The SCADA That Didn’t Cry Wolf: Who’s Really Attacking Your SCADA Devices Kyle Wilhoit Sr. Threat Researcher Trend Micro 1 Glossary HMI: Human Machine Interface IED: Intelligent Electronic Device SCADA: Supervisory Control And Data Acquisition RTU: Remote Terminal Unit Historian: Data Historian Modbus: Common ICS Protocol DNP3: Common ICS Protocol 10/31/13 Confidential | Copyright 2012 Trend Micro Inc. 2 Typical ICS Deployment 10/31/13 Confidential | Copyright 2012 Trend Micro Inc. 3 Modbus • Oldest ICS Protocol • Controls I/O Interfaces (MOSTLY!!!!) • No authentication or encryption! (Surprise!!!) • No broadcast suppression • Vulnerabilities are published 10/31/13 Confidential | Copyright 2012 Trend Micro Inc. 4 Security Concerns- ICS vs. IT ICS • Correct commands issued (Integrity) • Limit interruptions (Availability) • Protect the data (Confidentiality) 10/31/13 Confidential | Copyright 2012 Trend Micro Inc. 5 IT • Protect the data (Confidentiality) • Correct commands issued (Integrity) • Limit interruptions (Availability) Primary Security Concerns • HMI: Allows arbitrary command execution as well as set point modifications. • Data Historian: Allows inbound traffic to secure network segments. (Replication of data) • RTU: Allows remote communication ability And many more… Incidents Exist • First half of 2013 • Over 200 confirmed “incidents” SCADA Internet Facing • • • • • Google-fu Shodan ERIPP Pastebin Twitter SCADA Internet Facing Story Time! • All Internet facing… • No security measures in place Attacks • Attacked several times- over a period of months • Attackers gained access • Exfiltrated data • Not made public • This is not a story… • This happened… Story Time! In my basement… Enter Honeypots… • • • • 12 total honeypots 8 different countries Running since Jan, 2013 Combination of *nix, Windows, and Nov. 2012-March 2013 embedded systems Phase 1: Physical Deployment • Small town in rural America • Water pump controlling water pressure/ availability • Population 18,000~ 10/31/13 Confidential | Copyright 2012 Trend Micro Inc. 15 Physical Deployment • Fake water pressure system Internet facing • Very little security measures in place • Could cause catastrophic water pressure failures if compromised 10/31/13 Confidential | Copyright 2012 Trend Micro Inc. 16 What They See 10/31/13 Confidential | Copyright 2012 Trend Micro Inc. 17 Physical Deployment 10/31/13 Confidential | Copyright 2012 Trend Micro Inc. 18 Attack Profile- Country of Origin 2% 2% 2% 2% 2% 2% US 19% 6% LAOS UK 4% 2% 2% 12% CHINA NETHERLANDS 8% JAPAN BRAZIL 35% POLAND 10/31/13 Confidential | Copyright 2012 Trend Micro Inc. 19 • • • • 12 total honeypots 8 different countries Running since Jan, 2013 Combination of *nix, Windows, and March. 2013-July 2013 embedded systems Phase 2: Virtualized Environment • Water pump controlling water pressure/ availability • Population combined ~50 million Logically… 10/31/13 Confidential | Copyright 2012 Trend Micro Inc. 22 Architecture Some Tools Used Modbus.py OpenDNP3 PiFace Vulnerabilities Presented “If you can ping it, you own it” • SNMP vulns (read/write SNMP, packet sniffing, IP spoofing) • Specific ICS Vendor vulnerabilities • HMI (Server) Vulnerabilities • Authentication limitations • Limits of Modbus/DNP3 authentication/encryption • VxWorks Vulnerability (FTP) • Open access for certain ICS modifications- fan speed, temperature, and utilization. What’s an Attack? • ONLY attacks that were targeted • ONLY attempted modification of pump system (FTP, Telnet, Modbus, set points, etc.) • ONLY attempted modification via Modbus/DNP3 • DoS/DDoS will be considered attacks Total Attacks -74 attacks Non-Critical Attack ProfileSource Countries -63 non-critical attacks Critical Attack Profile- Source Countries -11 critical attacks Some Attack Stats Data exfiltration attempt Modification of CPU fan speed Modbus traffic modification HMI access Modify pump pressure Modify temperature output Shutdown pump system 0 0.5 1 1.5 2 2.5 3 3.5 Spear Phished TO: CITYWORKS@<HOSTNAME OF OUR CITY>.COM “ Hello sir, I am <name of city administrator> and would like the attached statistics filled out and sent back to me. Kindly Send me the doc and also advise if you have questions. Look forward you hear from you soon ....Mr. <city administrator name> ” Cityrequest.doc • Decoy doc- not much substance Cityrequest.doc Dropped Files • CityRequest.doc • File gh.exe dumps all local password hashes – <gh.exe –w> • File ai.exe shovels a shell back to a dump server. – < ai.exe –d1 (Domain) –c1 (Compare IP) –s (Service) > • Malware communicating to a drop/CnC server in China. • exploiting CVE 2012-0158 • Malware communicating to a drop/CnC server in USA – 70.254.245.X – 70.254.245.X – Has been taken down…by the US government Execution • Upon execution of CityRequest.docx, files leaving the server in question after 5 days. – Fake VPN config file – Network statistics dump – SAM database dump – Gain persistence via process migration • Won’t execute on Office 2010. Exfiltration: Days 1-4 Exfiltration: Days 5-17 APT1 Report • APT1 (Comment Crew) report released in Feb 2013. • Included many APT variants we’ve seen. • One of particular interest was HACKSFASE. • Commonly used in energy sector. Examination Attribution 10/31/13 Confidential | Copyright 2012 Trend Micro Inc. 40 Attribution • IP • BeEF • Code Analysis BeEF Usage • • • • • Detect Tor Get Registry Keys Get_Physical_Location Get_System_Info Get_Internal_IP Attacker Profile • Most attacks appeared to be non-targeted • Many attackers were “opportunists” • Some were targeted… Some Takeaways • • • • Red team/Blue team often Perform specialized vulnerability assessments Control contractors Perform basic security controls • Network segmentation • Two-factor authentication • Patch your stuff! • Lockdown external media • Manage vulnerabilities • Classify your data/assets • etc. Shout Email: [email protected] Non-Work: [email protected] Twitter @lowcalspam