Stuxnet – Getting to the target
Liam O Murchu
Feb 2011
Operations Manager, Symantec Security Response
Agenda
1. Stuxnet Capabilities
2. Network Distribution Tactics
3. Intel & Targets
4. Sophistication & Success
5. Solutions & Lessons Learned
Stuxnet Features
• Discovery disclosed in July 2010
• Attacks industrial control systems, likely an Iranian uranium enrichment facility
• Modifies and hides code on Siemens PLCs connected to frequency converters
• Contains 7 methods to propagate, 4 zero-day exploits, 1 known exploit, 3 rootkits, 2 unauthorized certificates, 2 Siemens security issues, 1 target
• 3 versions: June 2009, March 2010, April 2010
Stuxnet - Sabotaging Industrial Control Systems
Stuxnet is targeted
Iranian Target
[Chart: Geographic Distribution of Infections. Y-axis: Unique IPs Contact C&C Server (%). Countries shown: Iran, Indonesia, India, Azerbaijan, Pakistan, Malaysia, USA, Uzbekistan, Russia, Great Britain, Others. Iran is the largest bar at 58.31%; the remaining bars read 17.83, 9.96, 5.15, 3.40, 1.40, 1.16, 0.89, 0.71, 0.61 and 0.57.]
PLCs
Programmable Logic Controller
• Monitors input and output lines
  – Sensors on inputs
  – Switches/equipment on outputs
  – Many different vendors
• Stuxnet seeks specific models
  – S7-300, S7-400
Stuxnet is targeted
Targeting a specific type of PLC
Searches for a specific configuration
Stuxnet & PLCs
Programming a PLC
Step7, STL and MC7
• Simatic or Step 7 software
  – Used to write code in STL or other languages
• STL code is compiled to MC7 byte code
• MC7 byte code is transferred to the PLC
• Control PC can now be disconnected
Stuxnet Infecting PLCs
Attack Preparation
[Diagram: Stuxnet creator, Control PC, PLC, Uranium enrichment facility]
Attack Considerations
[Diagram: Internet etc., Corporate LAN, Air Gap]
How Stuxnet Attacks Corporations
Stuxnet uses 7 different methods to propagate!
1. USB drives – zero day
2. Print Spooler vulnerability – zero day
3. MS08-067 vulnerability
4. Network shares
5. P2P sharing
6. WinCC hard-coded password
7. Step7 projects
[Diagram label: Control PC]
Self-Replication
Step 7 Project Files

Layout of an infected project, as shown on the slide:
MyProject.s7p
  ApiLog
    types
  hOmSave7
    S7HK40AX
      s7hkimdb.dll
    S7HK41AX
      s7hkimdb.dll
    …
  xutils
    links
      s7p00001.dbf (Stuxnet datafile)
    listen
      xr000000.mdx (encrypted Stuxnet)
      s7000001.mdx (Stuxnet config data file)
  …

types file layout:
+00 WORD   count
+02 BYTE[] records
Sample bytes shown on the slide: 14 14 00 00 00 00 00 00 00 00 00

s7hkimdb.dll
• %Step7%\S7BIN
• %SYSTEM32%
• %SYSTEM%
• %WINDIR%
• project's hOmSave7/* subdirectories
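As an added defender-side example (not code from the talk or from Symantec): a Python scan that walks an unpacked Step 7 project directory and flags files sitting at the locations the slide shows for an infected project. The sample tree is constructed in a temp directory, and case-insensitive directory matching is an assumption.

```python
import tempfile
from pathlib import Path

# Indicators as named on the slide: the directory each file must sit under
# inside the project, and what the slide says it is. Directory names are
# matched case-insensitively (assumption; the slide shows hOmSave7, xutils).
INDICATORS = {
    "s7hkimdb.dll": ("homsave7", "Step 7 DLL copy inside project hOmSave7 subdirectory"),
    "s7p00001.dbf": ("xutils", "Stuxnet datafile (xutils/links)"),
    "xr000000.mdx": ("xutils", "encrypted Stuxnet (xutils/listen)"),
    "s7000001.mdx": ("xutils", "Stuxnet config data file (xutils/listen)"),
}

def scan_project(project_dir):
    """Walk an unpacked .s7p project; return sorted (relative path, reason) findings."""
    root = Path(project_dir)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        parts = [p.lower() for p in rel.parts]
        name = parts[-1]
        if name in INDICATORS:
            required_dir, reason = INDICATORS[name]
            # Flag only when the file lives under the directory the slide pairs it
            # with, so a DLL in a normal install location is left alone.
            if required_dir in parts[:-1]:
                findings.append((rel.as_posix(), reason))
    return sorted(findings)

def build_sample_project():
    """Create a constructed project tree mirroring the slide's layout (placeholder files, no malware)."""
    root = Path(tempfile.mkdtemp(prefix="MyProject.s7p_"))
    files = [
        "ApiLog/types",                    # benign project metadata, not flagged
        "hOmSave7/S7HK40AX/s7hkimdb.dll",  # DLL copy planted inside the project
        "hOmSave7/S7HK41AX/s7hkimdb.dll",  # DLL copy planted inside the project
        "xutils/links/s7p00001.dbf",       # Stuxnet datafile
        "xutils/listen/xr000000.mdx",      # encrypted Stuxnet
        "xutils/listen/s7000001.mdx",      # Stuxnet config data file
        "S7BIN/s7hkimdb.dll",              # DLL outside hOmSave7, must not be flagged
    ]
    for rel in files:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"constructed placeholder content")
    return str(root)

if __name__ == "__main__":
    for rel, reason in scan_project(build_sample_project()):
        print(f"{rel}: {reason}")
```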
Stuxnet Windows Rootkit
Attack Execution
[Diagram: Internet etc., Corporate LAN, Air Gap]
1. Initial Delivery
2. Network Exploits
3. Reporting / Updates
4. Bridge Air Gap
5. Deliver Payload
Delivering the threat
• Stuxnet targeted specific companies in Iran
• Only 10 initial targets
• Resulting in over 14k infections
• Research was needed to identify valuable targets
• Companies connected to Uranium enrichment
• Hope to infect someone who would visit a Uranium enrichment facility
• Someone who worked on Uranium enrichment projects
• Actual delivery method is unknown
Limited Spread
• Attackers wanted limited spread
• No Internet-capable exploits used
• USB exploit only infects 3 machines
• USB exploit has deadline of 21 days
• All exploits have a deadline
• Large configuration file
• ~430 different settings
• Why did it spread so far?
[Chart: geographic distribution of infections, repeated from the "Stuxnet is targeted" slide]
Why did it spread so far?
• Zero-day .lnk vulnerability wildly successful
• Step7 project infection very successful
• Misunderstanding of how contractors interact
• Misunderstanding of how connected companies are
• Intended?
• Needed to be more aggressive to succeed?
Was Stuxnet Successful?
• We don’t know.
• 1 year in the wild undiscovered
• Over 100k infections
• Majority in Iran
• Natanz shut down
• Industrial companies infected
• Reports of infections at Natanz and Bushehr
• IAEA report states 1000 centrifuges offline in Nov 2009
Was Stuxnet Successful?
• We don’t know.
• Discovered 3 months after USB zero day added
• No report of centrifuges out of action since March
• Gained high media attention
• Analysis performed
• Iranian authorities aware
Sophistication
• First threat to target hardware
• Targets Uranium Enrichment
• Large amount of code
• Very configurable
• 4 zero days
• Long Reconnaissance phase
• Needed Hardware for testing
• Targets Win 95/98, Win2k, WinXP, Vista, Win7…
• 3 Rootkits
• PLC programming knowledge
Sophistication
• It was discovered
• No advanced encryption
• C&C infrastructure easily taken down
• Infection information stored
• Blue screens?? (unconfirmed)
• P2P not protected
• Escaped outside of Iran
New Version
• Not simple to create new version
• Cannot just drop in new zero days
• Target specific information required
• PLC programming knowledge
• Exploit knowledge
• Real danger is the idea
• Now people know it can be done
• People can start their own projects knowing it is possible
Solutions & lessons learned
• Insider threat is significant – employees are a major risk
• IP is extremely valuable, protect it at all costs
• Monitor systems and networks
• Watch for red flags
• Implement real air gaps
• Or accept this is not possible and protect computers inside the air gap more vigorously
• Whitelisting, behavior blocking and reputation-based solutions can mitigate the threat
• Device blocking – USBs, contractor laptops, etc.
• Vigilance is key
Response
• Need dedicated resources in place in advance that can switch focus to a new threat quickly
• Need engineers who are familiar with the latest developments in the threat landscape
• Need to respond quickly – critical infrastructure may be at risk
• Public-private partnership will be important
• Growing market
• We will see more of these types of threats in the future; need to prepare for that
Summary
• Stuxnet is the first publicly known malware to intend real-world damage
• Required resources at the level of a nation-state
• While as a whole extremely sophisticated, the technique to inject code into PLCs is not
• Enterprises should assume attackers know how these systems work
• Has changed our job at Symantec
• We expect to see more of these threats
White Paper Available
W32.Stuxnet Dossier
• Stuxnet technical details available here:
• http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Thank you!
Liam O Murchu - [email protected]

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.