Agenda
• Hypothesis 1: Lots of infected ICS software online (non-targeted)
• Hypothesis 2: Public reports contribute to discoveries of threats
• Hypothesis 3: ICS-themed malware/intrusions are not uncommon
• Hypothesis 4: Untrained IT security teams/products submit sensitive ICS files
Example of the known: NCCIC / ICS-CERT Year in Review (FY 2015)
Pie chart: FY 2015 Incidents by Infection Vector (295 total). Categories: Spear Phishing, Network Scanning, Weak Authentication, Abuse of Authorized Access, Brute Force, SQL Injection, Other, Unknown. Two vectors account for 37% each; the remaining slices are 9%, 6%, 6%, 3%, 1% and 1%.
Pie chart: FY 2015 Observed Depth of Intrusion. Levels: Level 1 - Business DMZ, Level 2 - Business Network, Level 3 - Business Network Management, Level 4 - Critical System DMZ, Level 5 - Critical System Management, Level 6 - Critical Systems, plus Unknown. The largest slice is 78%, followed by 13% and 8%; the chart's callout singles out Level 1 – Business DMZ.
MIMICS: Malware in Modern ICS
• Only public data: Virustotal.com
• Malware repository used by “the Internet” to test files against 50+ antivirus vendors
• Also used Google, DNS data etc.
• Purpose of the research is census-like data
• Explore the hypotheses to give real data points without hype or fear
ICS Kill Chain
Stage 1 - Intrusion
• Reconnaissance → Targeting → Weaponization → Delivery → Exploit → Install / Modify → C2 → Act
• Act: Discovery, Capture, Movement, Collect, Install & Execute, Exfiltrate, Launch, Clean & Defend
Stage 2 – ICS Attack
• Develop → Test → Deliver → Install / Modify → Execute ICS Attack
• Execute ICS Attack (Enabling / Initiating / Supporting): Trigger, Deliver, Modify, Inject, Hide, Amplify
Words matter
• Malware is not a virus, but a virus is malware
• A virus can infect
• A trojan can compromise
Malware: Virus, Trojan, Dropper, Downloader
Virus
• Self propagating
• Functionality: PE infectors; network / removable media
Trojan
• User interaction
• Functionality: Command & Control; arbitrary command execution (full control)
PE Infector Virus (simplified)
Microsoft Portable Executable (PE or “.exe”) file structure before infection: Header | Code | Section 1..n, with AddressOfEntryPoint pointing into Code.
After infection: Header | Code | Section 1..n | Virus, with AddressOfEntryPoint redirected into the appended Virus body, which runs before returning control to the original code.
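The entry-point redirection in the diagram is something you can check for in a triage script. The following is an added example, not code from the talk or from Dragos: it parses only the parts of a PE needed to locate AddressOfEntryPoint within the section table and flags the classic appending-infector pattern (entry point moved into a trailing, non-standard, writable+executable section). The `build_pe` helper fabricates minimal, non-loadable headers so the example runs offline; the section names and layout are constructed test data, and in practice you would let `pefile` do the parsing. Note the caveat: entry-point-obscuring infectors leave AddressOfEntryPoint alone, so this is one signal, not a verdict.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Parse just enough of a PE image to reason about its entry point:
    AddressOfEntryPoint plus the section table (name, RVA, size, flags)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _chars = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # AddressOfEntryPoint is at offset 16 of the optional header in both formats.
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, _rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "size": max(vsize, rawsize), "chars": chars})
    return {"entry": entry, "sections": sections}


def entry_section(pe):
    """Return the section whose RVA range contains AddressOfEntryPoint, or None."""
    for sec in pe["sections"]:
        if sec["va"] <= pe["entry"] < sec["va"] + sec["size"]:
            return sec
    return None


def infection_indicators(pe):
    """Heuristics for an appending PE infector: the entry point has left the
    normal code section for an appended, writable+executable section at the
    end of the image. Returns a list of indicator strings (empty = nothing seen)."""
    findings = []
    sec = entry_section(pe)
    if sec is None:
        return ["entry point outside every section"]
    if len(pe["sections"]) > 1 and sec is pe["sections"][-1]:
        findings.append("entry point in last section")
    if sec["name"] not in (".text", "CODE", ".code"):
        findings.append("entry point in non-standard section %r" % sec["name"])
    if sec["chars"] & IMAGE_SCN_MEM_WRITE and sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section is writable and executable")
    return findings


def build_pe(sections, entry):
    """Constructed test data: a minimal PE32 header + section table (not loadable).
    `sections` is a list of (name, rva, size, characteristics)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt_size = 224                                                # PE32 with 16 data dirs
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry)
    opt += b"\0" * (opt_size - len(opt))
    table = b"".join(struct.pack(SECTION_FMT, name.ljust(8, b"\0"), size, va, size,
                                 0x400, 0, 0, 0, 0, chars)
                     for name, va, size, chars in sections)
    return dos + b"PE\0\0" + coff + opt + table


TEXT_CHARS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_CHARS = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

CLEAN_PE = build_pe([(b".text", 0x1000, 0x200, TEXT_CHARS),
                     (b".data", 0x2000, 0x100, DATA_CHARS)], entry=0x1010)
# Simulated appending infector: a new last section holds the virus body and
# AddressOfEntryPoint now points into it (section name is made up).
INFECTED_PE = build_pe([(b".text", 0x1000, 0x200, TEXT_CHARS),
                        (b".data", 0x2000, 0x100, DATA_CHARS),
                        (b".vrs", 0x3000, 0x800, TEXT_CHARS | IMAGE_SCN_MEM_WRITE)],
                       entry=0x3000)

if __name__ == "__main__":
    print("clean:   ", infection_indicators(parse_pe(CLEAN_PE)))
    print("infected:", infection_indicators(parse_pe(INFECTED_PE)))
```

Run it against a real sample by replacing `CLEAN_PE` with `open(path, "rb").read()`; a hit on all three indicators is worth a look even when VirusTotal shows few detections, which is exactly the low-hit-rate population the next slides describe.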
Trojan and related activities
Dropper or Downloader → Stage 1 Payload → Stage 2 Payload (Remote Access Trojan with Command & Control) → Stage 3 Payload (Remote Access Trojan with Command & Control)
Histogram: Detect Rate (log scale). X-axis: number of detections; y-axis: number of files. The distribution is bimodal: a low-hit-rate cluster and a high-hit-rate cluster.
Number of detections, all files:
  count 14949
  mean 6.338484
  std 15.635142
  min 0
  25% 0
  50% 0
  75% 0
  max 57
Detect rate, files with positives > 0:
  count 3157
  mean 30.013937
  std 21.142954
  min 1
  25% 2
  50% 46
  75% 48
  max 57
Most Common Detections
Name      Count   Trojan   Virus-like (PE Infector)   Virus-like (storage hopping)   Approximate First Seen
sivis     15863   ❔        ✅                         ✅                             2012
lamer     6830    ❔        ✅                         ✅                             2012
ramnit    3716    ✅        ✅                         ✅                             2011
sinowal   2909    ✅        ❌                         ❌                             2006
cosmu     2769    ✅        ✅                         ✅                             2013
virut     1814    ✅        ✅                         ✅                             2007
eldorado  1554    ❔        ❔                         ❔                             2012
skeeyah   1486    ✅        ❔                         ❔                             2015
androm    1471    ✅        ❌                         ❌                             2013
sality    1225    ❔        ✅                         ✅                             2003
zatoxp    1093    ❌        ✅                         ✅                             2012
neshta    1085    ❌        ✅                         ❌                             2008
nimnul    963     ✅        ✅                         ✅                             2013
visisig   905     ❔        ✅                         ✅                             2012
siggen    642     ❌        ✅                         ✅                             2012
graftor   586     ❌        ✅                         ✅                             2012
virtob    468     ✅        ✅                         ✅                             2007
PE Infectors you should care about
VIRUT
• Portmanteau “Virus” + “Trojan”
• C2 via IRC
• Doesn’t need IRC to spread through environment
• Infects current processes
Sality
• Botnet / Peer2Peer C2*
• Pay per install / Downloader
• Rootkit
• Infects current processes and executables on local/removable/network drives
* http://www.christian-rossow.de/publications/p2pwned-ieee2013.pdf
Aggregated Data: Key Takeaways
• PE Infectors are a real vector
• VIRUT and Sality in particular are modern PE Infectors that rarely get discussed
Timeline figure: Havex samples submitted to VirusTotal, by submission date and submitter country, set against public reporting.
• April 17 2014: Havex, FI (from ZZ, i.e. origin unknown)
• June 23 2014: F-Secure blog post
• June 26 2014: UA
• June 29 2014: RU
• July 1 2014: (from US)
• July 2 2014: KR & UA
• July 8 2014: UA
• July 15 2014: KR
• July 17 2014: FireEye blog post uncovering OPC Havex
• Dec 4 2014: ES
• Further entries whose pairing is not recoverable from the figure: a submission dated July 2-3 2014, the TrendMicro blog post uncovering OPC Havex, the date July 14 2014, and a submission from IL.
Jan 06 2016
BlackEnergy
“[..] attackers behind the outages in two power facilities in Ukraine in December likely attempted similar attacks against a mining company and a large railway operator in Ukraine.”
KillDisk (sha1: f3e41eb94c4d72a98cd743bbb02d248f510ad925), VirusTotal submissions:
Datetime (UTC+2)      File name                    Source           Country
2015-12-24 00:34:19   tsk.exe                      73805832 (web)   UA
2015-12-24 08:28:39   tsk.exe                      883db971 (web)   UA
2015-12-24 11:00:52   E:\Дмитрий\sample\tsk.exe    725be15c (api)   UA
Hash (SHA1)                                 Upload date (GMT)   Country of origin
f3e41eb94c4d72a98cd743bbb02d248f510ad925    12/23/15            UA
8AD6F88C5813C2B4CD7ABAB1D6C056D95D6AC569    11/10/15            UA *u
16f44fac7e8bc94eccd7ad9692e6665ef540eec4    10/25/15            UA & FR *n
2d805bca41aa0eb1fc7ec3bd944efd7dba686ae1    11/6/15             UA *u
0B4BE96ADA3B54453BD37130087618EA90168D72    11/10/15            UA *u
Source: KillDisk and BlackEnergy Are Not Just Energy Sector Threats. Trend Micro. February 11, 2016.
Hypothesis 3
• There are ICS themed intrusions/malware currently undiscovered or underreported by non-ICS security companies
Siemens themed downloader
• Downloader with a Siemens theme embedded in its VS_VERSIONINFO resource
• In the wild since at least 2013
• Last observed March 2017
• Over 10 binaries located
Behavior
• Execute Stage 1 payload
• Beacon to the download server:
  GET /vip.htm HTTP/1.1
  Content-Type: text/html
  Accept: text/html, */*
  User-Agent: Mozilla/3.0 (compatible; Indy Library)
• Decrypt/read Stage 1
• Download / execute: repeated /vip.htm requests fetch the Stage 2 payload(s)
Manual.exe
• SerialLineUseManual.exe …………………………(Serial comms?)
• Air precision elt 96 maintenance manual.exe …….(avionics)
• syncmemanual.exe ……………………………….(?)
• baofeng uv_100 manual.exe ……………………..(talk radios)
• Breville bb290 manual.exe ………………………(bread oven)
• Steris_harmony_lc_manual.exe …………………(medical equipment)
• garmin_gps_48_12_channel_manual.exe ………(GPS)
• bendix_westinghouse_ba-921_manual.exe …….(air brake system compressor)
Mass Mailer
Domains observed (excerpt):
www.download.windowsupdate.com
abs-wi.com
accolades-inc.com
acs-hro.com
ca.abb.com
[...]
carlyle.com
cat.com
cma.ca
comcast.net
e2etec.com
ct.gov
districtoffice.org
dcrsystems.net
entoend.com.mx
erinsystems.com
emerson.com
fi.fujitsu.com
Mass mailer characteristics:
• Heavily obfuscated
• Generates legitimate traffic
• Modifies proxy settings
• Relaxes firewall settings
• Beacons out to hosts on subnet 91.220.131.0/24 via encrypted UDP traffic
Reasons to mass mail:
• Viagra and similar unsolicited spam
• Pay per install, malicious attachments (banking crimeware, adware)
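Both the Siemens-themed downloader and the mass mailer leave network indicators that are cheap to hunt for in existing logs: the downloader's GET /vip.htm with the Indy Library User-Agent, and the mass mailer's UDP beacons into 91.220.131.0/24. The following is an added example, not code from the talk: a small matcher run over constructed proxy and connection log lines. The two log formats, the IP addresses and the hostnames in the sample lines are assumptions made up for the example (the page does not name the downloader's server, so the rule keys on path plus User-Agent rather than on a host). One caveat is built in: "Mozilla/3.0 (compatible; Indy Library)" is the default User-Agent of Delphi's Indy HTTP component, so on its own it is only informational.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators taken from the two campaigns described above.
DOWNLOADER_PATH = "/vip.htm"
DOWNLOADER_UA = "Mozilla/3.0 (compatible; Indy Library)"
MAILER_BEACON_NET = ipaddress.ip_network("91.220.131.0/24")

# Constructed log formats (assumptions for this example, not any product's format):
#   proxy: <ts> <client_ip> <method> <url> <status> "<user-agent>"
#   conn:  <ts> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> bytes=<n>
PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
CONN_RE = re.compile(r'^(\S+) (tcp|udp) (\S+):(\d+) -> (\S+):(\d+) bytes=(\d+)$')


def check_proxy(m):
    """Match the downloader beacon: GET /vip.htm with the Indy Library UA."""
    _ts, client, method, url, _status, ua = m.groups()
    hits = []
    if method == "GET" and urlsplit(url).path == DOWNLOADER_PATH and ua == DOWNLOADER_UA:
        hits.append("siemens-themed-downloader-beacon")
    elif ua == DOWNLOADER_UA:
        # Default UA of many legitimate Delphi/Indy applications: context only.
        hits.append("indy-ua-only(info)")
    return client, hits


def check_conn(m):
    """Match the mass mailer beacon: UDP to any host in 91.220.131.0/24."""
    _ts, proto, src, _sport, dst, _dport, _nbytes = m.groups()
    hits = []
    try:
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        return src, hits
    if proto == "udp" and dst_ip in MAILER_BEACON_NET:
        hits.append("massmailer-udp-beacon")
    return src, hits


def scan(lines):
    """Return {internal_host: set(indicator names)} for every host that matched."""
    results = {}
    for line in lines:
        line = line.strip()
        m = PROXY_RE.match(line)
        if m:
            host, hits = check_proxy(m)
        else:
            m = CONN_RE.match(line)
            if not m:
                continue
            host, hits = check_conn(m)
        if hits:
            results.setdefault(host, set()).update(hits)
    return results


# Constructed sample log lines (hosts, IPs and timestamps are made up).
SAMPLE_LOG = """\
2017-03-02T10:15:01Z 10.1.5.23 GET http://203.0.113.10/vip.htm 200 "Mozilla/3.0 (compatible; Indy Library)"
2017-03-02T10:15:02Z 10.1.5.40 GET http://www.download.windowsupdate.com/index.html 200 "Mozilla/3.0 (compatible; Indy Library)"
2017-03-02T10:15:03Z udp 10.1.5.23:51012 -> 91.220.131.77:1337 bytes=212
2017-03-02T10:15:04Z udp 10.1.5.77:53411 -> 8.8.8.8:53 bytes=64
2017-03-02T10:15:05Z tcp 10.1.5.23:49200 -> 91.220.131.5:80 bytes=1500
2017-03-02T10:15:06Z 10.1.5.88 GET http://intranet.example/vip.htm 200 "Mozilla/5.0 (Windows NT 6.1)"
"""

if __name__ == "__main__":
    for host, hits in sorted(scan(SAMPLE_LOG.splitlines()).items()):
        print(host, sorted(hits))
```

Host 10.1.5.23 trips both rules and is the one to pull for PE-infector and downloader triage; 10.1.5.40 only shows the Indy UA and should not page anyone. The TCP connection into 91.220.131.0/24 is deliberately not matched because the page describes the beacon as UDP; widen the rule only if your own telemetry supports it.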
Hypothesis 4
• Non-ICS security trained teams and IT security products are submitting legitimate ICS software and files to public databases
Weird hypocrisy: you don’t trust your own AV, but you do trust 50 other AV companies with your files?
Project files
~ 120 project files over the course of ~ 90 days
• Speed Control BOM.rfq
• LogixDiagnostics.ACD
• LCS24.RSS
• DRIVE_CONTROL_ML1100_PF4CLASS-EN-DRV_CTRL-C0_07.RSS
• Rizhao_tertiary.RSS
• H:\Simple Systems\PBR\PB&R_ML1100_PF40-EN-PBR_PF40-C0_07.RSS
• C:\Users\Wu.Charlene\Downloads\8110409835_HMI_PAR_Line9_v1_04.mer
• Untitled.RSS
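The project-file list above is the argument for putting a gate in front of any automated or outsourced submission path. The following is an added example, not code from the talk: a policy function that denies engineering artefacts outright, allows hash lookups (which leak nothing but the hash) for everything else, and permits content upload only for approved executable types after an analyst approves. The extension-to-product mapping beyond the slide's own .ACD/.RSS/.mer/.rfq, the upload size cap and the approved-type list are assumptions to adapt to your vendors; the file names come from the slide, the sizes are made up. Note the second leak the gate closes: two of the observed submissions carried full paths (drive letter, user profile), which VirusTotal stores as metadata, so only the base name is ever handed on.

```python
import os

# Engineering / project formats that must never be uploaded. The first four are
# the types on the slide; the Siemens entries are assumptions added for illustration.
ICS_PROJECT_EXTENSIONS = {
    ".acd": "Rockwell RSLogix/Studio 5000 project",
    ".rss": "Rockwell RSLogix 500 project",
    ".mer": "Rockwell FactoryTalk View ME HMI runtime",
    ".rfq": "bill of materials / request for quote",
    ".s7p": "Siemens STEP 7 project",        # assumption, not on the slide
    ".ap15": "Siemens TIA Portal project",   # assumption, not on the slide
}

# Content types a malware-handling process may upload once an analyst approves (assumption).
UPLOADABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".js", ".vbs", ".ps1", ".hta", ".jar"}

MAX_UPLOAD_BYTES = 32 * 1024 * 1024  # assumption: organisational cap, not a VirusTotal limit


def classify_submission(path, size_bytes):
    """Decide what may leave the organisation for one file.
    Returns (decision, reason, submit_name):
      'deny'      nothing leaves, not even the hash
      'hash-only' look the hash up, never upload content
      'review'    hash lookup now; content upload only after analyst approval
    submit_name is the base name to use if content is ever uploaded (None otherwise)."""
    normalised = path.replace("\\", "/")          # handle Windows paths on any host
    name = os.path.basename(normalised)
    ext = os.path.splitext(name)[1].lower()
    if ext in ICS_PROJECT_EXTENSIONS:
        return ("deny", "%s (%s)" % (ICS_PROJECT_EXTENSIONS[ext], ext), None)
    if ext in UPLOADABLE_EXTENSIONS:
        if size_bytes > MAX_UPLOAD_BYTES:
            return ("hash-only", "executable above upload cap", None)
        # Only the base name is passed on: the full path is metadata the
        # repository keeps alongside the sample.
        return ("review", "executable content; upload requires analyst approval", name)
    return ("hash-only", "unrecognised type %r: query by hash only" % ext, None)


# Constructed inputs: file names from the slide above plus made-up sizes.
OBSERVED = [
    ("Speed Control BOM.rfq", 4_096),
    ("LogixDiagnostics.ACD", 1_200_000),
    (r"H:\Simple Systems\PBR\PB&R_ML1100_PF40-EN-PBR_PF40-C0_07.RSS", 300_000),
    (r"C:\Users\Wu.Charlene\Downloads\8110409835_HMI_PAR_Line9_v1_04.mer", 2_500_000),
    (r"E:\Дмитрий\sample\tsk.exe", 90_000),
    ("quarterly-report.pdf", 500_000),
]


def gate_all(items):
    """Apply the policy to a list of (path, size) pairs; returns {path: decision tuple}."""
    return {path: classify_submission(path, size) for path, size in items}


if __name__ == "__main__":
    for path, (decision, reason, submit_name) in gate_all(OBSERVED).items():
        print("%-10s %-60s %s" % (decision, reason, submit_name or ""))
```

Wire `classify_submission` in front of whatever calls the upload API, and have the 'review' branch write to a ticket rather than submit directly; that is the concrete form of "have suspected and confirmed malware handling guidance" and of not letting an outsourced team decide what leaves your network.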
Scan your public content
One electric utility began routinely uploading its entire public website to VirusTotal in 2012; 136 of its files are indexed on VT.
Program Files
In Conclusion
Virus propagation in ICS: measured in 10^4
ICS themed: measured in 10^1
ICS tailored: 3 (still)
Key Takeaways
• You’re more likely to be impacted by Virut than by Stuxnet
• ICS themed malware (but not enabled) is definitely a thing
• VirusTotal is useful to shed light on specific campaigns post facto
• Supply chain weakness through legit binaries
Practices
Things to do
• Use VT as a data source
• Have suspected and confirmed malware handling guidance/processes
Things NOT to do
• Treat VT as a whitelist
• Treat VT as a blacklist
• Use VT to validate your AV
• Allow your outsourced teams (IT security or AV) to make decisions about your data