
ICS Intrusion KillChain explained with real simulation

BSides Athens · 2021 · 36:24 · 562 views · Published 2021-06
Category: Technical
Difficulty: Intermediary
Team: Red

About this talk
Abstract: Cyber attacks on Industrial Control Systems (ICS) differ in scope and impact based on a number of factors, including the adversary's intent, sophistication and capabilities, and familiarity with ICS and automated industrial processes. In order to understand, identify and address the specific points that can prevent or stop an attack, a systematic model known as the «Cyber Kill Chain» is detailed, a term that comes from the military environment and was registered by the Lockheed Martin company. While most are familiar with the terms and theoretical diagrams of how security should be implemented, in this talk we want to present live how an attack chain occurs from scratch to compromise industrial devices: the full kill chain. The goal is to land these threats in the real world without the need to carry out these attacks with a nation-state budget. We will present: an introduction to the industrial security model; a real scenario attack with a laboratory of industrial devices on stage for simulation; the kill chain in real time, step by step, from the Internet to the ICS internal network; how to discover and exploit new vulnerabilities; and recommendations to follow. All this regardless of the brands and models of the devices and software used, where the most predominant factors are mostly the lack of prolixity in the implementation and operation of these environments and especially the skill level of the attackers.

Bio: Professional with solid skills and knowledge in pentesting methodologies such as OWASP and OSSTMM, with extensive expertise in projects of ethical hacking of web applications, mobile applications and infrastructure, ATM pentesting and code analysis. He has extensive experience in the development of exploits for the Metasploit Framework, with excellent command of the Python, PHP, Java, C#, C and Ruby programming languages. He developed a translation extension for Mozilla Firefox that currently has more than half a million active users: https://addons.mozilla.org/firefox/addon/to-google-translate/. He has participated in international computer security competitions, together with the Latin American team NULL Life.
Transcript [en]

Hello, thank you very much for being here with us, and I hope that you and your family are well. My name is Juan Escobar and I work as a senior security consultant in Chile, at the moment a lot of excellent wine and also a country of many earthquakes. We are a pioneering Swiss company in constant innovation in the cyber security landscape, with 20 years of experience in almost all sectors of the industry and with a presence in various regions of the world. This talk is based on our experience in the field of security audits and incident response, as well as in the research of new vulnerabilities and how they are applied in the ICS cyber kill chain.

As a small introduction, ICS are devices that generally operate in critical infrastructures. These are not well known, since they operate in different environments than the companies that have regular information technologies. Also, many incidents involving ICS devices and OT environments have had very important geopolitical connotations, which has changed the world related to the vulnerabilities existing in them, which has led governments today to measures that classify them as a critical element of the nation.

As many know, today we are in what is called Industry 4.0, which is characterized by browsing, interconnectivity and data collection, analysis and communication, with results in the optimization of the flow and quality of the process. Although the benefits are many, this convergence between the IT and OT worlds increases the attack surface as well as the amount of new controls to implement. Based on these premises, in the 90s Theodore J. Williams, along with members of the Purdue University consortium, developed the Purdue Enterprise Reference Architecture as a model for enterprise architectures, where the Purdue model defines the different levels of critical infrastructure that are used in production lines and the way to secure them.

But as we know, in reality it is very difficult to implement, maintain and monitor all cyber security systems. We must remember that not all the companies are the same, therefore the security mechanisms and architectures are different, but at the base all the activities to be carried out by an attacker will almost always be the same. That's why Michael Assante and Robert Lee adapted the Cyber Kill Chain model created by Lockheed Martin to the ICS world, to understand, visualize and organize the steps required for an adversary to reach their goal. So the ICS cyber kill chain consists of two phases: the first one is intrusion, which consists in the intrusion preparation and execution, also known as IT, and the second one is attack, ICS attack development and execution, also known as OT.

So let's see what these steps are. For stage one, the first one is reconnaissance. Reconnaissance is an activity to obtain information about something through observation or other detection methods. This activity is divided into two phases, passive and active, where passive is in charge of researching the information available in public sources and active interacts directly with the target for the collection of this information. OK, let's continue. First let's define our target and the attacker: in this case the target is a nuclear power plant called Macros and the attackers will be a group called APT-666.

If we search for this nuclear plant in Google we have a result, and we can see that this plant is located in Switzerland and also has other energy generation projects.

Continuing with the phase of reconnaissance, we do a search in Shodan and ZoomEye, where there is probably not much information, which should always be the case. In LinkedIn we find one profile related to the company, and not much else on the Internet. It is then that the attackers carry out an active reconnaissance, obviously, but the activity can be carried out in parallel. So let's start with an active reconnaissance. As we know the plant is located in Switzerland, right? So we proceed to scan the entire country looking for any reference to the company. One of the protocols consulted is SNMP since, although there are not many vulnerabilities for it, I think it provides a lot of important information to carry out an attack. So for this I developed this tool called Meliodas, and this is an SNMP parser, so it takes a database name to save the results, a community that usually is public or private, and a file with the IP addresses that I want to scan.

So in the result of the tool we can see the IP address, the hostname, the version name of the device and also the date. So if we search for a string that has the name of the company, Macros, in the result, we can actually see that there is an IP address related to the company. So now we will see what information this service can give us, so for this we will use a different tool.

As we see, it gives us enough information.

So now we know that someone is connected to this; we could assume that this is someone who is a system administrator, right? So let's see what we find in this IP. So we are launching a quick scan to see what ports are open on this IP that has connected to port 22, and we can see that it has port 80 open, right? So we go to the browser, let's see what we can find, right?

OK, so we find a DrayTek login website, right?

So with a little more research and investigation we see what type of device it is, in which part of the world the IP address segment is, so it is in the United States, and it has no known vulnerabilities. So, a summary of the first step: we have one LinkedIn account, one website, one Linux server, one SNMP service, one interesting IP and one Internet border device with no known vulnerabilities. So now we are done with the planning, reconnaissance step and we can move forward to preparation, which contains weaponization and targeting. This can be one or the other, or we can do both, but it's not required. This basically is to prepare the tools according to the identified objective. In this case we will use two vectors: vector one is social engineering and vector two is infrastructure, which will consist of attacking this DrayTek router. Our goal for the social engineering vector is to send a malicious link to the victim via a LinkedIn message; the victim visits the malicious website and, using a browser exploit, we can control her computer. Our excuse for this will be an interview for a magazine specialized in cyber security issues in industrial environments. For vector one we create a fake profile of the journalist in LinkedIn: Luisa Lancaster, journalist focused on critical infrastructure, ICS. Seems legit, right? Also we code a website for the magazine Scatter Wired, and we have our exploit ready to be activated when the victim visits the website. So our plan for vector 2 is also similar to the previous one: we want to redirect all the traffic to a malicious site, use a browser exploit deployed in the website, and install a command and control tool for remote access to the victim. But since we don't know who is behind this device, we need to hack the DrayTek router in order to find some remote code execution or login bypass to change the DNS server. As we do not have the credentials and there are no vulnerabilities for this device, we need to find some vulnerabilities, right?

Normally in this type of device, command injection in the fields of the web application is very common, and we must identify the parameters where we are going to inject. So we fill in some fake data and with the browser console we can actually see the parameters. OK, so these are the parameters: keypad, login user, login password, captcha. So we identify six parameters, and with this information we proceed to create a fuzzer which will be in charge of injecting commands into the previously identified parameters and concatenating the command that the user inputs. So each payload is going to inject a list of commands to be executed on the target, and also we print the payload, the status code and the response headers and body. So we can start with the action field, and this will send all the command injection payloads to this field. So we can see that we have the payload number, the status code, the response headers and the response body. So what we are going to search here is, for example, some status code different from 200, right? For this field, the action field, I don't see any status code different from this one, so we can try the next parameter, which is key user, I think now is keypad, so keypad.

So in this case we identify some error status code, right?

And we identify some interesting body response, right? So the payload that we sent to the device was the id command between semicolons, and the device responded with the user that is running in the system, which is root. We can say that the vulnerable parameter is keypad, right? So now we can proceed to write an exploit in order to automate the queries, and as we are root we can consult the password file and try to crack the hash. As a root user, also, we could modify the content of the file.

So we launch hashcat and get the password, and now we can proceed to test it and look where the configuration for the DNS is located.

OK, so back to the stage one summary: the planning phase is done, the preparation phase is done, so we can now move to the next phase. In this step there are three phases: one is cyber intrusion, where you try to gain access to a network or system; the management and enablement phase, where a persistent communication is established, for example command and control; and finally the sustainment, entrenchment, development and execution phase, where different activities are carried out that will help to fulfill the goals of the attackers. In this step the three phases mentioned above can be automated; for this stage we will use Metasploit. To summarize the phases: first we will send the message to the victim and wait for her to enter the page. But first we need to activate our exploit; we can do this by removing the comment line and saving the change. Now if we change to the victim machine, if the victim clicks on the link, or just googles it, the exploit will be executed. So now if I change to my Metasploit console I can see that I already have access to her computer. I got some credentials with Mimikatz, and now I'm searching for useful information, like some common extensions like .ovpn, right? And now I can see that I found one result, so Macros VPN, may be interesting, right?

And so I can search for KeePass files, right? And I found another result for this extension, and also Microsoft Excel files. So now we will continue with the second vector, vector 2, and we proceed with the change of the DNS server on this target. In order to do this we need to run a DNS server on the attacker machine and also redirect all the traffic from the victim to our malicious website. So now that the fake DNS server is running we can go to the DrayTek device, log in with the administration password that we got with the remote code execution, so we can see that the DNS server is Google's IP, so we change it with the attacker DNS server and apply the change. So we can change to the other victim machine and see which DNS server he has configured.

He already has the fake DNS server that we just ran; this means that any request made in this browser in the victim's process will be redirected to the malicious website. So he can ask, for example, for the Gmail website, and the fake DNS server redirects the victim into our malicious website. So if I change to the Meterpreter session, I have a second Meterpreter session right now; we have the Windows user and password for the victim, for Jason, right? And we are basically doing the same that we did before with Lisa. So it's important to know that this process can be automated to perform more file searches: Excel files with information on the infrastructure, VPN connections, password managers, etc. So as we can see, this computer apparently belongs to an external technician contracted to manage the IT area of the plant, and connects remotely to manage it, this including VPN, for example, for Berlin Power Generator, which is his company. We can also take a screenshot from the computer of the victim; also we can download the password manager and try to run a keylogger to extract the password for KeePass, right? Search and look at the sensitive files, and all this process can be also done with the user Lisa, right, the operator user.

So as a summary, in this stage, stage 1, we obtain the information and the sufficient means to access the infrastructure of the plant without the need to carry out other activities that could attract attention. Here ends stage one, where part of the information obtained will be useful to complete stage two. As the IT intrusion part is very similar to stage one, in stage two we will focus on the ICS devices. Continuing with the ICS cyber kill chain, this is the second stage: attack development and tuning. So in the development phase the attacking group tries to create a new offensive capability using the information of the previous stage, stage one. This is possible because the attackers have discovered documents with a list of devices, and in this case we can see a PLC from Schneider Electric using the Modbus protocol. First it's necessary to understand the protocol. Looking at it, this protocol is very simple; we are going into more details. The first seven bytes of the packet, the ones in red, correspond to fields of the header, continuing with one byte reserved to declare a function; this can be between 1 and 127, in hexadecimal notation. So the following table here shows some common Modbus functions, right? For example, this is a very common function, read device identification, and the function code is 43. As you can see, the request is very simple. This one, for example, is a valid request using function one; function one means read coils. If the request is valid, the response will keep the function field with the same value, so for example you can see here and here. But what happens when the request is not valid, for example contains an error? In this case the answer will return two bytes reserved for two types of exception: exception function code and exception code. The first, exception function code, is equal to the total sum of the value or number of the function used plus 80 in hexadecimal notation; since the function code is 1, the exception function code value is 81. And the second, exception code, is represented by a numerical value that will depend on the following flow: if a request can pass the first condition, the function is valid; in other words, if the exception code is different from one, the function is valid. Based on the error messages it is possible to determine the existence of the implemented function, and this is very useful for brute-force attacks. It should be considered that an enabled Modbus function is always a possible attack vector. With this knowledge it is possible to build a tool that can list implemented functions. This tool sends valid Modbus frames, always trying to force error messages, and lists all the possible functions, their attack vectors.

To continue our simulation, we, the attackers, will focus on functions 43, read device identification, and function 19, UMAS, both discovered with our new enumeration tool. What is function 43? In summary, if this function is implemented it will provide information about the device. Here are some first tests with the script using function 43, and we can see some information about the project, for example here, here and here. The other interesting function of the Schneider Electric device is UMAS; among the many functionalities available, at the moment we are interested in the following three: start, stop and read memory block. For the final attack we look for a request that can easily generate a stop on the target devices, for which in our controlled environment requests have been sent to our PLC using only function 19 but with random data; the intention is to generate a denial of service, or DoS. Finally it was possible to get a denial of service by sending two null bytes. A tool is developed for this attack; we call it Modbus Killer. The next step for stage 2 is validation. In the validation phase the aim is to certify the new capabilities or development in a controlled environment with specific hardware. All tests have been performed in a lab environment such as the one shown below. As it was possible to observe, the resulting denial of service stops all the functionalities of the PLC and also disconnects it from the network, forcing you to restart it physically. Successful exploitation of this vulnerability makes the device unresponsive, requiring a physical reset of the PLC. In the following demo a denial of service is evidenced with the Modbus Killer tool.

And the final phase is called ICS attack. This phase corresponds to the deployment of the new offensive capacity, the zero-day.

And this is the ICS cyber kill chain complete. And just in case, we already reported these vulnerabilities we discovered and they already have their security update; you can see some recommendations overview. So thank you very much for your attention, and please visit us in our ICS blog at dreamlab.net or in our GitHub repositories, Industrial Army; we have all the tools that we present in this talk in our GitHub repository. If you have any doubt or want more information about this topic you can contact us at LinkedIn. So thank you.
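The Modbus exception rule the talk explains (exception function code = function code + 0x80; an exception code other than 01 ILLEGAL FUNCTION means the function exists on the device) is easy to check in code. The following is an added example written for this page; it is not the speaker's Meliodas, enumeration or Modbus Killer tooling and not part of the talk. It decodes Modbus/TCP frames (MBAP header plus PDU), applies that rule to a response, and then takes the defender's view: for each client/device pair in a constructed capture it collects the function codes the device rejected with ILLEGAL FUNCTION, since many distinct rejected codes for one peer is exactly the trace that function-code enumeration leaves in traffic. The sample frames, addresses and threshold are constructed for the example.

```python
"""Modbus/TCP frame decoder with the exception rule from the talk.

Added example (not the speaker's code). Sample frames below are constructed.
"""
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EXCEPTION_BIT = 0x80  # exception function code = function code + 0x80

# Exception codes defined by the Modbus Application Protocol specification
EXCEPTION_CODES = {
    0x01: "ILLEGAL FUNCTION",
    0x02: "ILLEGAL DATA ADDRESS",
    0x03: "ILLEGAL DATA VALUE",
    0x04: "SERVER DEVICE FAILURE",
    0x05: "ACKNOWLEDGE",
    0x06: "SERVER DEVICE BUSY",
    0x08: "MEMORY PARITY ERROR",
    0x0A: "GATEWAY PATH UNAVAILABLE",
    0x0B: "GATEWAY TARGET DEVICE FAILED TO RESPOND",
}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int                   # function code with the exception bit cleared
    is_exception: bool
    exception_code: Optional[int]   # set only for exception responses
    data: bytes                     # PDU bytes after the function (and exception) code


def exception_function_code(function: int) -> int:
    """0x01 (read coils) -> 0x81, 0x2B (read device identification) -> 0xAB."""
    if not 1 <= function <= 127:
        raise ValueError("Modbus function codes are 1..127")
    return function + EXCEPTION_BIT


def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Decode the 7-byte MBAP header and the PDU that follows it."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"not Modbus: protocol id {protocol_id:#06x}")
    # The length field counts unit id + PDU, i.e. every byte after the first six
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(frame)}")
    fc = frame[7]
    if fc & EXCEPTION_BIT:
        if len(frame) < 9:
            raise ValueError("exception response is missing its exception code")
        return ModbusFrame(transaction_id, unit_id, fc & 0x7F, True, frame[8], frame[9:])
    return ModbusFrame(transaction_id, unit_id, fc, False, None, frame[8:])


def function_implemented(response: ModbusFrame) -> bool:
    """Rule from the talk: ILLEGAL FUNCTION (01) means the function is absent;
    a normal response or any other exception code means the device implements it."""
    if not response.is_exception:
        return True
    return response.exception_code != 0x01


Capture = Tuple[str, str, bytes]  # (device address, client address, raw response frame)


def rejected_functions_per_peer(captures: List[Capture]) -> Dict[Tuple[str, str], List[int]]:
    """For each device/client pair, the function codes answered with ILLEGAL FUNCTION."""
    rejected = defaultdict(set)
    for device, client, raw in captures:
        try:
            f = parse_modbus_tcp(raw)
        except ValueError:
            continue  # malformed or non-Modbus payload: not our concern here
        if f.is_exception and f.exception_code == 0x01:
            rejected[(device, client)].add(f.function)
    return {peer: sorted(codes) for peer, codes in rejected.items()}


def flag_probing(captures: List[Capture], threshold: int = 3) -> List[Tuple[str, str]]:
    """Peers for which the device rejected at least `threshold` distinct function codes."""
    return [peer for peer, codes in rejected_functions_per_peer(captures).items()
            if len(codes) >= threshold]


# Constructed sample traffic: device 10.0.0.5 answering two clients (hypothetical addresses)
SAMPLE: List[Capture] = [
    ("10.0.0.5", "10.0.0.9", bytes.fromhex("000100000004010101a5")),  # read coils, normal reply
    ("10.0.0.5", "10.0.0.9", bytes.fromhex("000200000003018102")),    # fc 1, ILLEGAL DATA ADDRESS
    ("10.0.0.5", "10.0.0.9", bytes.fromhex("000300000003018501")),    # fc 5 -> 0x85, ILLEGAL FUNCTION
    ("10.0.0.5", "10.0.0.9", bytes.fromhex("000400000003018801")),    # fc 8 -> 0x88, ILLEGAL FUNCTION
    ("10.0.0.5", "10.0.0.9", bytes.fromhex("00050000000301ab01")),    # fc 43 -> 0xAB, ILLEGAL FUNCTION
    ("10.0.0.5", "10.0.0.7", bytes.fromhex("00060000000301ab01")),    # a single rejection, other client
]

if __name__ == "__main__":
    for device, client, raw in SAMPLE:
        f = parse_modbus_tcp(raw)
        label = EXCEPTION_CODES.get(f.exception_code, "normal response")
        print(f"{device}->{client} fc={f.function:3d} {label:28s} implemented={function_implemented(f)}")
    print("probing suspected from:", flag_probing(SAMPLE))
```

The second exception response above (function 1, ILLEGAL DATA ADDRESS) is the case the talk singles out: the request failed, yet the exception code proves read coils is implemented. For monitoring, the count of distinct rejected function codes per peer is what matters; a legitimate HMI or SCADA poller uses a fixed, small set of functions and almost never triggers ILLEGAL FUNCTION at all.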