The SCADA That Didn t Cry Wolf: Who s Really Attacking Your SCADA Devices

Size: px

Start display at page:

Download "The SCADA That Didn t Cry Wolf: Who s Really Attacking Your SCADA Devices"

Harriet Jacobs
8 years ago
Views:

1 The SCADA That Didn t Cry Wolf: Who s Really Attacking Your SCADA Devices Kyle Wilhoit Sr. Threat Researcher Trend Micro 1

2 Glossary HMI: Human Machine Interface IED: Intelligent Electronic Device SCADA: Supervisory Control And Data Acquisition RTU: Remote Terminal Unit Historian: Data Historian Modbus: Common ICS Protocol DNP3: Common ICS Protocol 10/31/13 2 Confidential Copyright 2012 Trend Micro Inc.

Terminal Unit Historian: Data Historian Modbus: Common ICS Protocol

4 Modbus Oldest ICS Protocol Controls I/O Interfaces (MOSTLY!!!!) No authentication or encryption! (Surprise!!!) No broadcast suppression Vulnerabilities are published 10/31/13 4 Confidential Copyright 2012 Trend Micro Inc.

!!) No broadcast suppression Vulnerabilities are

5 Security Concerns- ICS vs. IT ICS Correct commands issued (Integrity) Limit interruptions (Availability) Protect the data (Confidentiality) IT Protect the data (Confidentiality) Correct commands issued (Integrity) Limit interruptions (Availability) 10/31/13 5 Confidential Copyright 2012 Trend Micro Inc.

(Availability) Protect the data (Confidentiality) IT Protect the data

6 Primary Security Concerns HMI: Allows arbitrary command execution as well as set point modifications. Data Historian: Allows inbound traffic to secure network segments. (Replication of data) RTU: Allows remote communication ability And many more

Data Historian: Allows inbound traffic to secure network

7 Incidents Exist First half of 2013 Over 200 confirmed incidents

8 SCADA Internet Facing Google-fu Shodan ERIPP Pastebin Twitter

9 SCADA Internet Facing

10 Story Time! All Internet facing No security measures in place

11 Attacks Attacked several times- over a period of months Attackers gained access Exfiltrated data Not made public This is not a story This happened

12 Story Time! In my basement

13 Enter Honeypots

14 12 total honeypots 8 different countries Running since Jan, 2013 Phase 1: Combination of *nix, Windows, and embedded Nov March systems 2013

pressure/ availability Population 18,000~

16 Physical Deployment Fake water pressure system Internet facing Very little security measures in place Could cause catastrophic water pressure failures if compromised 10/31/13 16 Confidential Copyright 2012 Trend Micro Inc.

cause catastrophic water pressure failures if

20 12 total honeypots 8 different countries Running since Jan, 2013 Phase 2: Combination of *nix, Windows, and embedded March July systems 2013

21 Virtualized Environment Water pump controlling water pressure/ availability Population combined ~50 million

23 Architecture

24 Some Tools Used Modbus.py OpenDNP3 Pi- Face

25 Vulnerabilities Presented If you can ping it, you own it SNMP vulns (read/write SNMP, packet sniffing, IP spoofing) Specific ICS Vendor vulnerabilities HMI (Server) Vulnerabilities Authentication limitations Limits of Modbus/DNP3 authentication/encryption VxWorks Vulnerability (FTP) Open access for certain ICS modifications- fan speed, temperature, and utilization.

26 What s an Attack? ONLY attacks that were targeted ONLY attempted modification of pump system (FTP, Telnet, Modbus, set points, etc.) ONLY attempted modification via Modbus/DNP3 DoS/DDoS will be considered attacks

27 -74 attacks Total Attacks

28 Non-Critical Attack Profile- Source Countries -63 non-critical attacks

29 Critical Attack Profile- Source -11 critical attacks Countries

30 Some Attack Stats Data exfiltration attempt Modification of CPU fan speed Modbus traffic modification HMI access Modify pump pressure Modify temperature output Shutdown pump system

31 Spear Phished TO: OF OUR CITY>.COM Hello sir, I am <name of city administrator> and would like the attached statistics filled out and sent back to me. Kindly Send me the doc and also advise if you have questions. Look forward you hear from you soon...mr. <city administrator name>

32 Cityrequest.doc Decoy doc- not much substance

33 Cityrequest.doc

34 Dropped Files CityRequest.doc File gh.exe dumps all local password hashes <gh.exe w> File ai.exe shovels a shell back to a dump server. < ai.exe d1 (Domain) c1 (Compare IP) s (Service) > Malware communicating to a drop/cnc server in China. exploiting CVE Malware communicating to a drop/cnc server in USA X X Has been taken down by the US government

35 Execution Upon execution of CityRequest.docx, files leaving the server in question after 5 days. Fake VPN config file Network statistics dump SAM database dump Gain persistence via process migration Won t execute on Office 2010.

36 Exfiltration: Days 1-4

37 Exfiltration: Days 5-17

38 APT1 Report APT1 (Comment Crew) report released in Feb Included many APT variants we ve seen. One of particular interest was HACKSFASE. Commonly used in energy sector.

39 Examination

41 IP BeEF Code Analysis Attribution

42 BeEF Usage Detect Tor Get Registry Keys Get_Physical_Location Get_System_Info Get_Internal_IP

43 Attacker Profile Most attacks appeared to be non-targeted Many attackers were opportunists Some were targeted

44 Some Takeaways Red team/blue team often Perform specialized vulnerability assessments Control contractors Perform basic security controls Network segmentation Two-factor authentication Patch your stuff! Lockdown external media Manage vulnerabilities Classify your data/assets etc.

45 Shout Non-Work:

ICS, SCADA, and Non-Traditional Incident Response. Kyle Wilhoit Threat Researcher, Trend Micro

ICS, SCADA, and Non-Traditional Incident Response Kyle Wilhoit Threat Researcher, Trend Micro 1 $whoami Threat Researcher, FTR, Trend Micro Threat Researcher at Trend Micro- research and blogger on criminal