• Joe Slowik, Threat Intelligence & Hunter
  • Current: Dragos Adversary Hunter
  • Previous:
    • Los Alamos National Lab: IR Lead
    • US Navy: Information Warfare Officer
    • University of Chicago: Philosophy Drop-Out
• Jimmy Wylie, Reverse Engineer
  • Current: Dragos Adversary Hunter
  • Previous:
    • Focal Point Academy: MA Course Dev, Instructor, Researcher
    • Fortego, LLC: Malware Analyst/Reverse Engineer, Developer
    • University of New Orleans: B.S. & M.S. Computer Science
• Failsafe for the industrial process
• Should be independent of the industrial process
• Not arbitrary:
  • Hazard / Operability Studies
  • Process Hazard Analysis
  • FMEA
• Unspecified gas facility in Saudi Arabia attacked, August 2017
• Infection resulted in system shut-down during intrusion
  • Not assessed as shut-down due to attack
• Attack focused on Schneider Electric Triconex system, 3008 PowerPC processor version
• SIS-connected workstation compromised
  • Malicious compiled Python moved to workstation with payloads
  • EXE handles connectivity to and interaction with SIS
Attack chain:
1. Establish Access on SIS-Connecting System
2. Transfer TRISIS Package to System
3. Use TRISIS Base EXE to Upload TristationProgram
4. TristationProgram Compromises SIS
5. Leverage Access for ICS Disruption via SIS
Something Breaks Here!
• Deliberate targeting of SIS accepts risk:
  • Physical damage
  • Potential injury or loss of life
• New norm established in ICS targeting and operations
• Py2Exe executable masquerading as legitimate software
• Library.zip contains external Python library dependencies
  • Artifact of the Py2Exe process
  • Contains attacker-written libraries along with standard libraries
• Summary
  1. Connects to Triconex using IP argument
  2. Concatenates inject.bin to imain.bin
  3. Tests for code upload
  4. Uploads inject+imain, removes if necessary
• IMPACT: Provides a 'documented' procedure for uploading control programs
• TsLow.py – Socket layer implementation of Tristation/TCM protocol
• TsBase.py – Tristation network commands
• TsHi.py – Uses TsBase to provide read/write program functionality
• Ts_cnames.py – Enumeration of Tristation codes
• crc.py – Provides a variety of CRC functions
• sh.py – Data dumping and changing endianness
• Tristation protocol defines the packet format to send network commands
• Options include uploading code, reading controller state, etc.
• TCM is the wrapper packet for a Tristation protocol message
• Communications occur over UDP/1502

TCM wrapper: MessageType | LengthOfData | Data | CRC16
Tristation message (carried in the TCM wrapper's Data field): Dir | Cid | Cmd | MsgCount | Unk | Checksum | LengthOfCmdData | CmdData
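Because the wrapper format is now known, a defender can frame-check SIS-bound traffic and enforce the "only hardened EWS talks to the SIS" rule from the hardening slides. The following is an added illustration, not code from the presentation or from TRISIS: the slide gives only the TCM field order, so the field widths, byte order and the CRC-16 variant (CRC-16/ARC) are assumptions made for this example, as are the host addresses and sample frames.

```python
import struct

# Assumed layout for this example (the slide gives only field order): u8 MessageType, u16le LengthOfData, Data, u16le CRC16 over the preceding bytes.
TRISTATION_PORT = 1502

def crc16_arc(data: bytes) -> int:
    """CRC-16/ARC (reflected poly 0xA001, init 0); assumed variant, check value 0xBB3D."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def build_tcm(msg_type: int, data: bytes) -> bytes:
    """Wrap Data in the assumed TCM layout (used here only to construct sample frames)."""
    body = struct.pack("<BH", msg_type, len(data)) + data
    return body + struct.pack("<H", crc16_arc(body))

def parse_tcm(frame: bytes):
    """Return (MessageType, Data); raise ValueError if the length or CRC16 is wrong."""
    if len(frame) < 5 or len(frame) != 5 + struct.unpack_from("<H", frame, 1)[0]:
        raise ValueError("LengthOfData disagrees with frame size")
    msg_type, length = struct.unpack_from("<BH", frame, 0)
    (crc,) = struct.unpack_from("<H", frame, 3 + length)
    if crc != crc16_arc(frame[:3 + length]):
        raise ValueError("CRC16 mismatch")
    return msg_type, frame[3:3 + length]

def audit(datagrams, sis_hosts, allowed_ews):
    """Flag SIS-bound TriStation frames that are malformed or come from outside the EWS allow-list."""
    findings = []
    for src, dst, dport, payload in datagrams:  # datagrams: (src, dst, dport, payload)
        if dst not in sis_hosts or dport != TRISTATION_PORT:
            continue
        try:
            msg_type, _ = parse_tcm(payload)
        except ValueError as err:
            findings.append((src, dst, "malformed TCM frame: %s" % err))
            continue
        if src not in allowed_ews:
            findings.append((src, dst, "MessageType 0x%02x from non-allow-listed host" % msg_type))
    return findings

# Constructed sample traffic: the allowed EWS, an unexpected host, and a corrupted frame.
SIS_HOSTS, ALLOWED_EWS = {"10.0.5.10"}, {"10.0.5.20"}
_bad = bytearray(build_tcm(0x01, b"\xaa\xbb"))
_bad[3] ^= 0xFF  # flip one Data byte so the trailing CRC16 no longer matches
SAMPLE = [("10.0.5.20", "10.0.5.10", 1502, build_tcm(0x01, b"\x00\x01\x02")),
          ("10.0.9.77", "10.0.5.10", 1502, build_tcm(0x05, b"\x10\x20")),
          ("10.0.5.20", "10.0.5.10", 1502, bytes(_bad))]
```

Running `audit(SAMPLE, SIS_HOSTS, ALLOWED_EWS)` yields two findings: the frame from the non-allow-listed host and the corrupted frame.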
• ts_exec returns either a ts_result tuple or a Boolean
  • ts_result == (error_code, reply, cmd)
  • tcm_reconnect() -> Bool
• TsBase.py repeatedly calls the following sequence:
    result = ts_exec(cmd, ex_reply)
    return ts_cut_reply(result)
• Summary
  • Implements both TCM and Tristation protocol messages
  • Includes ability to scan network for Triconex SIS
• Impact
  • Previously undocumented protocol now easily re-implemented
  • Defenders benefit from attacker's investment
• Documents subset of available Tristation network commands
• Built-in ability to upload/download programs and functions
• "ExecuteExploit" reveals which function the BIN files attempt to hook
• Fairly involved control flow:
  1. Enumerates functions and programs
  2. Reads last program in SIS's program table
  3. If program contains custom TRISIS codesign, it will overwrite that program with argument
  4. Otherwise, it will allocate a new program appending the TRISIS codesign
  5. Runs program and checks state
• Summary
  • Provides semi-automated function/program upload/download and enumeration
  • Can query SIS state
• Impact
  • Template of ordering and use of TS protocol for SIS modification – exploit not required!
  • Exploit funcs could be used for detection
• Schneider Electric provided a deep-dive at S4x18
• Summary
  • inject.bin leverages 0-day to hook a Tristation command, likely GetMPStatus, with imain.bin
  • imain.bin adds extra functionality to command allowing R/W/E
  • Removal from program table does not remove rootkit – reboot required
• Current reporting suggests IMAIN is a RAT
  • Given that it hooks an OS command, it functions more like a memory-resident rootkit
  • RAT connotes more reachability than is present
    • No custom C2, only TS protocol
    • It's as accessible as the SIS
  • Trilog.exe doesn't support remote C2 either
• Does the rootkit bypass the keyswitch setting once installed?
• What is the nature of the exploit?
  • No CVE published
• What crashed the SIS?
• We are currently exploring these issues
• TRISIS capability implies expert knowledge of the Triconex SIS
• Indications the event was a test: 'script_test.py'
  • But why test in the target environment, if hardware access was required to develop TRISIS?
  • Why not confirm rootkit presence in TRILOG checks?
• Unique attack:
  • Tied to specific Triconex system and configuration
  • 3008 PowerPC-based system
• Malware is not SIS scalable
• Attack capabilities do not resemble standard Windows malware
• Standard antivirus inadequate
  • Heuristics are focused on Windows malware
  • Behavioral heuristics only applicable at EWS
  • Signatures are backward-looking
• Typical antivirus is not designed for threats such as TRISIS
• Anomaly detection lacks appropriate context
  • Scope of SIS events may be small
  • But baseline will be narrow
  • Any 'not normal' activity will trigger
• Anomalous SIS activity is alarming
  • But a single anomaly data point is insufficient
  • Lack of context and evidence impedes investigation
• Keep keyswitch in 'Run' mode
• Deploy SIS on isolated networks
• Terminals should never be connected to any network other than the dedicated safety network
• Removable media and laptops should be scanned prior to introducing them to the safety network
• Unfortunately…
  • Uncertain if keyswitch can mitigate existing infection
  • Network isolation may not be possible
  • Proper function likely requires some connectivity
  • Scanning introduced media will use standard AV – not effective against new, ICS-specific threats
• Adequate defense against TRISIS-like attacks requires a threat-focused approach
• Identify:
  • Pre-requisites for SIS access and attack
  • Necessary steps to impact SIS
  • Critical path nodes between IT, ICS, and SIS
• TRISIS as observed will never happen again
  • Specific to the target environment
  • Will not scale or port to future attacks
• TRISIS as a potential method can be re-used
  • Focus on general behaviors in attack
  • Defend against variances and permutations
Initial Intrusion & C2
• Identify suspect items at IT-ICS link
• Minimize IT-ICS communications to known, monitored paths
ICS Intrusion & Lateral Movement
• Identify and monitor critical path links to SIS, other sensitive areas
• Know existing network communication pathways and identify new, suspicious items
SIS Activity
• Limit communication to SIS to subset of hardened, generally isolated devices
• Record and monitor firmware and configuration changes
rule compiledPython {
    meta:
        description = "Identify compiled Python objects - Should be rare to non-existent in ICS environments"
        author = "Dragos Inc."
    strings:
        // Markers of a Python interpreter embedded in a PE, as Py2Exe output carries
        $s1 = "PyImport_" nocase wide ascii
        $s2 = "PyErr_" nocase wide ascii
        $s3 = ".pyd" nocase wide ascii
        $s4 = "py2exe" nocase wide ascii
        // Product names a masquerading binary may carry (cf. Py2Exe executable masquerading as legitimate software)
        $a1 = "cyberoam" nocase wide ascii fullword
        $a2 = "plctalk" nocase wide ascii fullword
        $a3 = "greenbow" nocase wide ascii fullword
        $a4 = "mbnet" nocase wide ascii fullword
        $a5 = "mbconnect" nocase wide ascii fullword
        // ... further $a strings elided on the original slide ...
        $a_trilog = "trilog" nocase ascii wide fullword   // shown as "$a**" on the slide; renamed to a valid identifier
    condition:
        // MZ header, at least two interpreter markers and one product name
        uint16(0) == 0x5a4d and 2 of ($s*) and 1 of ($a*)
}
• Any of the previous items in isolation is an anomaly
• But when correlated with other events and knowledge in the environment, it yields a behavior
• Focus on identifying threat behaviors at the earliest possible moment
• Identifying a possible firmware binary = data point
• Proper response requires enrichment:
  • Source and path for binary in network
  • Communications path to SIS, SIS controller
  • Nature and means of SIS interaction
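The enrichment described above, turned into correlation logic, as an added example that is not part of the presentation or of any Dragos tooling. The event schema, host names, timestamps and the one-hour window are constructed assumptions for this illustration; "compiledPython" is the YARA rule name from the slides and UDP/1502 is the TriStation port cited earlier.

```python
WINDOW = 3600  # seconds after a binary is first seen; an assumed correlation window

def enrich(events, sis_hosts):
    """One finding per compiledPython hit, enriched with the SIS communication path and
    any SIS modification that follows within WINDOW. Verdicts: anomaly (binary alone),
    suspicious (binary plus TriStation traffic to an SIS), behavior (SIS also changed)."""
    events = sorted(events, key=lambda e: e["t"])
    findings = []
    for hit in (e for e in events if e["type"] == "yara" and e["rule"] == "compiledPython"):
        host, t0 = hit["host"], hit["t"]
        stages = [("binary", hit["path"])]
        flows = [e for e in events if e["type"] == "flow" and e["src"] == host
                 and e["dst"] in sis_hosts and e["dport"] == 1502 and t0 <= e["t"] <= t0 + WINDOW]
        for f in flows:
            stages.append(("sis_path", f["dst"]))
            for c in events:
                if c["type"] == "sis_change" and c["host"] == f["dst"] and f["t"] <= c["t"] <= t0 + WINDOW:
                    stages.append(("sis_modified", c["detail"]))
        if any(s[0] == "sis_modified" for s in stages):
            verdict = "behavior"
        elif flows:
            verdict = "suspicious"
        else:
            verdict = "anomaly"
        findings.append({"host": host, "verdict": verdict, "stages": stages})
    return findings

# Constructed sample events: a compiled-Python binary named like Triconex software lands on
# EWS-1, EWS-1 then talks TriStation (UDP/1502) to SIS-1 and a program appears in SIS-1's
# table; HMI-3 only shows an unexplained compiled-Python binary.
SIS_HOSTS = {"SIS-1"}
EVENTS = [
    {"t": 100, "type": "yara", "host": "EWS-1", "rule": "compiledPython", "path": r"C:\Temp\trilog.exe"},
    {"t": 900, "type": "flow", "src": "EWS-1", "dst": "SIS-1", "proto": "udp", "dport": 1502},
    {"t": 1500, "type": "sis_change", "host": "SIS-1", "detail": "new entry in program table"},
    {"t": 50000, "type": "yara", "host": "HMI-3", "rule": "compiledPython", "path": r"C:\Temp\update.exe"},
]

if __name__ == "__main__":
    for finding in enrich(EVENTS, SIS_HOSTS):
        print(finding["host"], finding["verdict"], finding["stages"])
```

The EWS-1 hit becomes a behavior because the binary, the SIS communication path and the SIS modification line up; the HMI-3 hit stays a lone anomaly that still needs the same enrichment before it can be judged.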
Identify Required Adversary Behaviors
Determine Necessary Visibility to Detect Adversary Actions
Align Defense and Monitoring to Requirements
Train and Educate Security Personnel on Threat Environment
Emphasize Root Cause Analysis when Systems Fail