Technical Presentation - Malware Infections in Brazil

Description: presentation given at the ACS Conference in Washington DC (USA)

Page 1

TI Safe Segurança da Informação LTDA, 2007-2010. All rights reserved.

Recent malware infections on control system networks in Brazil

Marcelo Branquinho
ACS Conference – Washington DC

September 2011

Page 2

Don't need to copy... just download it

http://www.tisafe.com/recursos/palestras/

Page 3

TI Safe on Twitter

• Follow us on Twitter - @tisafe

Page 4

About Myself

Marcelo Branquinho
[email protected]

• Electrical Engineer specializing in computer systems, with an MBA in business management; one of the founders of the ISACA chapter in Rio de Janeiro.

• Member of ISA International and currently director of TI Safe, where he heads security for industrial automation systems.

• With 12 years of experience in critical infrastructure and government agencies in Brazil, Marcelo coordinates the development of the Automation Security Training, the first Brazilian course in this segment.

• Currently a collaborator of the WG5 TG2 Gap Analysis Task Group that is revising the ANSI/ISA-99 standard.

Page 5

Agenda

• Malware infections on control system networks in Brazil

Study Case 1: Automation Plants of Steel Industry “A”
• Network Architecture
• Automation Systems Composition
• Policies
• Installed Defenses
• About the AHACK worm
• Malware Infection
• Implemented Countermeasures

Study Case 2: Power Plant of Steel Industry “B”
• Network Architecture
• Automation Systems Composition
• Policies
• Installed Defenses
• Malware Infection
• About the Conficker worm
• Implemented Countermeasures

• Conclusion and Challenges

* Due to confidentiality agreements, the steel companies' names and all possible references to their plants were removed from the presentation slides.

Page 6

Study Case 1

Automation Plants of Steel Industry “A”

Page 7

About Steel Industry “A”

• Steel Industry “A” is one of the largest steel producers in the Americas, with major steel mills in Brazil and a total capacity of about 10 million metric tons of steel per year.

• The company accounts for about ¼ of total steel output in Brazil.

• The company also operates in the logistics sector through stakes in local Brazilian logistics companies.

• Started operations in 1964.

Page 8

Network Architecture

• 5 automation networks (one for each automation area)

• No documentation:
There is no complete inventory of the automation networks; they simply grew according to business needs without consistent planning
There are no network diagrams for the areas

• IT network connected to the Internet, with firewalls protecting this connection

• No network segmentation:
No firewalls or VLANs separating the automation and IT networks
Any automation network can reach any other automation network
All main services run on IT servers
Any computer on the corporate network has read/write access to any PLC on the automation networks

• No Windows domain:
SCADA servers (Windows based) have no login (they run automatically after reboot)

• Remote access (over the Internet) is widely used by employees and third parties to reach SCADA
A single username/password for ALL remote users

Page 9

Automation Systems Composition

• Main applications:
Siemens STEP7, DCOM and OPC Client
Siemens WinCC Flex
OPC Server SCADA FactoryLink
Elipse
FactoryLink and DCOM
Oracle 10g and Message Queue
DEC Basestar, Cimfast and Rally

• Main SCADA servers:
DEC VAX and Alpha (many servers), all running OpenVMS
Windows servers running Windows 2003 and 2008 (just a few)
Some Windows servers still running very old operating systems such as Windows 95 and Windows NT

Page 10

Policies

• There is an IT security policy based on ISO 27001/27002, implemented on the IT network
IT and automation network teams don't talk to each other

• Automation and control systems are not compliant with international standards such as ANSI/ISA TR-99

• No specific automation security policy
There are a few written procedures in which users assume all responsibility in case of security incidents. They sign a single term and are then allowed to do whatever they want on the automation networks (attach laptops, USB sticks, modems, etc.).

• There are some manual backups to tape, but nobody has ever tested whether they restore data correctly when needed

• Passwords
Where they exist, they are weak and widely shared; the prevailing idea is that systems must not stop because of strong or unknown passwords
Passwords are never changed on automation systems and are sometimes hard-coded (for database connections, for example)
Very frequently the password equals the application name (for example, if the database is ORACLE, the password is ORACLE)
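The password failure modes listed on this slide (and repeated almost verbatim for Steel Industry “B” on its Policies slide) are mechanical enough to check with a script. The following is an added example, not code from the presentation or from TI Safe: it audits a service-account inventory for passwords equal to the application or account name, well-known defaults, passwords never rotated, and passwords hard-coded in connection strings. The inventory, config text, default-password list and the ODBC-style `key=value;` syntax it parses are all constructed assumptions.

```python
"""Credential hygiene audit for automation systems. Added example, not from the
presentation; it checks the failure modes the Policies slides describe:
password equal to the application or account name, well-known defaults,
passwords never rotated, and passwords hard-coded in connection strings.
The inventory, config text and default list below are constructed."""
import re
from datetime import date

# Constructed, deliberately short list of well-known defaults; a real audit
# would load a full wordlist.
DEFAULT_PASSWORDS = {"oracle", "manager", "admin", "password", "system", "sa", "1234", ""}

# Assumed connection-string syntax: key=value pairs separated by ';'
# (ODBC/OLE DB style), plus bare password=... lines in .ini style files.
HARDCODED_RE = re.compile(r"(?i)\b(?:password|pwd)\s*=\s*([^;\s\"']*)")


def audit_account(app, user, password, last_changed, today, max_age_days=90):
    """Return the list of policy violations for one service account.
    last_changed is a date, or None when the password was never rotated."""
    findings = []
    p = password.lower()
    if p == app.lower():
        findings.append("password equals application name")
    if p == user.lower():
        findings.append("password equals username")
    if p in DEFAULT_PASSWORDS:
        findings.append("well-known default password")
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    if last_changed is None:
        findings.append("never changed")
    elif (today - last_changed).days > max_age_days:
        findings.append(f"not rotated for {(today - last_changed).days} days")
    return findings


def audit_inventory(inventory, today):
    """inventory: iterable of (app, user, password, last_changed).
    Returns {(app, user): [findings]} for accounts that violate the policy."""
    report = {}
    for app, user, password, last_changed in inventory:
        findings = audit_account(app, user, password, last_changed, today)
        if findings:
            report[(app, user)] = findings
    return report


def find_hardcoded(config_text):
    """Return [(line_number, password)] for credentials embedded in config text."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), start=1):
        for m in HARDCODED_RE.finditer(line):
            hits.append((n, m.group(1)))
    return hits


# Constructed sample inventory and config; not data from either steel plant.
SAMPLE_TODAY = date(2011, 9, 1)
SAMPLE_INVENTORY = [
    ("ORACLE", "SYSTEM", "ORACLE", None),                               # the slide's example
    ("FactoryLink", "flink_svc", "flink_svc", date(2010, 3, 1)),        # equals username, stale
    ("WinCC", "opc_reader", "Wc-0pc#reader-2011!", date(2011, 8, 15)),  # compliant
    ("Historian", "pi_writer", "manager", date(2009, 5, 20)),           # default, stale
]
SAMPLE_CONFIG = """[database]
Provider=OraOLEDB.Oracle;Data Source=PLANTDB;User Id=SYSTEM;Password=ORACLE;
[historian]
host=10.1.2.200
pwd=manager
"""

if __name__ == "__main__":
    for (app, user), findings in audit_inventory(SAMPLE_INVENTORY, SAMPLE_TODAY).items():
        print(f"{app}/{user}: {'; '.join(findings)}")
    for n, pw in find_hardcoded(SAMPLE_CONFIG):
        print(f"line {n}: hard-coded password {pw!r}")
```

Run as-is it reports the ORACLE/ORACLE account with four violations, the FactoryLink and Historian accounts with three each, leaves the compliant WinCC account out, and points at lines 2 and 5 of the config as hard-coded credentials. Feed it the real inventory and the `.ini`/`.udl` files from the SCADA servers and the output is the list the slide says nobody kept.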

Page 11

Installed Defenses

• On most SCADA servers, system updates are disabled

• No service packs or patches have been installed for years
In fact they have been completely ignored (nobody changes systems that are in production, for fear of stopping them)

• A Symantec Endpoint Protection suite is installed on the IT network and on some automation network computers, which creates a false sense of security

• There are no firewalls separating the automation and IT networks

• There is no IPS anywhere on the network (including the IT network)

• There are no security logs and no security monitoring

Page 12

About the AHACK worm

• AHACK is a worm that can secretly get into systems and steal sensitive information

• If a computer is infected by the AHACK worm, the following problems may occur:
Instant computer shutdown
Bundled Trojan
System32 errors: .dll errors, .exe errors and runtime errors
Slow computer performance
Degraded system speed
Driver update failure
Program uninstall failure
Blue Screen of Death errors

Page 13

Malware Infection

• Date it was discovered at the plant: June 2008
• Malware: AHACK worm
• Where: Power and Blast Furnace Plant
• Consequences:
The worm spread over the whole power plant automation network
It flooded the network with unwanted packets and made the communication between PLCs and supervision stations unstable, compromising plant supervision
On some machines, the worm paralysed important Windows services
This loss of supervision caused stops and restarts of the SCADA systems, generating loss of production and financial damage

Page 14

Implemented Countermeasures

• Some less critical computers and SCADA servers were disinfected with the worm removal kit

• For about 3 critical SCADA servers that could not be stopped, the automation team wrote an internal document explaining:
What to do when the worm activates (and how to identify the worm's activity)
Which applications and services should be restarted
Whom to call in case the procedure fails (perhaps God ☺)

• All computers and pen drives now have to be scanned on a clean machine before being connected to the automation network

• 3G modems were banned from the automation network

Page 15

Implemented Countermeasures (cont.)

• A distributed Microsoft Active Directory domain was created to serve the 5 automation networks. This domain is composed of users and groups totally separate from the corporate domain.

• The domain was created on 5 domain controllers (one for each automation area), configured in a redundant scheme where each change to a user or policy is automatically replicated to all domain controllers.

• To log in, a user may use any of the 5 domain controllers transparently, or even log in offline when outside the automation network.

• A security policy was configured for this domain with some important GPOs, such as:
Turn off Autoplay
Account lockout after 3 attempts (locks for 1 minute before a new attempt)
Prohibit new task creation
Prohibit user installs
Remove Task Manager
Prohibit access to the Control Panel

Page 16

Study Case 2

Power Plant of Steel Industry “B”

Page 17

About Steel Industry “B”

• Steel Industry “B” produces high-quality steel slabs, which are processed in European and US plants.

• The power plant has an installed capacity of 550 MW, producing energy from converter gas, blast furnace and coke plant steam.

• Started operations in 2009.

Page 18

Network Architecture – Power Plant

• Approximately 180 computers make up the plant (workstations + servers), all running Windows.

• Documentation:
There is a complete inventory of the power plant network, kept in an Excel worksheet
There are some network diagrams for the plant

• About the power plant automation network:
Existing firewalls: Cisco 800 and Hirschmann EAGLE
No wireless networks communicating with this plant
DHCP and DNS servers are on the IT network
Connections to insecure third-party networks
OPC data exchange with other automation plants inside the complex

Page 19

Network Architecture – Power Plant (cont.)

• No Windows domain
SCADA servers (all Windows based) have no login (they run automatically after reboot)

• Remote access through the Internet for control and monitoring
Authentication by username and password; there is just a single username and password for all remote users.

• Governance and Monitoring
The plant has geographically distant locations with very difficult access to the RTUs
Firewall and network logs are not analysed
An up-to-date McAfee antivirus runs inside the automation plant, but it neither stopped the infection nor prevented it from spreading
Windows servers do not have current patches and service packs
SCADA applications are not patched (manufacturers charge for this service and take a long time to perform it)

Page 20

Automation Systems Composition

• Main systems:
ALSPA P320 PLC
ABB EGATROL
ABB MicroSCADA
ABB 800xA System, version 5.0 Rev D
TDMS
Siemens PCS7 WinCC
Siemens STEP7 S7-400
InTouch

• Main SCADA servers:
The plant has only 2 years of operation and all systems run on Windows Server 2003 R2 SP2

• All workstations run Windows XP SP2

• Main OPC servers:
OPC – Energy Management System – KepServer 5
Matrikon OPC – OPC Explorer version 3.5.0.0 / OPC Explorer version 3.2.1.150
OPC – OSIsoft PI

Page 21

Policies

• There is an IT security policy based on ISO 27001/27002 that is not fully implemented on the IT network
IT and automation network teams do talk to each other. Teams are very small for the size of the plant and security tasks have very low priority.

• Automation and control systems are not compliant with international standards such as ANSI/ISA TR-99

• No specific automation security policy
Free use of laptops, removable USB media and 3G modems inside the automation networks, even directly connected to SCADA servers
The automation team has never had automation security training

• No backup policy. There are some manual backups to external hard disks, tracked in an Excel worksheet.

• Passwords
Where they exist, they are weak and widely shared; the prevailing idea is that systems must not stop because of strong or unknown passwords
Passwords are never changed on automation systems and are sometimes hard-coded (for database connections, for example). Very frequently the password equals the application name

Page 22

Malware Infection

• Date it was discovered: 02/06/2011
• Malware: Conficker
• Where: Power Plant
• What happened:
On 02/06/2011 the ALSPA system stopped. On inspection, a virus (Conficker) was identified on all machines of the ALSPA system.

• The worm spread over the whole power plant automation network (and probably into other automation networks, but the investigation was limited to the power plant for lack of budget)

• It flooded the network with unwanted packets and made the communication between PLCs and supervision stations unstable, freezing most of the supervision systems.

– WYSINWYG (What You See Is NOT What You Get ☺)

The automation team cleaned the infected machines, but the worm infected them again.
The Alstom team installed Windows Service Pack 2 on all machines (only on the ALSPA system) and cleaned them; the system returned to normal operation while disconnected from PI.
The worm infected the PI machine and the “SGE” network, but was removed without problems.
All systems returned to normal while the external networks remained disconnected. When these networks are reconnected, the malware “wakes up” and the network traffic increases, freezing the supervision station screens. Because of this, the automation team decided to keep the external networks disconnected.

• Since the infection began, the company has been paying monthly fines to the government because some important reports (environmental control, for example) are not being sent.

• Internal reports for production planning are being affected
• Chaos ensues every time it happens: operators lose control of the plant

Page 23

How does Conficker spread?

Through its self-propagation mechanisms, the worm uses the following vectors; hosts are probably infected on contact with already infected hosts via:

USB removable media such as hard drives, USB flash drives, DVDs, CD-ROMs, etc.

Network hosts with out-of-date patches or without antivirus

Other network hosts correctly patched and with AV, but with weak or default passwords

Other networks that communicate with the power plant (via OPC, for instance)

The third vector is the worm's dictionary attack on ADMIN$ shares, and it has a side effect worth watching for: the guesses trip account-lockout policies, so a wave of locked-out accounts on a segment is itself an indicator that an infected peer is present.
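Three of the four vectors above go over SMB (TCP/445), and the earlier slide notes that the plant's firewall and network logs were never analysed. The script below is an added example, not code from the presentation or from TI Safe: it reads firewall log lines and flags any source that contacts many distinct hosts on TCP/445 inside a short window, which is the fan-out left by MS08-067 exploitation attempts and ADMIN$ brute forcing. The log line format (`<ISO time> <src>:<sport> -> <dst>:<dport>/<proto> <action>`), the thresholds and the sample traffic are constructed assumptions; adapt `LINE_RE` to the syslog format of the Cisco or Hirschmann firewall actually in place.

```python
"""Detect SMB worm sweeps in firewall logs. Added example, not from the
presentation. Conficker's probing of TCP/445 (MS08-067 exploitation and
ADMIN$ brute force) is a one-source-to-many-targets pattern, which is what
this script looks for. Log format and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO-8601 time> <src>:<sport> -> <dst>:<dport>/<proto> <action>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)/(?P<proto>\w+) (?P<action>\w+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"].lower(),
        "action": m["action"].lower(),
    }


def detect_sweeps(lines, port=445, window=timedelta(seconds=60), threshold=10):
    """Return {src: (distinct_targets, first_ts, last_ts)} for every source
    that contacts at least `threshold` distinct hosts on TCP `port` within
    any `window`. Denied and allowed connections both count: a blocked probe
    is still evidence that the source is scanning."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == port:
            events[rec["src"]].append((rec["ts"], rec["dst"]))

    hits = {}
    for src, ev in events.items():
        ev.sort()
        lo = 0
        for hi in range(len(ev)):
            # slide the window start forward until it spans at most `window`
            while ev[hi][0] - ev[lo][0] > window:
                lo += 1
            targets = {dst for _, dst in ev[lo:hi + 1]}
            if len(targets) >= threshold:
                best = hits.get(src)
                if best is None or len(targets) > best[0]:
                    hits[src] = (len(targets), ev[lo][0], ev[hi][0])
    return hits


def sample_log():
    """Constructed sample, not real plant traffic: one infected HMI sweeping
    the /24 on 445, one operator station using a single file server on 445,
    and an OPC client talking DCOM (135) to a few servers."""
    base = datetime(2011, 6, 2, 8, 0, 0)
    lines = []
    for i in range(1, 26):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 10.1.2.57:{40000 + i} -> 10.1.2.{i}:445/tcp deny")
    for i in range(5):
        t = (base + timedelta(seconds=3 * i)).isoformat()
        lines.append(f"{t} 10.1.2.10:{41000 + i} -> 10.1.2.200:445/tcp allow")
        lines.append(f"{t} 10.1.2.20:{42000 + i} -> 10.1.3.{i + 1}:135/tcp allow")
    return lines


if __name__ == "__main__":
    for src, (n, first, last) in detect_sweeps(sample_log()).items():
        print(f"{src}: {n} distinct hosts on tcp/445 between {first} and {last}")
```

On the sample traffic only 10.1.2.57 is reported (25 distinct targets in 25 seconds); the operator station talking to one file server and the OPC client on DCOM are ignored. Legitimate SCADA hosts rarely open SMB to more than a handful of peers, so a threshold of 10 per minute is conservative; tune it against a week of clean logs before alerting on it.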

Page 24

Conficker Variants

(The slide shows a table with the columns Variant | Detection date | Infection vectors | Update propagation | Self-defense | End action; the same information is given here per variant.)

Variant A
Detection date: 11/08
Infection vectors: NetBIOS: exploits the MS08-067 vulnerability in the Server service
Update propagation: HTTP pull: downloads from trafficconverter.biz; downloads daily from any of 250 pseudorandom domains over 5 TLDs
Self-defense: none
End action: updates itself to Conficker B, C or D

Variant B
Detection date: 12/08
Infection vectors: NetBIOS: exploits the MS08-067 vulnerability in the Server service; dictionary attack on ADMIN$ shares. Removable media: creates a DLL-based AutoRun trojan on attached removable drives
Update propagation: HTTP pull: downloads daily from any of 250 pseudorandom domains over 8 TLDs. NetBIOS push: patches MS08-067 to open a reinfection backdoor in the Server service
Self-defense: blocks certain DNS lookups; disables AutoUpdate
End action: updates itself to Conficker C or D

Variant C
Detection date: 02/09
Infection vectors: NetBIOS: exploits the MS08-067 vulnerability in the Server service; dictionary attack on ADMIN$ shares. Removable media: creates a DLL-based AutoRun trojan on attached removable drives
Update propagation: HTTP pull: downloads daily from any of 250 pseudorandom domains over 8 TLDs. NetBIOS push: patches MS08-067 to open a reinfection backdoor in the Server service; creates a named pipe to receive a URL from a remote host, then downloads from that URL
Self-defense: blocks certain DNS lookups; disables AutoUpdate
End action: updates itself to Conficker D

Variant D
Detection date: 04/09
Infection vectors: none
Update propagation: HTTP pull: downloads daily from any 500 of 50,000 pseudorandom domains over 110 TLDs. P2P push/pull: uses a custom protocol to scan for infected peers via UDP, then transfers via TCP
Self-defense: blocks certain DNS lookups (in-memory patch of DNSAPI.DLL to block lookups of anti-malware related web sites); disables Safe Mode; disables AutoUpdate; kills anti-malware: scans for and terminates processes with the names of anti-malware, patch or diagnostic utilities at one-second intervals
End action: downloads and installs Conficker E

Variant E
Detection date: 07/09
Infection vectors: NetBIOS: exploits the MS08-067 vulnerability in the Server service
Update propagation: HTTP pull: downloads daily from any 500 of 50,000 pseudorandom domains over 110 TLDs. P2P push/pull: uses a custom protocol to scan for infected peers via UDP, then transfers via TCP
Self-defense: blocks certain DNS lookups; disables AutoUpdate; kills anti-malware: scans for and terminates processes with the names of anti-malware, patch or diagnostic utilities at one-second intervals
End action: updates the local copy of Conficker C to Conficker D; downloads and installs malware payloads: Waledac spambot, SpyProtect 2009 scareware; removes itself on 3 May 2009 (but leaves the remaining copy of Conficker D)

Page 25

Antivirus diagnosis is not precise

• The antivirus doesn't tell which variant of Conficker is infecting the plant

• The antivirus doesn't guarantee that this really is a Conficker infection (it may be Stuxnet)

Page 26

Conficker or Stuxnet?

Similar attack vectors
It is speculated that the latest variants of Conficker were the first variants of Stuxnet
They exploit the same vulnerability (even if coded differently)
Some similar symptoms
Both are advanced cyberweapons
Conficker is sometimes regarded as a test run for Stuxnet
You need Stuxnet-oriented diagnostics to tell one malware from the other

Page 27

Persistence

Conficker “kills” anti-virus or anti-malware products that haven't detected it, so they won't receive new signatures and will never detect it.
The worm tries to spread to other machines on the network and keeps an internal protocol that tells other peers when it is being exterminated, so those peers reinfect the host. This is what causes the increase in network traffic.
It makes patched machines vulnerable again by tampering with the machine's Server service.

Page 28

Countermeasures (under deployment)

Disinfection cycle (shown as a cycle diagram on the slide):
Start: Automation Security Training (20 h)
a) Malware Isolation and Diagnosis
b) Cleaning
c) Perimeter Security
d) Systems and Connectivity Restore
e) Governance and Monitoring

Page 29

Malware Isolation and Diagnosis

• Identified all points of infection and contamination vectors using nmap and other tools
• Confirmed that the attacker is the Conficker worm
• Identified which variant of Conficker is attacking the plant
• Identified the origin (“mark zero”) of the infection
• Disconnected all external networks that communicate with the power plant
• Removed all computers that were not part of the power plant automation network (including third parties' and consultants' machines)
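The slide says nmap was used to find the points of infection but not how the results were processed. The following is an added example, not the presentation's or TI Safe's code, of turning nmap's XML output into the host inventory the plant needed and into a work order for the isolation step. The assumed scan (not shown on the slides) is `nmap -sS -p445 --script smb-vuln-ms08-067,p2p-conficker -oX scan.xml 10.1.2.0/24`; `smb-vuln-ms08-067` (formerly part of `smb-check-vulns`) and `p2p-conficker` are real nmap NSE scripts, but the phrases matched in their output (`VULNERABLE`, `NOT VULNERABLE`, `likely INFECTED`, `CLEAN`) are an assumption about the current script text and may differ between nmap releases. The XML document in the block is constructed, not a real scan.

```python
"""Turn nmap XML output (-oX) into a host inventory and triage hosts for the
isolation step. Added example, not from the presentation; the deck only says
nmap was used. Assumed scan:
    nmap -sS -p445 --script smb-vuln-ms08-067,p2p-conficker -oX scan.xml 10.1.2.0/24
The output phrases matched below are assumptions about the NSE scripts' text;
the XML is constructed, not a real scan."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class Host:
    ip: str
    open_ports: list = field(default_factory=list)
    ms08_067: str = "unknown"   # "vulnerable", "patched" or "unknown"
    conficker: str = "unknown"  # "infected", "clean" or "unknown"


def classify_script(host, script_id, output):
    """Map one NSE script result onto the host record."""
    if script_id in ("smb-vuln-ms08-067", "smb-check-vulns"):
        # test the negative phrase first: it contains "VULNERABLE" as a substring
        if "NOT VULNERABLE" in output:
            host.ms08_067 = "patched"
        elif "VULNERABLE" in output:
            host.ms08_067 = "vulnerable"
    elif script_id == "p2p-conficker":
        if "likely INFECTED" in output:
            host.conficker = "infected"
        elif "CLEAN" in output:
            host.conficker = "clean"


def parse_nmap_xml(xml_text):
    """Return a list of Host records for hosts nmap reported as up."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr = h.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        host = Host(addr.get("addr"))
        for port in h.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                host.open_ports.append(int(port.get("portid")))
        # smb-* and p2p-conficker are host scripts, so look at every <script>
        # under the host, whether nmap placed it under <port> or <hostscript>
        for script in h.iter("script"):
            classify_script(host, script.get("id"), script.get("output", ""))
        hosts.append(host)
    return hosts


def _ipkey(ip):
    return tuple(int(x) for x in ip.split("."))


def triage(hosts):
    """Work order matching the deck's isolation step: disconnect infected
    hosts first, patch exposed ones next, and list everything still reachable
    on TCP/445 for the firewall rules."""
    infected = sorted((h.ip for h in hosts if h.conficker == "infected"), key=_ipkey)
    exposed = sorted((h.ip for h in hosts
                      if h.ms08_067 == "vulnerable" and h.ip not in infected), key=_ipkey)
    smb_open = sorted((h.ip for h in hosts if 445 in h.open_ports), key=_ipkey)
    return {"isolate": infected, "patch": exposed, "smb_exposed": smb_open}


# Constructed sample: one infected and unpatched HMI, one unpatched but clean
# server, one patched clean server, one host that was down during the scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -p445 --script smb-vuln-ms08-067,p2p-conficker -oX scan.xml 10.1.2.0/24">
<host><status state="up"/><address addr="10.1.2.57" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
 <hostscript>
  <script id="smb-vuln-ms08-067" output="&#10;  VULNERABLE:&#10;  Microsoft Windows system vulnerable to remote code execution (MS08-067)&#10;    State: VULNERABLE"/>
  <script id="p2p-conficker" output="&#10;  Checking for Conficker.C or higher...&#10;  Check 1 (port 62024/tcp): INFECTED (Received valid data)&#10;  4/4 checks are positive: Host is likely INFECTED"/>
 </hostscript></host>
<host><status state="up"/><address addr="10.1.2.31" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
 <hostscript>
  <script id="smb-vuln-ms08-067" output="&#10;  VULNERABLE:&#10;    State: VULNERABLE"/>
  <script id="p2p-conficker" output="&#10;  0/4 checks are positive: Host is CLEAN or infected with a different variant"/>
 </hostscript></host>
<host><status state="up"/><address addr="10.1.2.10" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
 <hostscript>
  <script id="smb-vuln-ms08-067" output="&#10;    State: NOT VULNERABLE"/>
  <script id="p2p-conficker" output="&#10;  0/4 checks are positive: Host is CLEAN or infected with a different variant"/>
 </hostscript></host>
<host><status state="down"/><address addr="10.1.2.200" addrtype="ipv4"/></host>
</nmaprun>
"""

if __name__ == "__main__":
    for action, ips in triage(parse_nmap_xml(SAMPLE_XML)).items():
        print(f"{action}: {', '.join(ips) or '-'}")
```

On the sample the work order is: isolate 10.1.2.57, patch 10.1.2.31, and treat all three live hosts as SMB-exposed until port 445 is closed or filtered. The `p2p-conficker` check only responds for variants C and later (the P2P ones), so a "CLEAN" result does not rule out A or B; the MS08-067 result is the one to trust for exposure.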

Page 30

Cleaning

• Tested the effectiveness of the current antivirus
• For SCADA servers:
Triggered the manufacturer to install the MS08-067 patch
Turned autorun off
Disabled the service that listens on port 445 (file sharing is lost)
• For other hosts:
Disinfected using the steps above and applied the same solutions used to clean the SCADA servers, without waiting for manufacturers

Page 31

Network Security - Implemented Solutions

• IBM-ISS NIPS GX4004 (for perimeter security of the automation network)
2 GX4004 units configured on the critical communication paths to the corporate network, working together with the firewalls that already existed in the infrastructure and that were hardened
SiteProtector console configured at the CMI

• TOFINO (for internal security of the automation network and also OPC enforcement)
9 Tofino Argon Security Appliances configured with SAM, Firewall and OPC Enforcer LSMs
Tofino Argon Central Management Platform configured at the CMI

• IBM TSM (automated backup)
Agents installed on the main servers of the power plant
Incremental backup to server tape
Management console installed at the CMI

Page 32

Systems and Connectivity Restore

• Hardened all SCADA and OPC servers of the power plant
• Performed a complete, clean backup of the plant
• Switched the IBM-ISS NIPS to block-and-log mode for Conficker attacks
• Reconnected all external networks, one by one
• Checked whether a Conficker attack (or any other attack) was coming from the external networks that had been reconnected

Page 33

Governance and Monitoring

• Developed and implemented a specific security policy according to ANSI/ISA-99 best practices, including:
Access control policy for critical network devices such as PLCs and RTUs
VPN external access with strong passwords and individual users
Internal training and internal marketing (“endomarketing”)

• Created an automation domain based on Microsoft Active Directory
Added machines and users to this domain and implemented transparent logon on stations, where applicable
Configured GPOs for USB and logical port control
Built an internal monitoring station (CMI)

Page 34

The CMI – “Central de Monitoramento Interna” (Internal Monitoring Centre)

• Central server for security monitoring
• Installed inside the automation network and managed by the automation team
• Integration point between the customer security team and the TI Safe remote support team (24 x 7)
• Through the CMI the following are monitored and managed:
IBM-ISS NIPS
Tofino appliances
IBM TSM automated backup
Existing firewalls
UPSs
Environment variables of the main servers (processor, memory, disk, etc.)
Network traffic

Page 35

Conclusion and Challenges

Page 36

Conclusion and Challenges

In neither case study are we talking about Stuxnet. I have no knowledge of any confirmed case of a Stuxnet infection in a Brazilian automation plant (which doesn't mean it could not exist in Brazil, because industries may take too long to detect that they are infected and commonly hide such facts).

Common worms that have very low impact on home computers or IT networks can completely paralyse automation networks, causing financial loss and exposing human lives to risk.

The ANSI/ISA-99 zones and conduits model has never been deployed in an automation plant in Brazil.

It is very hard for a company to implement this model after the plant is in production. Who would change the network architecture of a plant in production?

In this case ANSI/ISA-99 is of little use, because it doesn't give a subset of best practices for those who cannot apply the defense-in-depth model to their networks. With the confusion, automation managers get lost.

ANSI/ISA-99 is not clear in its indication of security solutions. How can a user know which security solution should be used in each specific situation?

Page 37

Conclusion and Challenges (cont.)

Antivirus on automation networks generates a false sense of security:
It is not ready for cyberweapons
It doesn't protect computers with old operating systems
In some cases it doesn't determine the worm variant and confuses users
In worse cases, it reports the wrong malware
It is not able to detect some SCADA malware developed in 2 stages (tests using Metasploit at TI Safe Labs – see the video at http://www.youtube.com/watch?v=DmHxFiCivi8)

Correctly diagnosing an infection is hard and must be done by experts:
It is fundamental to know whom we are fighting against
It is very important to discover the origin (“mark zero”) of the infection

SCADA application patching is a problem because manufacturers take too long to patch.
Operating system updates are frequently disabled on SCADA servers, which leads to an insecure environment.
There is no certified methodology to help industries recover infected automation networks. Security managers use what they think is the best countermeasure and frequently believe that they cleaned the plant, but the malware reappears.
There are other automation plants contaminated in Brazil.

Page 38

Thank You!

Marcelo Branquinho

[email protected]

+55 21 2173-1159 / +55 21 9400-2290