[CLASS2014] Palestra Técnica - Franzvitor Fiorim


Talk title: How do attacks on SCADA infrastructure begin?

Transcript of [CLASS2014] Palestra Técnica - Franzvitor Fiorim

Page 1: [CLASS2014] Palestra Técnica - Franzvitor Fiorim

Copyright © 2014 Trend Micro Incorporated. All rights reserved.

How do attacks on SCADA infrastructure begin?
Franzvitor Fiorim, Sales Engineer, [email protected]

Page 2: [CLASS2014] Palestra Técnica - Franzvitor Fiorim


Cyberwar on your network

More frequent, more targeted, more money, more sophisticated

• 2 new threats each second [1]

• 1 cyber-intrusion every 5 minutes [2]

• 67% of infrastructure can't block a custom & targeted attack [3]

• 55% of companies didn't detect the breach [1]

Sources: [1] Trend Micro; [2] US-CERT 2012; [3] Ponemon Institute 2012

Page 3: [CLASS2014] Palestra Técnica - Franzvitor Fiorim


Security by signature is not enough

[Diagram: attack techniques vs. signature-based controls (SWG, NGFW, IPS, AV). Technique labels: Basic malware; Phishing; Exploitation tools; Malicious website; Common vulnerabilities; Discovery tools; Document exploit; 0-day; Obfuscated JavaScript; Polymorphic payload; Crypted RAT; Watering hole attack; Spear phishing; C&C communications]

Page 4: [CLASS2014] Palestra Técnica - Franzvitor Fiorim


Attack: Social, Sophisticated, Silent

[Attack lifecycle diagram, labels translated:]

• Collect intelligence about organizations and individuals

• Attack individuals using social engineering (Employees)

• Establish a link with the Command & Control server (Attackers)

• Move laterally across the network looking for valuable data

• Extract data of interest; may go undetected for months! ($$$$)

Page 5: [CLASS2014] Palestra Técnica - Franzvitor Fiorim


Advanced Persistent Threats

• The components are not always malicious

• The focus is on being evasive

• Controlled by a human

• Multiple attack vectors

• Continuous, repeated attack

• Attackers are patient

• They exploit system gaps

• They exploit security gaps

• With enough resources to succeed in the attack

Page 6: [CLASS2014] Palestra Técnica - Franzvitor Fiorim


Security Risks to Industrial Control Systems (ICS)

Page 7: [CLASS2014] Palestra Técnica - Franzvitor Fiorim


Security Incident Cases

Sources: IPA, http://www.ipa.go.jp/security/fy20/reports/ics-sec/rep_main_fy20.pdf; IPA, http://www.ipa.go.jp/security/fy21/reports/scada/documents/scada_report.pdf; The Security Incidents Organization, http://www.securityincidents.org; JPCERT, http://www.jpcert.or.jp/ics/2011/20110210-oguma.pdf

Car Factory
  Impact: 13 production lines stopped / $14M loss
  Cause: Zotob virus
  Path: Carry-on PC or office network

Steel Plant
  Impact: Steam turbine control system stopped
  Cause: DOWNAD/Conficker virus
  Path: unknown

Chemical Plant
  Impact: 8 hours of monitoring incapability
  Cause: PE_SALITY virus
  Path: unknown

Industrial Facility
  Impact: Centrifugal separator crash (according to multiple reports)
  Cause: Stuxnet virus
  Path: USB flash or office network

Water Treating Plant
  Impact: Loss of control for 3 months (1ML of polluted water emission)
  Cause: Unauthorized access
  Path: Wireless link

Railway Traffic Control System
  Impact: Shutdown of train service in the morning during rush hour
  Cause: Blaster virus
  Path: unknown

Page 8: [CLASS2014] Palestra Técnica - Franzvitor Fiorim


Growing Trend of Security Incidents

Source: ICS-CERT Year in Review 2012 and 2013 http://ics-cert.us-cert.gov/Other-Reports

The number of incidents across critical infrastructure sectors that ICS-CERT responded to is increasing year after year. Most recently, 257 incidents were reported, a big increase from 197 in 2012.

[Chart: incidents per fiscal year. FY2010: 39; FY2011: 140; FY2012: 197; FY2013: 257]

Page 9: [CLASS2014] Palestra Técnica - Franzvitor Fiorim


Direction of ICS: Toward Open, and Collapse of the Myth of Safety

Item: Environment
  Past: Closed environment (physically closed environment)
  Present: Toward an open environment (connection with external N/W, use of USB flash drives)

Item: Technology
  Past: Specialized OS/application, specialized protocol
  Present: General OS/application, standard protocol (EtherNet/IP, PROFINET, CC-Link IE, etc.)

Item: Incident cases
  Past: Seldom
  Present: Increasing trend (STUXNET)

[Chart labels: OS (*1), External media usage (*2)]

Source: *1, *2: METI http://www.meti.go.jp/committee/kenkyukai/shoujo/cyber_security/001_06_01.pdf

Page 10: [CLASS2014] Palestra Técnica - Franzvitor Fiorim


Attack Case Against Honeypot

OVERVIEW: Develop a honeypot of a water supply system and deploy it on the internet to catch attacks against ICS.

Surveillance period: Mar. – Jun. 2013

Honeypot deployment: 8 countries, 12 places

Honeypot sample web page: [screenshot on the slide]

Source: http://apac.trendmicro.com/cloud-content/apac/pdfs/security-intelligence/white-papers/wp-the-scada-that-didnt-cry-wolf.pdf

Confirmed 74 attacks against the honeypot: modification attempts on water temperature and pump pressure, pump shutdown, etc.

Page 11: [CLASS2014] Palestra Técnica - Franzvitor Fiorim


Attack Case Against Honeypot

Page 12: [CLASS2014] Palestra Técnica - Franzvitor Fiorim


Background of Incidents

Page 13: [CLASS2014] Palestra Técnica - Franzvitor Fiorim


Increasing Trend of ICS Related Vulnerability Information

[Chart: ICS vulnerability reports per year, by severity level]

Year       2008  2009  2010  2011  2012  2013
Level III     6     6    14    64    97    80
Level II      2     4     3    28    74    49
Level I       4     1     3     2

Severity: Level III (Danger: System Hijack); Level II (Alert: System Stop); Level I (Notice: Partial Damage)

Source: http://www.ipa.go.jp/files/000036346.pdf

Page 14: [CLASS2014] Palestra Técnica - Franzvitor Fiorim


Malware Infection through USB Flash Drive

Source:TrendLabsSM 2013 Annual Security Roundup, http://apac.trendmicro.com/cloud-content/apac/pdfs/security-intelligence/reports/rpt-cashing-in-on-digital-information.pdf

Malware infection risk certainly exists, even in a closed environment.

[Chart: Top 3 Malware by Segment, 2013. Marked entries have the capability of infection through USB flash drives.]

Page 15: [CLASS2014] Palestra Técnica - Franzvitor Fiorim


Connected Devices Are Easily Detected

[Device banner shown on the slide:]

Modbus/TCP to RTU Bridge
Serial Number ********
MAC address ***********
Software version 01.8b3 (031021)

Press Enter to go into Setup Mode

Page 16: [CLASS2014] Palestra Técnica - Franzvitor Fiorim


Sandworm (CVE-2014-4114)

Page 17: [CLASS2014] Palestra Técnica - Franzvitor Fiorim


Special Characteristics and Security Requirements of ICS

Page 18: [CLASS2014] Palestra Técnica - Franzvitor Fiorim


ICS vs ICT

Security requirement, Control System (ICS) vs Information System (ICT):

Priority for security: ICS = A.I.C (Availability first); ICT = C.I.A
Availability: ICS = 24x365 stable running (no reboot permitted); ICT = basically during working time (reboot is acceptable)
Result of incident: ICS = worst case, damage generally becomes serious; ICT = pecuniary loss, privacy damage
Operating term: ICS = 10-20 years; ICT = 3-5 years
Data processing speed: ICS = real-time response; ICT = less impact from delayed response
Cycle for patch release and application: ICS = irregular, per control system vendor, quite long term (once every 1-4 years); ICT = often and regularly
Operation management: ICS = field technical dept.; ICT = information system dept.
Security awareness: ICS = threats become reality and incidents occur; ICT = already measured, basically
Security standard: ICS = under discussion at country level; ICT = already established
Object for security: ICS = stuff (facility, product), service (continuous running); ICT = information

*C (Confidentiality), I (Integrity), A (Availability)
Source: IPA, Survey about ICS of Critical Infrastructure and IT Service Continuity, Sep. 2009

Industrial control systems are systems with special characteristics that are very different from information systems.

Page 19: [CLASS2014] Palestra Técnica - Franzvitor Fiorim


ICS vs ICT

ICS

• Correct commands issued (Integrity)

• Limit interruptions (Availability)

• Protect the data (Confidentiality)

IT

• Protect the data (Confidentiality)

• Correct commands issued (Integrity)

• Limit interruptions (Availability)

Page 20: [CLASS2014] Palestra Técnica - Franzvitor Fiorim


Countermeasure points in ICS

[Plant network diagram with labels: Plant; Relay/terminal server; EWS; HMI; Internet; PLC/DCS; ICS vendors / System integrators; Office PC; Field bus; Historian; OPC Server; Maintenance; Maintenance service; Plant DMZ; Control information network; Operation PC; MES; Control network; Office network. Numbered markers 1-7 on the diagram place the countermeasure points below.]

Countermeasure points:

① Gateway

② Network

③ Server (plant DMZ)

④ Client/Server (Control information N/W)

⑤ Client/Server (Control N/W)

⑥ External storage media

⑦ PCs brought to work

Page 21: [CLASS2014] Palestra Técnica - Franzvitor Fiorim


Fundamental ICS Security Requirements (e.g.)

①② Gateway/Network

• Monitor and control data transactions at zone boundaries

• Create network segments as zones based on risk level

• Block unauthorized access and malicious code

③ Plant DMZ, ④ Control Information Network, ⑤ Control Network: Server/Client PC
(Mission-critical, specific-purpose systems vs. non-mission-critical, general-purpose systems; measures grouped as Prevention, Detection and Cleanup, N/A where not applicable)

• Do not stop the system frequently for update or recovery

• Secure the system even in a closed network

• Secure the system that cannot be patched regularly

• Keep minimum impact on system performance

• Offer easy installation/operation for non-IT persons

• Secure the system that changes frequently

• Secure the system that exchanges applications and documents with the outside of the plant

• Secure the system that is accessed by unauthorized devices

⑥⑦ External Device/PC (TMUSB)

• No change to the system

• Scan and clean with the latest pattern file even in a closed network

• Prohibit unauthorized external devices

• Scan external devices with the latest pattern file before/after connecting to the ICS
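The zone-boundary and unauthorized-access requirements above, together with the honeypot's pump-pressure modification attempts on page 10, can be checked by a small Modbus/TCP boundary monitor. This is an added example, not code from the talk or from Trend Micro; it assumes a constructed allowlist of engineering hosts (10.10.1.5), constructed source addresses, and a constructed holding register 40 standing in for a pump setpoint.

```python
import struct

# Modbus function codes that change process state (writes); 0x01-0x04 are reads.
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}

# Constructed allowlist: the only engineering host permitted to write into the control zone.
ALLOWED_WRITERS = {"10.10.1.5"}

def parse_mbap(frame: bytes) -> dict:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header (tid, pid, length, unit) then the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (must be 0)")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match payload {len(frame) - 6}")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}

def check_boundary(src_ip: str, frame: bytes, allowed_writers: set) -> tuple:
    """Zone-boundary policy: reads pass; writes only from allowlisted engineering hosts."""
    try:
        msg = parse_mbap(frame)
    except ValueError as err:
        return ("BLOCK", f"malformed Modbus/TCP from {src_ip}: {err}")
    fc = msg["function"]
    if fc not in WRITE_FUNCTIONS:
        return ("ALLOW", f"read fc=0x{fc:02x} unit={msg['unit']} from {src_ip}")
    if src_ip in allowed_writers:
        return ("ALLOW", f"{WRITE_FUNCTIONS[fc]} from authorised host {src_ip}")
    if fc == 0x06 and len(msg["data"]) >= 4:
        addr, value = struct.unpack(">HH", msg["data"][:4])
        detail = f"register {addr} <- {value}"
    else:
        detail = f"{len(msg['data'])} data bytes"
    return ("ALERT", f"{WRITE_FUNCTIONS[fc]} from unauthorised host {src_ip}: {detail}")

# Constructed sample traffic seen at the boundary (source IP, raw Modbus/TCP frame).
SAMPLE_EVENTS = [
    ("10.10.2.20", bytes.fromhex("000100000006010300000002")),   # HMI reads 2 holding regs
    ("203.0.113.7", bytes.fromhex("0002000000060106002803e8")),  # outsider writes reg 40 = 1000
    ("10.10.1.5", bytes.fromhex("0003000000060106002803e8")),    # engineering host, same write
    ("203.0.113.7", bytes.fromhex("000400010006010300000002")),  # protocol id 1: not Modbus
]

def audit(events, allowed_writers=ALLOWED_WRITERS):
    """Return (verdict, reason) for every frame; ALERT/BLOCK are what a zone monitor would log."""
    return [check_boundary(ip, frame, allowed_writers) for ip, frame in events]
```

Calling audit(SAMPLE_EVENTS) yields ALLOW, ALERT, ALLOW, BLOCK for the four frames; the alert names the unauthorised source and the register it tried to change.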

Page 22: [CLASS2014] Palestra Técnica - Franzvitor Fiorim


Page 23: [CLASS2014] Palestra Técnica - Franzvitor Fiorim


Supporting Materials

11/13/2014 Confidential | Copyright 2014 Trend Micro Inc.

Page 24: [CLASS2014] Palestra Técnica - Franzvitor Fiorim


APT X-ray: attack tools
Name (typical phases of use): Description

GETMAIL (Exfiltration): Typically used to ascertain mail archives and mail out of those archives.

Netbox (Attack, Exfiltration, Persistence): For hosting tools/drop servers/C2 servers. Commonly used as infrastructure on the backend to support operational tasks. (Netbox also has valid uses, and is not a direct indicator of compromise.)

Pwdump (Lateral Movement): Dumps password hashes from the Windows registry. Typically used to crack passwords for lateral movement throughout the victim environment. It can also be used in pass-the-hash attacks.

Cachedump (Lateral Movement): A program for extracting cached password hashes from a system's registry. Typically used to crack passwords for lateral movement throughout the victim environment. It can also be used in pass-the-hash attacks.

Lslsass (Persistence, Lateral Movement): Dumps active login session password hashes from Windows processes. It is used to crack passwords for lateral movement throughout the victim environment. It can also be used in pass-the-hash attacks.

mapiget (Persistence, Lateral Movement): Collects emails directly from Outlook, prior to their ever being archived. They are then dumped to text files.

HTRAN (Attack, Exfiltration, Persistence): Connection bouncer; redirects TCP traffic destined for one host to an alternate host. It is also used to help obfuscate the source IP of an attacker. It allows the attacker to bounce through several connections in the victim country, confusing incident responders.

Windows Credential Editor (WCE) (Persistence, Lateral Movement): A security tool that allows listing logon sessions and adding, changing, listing and deleting associated credentials.

Lz77.exe (Exfiltration): Used as a compression application to help exfiltrate data. This is commonly seen in WinRAR, 7-Zip, and WinZip.

Gsecdump (Lateral Movement): Grabs the SAM file, cached credentials, and LSA secrets. Used for lateral movement in the victim environment and pass-the-hash style attacks.

ZXProxy (a.k.a. AProxy) (Exfiltration, Persistence): Proxy functionality for traffic redirection. This helps redirect HTTP/HTTPS connections for source obfuscation. We have seen it used in data exfiltration.

LSB-Steganography (Initial Compromise, Exfiltration): Uses steganography techniques to embed files into images. This helps with data exfiltration as well as during the initial compromise of a traditional APT attack.

UPX Shell (Attack, Persistence): Used to help pack code for malware used in APT campaigns. This tool helps prevent reverse engineering and code analysis.

ZXPortMap (Exfiltration, Persistence): Traffic redirection tool, which helps to obfuscate the source of connections.

ZXHttpServer (Exfiltration): Small HTTP server that is deployable and extremely flexible. We have seen it used when attempting transfer of some files.

Sdelete (Persistence, Covering Tracks): Secure deletion tool. Allows for secure deletion to make forensic recovery difficult, therefore complicating incident response procedures.

Dbgview (Persistence, Lateral Movement): An application that lets you monitor debug output on your local system, or any computer on the network that you can reach via TCP/IP.

Source: http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/