Channel: SCADAhacker

White Phosphorus Exploit Pack Ver 1.11 Released for Immunity Canvas

Version 1.11 of the White Phosphorus exploit pack is now ready, and contains
5 new exploit modules, including one for SCADA.

The total number of modules in the pack is now 87, with a mixture of both
remote and client side modules. For a full list of the pack contents
please contact sales@immunityinc.com

- Highlighted Modules -

They have been working hard this month on a new ASLR/DEP bypass technique
that works against IE8 and IE9. Looking forward to seeing this put to use
in some modules in the coming months.

In the meantime this pack includes an exploit for RealWin SCADA Server
On_FC_RFUSER_FCS_LOGIN Remote Overflow and a recent exploit for VLC player.


(Note from SCADAhacker: This vulnerability in the RealWin SCADA Server appears to be one of the seven previously disclosed by security researcher Luigi Auriemma. RealWin has confirmed that these exploits only work on the demo version of the software, and are not possible with the commercial version due to the implementation of encryption between applications. SCADAhacker and Byres Security are still investigating the credibility of this claim. These links provide additional information from Digital Bond and RealFlex.)

- Want To Know More -

Existing clients can download the new version using the original
download instructions.

Check out the products page on the Immunity website
http://www.immunityinc.com/products-whitephosphorus.shtml

Gleg releases Ver 1.1 of the SCADA+ Pack for Canvas

Gleg Ltd. announced the availability of Release 1.1 of the SCADA+ pack for Immunity's Canvas.

Here are the details of the release contents:


  • Beckhoff TwinCAT ENI Server v1.1.6.0 (zero day)
  • Iconics Genesis32/64 DoS via GenBroker.exe (zero day initially - patched by Iconics; click here for details)
  • KingView 6.53 Remote Exploit (CVE-2011-0406)

The release also includes several of the modules developed around the Luigi Auriemma disclosure:
  • Iconics GENESIS32/GENESIS64 - 12 of 13 covered (just PoC at this point)
  • Siemens Tecnomatic FactoryLink - 1 of 6 covered
  • 7-Technologies IGSS - 7 of 8 covered
  • DATAC/RealFlex RealWin - 6 of 8 covered
Some additional comments:
I have provided details on my web page of how to build and exploit a test system utilizing the KingView 6.53 remote exploit.  Complete instructions and download links are available in the Resources section of SCADAhacker.com.

I will be presenting a short session of how to convert one of the Luigi vulnerabilities into a working remote exploit at the upcoming U.S. Dept. of Homeland Security - Control Systems Security Program - Industrial Control System Joint Working Group (ICSJWG) Spring Conference in Dallas, TX on Tuesday, May 3.  I will post this presentation on my website on the About page under "Technical Papers and Conferences", and also details in the Resources section under "SCADA/ICS System Exploits".

Comments on Langner post: "ICS-CERT on Beresford Vulns: Flawed Analysis, Misleading Advice"

On August 20, 2011, Ralph Langner posted a very insightful blog on the recent security work of NSS Labs' Dillon Beresford (Twitter @D1N) and the report that ICS-CERT released regarding this research. This was a very well written article, and I have to say I agree with most of the document. In particular, I am a bit disappointed in how ICS-CERT is handling these reports in general, especially in the way of offering sound, practical, ICS-based guidance on dealing with these threats.

There are a couple of points that Ralph mentions that I feel deserve comment, and that would require more than 140 characters in a tweet to discuss!

First, I do not agree with Ralph's criticism of the ICS-CERT mitigation that states "Monitor traffic on the ISO-TSAP protocol, Port 102/TCP." Ralph seems to think that this needs to involve deep-packet inspection (DPI) between established ICS connections. I did not interpret this requirement in this fashion, but rather, since replay attacks or other attacks that could exploit Dillon's vulns tend to be "remote attacks", that it is very important to monitor ANY TRAFFIC between UNAUTHORIZED NODES that utilize 102/tcp.

I recently presented a proof of concept paper on some research I have been evaluating in how a scaled down version of a traditional intrusion detection system (IDS) can be used to analyze network behavior and generate alerts when communication occurs between unknown or unauthorized hosts. I encourage you all to take a look at this presentation or webcast to learn more. I have submitted this abstract to ICSJWG as a potential topic to be discussed at the upcoming Fall 2011 Conference in Long Beach.

The net result is that a great deal of valuable information can be disclosed by looking for "unusual" traffic on 102/tcp. I especially want you to look at how I recommend rule generation, as I believe it is equally important to identify an "attempt on 102/tcp" as an "attack in progress on 102/tcp". This is where my strategy differs from the standard set of QuickDraw SCADA IDS signatures provided by DigitalBond, and why I look at not only established connections, but also attempted connections in the way of SYN packets destined for 102/tcp.
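As an added example (not code from the original post) of the rule strategy described above: a small Python classifier that flags 102/tcp traffic from hosts outside an allowlist, separating a bare SYN (an "attempt on 102/tcp") from a completed handshake (an "attack in progress"), and that emits the equivalent pair of Snort rules. The host addresses, PLC subnet and flow records are constructed for illustration.

```python
"""Added example, not from the original post: classify ISO-TSAP (102/tcp) traffic
against an allowlist of authorized engineering hosts, distinguishing a bare SYN
("attempt") from an established session ("in progress"), and emit matching
Snort rules. All addresses and flow records below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ISO_TSAP_PORT = 102

# Assumed allowlist: the only hosts permitted to open ISO-TSAP sessions to the PLC subnet.
AUTHORIZED_CLIENTS = ("10.10.1.10", "10.10.1.11")
PLC_NET = "10.10.2.0/24"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    flags: str  # TCP flag letters as a sniffer prints them: "S", "SA", "A", "PA", ...


@dataclass(frozen=True)
class Alert:
    kind: str  # "attempt" (SYN only) or "in_progress" (handshake completed)
    src: str
    dst: str


def classify(flow: Flow) -> Optional[Alert]:
    """Return an Alert for ISO-TSAP traffic from a host not on the allowlist, else None."""
    if flow.dport != ISO_TSAP_PORT:
        return None
    if ip_address(flow.dst) not in ip_network(PLC_NET):
        return None  # only the PLC segment is guarded here
    if flow.src in AUTHORIZED_CLIENTS:
        return None
    if flow.flags == "S":
        # First packet of the handshake: the host is probing or trying to connect.
        return Alert("attempt", flow.src, flow.dst)
    if "A" in flow.flags:
        # ACK set means the three-way handshake completed: a real session exists.
        return Alert("in_progress", flow.src, flow.dst)
    return None


def scan(flows: List[Flow]) -> List[Alert]:
    """Run classify over a batch of flows, keeping one alert per (kind, src, dst)."""
    seen: List[Alert] = []
    for flow in flows:
        alert = classify(flow)
        if alert is not None and alert not in seen:
            seen.append(alert)
    return seen


def snort_rules(base_sid: int = 1000001) -> List[str]:
    """Express the same policy as two Snort rules so both stages are logged separately:
    one on SYN-only packets (attempt), one on established sessions (in progress)."""
    src = "![" + ",".join(AUTHORIZED_CLIENTS) + "]"
    attempt = (f'alert tcp {src} any -> {PLC_NET} {ISO_TSAP_PORT} '
               f'(msg:"ISO-TSAP connection attempt from unauthorized host"; '
               f'flags:S; sid:{base_sid}; rev:1;)')
    established = (f'alert tcp {src} any -> {PLC_NET} {ISO_TSAP_PORT} '
                   f'(msg:"ISO-TSAP session in progress with unauthorized host"; '
                   f'flow:established,to_server; sid:{base_sid + 1}; rev:1;)')
    return [attempt, established]


# Constructed flow records standing in for a capture on the control network.
SAMPLE_FLOWS = [
    Flow("10.10.1.10", "10.10.2.5", 102, "S"),   # authorized workstation: silent
    Flow("10.10.1.10", "10.10.2.5", 102, "PA"),  # authorized workstation: silent
    Flow("10.10.3.77", "10.10.2.5", 102, "S"),   # unknown host probing: attempt
    Flow("10.10.3.77", "10.10.2.5", 102, "S"),   # retransmitted SYN: deduplicated
    Flow("10.10.3.77", "10.10.2.5", 102, "PA"),  # unknown host exchanging data: in progress
    Flow("10.10.3.77", "10.10.2.5", 80, "S"),    # not ISO-TSAP: ignored
    Flow("10.10.3.77", "10.10.9.9", 102, "S"),   # destination outside the PLC subnet: ignored
]

if __name__ == "__main__":
    for a in scan(SAMPLE_FLOWS):
        print(f"{a.kind:12} {a.src} -> {a.dst}")
    print("\n".join(snort_rules()))
```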

As many of my followers know, I am a big supporter of the implementation of both IDS and network access control (NAC) technologies within control systems networks. Ralph's final paragraph talks about the risks associated with contractor, or what I like to call "non-company", access to trusted control networks. Ralph is particularly conscious of the potential for these contractors to introduce malware due to infected hosts.

This problem is specifically addressed with NAC, and is why I am such a proponent of its use not only for local network access, but also as an additional layer of protection on top of the standard virtual private networks (VPN) used when accessing trusted networks remotely. The strength of the NAC approach is that not only does it properly identify, authenticate and authorize hosts, but it also performs a "health assessment" which can be used to make sure that certain security features are active on the host prior to granting logical access to the network. This can include the implementation of security patches/hotfixes, current anti-virus software and associated signature files, and the use of host-based firewalls. NAC is available from the usual lineup of vendors, including Microsoft, Cisco, and my personal favorite - Enterasys.

I am going to be talking with Dale Peterson at DigitalBond this week about NAC and why I believe that it is one of the key features in helping to mitigate the growing risk of cyber attacks against control systems. I will provide an update once this podcast is available.



Offensive Security Releases Backtrack 5 R1

On August 18, Offensive Security released BackTrack 5 R1. This release contains over 120 bug fixes, 30 new tools and 70 tool updates. They plan to roll out new how-to's on their website's wiki in the coming weeks.  Topics to be covered include VMware tool installation, alternate compat-wireless setups, etc.

The kernel was updated to 2.6.39.4 and includes the relevant injection patches.

As with Backtrack 5, choices exist for either the GNOME or KDE GUI, and include both 32- and 64-bit versions.  A VMware image is available in 32-bit GNOME only.

Download available directly from SCADAhacker.com using the Tools section, or through the normal Offensive Security website.

Gleg releases Version 1.4 of the SCADA+ Pack for Canvas

On July 21, Gleg Ltd. announced the availability of Release 1.4 of the SCADA+ pack for Immunity's Canvas. This confirms a trend by which Gleg appears to be offering an updated SCADA+ pack about every month. Details of v1.2 - 1.3 are also provided below.

ICS-CERT also released an alert ICS-ALERT-11-230-01 on August 18 which provides some additional details on the SCADA+ Pack.  Though there were no alerts or updates for SCADA+ Versions 1.2 and 1.3, the ICS-CERT update and this blog should provide good revision control.

The release contents cover two (2) zero-days and one (1) public vuln:
  • ICSCADA blind error-based SQL Injection (public, unpatched) allows retrieval of the admin password
  • Broadwin\Advantech WebAccess7.0 multiple ActiveXs vulnerabilities (zero day)
  • Broadwin WebAccess DoS PoC (zero day)
STEP AHEAD users receive an additional module:
  • Broadwin\Advantech WebAccess blind error-based SQL Injection with filter bypass - allows retrieval of the admin password. (zero day)

On June 23, Gleg released Version 1.3 of the SCADA+ Pack, which added the following modules:
  • Wintr SQL injection (zero day)
  • IntegraXOR 3.6.4000 SQL Injection
  • Broadwin\Advantech SCADA product ActiveX Control Buffer Overflow (zero day)
  • Advantech Studio ISSymbol ActiveX Control Buffer Overflow Multiple Vulnerabilities
On May 17, Gleg released Version 1.2 of the SCADA+ Pack, which included some minor fixes and offered some added functionality. It included an exploit for an old, but still frequently used, ENIServer version. ENIServer is included with CoDeSys software, resulting in "full pwn"! An "ENIServer" Shodan search gives more than a hundred systems exposed to the Internet worldwide.

Additional modules include:
  • Remote exploit for CoDeSys ENI Server ver 1.1.4.0. full pwn (zero day)
  • RealWin SCADA Memory Corruption (this time DoS against 910/tcp) (probable zero day)
  • CACHE database DoS (zero day)
  • Another vector for CACHE Database DoS (zero day)

Gleg releases Ver 1.5 of the SCADA+ Exploit Pack for Immunity Canvas

Today (August 25, 2011), Gleg announced the availability of Version 1.5 of the SCADA+ add-on exploit pack for Immunity's CANVAS exploitation framework (much like the Metasploit Framework). As we have seen over the past few months, this release contains several new automated SCADA exploits, including several zero days.

This new release contains the following updates:
• Broadwin\Advantech WebAccess - Blind-Error based SQL Injection with Filters Bypass (this was available via the Step Ahead program from Gleg about 1.5 months ago) (zero day)
• Labview (version 6 and possibly others) - DoS via IPv6 Query. Based on an old bug, but a commonly used Labview version.
• Progea Movicon 11 - Remote DoS crashing the server.
There are also some new additional featured modules via Step Ahead:
• Carel PlantVisor Pro vulnerability - Used in nuclear plants (e.g. in Canada). Exploit allows credential theft. (zero day)
  [SH comment: don't be alarmed here! Carel PlantVisor Pro is used for HVAC building control, and is not used as a primary safety or controls system]
• Sunway ForceControl and pNetPower - Buffer Overflow vulnerability is known to exist (but details are not public), patch available. Thousands of installations in Turkey and China (http://gleg.net/httpsrv_shodan.png shows some representative installations by country - Thanks Shodan!)
A couple of additional notes ... first, if you have never used Canvas by Immunity, and you are interested in obtaining your Certified Ethical Hacker certification, then you might want to consider the boot-camp course from InfoSec Institute (where I teach their SCADA Security course). The course offers each student a fully licensed copy of Canvas.

Details on the SCADA+ pack can be found on the Gleg website. Pricing was previously available on-line, and my past investigation showed a three-month subscription for Agora SCADA+ costs US$2,250, which includes updates to the exploit pack and a single license for the Canvas framework. A one-year subscription costs $5,400 and also comes with one Canvas license. For current pricing, contact sales@immunityinc.com.

Security researcher Luigi Auriemma again publicly discloses numerous vulnerabilities targeting multiple SCADA/ICS systems

On September 13, 2011, Italian security researcher Luigi Auriemma (web site) disclosed a laundry list of vulnerabilities targeting six (6) different industrial control systems, including United States market leader Rockwell Automation.

The vulnerabilities include:
All of the disclosed vulnerabilities were accompanied by proof-of-concept (PoC) code which can be used to exploit them. These vulnerabilities range from denial of service (DoS), to information disclosure, to complete remote code execution.

SCADAhacker.com has launched a new section of the website that will be used to post and track key information relating to vulnerabilities in automation and control systems. The purpose of these pages is to provide a quick set of related links which can be used to further research and explore these vulnerabilities that target the systems controlling not only our critical infrastructure, but a large portion of the manufacturing base in use today.

I encourage you to take a look at the site, and offer any suggestions via email.

Oil and Gas Cyber Security Forum 2011 - London - Nov. 21-22

SCADAhacker is proud to be a key member of the speaker roster at the launch of SMi's inaugural Oil and Gas Cyber Security Forum 2011. This conference takes place in London on November 21-22, bringing together cyber security professionals from across the world to discuss, network and analyze key cyber security issues facing the oil and gas industry today.

SCADAhacker will chair the first day sessions, which include a presentation by Marty Edwards from DHS-CSSP and David Lacey from ISSA. The second day includes a unique look at China as a cyber threat, as well as a live demonstration by SCADAhacker on how to hack a control system using a variety of attack vectors. Other speakers include Salem Elwi, Head of Central Engineering at Saudi Aramco, who will give a unique insight into Saudi Aramco's security strategies and how they counter cyber security threats.

Complete details, including registration information and venue details, can be found by clicking here.

I have access to discounted registration coupons. If interested, please send me an email.

Gleg releases Ver 1.6 of the SCADA+ Exploit Pack for Immunity Canvas

On September 26, Gleg released version 1.6 of their SCADA+ exploit pack for Immunity Canvas. This release includes several new modules, including many for vulnerabilities found by Luigi Auriemma. Note that Metasploit has also incorporated a large number of these exploit modules in their free framework.

Some of the modules included in version 1.6 include:
• Cogent DataHub Directory traversal vulnerability. CVE-2011-3500.
• DAQFactory <= v.5.85 build 1853 stack based buffer overflow. CVE-2011-3492
• CarelDataServer Directory traversal vulnerability. CVE-2011-3487
• Procyon Core Server stack buffer overflow. CVE-2011-3322
• SCADAPRO <= v.4.0.0.0 unauthenticated remote command execution. No CVE, but public.

Step Ahead SCADA+ users also receive additional 0-days, including the following:
• CEserver buffer overflow - 0day.
  This software is available for most embedded systems.
  The exploit currently covers WinXP SP3 Embedded.
• Carel PlantVisor Pro critical information disclosure - 0day
  Theft of all SCADA users' logins and passwords
• Carel PlantVisor Pro critical information disclosure - second vuln. 0day
  Theft of all SCADA users' logins and passwords
Details on the SCADA+ pack can be found on the Gleg website. Pricing was previously available on-line, and my past investigation showed a three-month subscription for Agora SCADA+ costs US$2,250, which includes updates to the exploit pack and a single license for the Canvas framework. A one-year subscription costs $5,400 and also comes with one Canvas license. For current pricing, contact sales@immunityinc.com.

SCADAhacker to Speak at Information Security Trends Meeting in Colombia

I will be speaking on current issues facing industrial control system (ICS) cyber security at the Digiware Information Security Trends Meeting scheduled for October 12, 2011 at the Marriott Bogota, Colombia.

My talk will focus on the issues facing ICS/SCADA systems used to control a vast majority of a country's infrastructure, including electric generation (fossil, hydro, nuclear), water/wastewater treatment, energy distribution (pipelines), transportation (rail, traffic), process industries (pharma, oil, gas, refining), and discrete manufacturing. One point of special attention will be on recent attacks and how to address the new "insider threats", where a malicious outsider gains inside access via various tools and then "poses" as a valid user with appropriate credentials! Identifying and stopping these attacks presents unique challenges of which many are not completely aware.

I hope to provide live updates of the conference via my Twitter feed at @SCADAhacker.

Son of Stuxnet has Surfaced in Europe According to Symantec Report (update 1)

According to a blog posted by Symantec on October 18, and as reported by Homeland Security News Wire on October 19, a research lab with "strong international connections" alerted Symantec to sample code that appears to be very similar to Stuxnet. This new threat has been named "Duqu" (pronounced dyü-kyü) because it creates files with the prefix "~DQ". (A copy of the complete Symantec report is available by clicking here). Samples given to Symantec were obtained from systems located in Europe.

According to the report, parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose as analyzed by the lab and confirmed by Symantec. Some of the similarities include the use of a driver in one of the variants that was signed with a valid digital certificate, expiring August 2, 2012, from a company headquartered in Taipei, Taiwan (as were the Realtek and JMicron certs used with the original Stuxnet). This cert was revoked on October 14, 2011.

The following figure (published by Symantec) provides some good comparisons between Stuxnet and Duqu:

[Figure: comparison of Stuxnet and Duqu - Courtesy Symantec]

The malware is designed as a remote access Trojan (RAT) used to gather data intelligence from various entities, including ICS manufacturers. The code appears to be looking for information such as design documents that could be used to launch a future attack against a facility under the control of an ICS - including electric generation, water/wastewater treatment, oil and gas production/distribution/refining, chemical/petrochemical processing, transportation systems, and building automation systems (just about any major building in the world!). Interesting ... all along I have postulated that the easiest way to attack a manufacturing site is to compromise the site of their ICS vendor! My theory has been confirmed!

Duqu uses HTTP and HTTPS to communicate with a command-and-control (C&C) server, which, if you have seen my newest demonstration, is very easy through any enterprise gateway that does not utilize a proxy server. Duqu uses a custom C&C protocol which should be relatively easy to identify via an IDS/IPS once signatures are released. Interestingly enough ... it is set to expire after just 36 days and remove itself from the system - another very powerful feature of the original Stuxnet code. This means that if you happened to be attacked in the early phases of this malware (estimated at December 2010), then the information has already been collected and you did not detect the breach!

As you may recall, Anonymous reverse engineered and published a large quantity of the Stuxnet code after breaching the networks of security consultant HB Gary. For this reason, I wonder about the statement in the report that "the threat was written by the same authors ... and appears to have been created since the last Stuxnet file was discovered". With easy access to the source code, the actual author of the variants could be very hard to trace!

The code does not appear to be self-replicating at this point. However, people should be aware that it appears that other variants of the code exist and could be targeting other sites. This is also an interesting point, since the code that I was able to obtain from Anonymous lacked some of the code necessary for the initial infection and some propagation methods. I wonder if the authors intentionally omitted the self-replication code, or if they were unaware that some of these features were deactivated via a setting in one of the configuration files.

If you recall, the original Stuxnet code contained a data file which kept track of each infection point, effectively producing a network "map" of how to penetrate and propagate within a multi-tier, segmented network architecture. This is why I was most alarmed when I found out that even though 40% of the critical infrastructure providers discovered Stuxnet in their environments, only 57% launched special security audits or other measures in response to the breach. These companies must have had some bad advice, because they should have known that a data file was created and communicated with other nodes that provided a roadmap of sorts on how each host was compromised.

This is obviously going to generate a lot of renewed interest in ICS security ... but I have to say that I am glad it has happened. In the months following the discovery of Stuxnet, many so-called security experts went on record saying that this could never be re-used or re-engineered. Since I focus entirely on ICS/SCADA security, and also having done a great deal of research into Stuxnet, I knew all along that it would be rather easy to modify the code to target just about any control system of your choosing.

I will try to keep up to date on these activities, and am now very excited about what DHS and ICS-CERT have to say about this next week at the Fall ICSJWG conference. Obviously, in their ICS-ALERT posted yesterday, their mitigations appear weak and ineffective. They need to read the paper I co-authored on "How Stuxnet Spreads" to see that none of these three mitigation strategies would work against Stuxnet in a typical ICS environment, which leads me to my next blog which I hope to publish later this week.

References:

Microsoft and other AV Vendors offer signatures for W32.Duqu

As recently communicated via the SCADASec forum, Microsoft and others have made available anti-virus signature updates for the W32.Duqu trojan, covering at least three variants. The links below are to the Microsoft Malware Protection Center, and provide some useful background information:
Interesting enough are the details contained in the Variant "C" summary, which identifies the IP address used for the C&C server - 206.183.111.97, which is registered to WebWerks India Pvt. in Mumbai. This should not lead you to believe that the attackers originate within India, but rather that this site could be used as a proxy.

Bob Radvanovsky also provided a link which highlights the updates of a large number of AV vendors relating to Duqu. This list is available by clicking here.

Gleg releases Ver 1.7 of the SCADA+ Exploit Pack for Immunity Canvas

On October 20, Gleg released version 1.7 of the SCADA+ Exploit Pack for the Immunity Canvas framework, though this time around, I do not see a lot of unique value in the code updates.

Modules of interest in this release represent the bulk of the ICS/SCADA vulnerabilities disclosed in September, including:
• Rockwell's RSLogix5000 DoS
• SCADAPRO buffer overflow / DoS
• Cogent Datahub
• Sunway httpsvr.exe unauthenticated remote command execution
• Sunway AngelServer DoS
• Sunway SNMP NetDBServer stack-based buffer overflow
Step Ahead users in addition receive a 0-day:
• Advantech Web Studio DoS 0-day

I would like to comment that several of these vulnerabilities were disclosed with public PoC code, including:
In addition, the SCADAPro vulnerability which allows remote code execution via directory traversal has been included with the Metasploit Framework in SVN 13967.

I have created a new list of new SCADA/ICS vulnerabilities, complete with PoC (if available) and additional references, at SCADAhacker.com. I am about a week behind, but intend to keep this current and up to date as new vulnerabilities are disclosed.

As always, please post your comments or suggestions to improve the usefulness of this information.

Does Anyone Want the Source Code to Stuxnet? Come and Get It!!! (update 1)

After reading report-after-report, blog-after-blog during the past 24 hours, I have decided, rather than commenting on each of these individually, to offer some additional information which should help set the record straight on who the author is ... or maybe better ... who it is NOT ... of this new variant of our old friend Stuxnet.

It all began back in January when Egyptian student Amr Thabet first announced that he had decompiled and reverse engineered the MRxNet.sys file used by Stuxnet. As you may recall, this was one of the digitally signed files that was placed in the windows\system32\drivers directory and used as a rootkit to hide the presence of the Stuxnet malware on its victims.

If you have not taken a look at the work from Amr, I suggest you visit his writeup on Stuxnet, as he actually provides some very good insight into the code, and how it is used.

The list below is a summary of the key files used with the original Stuxnet codebase after infection:

    c:\windows\system32\drivers\mrxnet.sys (Windows rootkit)
    c:\windows\system32\drivers\mrxcls.sys (load point)
    c:\windows\inf\oem7A.PNF (main payload)
    c:\windows\inf\mdmeric3.PNF (90-byte data file)
    c:\windows\inf\mdmcpq3.PNF (configuration data)
    c:\windows\inf\oem6C.PNF (log file)
    c:\windows\help\winmic.fts (25-byte data file)
    c:\windows\system32\s7otbxdx.dll (PCS7 DOS driver)

Shortly after, in February of 2011, you may recall that the hacktivist group Anonymous successfully hacked into the computers at security company HBGary. Within the data they "stole" were a series of emails that contained a "decrypted translation" of the code that HBGary was working on. This was widely covered in the media (FoxNews, Homeland Security News Wire, and many others).

"There is the real potential that others will build on what is being released," said Michael Gregg, chief operating officer of cybersecurity firm Superior Solutions. Gregg was quick to clarify that the group hasn't released the Stuxnet worm itself, but rather a decrypted version of it HBGary had been studying -- which could act almost like a building block for cybercrooks.

On February 13, 2011, Anonymous published their work at this site. Though this code does not reflect true "source code", it does provide the malware in a high-level language which can be re-purposed and re-compiled for another purpose.

I reviewed much of the code, and though it did not contain 100% of the Stuxnet functionality, it did contain a large portion of the working malware. One piece that I noticed was missing was the initial dropper and infection algorithms. After reading many of the articles this week, this seems to be one of the pieces missing from this new codebase, and is why I believe that the authors of this attack were in fact using the Anonymous published code. If we use September as the date upon which this was initially launched, a new attacker would have had six (6) months to develop this new malware, which is a lot of time. The real point of interest is the fact that this may have surfaced as early as December 2010. If this was in fact the case, we may actually be dealing with more than one author - or a group of "copycats".

Today, I listened in on Symantec's webcast on Duqu, and Kevin Haley was pretty convinced these authors did in fact use the Stuxnet source code. He went on to say that this does not mean that the original authors were also the authors of Duqu, but that the code could have been "stolen" or "misplaced". Kevin went on to say that Stuxnet source code was not available on the Internet. I have received comments about my position, and agree that even though the Anonymous files are not pure, original source code, they are high-level language translations of the original binaries that could be re-written for another purpose.

Comments, debates, arguments, or compliments always appreciated!

Duqu: ICS experts weigh in on protecting against zero-day threats - Oct. 25, 2011 Webcast

      On October 18, 2011, ICS-CERT issued an advisory related to the discovery of new malware – W32.Duqu – targeting industrial control systems. One year after revelations of Stuxnet came to light, the emergence of Duqu points to the continued need for vigilance in protecting critical infrastructure.

      What does Duqu – and future zero-day threats – mean to your organization? Join an interactive panel discussion with experts from Industrial Defender, Red Tiger Security and The SCADAhacker on Tuesday, October 25, 2011 at 11 am ET. In this session, you'll gain insight into how you can ready your organization to sustain security in the face of today's threat environment.

      Webcast Panelists
      • Jonathan Pollet, founder and principal consultant for Red Tiger Security
      • Joel Langill, The SCADAhacker
      • Walt Sikora, vice president of security solutions at Industrial Defender

      Click here to register for this Webcast
      Tues., October 25, 2011 at 11 am ET



      Click here to read the ICS-CERT advisory
      Click here to submit a question for our panelists

      Panelist Biographies

      Jonathan Pollet, founder and principal consultant for Red Tiger Security, has over 10 years of experience researching vulnerabilities and conducting field security assessments of Industrial Process Control Systems, SCADA Systems, Automated Meter Reading systems, and Smart Grid technology. After graduating from the University of New Orleans with honors and receiving a B.S. degree in Electrical Engineering, he was hired by Chevron and worked in the SCADA and Automation Team for the Upstream Exploration & Production division. Pollet designed and implemented PLC and SCADA systems for several offshore and onshore facilities.
      Joel Langill is The SCADAhacker. His expertise was developed over more than 25 years through in-depth, comprehensive industrial control systems architecture, product development, implementation, upgrade and remediation in a variety of roles covering manufacturing of consumer products, oil and gas including petroleum refining, automation solution sales and development, and system engineering. His employers include major companies such as General Electric, Shell Oil Company, Honeywell Process Solutions, and ENGlobal Automation, offering him a rare and insightful expertise in the risks and mitigation of cyber vulnerabilities in industrial control systems.
      Walt Sikora, vice president of security solutions at Industrial Defender, brings more than 27 years of industrial experience with SCADA, DCS and PCS systems, and security. Prior to Industrial Defender, Sikora spent 21 years with Invensys, Inc. as Director of Service Engineering and Development, where he was responsible for developing services and tools for UNIX and Windows NT as well as security solutions for Foxboro Intelligent Automation customers. He holds an Associate Degree in Engineering Technology from Massasoit Community College, a B.S. degree in Electrical Engineering from Northeastern University, and is currently an MBA candidate at the Gordon Institute of Tufts University.

Industrial Defender is the global leader in security & compliance management for automation systems. Our technology empowers customers to sustain security and compliance, while enhancing operational excellence by protecting against breaches that might threaten availability, performance, health and safety. Industrial Defender's portfolio of defense-in-depth security, sustainable compliance management, and policy and reporting solutions enables customers to monitor, manage and protect their vital assets, while easing the audit process.
For nearly a decade, Industrial Defender has focused exclusively on building solutions for automation environments, delivering low operational impact and tight integration with systems and protocols core to your business. Over 350 companies in 21 countries rely on Industrial Defender technology to help secure their critical infrastructure. To find out more, visit www.industrialdefender.com.


      Industrial Defender, Inc., 16 Chestnut Street, Suite 300, Foxborough, MA USA 02035
      T: +1-508-718-6700 F: +1-508-718-6701 E: info@industrialdefender.com


      SCADAhacker to Offer ICS / SCADA "Blue Team" Security Training and Awareness Course in 2012

Having been involved in the industry for several years, I have realized that there is a lack of specific training to address "how to secure" industrial control systems. There are several very good courses currently available, including those offered by InfoSec Institute (which I will teach until early 2012), Red Tiger Security, Digital Bond, SANS and Idaho National Labs. However, when reviewing the syllabi of these courses, I feel that they tend to focus too much on either (1) theoretical aspects of the problem, or (2) the "hacking" or "red team" side of ICS security.

Knowing this, and not trying to duplicate what is currently available, I have decided to launch my own course entitled "Understanding and Securing Industrial Control Systems". This course will be primarily focused on "securing" or "blue teaming" the ICS and will involve several labs that reinforce the selection and implementation of security controls relating specifically to ICS.


      The preliminary agenda is as follows:
      • Understanding the Unique Threat Landscape of Industrial Control Systems
      • Understanding Current Standards and Best Practices from a Security and Compliance Point of View (ISA, IEC, ISO, NERC-CIP, CFATS, NIST, CPNI)
      • Risk Identification, Classification, and Threat Modeling
• Understanding and Identifying ICS Vulnerabilities
      • Selecting and Implementing Administrative Security Controls
      • Selecting and Implementing Technical Controls
• Auditing and Assessing ICS Security
      I expect the first one or two classes to be offered in the Chicago area (near ORD airport). Future classes will be offered in manufacturing epicenters such as Houston, Los Angeles, Detroit, Pittsburgh, New Orleans, Washington D.C. and Calgary (others will be available based on customer interest).

Students will use their own computers and will be supplied with a bootable external drive that contains the testing environment and other tools studied during the week. Many labs will utilize physical ICS equipment, providing a scenario as realistic as what actually exists in the field. The course will also stress many new leading-edge security technologies that will form the basis of a comprehensive overall ICS security program.

I am also open to nesting this curriculum in existing vendor and supplier training programs. Please feel free to contact me for additional details.

All of this is very exciting, and I hope that this material will allow me to write and publish a much needed book on this topic in the 2012-2013 timeframe. The end goal is to offer a textbook in addition to the standard PowerPoint slide deck used to teach the class.

Please stay tuned for more details. I expect the first course to be available in the April-May timeframe, with registration beginning after the start of the year.

      SCADAhacker publishes Duqu Reference Page

      Based on the success of the Stuxnet Resource Page on SCADAhacker.com, today I launched a similar page consolidating the useful information and material relating to the new "Son of Stuxnet" malware known as "Duqu".

      There are currently multiple researchers analyzing this relatively unknown piece of malware, and all of them appear to be coming up with different conclusions. I felt that it would be useful to share my bookmarks and some of the interesting references that I come across in performing my own open-source research and analysis.

Please bookmark this page in your browser and visit it often.

      I am currently consolidating information.  If you have anything you would like to share, please pass it along.

      Are Web Services a Dumb Idea???

I recently read a blog post by Reid Wightman on the @DigitalBond site entitled "When Web Services are a Dumb Idea". It seems that the folks at Digital Bond are on some kind of mission to create a list of "insecure ICS products", which might not necessarily be a bad idea, but at least we need to be sure that everyone is being evaluated against the same criteria.

First off, I have to apologize to Dale regarding my comment on this post, as I did not see that it was written by Reid and incorrectly referenced Dale in my response.  I have copied my "edited" response from the @DigitalBond site below:
      After reading Reid’s interesting post, I thought it would be nice to bring in two useful points for conversation.

      First, you need to expand your concept of an “embedded web server” beyond something that a user would use when launching a browser and entering a URL for the device. Vendors actually use embedded web servers for a number of reasons, and many of these vendors are leaders in the industry – both from a functional and security point of view!

Case in point … Honeywell … clearly one of the leaders in terms of their commitment to security and one of the market leaders in ICS, uses the embedded SafeNet Sentinel License Monitor app, which provides an HTTP daemon on their Experion nodes (R31x was the last I verified that this was still present) for “internal use”. Vulnerabilities in this app were originally disclosed by Luigi Auriemma, and when I mentioned to Honeywell that they were using a vulnerable service on 6002/tcp, their response was that it was “hidden” behind the Windows Firewall and that they did not need to provide any further patches. Poor response considering that some of their “default accounts” allowed me to disable the firewall and expose this vulnerable service!

      I also disclosed this exact same vulnerability to Iconics in their Genesis32 HMI package this past March after reviewing some of the exploits that were disclosed by Luigi Auriemma.

So, it is clear that there are a lot more web servers, or better said, HTTP daemons, running than one might expect! During your next assessment, see if you can find any of these services running!

      Next point is that I initially was drawn to this post because of the term “web services” in the title. After reading, however, it was clear that Dale was not talking about “web SERVICES” but rather “web SERVERS”.

      Vendors have been using web “services” for some time now, because they offer a fairly secure means of inter-application communication both locally and remotely across firewalls when integration is required with enterprise applications using the eXtensible Markup Language (XML) following the SOAP standard. (Of course, the recent news that researchers have been able to exploit the XML encryption standard does add a slight twist here!)

Vendors have been moving more and more to a service oriented architecture (SOA) to support better communication between applications from different vendors. One such implementation was the OPC XML-DA standard released in 2004, and more recently, the OPC Unified Architecture (UA) standard, which is also based on XML/SOAP via web services! Now, remember that one of the drivers behind OPC-UA was improved integration with “non-Microsoft” platforms, including … process level devices. So it is not that difficult to see that most leading ICS vendors will have some form of web SERVICE running inside the ICS application framework, and in the near future, as OPC-UA is released in more devices, this will include L0 and L1 devices as well. OPC Foundation used the phrase “From the Controller to the Cloud” to describe OPC-UA, and when I just visited their product page, I saw that they are currently testing OPC-UA for QNX and VxWorks, so expect it to show up in controllers soon! There were also several leading ICS vendors who have tested or are in the process of testing their OPC-UA interfaces for their ICS L2 hosts.
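The comment above ends with a challenge: during your next assessment, find the HTTP daemons that no browser was ever meant to be pointed at. The script below is an added example, not code from SCADAhacker, Digital Bond, Honeywell or SafeNet. It sends a raw HEAD request to each candidate port and records which ones answer with an HTTP status line and a Server banner, treating a refused, silent or non-HTTP port as "no daemon". Only 6002/tcp comes from the post; the rest of the candidate port list, the `SentinelDemo/1.0` banner and the two throwaway loopback listeners (one HTTP, one that answers with a non-HTTP banner) are constructed for the demonstration so that it runs offline.

```python
"""Probe a host for HTTP daemons on ports a browser would never be pointed at.

Added example, not SCADAhacker's or Digital Bond's code. The local throwaway
servers stand in for an embedded license-monitor daemon and for a non-HTTP
service; their banners are constructed for this demonstration.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# 6002/tcp is the Sentinel License Monitor port named in the post; the other
# ports are an assumed starting list, not a vendor-verified one.
CANDIDATE_PORTS = (80, 443, 6002, 8080, 8443)


def probe_http(host, port, timeout=2.0):
    """Send a raw HEAD request to host:port.

    Returns (status_line, server_banner) when the peer answers with an HTTP
    status line, or None when the port is closed, silent, or speaks
    something other than HTTP.
    """
    request = b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while b"\r\n\r\n" not in data and len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:          # peer closed without a header block
                    break
                data += chunk
    except OSError:                    # refused, timed out, reset
        return None
    if not data.startswith(b"HTTP/"):
        return None
    header_block = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = header_block.split("\r\n")
    banner = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            banner = value.strip()
    return lines[0], banner


def find_http_daemons(host, ports=CANDIDATE_PORTS):
    """Return {port: (status_line, server_banner)} for ports answering HTTP."""
    found = {}
    for port in ports:
        result = probe_http(host, port)
        if result is not None:
            found[port] = result
    return found


class _DemoHandler(BaseHTTPRequestHandler):
    """Minimal daemon that answers HEAD; the banner is constructed."""
    server_version = "SentinelDemo/1.0"

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()

    def log_message(self, *args):      # keep the demo quiet
        pass


def start_demo_http_server():
    """Start the throwaway HTTP daemon on an ephemeral loopback port."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def start_non_http_listener():
    """Accept one connection and answer with a non-HTTP banner (constructed)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def serve():
        conn, _ = listener.accept()
        conn.recv(1024)
        conn.sendall(b"220 proprietary service ready\r\n")
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener, listener.getsockname()[1]


if __name__ == "__main__":
    http_server, http_port = start_demo_http_server()
    _, other_port = start_non_http_listener()
    hits = find_http_daemons("127.0.0.1", (http_port, other_port))
    for port, (status, banner) in hits.items():
        print("%d/tcp answers HTTP: %s  Server: %s" % (port, status, banner))
    http_server.shutdown()
```

Against a real node, point `find_http_daemons` at the host with the full candidate list (or every listening port from a netstat dump) and compare the Server banners with what the vendor documents; a banner on a port that is not in the vendor's own port list is exactly the "hidden" daemon the comment is talking about, and it deserves the same patch tracking as the HMI itself.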

      UPDATED: Hackers Independently Attack Two Different Water Utility Districts

      Updated: November 23, 2011

News reports broke on November 18, 2011 (Attack on City Water Station Destroys Pump - Wired) when fellow security specialist Joe Weiss blogged about a report released on November 8, 2011 that a water utility district in Springfield, IL (later identified as Curran-Gardner Public Water District) suffered what looked like a "blended attack". The first phase focused on compromising a supplier's internal system which contained remote access credentials not only for the target, but also for several other as yet "unnamed" sites. The second phase allowed the attackers to simply "turn the key and walk in the front door", gaining complete access to the industrial control system. The end result was a failure of one of the process pumps.

DHS, and possibly even the FBI, downplayed the attack, and stated "At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety" in their report. This outraged many, including a twenty-something hacker known only as "pr0f" or @pr0f_sys. As reported on November 18, 2011 (Hacker says he broke into Texas water plant, others - CNET), this attacker then used a completely unrelated attack vector to easily gain access to another water utility in South Houston, TX, where he posted several screenshots of the control system on PasteBin. Obviously, he knew what he was doing, and intentionally left the system unaffected. In addition to his initial post, he also wrote a second article on PasteBin providing some insight into what he calls "SCADApocalypse". Interestingly enough, I also came across a PasteBin post from November 3, 2011 by pr0f entitled "Water Metering SCADA", complete with passwords.

So ... when are people going to let us ICS security specialists perform some "light" penetration testing to get an accurate assessment of one's security posture?

Many people were quick to jump on the "disclosure" bandwagon, blaming either the control system vendor for not disclosing critical security vulnerabilities, or DHS / ICS-CERT for not disclosing information on the breach. Unfortunately, it is SCADAhacker's view, given the limited information that is available, that both of these attacks had little to do with the ICS / SCADA vendor, but rather with poor security implementation practices by either the owner-operator or the system integrator responsible for commissioning these systems. This is obviously not the end of these types of attacks, and SCADAhacker will continue to provide timely, relevant information to help protect the ICS and SCADA systems used to control our critical infrastructure and manufacturing processes.

All of this information is going to be placed into a case study that will make an excellent module in my 2012 course entitled "Understanding and Securing Industrial Control Systems".


      UPDATES:
Threat Post was able to get an interview with pr0f and released a very informative article on November 20, 2011 (Hacker Says Texas Town Used Three Character Password to Secure Internet Facing SCADA System) which provided additional details regarding the target ICS vendor and the poor "3-letter" password which was used to compromise the system(s).

Elinor Mills from CNET posted a new story on November 22, 2011 (DHS Denies Report on Water Utility Hack) in advance of the official DHS announcement that followed the next day in their Information Bulletin ICSB-11-327-01 on the Illinois Water Pump Failure incident, finding no evidence of a cyber breach at the facility.  Conveniently enough, it still lacks an explanation of the second attack on the facility in South Houston. In an email to ICSJWG members, "ICS-CERT is assisting the FBI to gather more information about this incident", which leads me to believe that they have uncovered enough information to further investigate what is most likely an easy penetration of the target systems. Elinor interviewed me, and I provided her with numerous examples of the lack of "urgency" I see when looking at security in the manufacturing sector.

What is most disturbing when reading reports like that from DHS ICS-CERT are comments like "ICS-CERT has not received any additional reports of impacted manufacturers of ICS or other ICS related stakeholders related to these events." It appears that they have not uncovered the vulnerability used by pr0f in his attack, and also do not have the enumeration data which shows several other potential targets! I believe there is a lot more to come regarding this breach.

What appears even more interesting is a related event that occurred in New Jersey, published by Homeland Security News Wire on November 21, 2011, that talks about yet another attack, on the West Milford water system, that has resulted in "shut off power to water systems, opened valves that should have been shut, and thrown a plank of wood into a sewage filtration system." This appears to be a physical attack, but details are still not official.

      This story is far from over ... stay tuned for more !!!

      Gleg releases Ver 1.8 of the SCADA+ Exploit Pack for Immunity Canvas

      On November 24, Gleg released version 1.8 of the SCADA+ Exploit Pack for the Immunity Canvas framework, along with a corresponding version 2.7 of the Agora Exploit Pack.

      In SCADA+ 1.8 there are modules for several fresh public SCADA/ICS vulnerabilities, most of which were recently disclosed by Luigi Auriemma.  Many of these exploits appear to be denial-of-service (DoS) exploits, so this really is not something that I think is worth the money at this time.

      SCADAhacker has noticed that the vulnerabilities included with Gleg SCADA+ 1.8 regarding the Optima APIFTP Server SCADA HMI application have not yet been disclosed by ICS-CERT.  I will be posting an out-of-band advisory on this vulnerability set within the next 24 hours, and will update this blog accordingly.

The Gleg Step Ahead customers receive some additional exploit modules, including one which allows them to decrypt user credentials in Promotic SCADA and an additional SCADA-related ActiveX exploit.

      SCADA+ 1.8 modules include:
      • Beckhoff TwinCAT <= 2.11.0.2004
      • Optima <= 1.5.2.13 Denial of Service
      • OPC Systems.NET <= 4.00.0048 Denial of Service
      • Data Archiver service in GE Intelligent Platforms Proficy Historian <= 3.5 SIM 17 and 4.x <= 4.0 SIM 12 Stack Overflow Proof of Concept & Denial of Service
      • Atvise webMI2ADS <= 1.0 Denial of Service
      • another Atvise webMI2ADS <= 1.0 Denial of Service
      • Atvise webMI TestServer Directory Traversal
      • PcVue <= 10.0, SVUIGrd.ocx <= 1.5.1.0 Code Execution
• PROMOTIC <= 8.1.3 Directory Traversal leveraged for user credential disclosure
It is worth mentioning that the SCADAhacker Vulnerability Reference List contains a great deal of information for most of these vulnerabilities and includes any publicly-disclosed PoC code.
      Other SCADA/ICS vulnerabilities disclosed by Luigi Auriemma covered in the SCADAhacker Vulnerability Reference List but not included in Gleg SCADA+ include:
      As always, please post your comments or suggestions to improve the usefulness of this information.