Why am I here?
Give and Take...
Give... A glimpse into the IT security field
Take... Spread the word of our company; long-term recruitment...
Give and Take!?! Spreading interest for security
2017-02-22 Stuxnet / Advenica 2

Håkan Ahrefors
MS Computer Engineering, 1997
PhD, Software Engineering, 2002
Assistant Professor, 2003-2005
IT-Security, 2005-2009
IT Security Consultant, 2009-2010
Advenica 2010 -

Malware/Worms/Trojans/Viruses
Malicious code: unapproved, unwanted, malicious intent
Different goals: spread, destroy, steal, herd, sabotage, $$$
1949, von Neumann, self-replication
Early 70s, Creeper virus (DARPA Net)
1986 – The Brain, 1988 – Morris Worm

Anti-Virus/Protection
Symantec, AVG, Avast, Avira, Microsoft, ESET, McAfee, Panda, Kaspersky...
However, you can't always run AV software
General rules of avoidance: NO INTERNET CONNECTION!
Limited or no local network connection
Run non-common, but trusted, software

New Malware
17th of June 2010: VirusBlokAda (Belarusian AV company) detected and put a signature on a new threat, "Trojan-Spy.0485"
Not that out of the ordinary (~20 million new threats in 2010, AV-TEST)
Did, however, have some "new" interesting code

First Analysis
Showed embedded "0-day" exploit
Signed code (certificate from Realtek)
Enormous effort: years in development (500 kB virus)
Several people, even several groups of people
QA

Continued Analysis
Remote and local updates: remote from external servers, local from other copies
Kill date... 24 June 2012
But wait... more exploits (4+)
Strange code strains
WinCC servers... SIEMENS controllers, PLC

…
Spreads: local LAN – Printer Spooler exploit; USB (to make air-gap jumps)
Localization: India, Malaysia... and... Iran
Industrial espionage? Information gathering?

Local Net
[Network diagram; labels: Internal Network, Internet, Specific Purpose Network, "sneaker net", Company X, Extra sensitive]

Controllers
WinCC -> SIEMENS hardware for controllers
STEP7 – framework/language (STL) for programming controllers
Controllers: PID, PLC
SCADA – supervisory control and data acquisition

Who is the target?
Iran, Indonesia, India, Pakistan, US, Russia...
WinCC -> SIEMENS controllers...
Frequency converter IDs in S7 code
Uranium enrichment... uses centrifuges
Many plants built with Siemens equipment

.jpg Analysis
Different sources helped the analysis
STEP7 code showed signs of groups of structures, grouped on 4, 8, 12, 16, 20... of "something"
Even the President of Iran "helped": on his blog in 2008, pictures from a visit at Natanz

Stuxnet News
Stuxnet was huge news during 2010
Research has continued and is still ongoing
Stuxnet code is more or less out there for the taking

Stuxnet – Timeline
November 2008: Trojan.Zlob (MS10-046)
April 2009: Magazine Hakin9 (MS10-061)
June 2009: Earliest Stuxnet sample compile date
January 25, 2010: Stuxnet driver signed with Realtek cert
March 2010: First version to exploit MS10-061
June 17, 2010: VirusBlokAda reports "RootkitTmphider"
July 13, 2010: Symantec adds unique "W32.Temphid" signature
July 16, 2010: Microsoft advisory on .lnk files; Verisign revokes Realtek cert
July 17, 2010: ESET identifies new Stuxnet driver, cert: Micron TechCorp.
July 19, 2010: Siemens reports investigation on WinCC SCADA; Symantec → W32.Stuxnet
July 22, 2010: Verisign revokes Micron TechCorp cert
August 2, 2010: Microsoft releases MS10-046, patch for .LNK vuln.
September 14, 2010: Microsoft releases MS10-061, patch for Printer Spooler vuln.
October 12, 2010: Microsoft releases MS10-073, patch for kernel elevation vuln.

"Worm Stalking"
July 20th 2010, Symantec started to monitor the C&C traffic.
Each Stuxnet sample kept a log of its own events.
Stuxnet was a targeted attack on five organizations.
Organizations were targeted in June 2009, July 2009, March 2010, April 2010, and May 2010. Three organizations were targeted once, one was targeted twice, and another was targeted three times.
12,000 infections originated from these initial 10 infections. All targeted organizations have a presence in Iran. The shortest span between compile time and initial infection was 12 hours.
In November 2014 Kaspersky Lab published the names of the domains.

4 Exploits!
CVE ref.        Bulletin   Patched         Description
CVE-2008-4250   MS08-067   Oct 23, 2008    Vulnerability in Server Service Could Allow Remote Code Execution
CVE-2010-2568   MS10-046   Aug 2, 2010     Vulnerability in Windows Shell Could Allow Remote Code Execution
CVE-2010-2729   MS10-061   Sept 14, 2010   Vulnerability in Print Spooler Service Could Allow Remote Code Execution
CVE-2010-2743   MS10-073   Oct 12, 2010    Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege

.LNK Files
CVE-2010-2568: Windows Shell in Microsoft Windows XP SP3, Server 2003 SP2, Vista SP1 and SP2, Server 2008 SP2 and R2, and Windows 7 allows local users or remote attackers to execute arbitrary code via a crafted (1) .LNK or (2) .PIF shortcut file, which is not properly handled during icon display in Windows Explorer, as demonstrated in the wild in July 2010, and originally reported for malware that leverages CVE-2010-2772 in Siemens WinCC SCADA systems.

…Gets Iffy
Link to a .cpl: what icon to show?
.cpl = .dll
… and then extract the icon from the loaded .cpl (dll) file...
...but...

…
We load whatever DLL is in the ~WTR4141.tmp file... (on removable media) = BAD!
And as msdn.microsoft.com can tell us about the LoadLibrary function: "...If the specified module is a DLL that is not already loaded for the calling process, the system calls the DLL's DllMain function with the DLL_PROCESS_ATTACH value. ..." = WORSE!!
OK if it looks like this
…but if it looks like this
NOTE... No AutoRun needed... the display of the icon triggers the exploit!
Took just days before this vulnerability was added to Metasploit... but with some added features...
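As an added example (not from the slides or from Advenica), a small Python heuristic in the spirit of the MS10-046 fix: it parses the ShellLink header and LinkTargetIDList of a .LNK file and flags a Control Panel item whose applet path is not a .cpl under the Windows directory. The two sample shortcuts, the ~WTR4141.tmp path on removable media and the simplified ItemID layout (0x1F root-folder item, plain UTF-16 path item) are constructed here for illustration; real IDLists are more varied.

```python
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_LINK_TARGET_IDLIST = 0x1
CONTROL_PANEL_CLSID = bytes.fromhex("2020ec21ea3a6910a2dd08002b30309d")  # 21EC2020-3AEA-1069-A2DD-08002B30309D
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # printable UTF-16LE runs

def item_ids(lnk):
    """Return the ItemID payloads of the LinkTargetIDList (empty if the flag is clear)."""
    if lnk[:4] != struct.pack("<I", LNK_HEADER_SIZE) or lnk[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    if not struct.unpack_from("<I", lnk, 20)[0] & HAS_LINK_TARGET_IDLIST:
        return []
    pos, items = LNK_HEADER_SIZE + 2, []           # +2 skips IDListSize
    while True:
        size = struct.unpack_from("<H", lnk, pos)[0]
        if size == 0:                              # TerminalID ends the list
            return items
        items.append(lnk[pos + 2:pos + size])
        pos += size

def suspicious_cpl_target(lnk):
    """Heuristic for the MS10-046 pattern: a Control Panel item whose applet path
    is not a .cpl under \\Windows\\. Returns the offending path, else None."""
    items = item_ids(lnk)
    if not any(CONTROL_PANEL_CLSID in it for it in items):
        return None
    for it in items:
        for run in UTF16_RUN.findall(it):
            path = run.decode("utf-16-le")
            low = path.lower()
            if "\\" in low and not (low.endswith(".cpl") and "\\windows\\" in low):
                return path
    return None

def build_lnk(items):
    """Constructed sample: a minimal ShellLink carrying only a LinkTargetIDList."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_TARGET_IDLIST)
    body = b"".join(struct.pack("<H", len(it) + 2) + it for it in items) + b"\x00\x00"
    return header.ljust(LNK_HEADER_SIZE, b"\x00") + struct.pack("<H", len(body)) + body

def cpl_item(path):
    return b"\x00\x00" + path.encode("utf-16-le") + b"\x00\x00"  # filler, UTF-16 path, NUL

CONTROL_PANEL_ITEM = b"\x1f\x80" + CONTROL_PANEL_CLSID          # root-folder item (type 0x1F)
BENIGN = build_lnk([CONTROL_PANEL_ITEM, cpl_item(r"C:\Windows\system32\timedate.cpl")])
# Stuxnet-style: the "applet" sits on removable media and is not even a .cpl
MALICIOUS = build_lnk([CONTROL_PANEL_ITEM, cpl_item(r"\\.\STORAGE#RemovableMedia#PLACEHOLDER\~WTR4141.tmp")])
```

Run over the .LNK files on a mounted USB stick, a hit means the shortcut would make Explorer LoadLibrary something outside the registered applets just to draw an icon.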

"Holy Exploit, Batman!"
Remote malicious .dll loading!

What happened here?
November 2008: Trojan.Zlob (MS10-046)
April 2009: Magazine Hakin9 (MS10-061)
August 2, 2010: Microsoft releases MS10-046, patch for .LNK vuln.
September 14, 2010: Microsoft releases MS10-061, patch for Printer Spooler vuln.
1-1½ years!

Hard-coded Wonders!
Posted on Siemens forums since 2008... has since been removed... but... it's still "out there":
uid=WinCCConnect;pwd=2WSXcde
Of course you can't change it in the db... the program would stop
[Diagram: WinCC Software -> login uid/pwd? -> MS SQL]

Glimpse of the future?
Directed attacks are far more difficult to handle
SCADA systems: just one of many huge areas where "IT" security is not implemented
Not only about the "I" of IT anymore

And then what?
Stuxnet: what happened then...?
2011 Duqu
2012 Flame
Gauss
Shamoon (Wiper) – Retaliation?

Flame
Spread across LAN or via USB stick
Created for information gathering
Records audio, screenshots, keyboard activity and network traffic
Also records Skype conversations
Can turn infected computers into Bluetooth beacons to harvest information about nearby Bluetooth-enabled devices

Flame II
Data sent to a worldwide net of C&C servers
Found initially in May 2012
Spread mostly in the Middle East: Iran, Israel, Sudan, Syria, Lebanon etc.
After exposure, a "kill" command was sent

Huge Flame is Huge
20 MB of malware!
Modules: LUA, C++
SQLite db
Anti-"Anti-Virus" depending on what AV software was installed
Active since at least 2010

Certificates Again
Signed with a fraudulent Microsoft certificate
Used a highly advanced attack against MS Terminal Services Licensing Server to generate a "valid" but fraudulent certificate
Utilized MD5 collision attacks
Made a Man-in-the-Middle attack possible on Windows Update

And then what II?
Red October (Jan 2013)
Miniduke (27th Feb 2013)
NetTraveler (4th Jun 2013)
Careto (11th Feb 2014)
Regin (23rd Feb 2014)
Duqu 2.0 (Jun 2015)
Shamoon 2 (Nov 2016)
… and…

…Stuxnet 0.5
Symantec revealed new information about early versions of Stuxnet
v0.5: less developed but more aggressive
Designed to modify the pressure valves of centrifuges of uranium-rich gas

Even Further Back!
C&C servers registered 2005
Sample of code: 2007
5 years!

Equation Group! <cough!> NSA <cough!>
"Threat Actor": highly sophisticated
Engaged in network exploitation since (at least) 2001 …perhaps even further back (1996)
Multiple malware platforms
Highly advanced tools
Uses lots of encryption

Kaspersky Labs -- 2015-02-16
Module present in several of their malware: to stay persistent, it re-programs HDD firmware (Samsung, WD, Hitachi, Seagate, Toshiba…)
Fanny worm created 2008: used 2 zero-day exploits, including Stuxnet's 'infamous' .LNK exploit
Mapping of air-gapped networks…

Equation Group II
Speculations: 24 Sept 2010, The Guardian
1 June 2012 – New York Times
23rd June 2013 – Associated Press (Cartwright pardoned by Obama 2017)
June 2013, Edward Snowden: Tailored Access Operations (TAO)
Olympic Games

Sources
Stuxnet:
"W32.Stuxnet Dossier" / Symantec
"Stuxnet under the microscope" / ESET
"Stuxnet 0.5 – The Missing Link" / Symantec
"Stuxnet: Zero Victims" / Kaspersky (Nov 2014)
"Countdown to Zero Day – Stuxnet and the Launch of the World's First Digital Weapon" / Kim Zetter (2014)
Ralph Langner: on Vimeo, search for Ralph Langner; TED talk, Ralph Langner (Feb 2011)
Documentary: Zero Days (Jul 2016, www.imdb.com/title/tt5446858/)
Equation Group:
"Equation Group FAQ v1.5" / Kaspersky Labs (Feb 2015)

The end…
Håkan Ahrefors
2017-01-17 Advenica Public 44
advenica.com/
digitaltansvar.se/