. Tal Kaminker, Machine Learning Researcher Tal is an experienced researcher and developer of Algorithms, with broad knowledge in statistical analysis and modeling of data. During his military career in the Israel Defense Forces (IDF), Tal served in an elite unite, responsible for securing the IDF s critical infrastructure and power grid, developing and implementing new algorithms and data res. About CyberX CyberX provides the most widely-deployed industrial cybersecurity platform for continuously reducing ICS risk. Supporting all OT vendors and seamlessly integrating with all existing IT security tools, CyberX s platform combines a deep understanding of industrial protocols, devices, and applications with ICS-specific asset discovery, continuous monitoring and incident forensics, risk and vulnerability management, automated threat modeling, and threat intelligence. With a long history of innovation, CyberX recently published the first-ever Global ICS & IIoT Risk Report, a DBIR-like analysis of real-world vulnerabilities found in 375 production ICS networks worldwide. Additionally, CyberX is the only OT security firm selected for the SINET Innovator Award sponsored by the US DHS and DoD; the only one recognized by the International Society of Automation (ISA); and the only one selected by the Israeli national consortium providing critical infrastructure protection for the Tokyo 2020 Olympics. For more information visit CyberX-Labs.com. White Paper: Exfiltrating Reconnaissance data from Air-Gapped ICS/SCADA Networks 15

16 White Paper: Exfiltrating Reconnaissance data from Air-Gapped ICS/SCADA Networks 16