SCADAhacker: SCADA/DCS Security from a Hacker's Perspective, by Joel Langill<br />
<br />
Posted February 5, 2016<br />
<span style="color: #999999;"><i>The following article has been republished with the permission of EnergyWire</i></span><br />
<span style="color: #999999;"><i>(original text available at http://www.eenews.net/energywire/stories/1060031555/)</i></span><br />
<br />
<span style="font-size: large;"><b>Experts compete to find Ukraine grid hack 'smoking gun'</b></span><br />
Blake Sobczak, E&E reporter<br />
Published: Monday, February 1, 2016<br />
<br />
A six-hour blackout in western Ukraine has continued to puzzle investigators weeks after the lights came back on.<br />
<br />
The Dec. 23 power outage in Ukraine's Ivano-Frankivsk region was minor by most standards, severing electricity to 80,000 households. Half a world away, windstorms were busy knocking out power to more than twice as many utility customers in northern Michigan.<br />
<br />
But Ukraine's outage that day resulted from a complex attack combining malware, a flood of telephone calls and, perhaps, a few unwitting accomplices in grid control centers.<br />
<br />
Ukrainian officials are dissecting the BlackEnergy strain of malware found to have infected energy, media and government organizations across the country. Authorities haven't yet offered a detailed account of Dec. 23's events, so security researchers have pieced together their own -- sometimes competing -- versions of what happened.<br />
<br />
"We are still missing data, or maybe the authorities didn't share all the data they had," said Udi Shamir, chief security officer of SentinelOne, which has published one of the more detailed analyses of a new BlackEnergy malware variant. "The amount of people who really know what's happened ... they're really outnumbered compared to the researchers, and nobody's going to talk about it -- not in the public, not for now."<br />
<br />
The million-dollar question for cybersecurity experts is: How did the attackers in Ukraine actually manage to cause the outage?<br />
<br />
As Sean McBride, lead analyst for critical infrastructure at cybersecurity firm iSIGHT Partners Inc., put it at a conference last month, "We've got the dead body and the bullet hole, but no gun."<br />
<br />
<b>Sniffers and phishers</b><br />
In its report last week, SentinelOne uncovered a "sniffer" module in BlackEnergy that shows attackers were interested in gathering login credentials and other pertinent information from industrial control systems. But researchers, including Shamir, largely agree that the BlackEnergy malware itself did not directly cause the outage. Questions also remain as to how BlackEnergy spread among power distributors in Ukraine, infecting enough machines to allow for a relatively far-ranging impact when attackers pulled the trigger.<br />
<br />
The initial entry point into victim companies, including Ukrainian electricity provider Prykarpattyaoblenergo, appears to have been a targeted "phishing" email with a malicious Word document attached.<br />
<br />
But Shamir said he isn't so sure employees were duped by a Microsoft Office document, suggesting instead that the unknown hackers may have had help on the inside from at least one of several utilities affected. That's because the attack vector used was more than a year and a half old, a relic from an earlier BlackEnergy campaign that also targeted energy systems in Ukraine.<br />
<br />
If the Microsoft Office vulnerabilities really hadn't been addressed in that time -- meaning an employee could have been legitimately fooled -- "I think the people in Ukraine need to raise some very hard questions to their [computer emergency response team], because it's very alarming," Shamir said.<br />
<br />
Analysts at Kaspersky Lab, who offered an <a href="https://securelist.com/blog/research/73440/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/" target="_blank">in-depth look</a> at the malicious Word document recovered from targeted computers, weren't surprised by the campaign's continued success.<br />
<br />
"In general, we are seeing the use of Word documents with macros becoming more popular in [advanced, persistent] attacks," said Costin Raiu, director of Kaspersky's global research and analysis team. "For instance, recently we observed the Turla APT group using documents with macros to launch a similar type of attack. This leads us to believe that many of these attacks are successful and that this is why their popularity is increasing."<br />
<br />
<b>Cyber confusion?</b><br />
Knowing how attackers probably got in, however, doesn't answer how they were able to shut off power, if at all. There's a huge difference between leveraging a compromised Word document to gain a foothold on a computer network, and then moving laterally along that network and reaching all the way into industrial controls, observers say.<br />
<br />
Robert M. Lee, one of the first researchers to cite evidence that the Ukrainian power outage involved a cyberattack, has said he's moderately confident that attackers used BlackEnergy as their entry point to more critical networks.<br />
<br />
What they did after that first step is less certain, however, according to multiple sources examining the evidence available from the attack. The hackers could have remotely hijacked the human-machine interfaces that offer windows to physical grid components, or they could have deployed some as-yet-undiscovered module for tripping breakers on the power grid. It's possible that the "smoking gun" researchers are looking for automatically destroyed itself after damaging the control systems.<br />
<br />
All of the experts contacted by EnergyWire shared their thoughts with the caveats that what triggered the outage is still unknown and that their theories are just that -- subject to change as new evidence emerges.<br />
<br />
Joel Langill, a specialist in control system cybersecurity and author of the SCADAhacker blog, said he thinks "malware could have been used to cause events that would have led to human decisions being made incorrectly."<br />
<br />
In other words, he said, BlackEnergy's presence, coupled with a denial of service attack on telephone networks used for reporting outages, created an atmosphere of "cyber confusion" that may have triggered the temporary blackouts.<br />
<br />
But even if malware didn't directly cause customers to lose power in Ukraine, Langill said utilities don't yet have reason to rest easy.<br />
<br />
"Maybe this was a trial run, to see a proof-of-concept -- whether or not it could happen," he said. "Until we really understand the sequence of the attack, people aren't really going to understand what to do, and that's where I get a little nervous."<br />
<br />
<b>'One plus one plus one'</b><br />
One of the best ways to recover from the new spate of BlackEnergy infections was published by the U.S. Industrial Control Systems Cyber Emergency Response Team in fall 2014.<br />
<br />
While no evidence has emerged to suggest U.S. utilities have fallen victim to new BlackEnergy attacks, the industry has taken the Ukraine case as an opportunity to re-emphasize good security practices for grid operators. ICS-CERT even dusted off its old notice to add new information from the Ukraine threat.<br />
<br />
"We are continuing to monitor what's going on there and look for those lessons learned," said Scott Aaronson, managing director for national security policy at the Edison Electric Institute, which represents investor-owned utilities in North America.<br />
<br />
Aaronson pointed out how "hard" it is for researchers to put together the disparate clues and say with certainty that a cyberattack took place.<br />
<br />
"What we know is that there was a power outage just before Christmas in Ukraine, there was a denial of service that happened in close relation to that, and malware was found on the Ukrainian utilities' systems," Aaronson said. "One plus one plus one does not necessarily equal three."<br />
<br />
Cyberattack or not, he said, "the fact is, the power went out and they had to respond -- and we would do the same thing here."<br />
<br />
<span style="color: #999999;"><b>ABOUT ENERGYWIRE – THE TRANSFORMATION OF THE ENERGY SECTOR</b></span><br />
<span style="color: #999999;">EnergyWire is written and produced by the staff of E&E Publishing, LLC. EnergyWire is designed to bring readers deep, broad and insightful coverage of the transformation of the energy sector. EnergyWire focuses on the business, environmental and political issues surrounding the rapidly expanding unconventional energy industry and the numerous factors -- from expanding natural gas use to renewables and more -- that are altering the traditional electric utility industry. EnergyWire publishes daily at 9:00 a.m.</span><br />
<br />
<span style="font-size: large;"><b>A unique opportunity to learn both ICS implementation and cyber security skills is now available!</b></span><br />
Posted January 16, 2015<br />
<br />
The interest in the intense, immersion 10-day program on ICS implementation and security has been
overwhelming. This course is not currently scheduled for public offerings. However ...
Joel Langill (founder of <b>SCADA<span style="color: red;">hacker</span></b>.com)
has joined forces with leading system integrator <a href="http://www.linandassociates.com/" target="_blank">Lin & Associates</a> of Phoenix, Arizona to offer
a unique opportunity to learn the basics of ICS configuration and operation in a public 3-day workshop
scheduled for March 3-5 (optional 1-day ICS workshops available on March 6). These four days provide both
lecture and hands-on modules, and give attendees an opportunity to get "up close and personal" with
the systems really used to control critical infrastructure. No virtual PLCs, Raspberry Pi, or "toy" SCADA equipment:
real ICS equipment used at the heart of the industrial automation and control industry.<br />
<br />
After enjoying a weekend in beautiful Phoenix, where you can visit landmarks like the Grand Canyon, Petrified
National Park, Sedona, Flagstaff and others, the 5-day advanced "Understanding, Assessing and Securing Industrial
Control Systems" course will be offered March 9-13.<br />
<br />
The need for this type of opportunity within the ICS security sector is critical to understanding the real-world
aspects of securing operational systems. To facilitate involvement, students who register for BOTH the 3-day workshop
and the 5-day security course will receive a SPECIAL DISCOUNT equal to the registration fee for the 3-day workshop.
In other words, the 3-day workshop is FREE when attending both. As a SPECIAL BONUS, anyone who registers for either the
DCS Configuration or HMI Scripting workshop will receive a $50 Amazon Gift Card. Nowhere else can you receive
nine days of training from leading industry experts for the price of $4,550!<br />
<br />
Special social events have been scheduled during the 3-day workshop, including an Open House and an Arizona Diamondbacks
baseball game!<br />
<br />
Additional information and registration details are provided on the Lin & Associates website by
<a href="http://h4ckr.us/LNAwksp" target="_blank">clicking here</a>. Space is limited
so make your registration early. The special discount expires February 20.<br />
<br />
This course will also introduce the recently published
<a href="http://h4ckr.us/INSbook" target="_blank">"Industrial Network Security"</a> book written by
Joel Langill and Eric Knapp, with all students receiving a copy.
<br />
<span style="font-size: large;"><b>Cyber Espionage Campaign Hits Energy Companies</b></span><br />
Posted July 10, 2014<br />
<br />
Over the past couple of weeks, cybersecurity vendors have announced the uncovering of a successful cyber espionage campaign carried out by the Dragonfly hacking group. In the most recent string of attacks, Dragonfly (also referred to by the name Energetic Bear) has targeted multiple US and European energy companies, successfully looting valuable process information in what appears to be the next step in the cyber warfare campaign against critical infrastructure organizations, after Stuxnet in 2010. Cybersecurity vendors have scrutinized the campaign and presented an analysis of the malware employed by Dragonfly to steal information from the infected computers.<br />
<br />
Yesterday, a short paper I co-authored with <a href="http://secmatters.com/" target="_blank">Security Matters</a> was released. This short paper revisits the main points of this investigation, including additional details on the specific components of the campaign that exploit industrial control systems. This paper also illustrates why the implementation of a defense-in-depth (DiD) strategy is key to successfully countering cyberthreats like Dragonfly. One of the key aspects of improved DiD involves improving situational awareness within industrial architectures. SilentDefense ICS is one key element in the overall process of gaining insight into your ICS architectures, allowing early detection and rapid mitigation of cyber threats.<br />
<br />
A complete copy of the paper is available by <a href="http://h4ckr.us/VX7IgW" target="_blank">clicking here</a>.<br />
<br />
I am currently actively engaged in research of the campaign and the malware employed. In the coming weeks, I will also be releasing another paper that will discuss in detail the overall campaign, how the various pieces of the attack are being deployed, and how they are being used against companies relating to industrial automation and control. Stay tuned to <a href="https://www.scadahacker.com/" target="_blank">SCADAhacker.com</a> and watch my <a href="https://www.twitter.com/SCADAhacker" target="_blank">Twitter</a> feed for additional release details.<br />
<br />
<span style="font-size: large;"><b>DragonFly/Havex Resource Page Now Available on SCADAhacker.com</b></span><br />
Posted July 1, 2014<br />
<br />
Today, I am happy to announce the launch of a <a href="http://scadahacker.com/resources/havex.html" target="_blank">new page</a> on SCADAhacker.com devoted to providing timely and relevant information relating to the Dragonfly/Havex campaign. Like resource pages developed in the past for Stuxnet and Duqu, this page will provide a one-stop location for key resources pertaining to industrial control systems as used in this campaign, including Technical Reports, White Papers, ICS-CERT Advisories and Alerts, Press Reports, and other pertinent information.<br />
<br />
The site will also include a dynamic Twitter feed tracking related posts utilizing hashtags #havex, #dragonfly, and #energeticbear.<br />
<br />
If there is anything that you find that could be of use to the general community, please feel free to share this by sending me an <a href="mailto:info@scadahacker.com?subject=Re%20Havex%20Resource%20Page" target="_blank">email</a>.<br />
<br />
<a href="http://scadahacker.com/resources/havex.html" target="_blank">Dragonfly/Havex Resource Page</a> on SCADAhacker.com<br />
<br />
<span style="font-size: large;"><b>Presentation for upcoming ICSJWG: "Can you hear me now? Standing up a Security Event Management System to improve Situational Awareness"</b></span><br />
Posted May 5, 2014<br />
<br />
I am honored to again be presenting at the Industrial Control System Joint Working Group (ICSJWG) meeting scheduled for June 3-5 in Indianapolis, Indiana. I will be participating in a panel discussion on Heartbleed and its impact on control systems, where I will share some of my research findings and my point of view based on ICS systems at large.
<br />
<br />
I will also have a session presentation entitled <b>"Can you hear me now? Standing up a SEM to improve Situational Awareness"</b>. This session is tentatively scheduled for Wednesday, June 4 at 1:00-2:00pm.
<br />
<br />
I am looking forward to seeing many of you.<br />
<br />
<i>Abstract:</i>
<br />
<br />
A great deal has been learned in the four years since Stuxnet was publicly discovered. Organizations are seeing the value of implementing advanced security technologies like application-aware industrial firewalls, unidirectional gateways, and application control. The problem is: how can you leverage these technologies not only to prevent a potential cyber event from occurring within your industrial environment, but also to be notified when such an attempt has occurred, so that you can adjust your defensive strategies, improve attribution efficiency, and understand which assets in your industrial network the threats are targeting?
<br />
<br />
Many vendors provide basic reporting applications, while others may do nothing, as they feel their devices are designed to provide "preventative" measures and fail to consider the value of "detective" controls as well. The only way site support personnel and system administrators can effectively manage this significant amount of raw "data" is through the creation of informative security dashboards that aid in the consolidation, visualization, and analysis that turns it into useful "information".
<br />
<br />
This session looks at the creation of a security event management solution and an ICS Security Dashboard, showing how data from heterogeneous suppliers is aggregated, extracted, transformed and visualized, including a live demonstration of the proposed solution set. Everything shown in the solution is based on proven technologies that can be deployed at little or no cost.
<br />
<span style="font-size: large;"><b>Why "Heartbleed" will only require a Band-Aid in most ICS installations</b></span><br />
Posted April 17, 2014<br />
<div class="title">
<i>(This article was originally posted on <a href="http://www.isssource.com/heartbleed-an-ics-irritation-not-disaster/" target="_blank">ISSSource</a> on April 16, 2014 by Gregory Hale with contributions from Joel Langill)</i><br />
</div><br />
Heartbleed may need a band aid to fix various small wounds in the
industrial control environment, but it surely does not need open heart
surgery.<br />
<br />
Heartbleed is a vulnerability in OpenSSL versions 1.0.1 through
1.0.1f: a flaw in the implementation of the transport layer
security/datagram transport layer security (TLS/DTLS) heartbeat
functionality that could disclose private/encrypted information to an
attacker.<br />
<br />
The Heartbleed issue, labeled CVE-2014-0160, could allow attackers to
read process memory of running OpenSSL processes. This could reveal
secrets, like transmitted data, passwords or private keys.<br />
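The heartbeat bounds check behind CVE-2014-0160, as an added, self-contained model that is not code from OpenSSL or from this article: the message layout follows RFC 6520 and the TLS record header follows RFC 5246, while the constructed records and the function names are assumptions of this example. It goes a step beyond the text by pairing the server-side check (the fix) with the same comparison applied as a network inspection verdict, which only works on heartbeat records that arrive in plaintext.<br />

```python
"""Constructed model of the TLS heartbeat bounds check behind CVE-2014-0160.

Not OpenSSL code: a small parser that follows the RFC 6520 heartbeat layout
and the TLS record header (RFC 5246) to show (a) the length check missing
from OpenSSL 1.0.1 through 1.0.1f and (b) how the same check lets a
network sensor flag a malformed heartbeat record on the wire.
"""
import struct
from typing import Optional, Tuple

TLS_HEARTBEAT = 24          # ContentType for heartbeat records (RFC 6520)
TLS_VERSION_1_2 = 0x0303
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 1 + 2          # HeartbeatMessageType (1) + payload_length (2)
MIN_PADDING = 16            # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat_record(hb_type: int, declared_len: int, payload: bytes) -> bytes:
    """Wrap a heartbeat message in a plaintext TLS record (constructed input).

    declared_len is passed separately from the real payload so a caller can
    construct the one case that matters here: a length field that claims
    more bytes than the message actually carries.
    """
    body = struct.pack("!BH", hb_type, declared_len) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, TLS_VERSION_1_2, len(body)) + body


def split_record(record: bytes) -> Tuple[int, bytes]:
    """Return (content_type, body) of one TLS record, rejecting truncation."""
    if len(record) < 5:
        raise ValueError("short TLS record header")
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated TLS record")
    return content_type, body


def heartbeat_length_ok(body: bytes) -> bool:
    """The bounds check that the fixed OpenSSL release added.

    payload_length is supplied by the peer. The vulnerable code copied that
    many bytes into the response without confirming they existed inside the
    received record, so the copy continued into adjacent process memory.
    The fix: header + payload_length + minimum padding must fit in the body.
    """
    if len(body) < HEADER_LEN:
        return False
    _hb_type, payload_len = struct.unpack("!BH", body[:HEADER_LEN])
    return HEADER_LEN + payload_len + MIN_PADDING <= len(body)


def respond_to_heartbeat(record: bytes) -> Optional[bytes]:
    """Hardened server side: echo the payload only when the length field fits.

    RFC 6520 says a malformed heartbeat message is discarded silently, so
    None is returned instead of any response (and instead of extra bytes).
    """
    content_type, body = split_record(record)
    if content_type != TLS_HEARTBEAT or not heartbeat_length_ok(body):
        return None
    hb_type, payload_len = struct.unpack("!BH", body[:HEADER_LEN])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    payload = body[HEADER_LEN:HEADER_LEN + payload_len]
    return build_heartbeat_record(HEARTBEAT_RESPONSE, payload_len, payload)


def inspect_heartbeat(record: bytes) -> str:
    """Sensor-side verdict on one plaintext record: a heartbeat whose
    payload_length exceeds what the record carries is flagged."""
    try:
        content_type, body = split_record(record)
    except ValueError:
        return "malformed"
    if content_type != TLS_HEARTBEAT:
        return "not-heartbeat"
    return "ok" if heartbeat_length_ok(body) else "oversized-length-field"


if __name__ == "__main__":
    benign = build_heartbeat_record(HEARTBEAT_REQUEST, 4, b"ping")
    oversized = build_heartbeat_record(HEARTBEAT_REQUEST, 0xFFFF, b"ping")
    print(inspect_heartbeat(benign), inspect_heartbeat(oversized))
    print(respond_to_heartbeat(oversized))
```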
<br />
“We all know the importance of protecting information ‘privacy’ or
‘confidentiality’ through the use of encryption,” said Joel Langill,
founder of Infrastructure Defense Security Services. “In general, this
problem represents moderate risk to ICS, but can be managed, as I would
not expect a large number of devices to possess this vulnerability. The
devices that I am most concerned about would be security devices like
firewalls and VPN switches used at the perimeter that typically
communicate over public networks, and utilize SSL/TLS as one form of
encryption.”<br />
<br />
Encryption in and of itself is generally a good thing when it comes
to securing communications, but in this case it opens the end user up to
an attack.<br />
<br />
“One very common means of performing this encryption over networks is
based on the Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
mechanism,” he said. “This mechanism is used in everything from web
access, to email, some VPNs, and even communication with ICS
components.”<br />
<br />
“The basis of this encryption is the use of cryptographic keys, which
in the case of servers using OpenSSL that are vulnerable (Heartbleed is
a vulnerability in the OpenSSL crypto library) could allow an actor to
extract these keys, as well as the usernames and passwords used to
create the secure connection and the data exchanged in the encrypted
session from the memory of the vulnerable server,” he said.<br />
<br />
That is the bad news and the possible attack, but the good news is
OpenSSL is not a part of Microsoft’s core framework (Internet
Information Services, Exchange).<br />
<br />
“Microsoft does not implement OpenSSL in their platforms, so the
largest majority of ICS hosts that reside in level 2 and level 3
applications are not vulnerable,” Langill said. “This would include
typical ICS servers, application servers, historians, ancillary
applications (asset management, condition monitoring, etc.). The area of
concern within the ICS environment is now strictly focused on (a)
embedded devices that are not based on a Windows OS — this means not
only the obvious WinXP, Win7, 2003, 2008, etc. but also WinCE, XP
Embedded, etc., (b) provides SSL/TLS encryption typically in the form of
an HTTPS session, and (c) is enabled under normal circumstances.”<br />
<br />
With security awareness continuing its growth curve in the industry,
this could allow for a more enlightened conversation between users and
suppliers.<br />
<br />
“We all expect that the major vendors will follow Siemens' lead and
provide a statement as to the fact that they have investigated their
products and that they are or are not vulnerable,” Langill said.<br />
<br />
<b>Additional Resources</b><br />
<a href="https://www.scadahacker.com/" target="_blank">Heartbleed Dashboard - SCADAhacker.com</a><br />
<a href="http://www.isssource.com/tag/heartbleed/" target="_blank">ISSSource - tag "Heartbleed"</a><br />
IDS Signatures for SNORT/Suricata (<a href="https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-099-01B" target="_blank">ICS-CERT</a> | <a href="http://ics-cert.us-cert.gov/sites/default/files/documents/FBI%20Private%20Industry%20Notification-140410-001.pdf" target="_blank">FBI</a>)<br />
<a href="http://heartbleed.com/" target="_blank">The Heartbleed Bug</a><br />
<a href="https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-099-01B" target="_blank">ICS-CERT</a><br />
<br />
<span style="font-size: large;"><b>Recent development of ICS exploits continues upward trend of security research</b></span><br />
Posted March 18, 2014<br />
<br />
In performing my daily rounds on news feeds and websites, I noticed a
lot of recent developments in open-source exploit modules targeting
industrial control systems. One very important part of a well-rounded
ICS Security Management System (IACS-SMS per <a href="http://isa99.isa.org/ISA99%20Wiki/WP_List.aspx" target="_blank">ISA 62443</a>
terminology) is situational awareness of the actual risks facing
industrial systems in terms of both vulnerabilities disclosed and the
ease in converting these proof-of-concept (PoC) disclosures into
workable exploit modules.<br />
<br />
The vision of SCADAhacker.com
is to assemble in a single location details relating to disclosures and
exploits - as was demonstrated initially by my reference page
(http://scadahacker.com/vulndb/ics-vuln-ref-list.html). This page became
an overwhelming task to keep current - but rest assured it is still on
the plate to update and maintain!<br />
<br />
I wanted to provide a
quick update of some recent developments in terms of disclosures,
advisories and availability of useable exploit modules for some recent
ICS systems. The vulnerability details are obtained via the Open-Source
Vulnerability Database (OSVDB) project, exploit source code via
Exploit-DB, and advisories published by ICS-CERT.<br />
<br />
<b>ABB MicroSCADA</b><br />
<a href="http://osvdb.org/show/osvdb/100324" rel="nofollow" target="_blank">Vuln Details</a><br />
<a href="http://www.exploit-db.com/exploits/30009/" target="_blank">Exploit Module</a> - published Dec. 3, 2013 (disclosure Apr. 5, 2013)<br />
MSF Reference - <a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/scada/abb_wserver_exec.rb" target="_blank">windows/scada/abb_wserver_exec.rb</a><br />
ICS-CERT (none published)<br />
<a href="http://www05.abb.com/global/scot/scot229.nsf/veritydisplay/41ccfa8ccd0431e6c1257c1200395574/$file/ABB_SoftwareVulnerabilityHandlingAdvisory_ABB-VU-PSAC-1MRS235805.pdf" target="_blank">Vendor Advisory</a><br />
<br />
<b>General Electric Proficy CIMPLICITY</b><br />
Vuln Details (none available)<br />
<a href="http://www.exploit-db.com/exploits/31987/" target="_blank">Exploit Module</a> - published Feb. 28, 2014 (disclosure Jan. 23, 2014)<br />
MSF Reference - <a href="https://github.com/rapid7/metasploit-framework/blob/308267da142d7a95ff994b48073841d4f7dda874/modules/exploits/windows/scada/ge_proficy_cimplicity_gefebt.rb" target="_blank">windows/scada/ge_proficy_cimplicity_gefebt.rb</a><br />
<a href="http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01" target="_blank">ICS-CERT</a><br />
Vendor Advisory (<a href="http://support.ge-ip.com/support/resources/sites/GE_FANUC_SUPPORT/content/live/KB/15000/KB15939/en_US/GEIP13-05%20Security%20Advisory%20-%20Proficy%20CIMPLICITY%20gefebt%20Remote%20Code%20Exec.pdf" target="_blank">adv1</a>, <a href="http://support.ge-ip.com/support/resources/sites/GE_FANUC_SUPPORT/content/staging/KB/15000/KB15940/en_US/2.0/GEIP13-06%20Security%20Advisory%20-%20Proficy%20CIMPLICITY%20WebView%20Remote%20Code%20Exec.pdf" target="_blank">adv2</a>)<br />
<br />
<b>WellinTech KingSCADA</b><br />
<a href="http://osvdb.org/show/osvdb/102135" target="_blank">Vuln Details</a><br />
<a href="http://www.exploit-db.com/exploits/31575/" target="_blank">Exploit Module</a> - published Feb. 11, 2014 (disclosure Jan. 14, 2014)<br />
MSF Reference - <a href="https://github.com/rapid7/metasploit-framework/blob/0709aac3c5276d4099f3780d0129c64ded60d50b/modules/exploits/windows/browser/wellintech_kingscada_kxclientdownload.rb" target="_blank">windows/browser/wellintech_kingscada_kxclientdownload.rb</a><br />
<a href="http://ics-cert.us-cert.gov/advisories/ICSA-13-344-01" target="_blank">ICS-CERT</a><br />
Vendor Advisory (none published)<br />
<br />
<b>Yokogawa Centum CS</b><br />
Vuln Details (<a href="http://osvdb.org/show/osvdb/104431" target="_blank">v1</a>, <a href="http://osvdb.org/show/osvdb/104429" target="_blank">v2</a>)<br />
Exploit Modules (<a href="http://www.exploit-db.com/exploits/32209/" target="_blank">e1</a>, <a href="http://www.exploit-db.com/exploits/32210" target="_blank">e2</a>) - published Mar. 12, 2013 (disclosure Mar. 10, 2014)<br />
MSF References -<br />
<a href="https://github.com/rapid7/metasploit-framework/blob/368df03ae1de097059d9c0bc8292ac71eef6d8ad/modules/exploits/windows/scada/yokogawa_bkhodeq_bof.rb" target="_blank" title="modules/exploits/windows/scada/yokogawa_bkhodeq_bof.rb">windows/scada/yokogawa_bkhodeq_bof.rb</a><br />
<a href="https://github.com/rapid7/metasploit-framework/blob/368df03ae1de097059d9c0bc8292ac71eef6d8ad/modules/exploits/windows/scada/yokogawa_bkbcopyd_bof.rb" target="_blank" title="modules/exploits/windows/scada/yokogawa_bkbcopyd_bof.rb">windows/scada/yokogawa_bkbcopyd_bof.rb</a><br />
<a href="https://github.com/rapid7/metasploit-framework/blob/368df03ae1de097059d9c0bc8292ac71eef6d8ad/modules/auxiliary/dos/scada/yokogawa_logsvr.rb" target="_blank" title="modules/auxiliary/dos/scada/yokogawa_logsvr.rb">dos/scada/yokogawa_logsvr.rb</a><br />
<a href="http://ics-cert.us-cert.gov/advisories/ICSA-14-070-01" target="_blank">ICS-CERT</a> / <a href="http://jvn.jp/vu/JVNVU98181377/index.html" target="_blank">JP-CERT</a><br />
<a href="http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf" target="_blank">Vendor Advisory</a><br />
<br />
Of
particular interest to me is the Yokogawa Centum CS activity. This
represents a significant shift in ICS research from SCADA to
traditionally more robust DCS platforms. Rapid 7 published a very
interesting <a href="https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities" target="_blank">blog</a>
on this activity, with some very detailed information regarding the
exploit. It is important to understand that the Centum CS3000 product is at
end-of-life. Since it is based on Windows XP (migration to Centum
VP required to support Windows 7), users of this ICS platform will face
numerous challenges as Microsoft withdraws support in April 2014. Centum CS3000 R3 was first released in 1998 with Release 3.09 available February 2010. Yokogawa claims to have sold over 7,600 systems worldwide that likely have installations in most process and manufacturing sectors.<br />
<br />
These vulnerabilities target what is
called the "Test Function" on the Centum system. This is an offline
simulation environment that allows you to test and validate your
configuration prior to downloading to an actual production controller or
"Field Control Station". There are numerous risk factors associated with running the Test Function on a production system, and for this reason, installations typically have this feature enabled on off-line engineering development systems.<br />
<br />
I <a href="http://ics-cert.us-cert.gov/advisories/ICSA-13-053-01" target="_blank">published a vulnerability</a>
within the Emerson DeltaV M- and S-Series controllers in March 2013,
which was unique as it was one of the first vulnerabilities targeting a
DCS controller. There had been numerous vulnerabilities disclosed for
SCADA devices like PLCs, but none focused on the DCS product sector
which, in my opinion, comprises the primary ICS systems deployed at the core
of all critical process industries.<br />
<br />
Feel free to comment or drop me a note if you have any additional information you would like to share.<br />
<br />
<span style="font-size: large;"><b>Gleg releases Ver 1.31 of the SCADA+ Exploit Pack for Immunity Canvas</b></span><br />
Posted January 22, 2014<br />
<br />
Gleg
announced last week (January 16) the release of version 1.31 of the SCADA+
Exploit Pack for the Immunity Canvas framework.<br />
<br />
A summary of recent releases includes:<br />
<ul>
<li>Version 1.30 was released on December 13, 2013</li>
<li>Version 1.29 was released on November 22, 2013</li>
<li>Version 1.28 was released on October 7, 2013 </li>
<li>Version 1.27 was released on September 6, 2013</li>
<li>Version 1.26 was released on August 14, 2013</li>
<li>Version 1.25 was released on July 5, 2013</li>
<li>Version 1.24 was released on May 14, 2013</li>
<li>Version 1.23 was released on April 22, 2013</li>
<li>Version 1.22 was released on February 27, 2013</li>
<li>Version 1.21 was released on February 7, 2013</li>
<li>Version 1.20 was released on December 21, 2012</li>
<li>Version 1.19 was released on November 8, 2012</li>
</ul>
<a name='more'></a>SCADA+ 1.31 includes 2 new DoS 0-days targeting Eaton and Inductive Automation!<br />
<br />
SCADA+ 1.31 modules include:<br />
<ul>
<li>ABB MicroSCADA - Remote Code Execution [public exploit] </li>
<li>Eaton Network Shutdown Module - DoS [0-day]</li>
<li>Eaton Network Shutdown Module - Remote Code Execution with Credential Stealing [public]</li>
<li>Inductive Automation Ignition! Gateway OPC-UA Server - DoS [0-day]</li>
</ul>
<div>
<div class="p1">
The MicroSCADA vulnerability was initially reported to ABB by <a href="http://www.zerodayinitiative.com/advisories/ZDI-13-268/" target="_blank">ZeroDayInitiative</a> with an <a href="http://www02.abb.com/global/scot/scot229.nsf/veritydisplay/41ccfa8ccd0431e6c1257c1200395574/$file/ABB_SoftwareVulnerabilityHandlingAdvisory_ABB-VU-PSAC-1MRS235805.pdf" target="_blank">official release</a> by ABB in April 2013. Public disclosure occurred in November 2013 through standard channels (<a href="http://www.securityfocus.com/bid/63901/" target="_blank">Security Focus</a>, <a href="http://packetstormsecurity.com/files/124228/ABB-MicroSCADA-wserver.exe-Remote-Code-Execution.html" target="_blank">Packet Storm</a>, <a href="http://secunia.com/advisories/55845/" target="_blank">Secunia</a>, etc.) with public exploit modules available for the <a href="http://www.rapid7.com/db/modules/exploit/windows/scada/abb_wserver_exec" target="_blank">Metasploit</a> framework. Details for this vulnerability do NOT appear to have been communicated via ICS-CERT (probably because they were too busy working all those DNP3 advisories!). Complete details with additional links are available via <a href="http://osvdb.org/show/osvdb/100324" target="_blank">OSVDB ID 100324</a>.<br />
<br />
There is little information available regarding the Eaton DoS 0-day (if you find anything, please share). The Remote Code Execution vulnerability was publicly disclosed in June 2012, with public exploit code available for <a href="http://www.rapid7.com/db/modules/exploit/multi/http/eaton_nsm_code_exec" target="_blank">Metasploit</a> and an alternative Python script available at <a href="http://packetstormsecurity.com/files/124320/Eaton-Network-Shutdown-Module-3.21-PHP-Code-Injection.html" target="_blank">Packet Storm</a>. Disclosure with PoC occurred through many of the standard channels (<a href="http://www.exploit-db.com/exploits/23006" target="_blank">Exploit-DB</a>, <a href="http://secunia.com/advisories/49103/" target="_blank">Secunia</a>, <a href="http://www.securityfocus.com/bid/54161" target="_blank">Security Focus</a>, and <a href="http://packetstormsecurity.com/files/124320/Eaton-Network-Shutdown-Module-3.21-PHP-Code-Injection.html" target="_blank">Packet Storm</a>), with OSVDB logging this under three IDs: <a href="http://osvdb.org/show/osvdb/83199" target="_blank">83199</a>, <a href="http://osvdb.org/show/osvdb/83200" target="_blank">83200</a>, and <a href="http://osvdb.org/show/osvdb/83201" target="_blank">83201</a>. It should be noted that these vulnerabilities have NOT been tagged as SCADA related by OSVDB, as they are general IT products. Neither of the Eaton vulnerabilities appears to have made its way through the ICS-CERT communication channels either. <br />
<br />
The vulnerability and exploit for Inductive Automation's Ignition! server do not appear to be logged or recorded by anyone, so this could represent <span style="color: red;"><b>increased risk</b></span> to those users who have deployed this particular ICS software. If anyone finds anything, please share details.<br />
<br />
What is most disturbing about these disclosures is the mysterious absence of ICS-CERT in this process. I was under the impression that they were taking the lead role in terms of information sharing and disclosure. This does not appear to be the case, as several of these vulnerabilities were available via separate mechanisms in early 2013! I guess that is more incentive for me to create a threat intelligence page for the SCADAhacker.com website, in order to consolidate and present information such as this in a timely manner. The site has recently been updated to include more "active" and "dynamic" content - check it out if you have a chance.<br />
<br />
Information on the Gleg SCADA+ Exploit Pack can be found <a href="http://gleg.net/agora_scada.shtml" target="_blank">here</a>, as well as information on Immunity's CANVAS <a href="http://www.immunityinc.com/products-gleg-scada.shtml" target="_blank">here</a>.</div>
</div>
<br />
As always, please post your comments or suggestions to improve the usefulness of this information.<br />
<br />
Joel Langill<br />
<br />
<span style="font-size: large;"><b>"Stop the Madness!!!" - Mr. Wonderful, Shark Tank</b></span><br />
Published: November 8, 2013<br />
<br />
<div class="p1">
For those that attended, it was a great week in Rockville at the recent ICSJWG Fall Meeting. I was very much hoping that so many of these "alarmists" who continue to "cry wolf" about these DNP3 vulnerabilities would attend so that we could once and for all resolve some of the issues around how this is being communicated to the broader ICS security community. Unfortunately, none seemed to show their faces, except for Adam Crain, who provided me the opportunity to have a very detailed discussion around these vulnerabilities (unfortunately, the contents of these discussions will remain private).</div>
<div class="p2">
<br /></div>
<div class="p1">
What continues to be disappointing when reading these articles is the complete omission of how these vulnerabilities are seen in actual deployed, commissioned systems. If you look at the DHS ICS-CERT summary advisory <a href="http://ics-cert.us-cert.gov/advisories/ICSA-13-291-01" target="_blank">ICSA-13-291-01</a>, you will note that there are in fact 8 systems identified to date (I expect many more to come). However, of those listed with details publicly available, only the Alstom e-Terracontrol and Schweitzer RTAC act not only as the DNP3 Master (responsible primarily for data communication) but can also function as a form of SCADA Master (combining not just data comms, but visualization, historization, and applications) - in more graphical terms, the difference between "A master" and "THE master". This means that if you can compromise the DNP3 Master, you will most likely impact the overall SCADA Master Server as well. The other identified systems are acting more like "gateways" within the overall ICS architecture.</div>
<div class="p2">
<br /></div>
<div class="p1">
So ... what exactly does this mean?</div>
<div class="p2">
<br /></div>
<div class="p1">
To start, Security 101 teaches you that if someone gains physical access to a remote site (DNP3 outstation or substation in this case), you have to concede that it is compromised and there is in fact very little you can do other than respond and remediate these threats via "physical" means - a baseball bat works great in these situations! This location is pwned - game over! The security objective is now to prevent this initial compromise from affecting either the Central Site (such as a central control facility) or a peer site (such as another substation). In the case of the Alstom system vulnerability, we did in fact have a serious risk in that the substation could provide the means to initiate a successful remote attack against the Central Site. </div>
<div class="p2">
<br /></div>
<div class="p1">
However, the misrepresentation that surfaces in so many of these documents is that many of these systems identified as vulnerable were in fact acting as an application gateway that takes the vulnerable nature of DNP3 and converts this to OPC-DA RPC communications (which, if you don't know, already possess secure authentication mechanisms). What this means is that if you are in fact successful in remotely launching the attack against the OPC Server which is also acting as the DNP3 Master Station, you have done nothing more than DoS/DoV/DoC the remote site which has already been compromised. In other words, the DNP3 vulnerability does not add any additional risk to the situation!</div>
<div class="p2">
<br /></div>
<div class="p1">
I submitted a diagram to many of those that like to argue this, and as expected, no one was willing to talk about the problem against a real architecture! In this case, your system has performed its security function and your corrective action is more in line with physical security improvement than cyber security ones.</div>
<div class="p2">
<br /></div>
<div class="p1">
What is probably most disturbing about all of this is that the mere deployment of the DNP-OPC application gateways is in fact a security countermeasure in itself, because it is performing its main job in protecting the SCADA Master from compromise due to physical attacks against the DNP3 Master. So, unless these guys have figured out how to remotely take DNP3 commands and "pivot" through the host and spawn malicious RPC commands (against an authenticated protocol), we have effectively stopped the attack (good thing is that OPC-UA will make this even harder!). Again, these "alarmists" will argue that the OPC Server is being used to aggregate multiple DNP3 outstations. Poor engineering design needs to be addressed through other security measures. This is no different than someone implementing non-redundant components in a high-availability architecture, and shows that the original system designer (which could in fact be some of these "alarmists") failed to perform the necessary FMEA on the design architecture before commissioning! Something those of us who design against functional safety standards like IEC-61511 are very familiar with.</div>
<div class="p2">
<br /></div>
<div class="p1">
In closing, I have to tell a story. I found a very significant and similar <a href="http://ics-cert.us-cert.gov/advisories/ICSA-13-053-01" target="_blank">vulnerability in one of the world's leading DCS controllers</a> recently that would allow me to completely shut down all controllers on a given controller network provided I had PHYSICAL ACCESS to the controller network to initiate the attack. From a plant perspective, this could mean taking down a refinery's catalytic cracking unit or a power plant's boilers (very common applications for this device). I didn't cry wolf and say that nn% of this country's refined products were now at risk because of this vulnerability, because (a) the mere disclosure of this number is both irresponsible and probably inaccurate, and (b) it would not reflect the reality of how these devices are actually deployed.</div>
<div class="p2">
<br /></div>
<div class="p1">
I am very impressed with Adam and his work, and look forward to seeing great things from him in the future. I know that he is not to blame for this misrepresentation of data. I am only hoping that all of those who read this blog and are new to the ICS world realize the distinction between component vulnerabilities and system vulnerabilities. Sad that my course is still the only one that really focuses on identifying and mitigating system vulnerabilities. </div>
<div class="p2">
<br /></div>
<div class="p1">
Mike Ahmadi and Billy Rios blew the crowd away (myself included!) yesterday with their talk about a project that evaluated medical devices in a deployed system environment. Everyone was energized and hopeful that this approach may soon become more common in industrial manufacturing environments. Until then, I can only continue to teach the importance of taking a given vulnerability and its Base CVSS score, and consider the Environmental and Temporal factors that reflect the net risk of a given vulnerability to your organization AS DEPLOYED.</div>
<div class="p2">
<br /></div>
<br />
<div class="p1">
Stay safe and secure ....</div>
Joel Langill<br />
<br />
<span style="font-size: large;"><b>Gleg releases Ver 1.28 of the SCADA+ Exploit Pack for Immunity Canvas</b></span><br />
Published: October 8, 2013<br />
<br />
Wow ... they are really providing a steady stream of updates as Gleg announced today (October 8) the release of version 1.28 of the SCADA+ Exploit Pack for the Immunity Canvas framework.<br />
<br />
A summary of recent releases includes:<br />
<ul>
<li>Version 1.27 was released on September 6, 2013</li>
<li>Version 1.26 was released on August 14, 2013</li>
<li>Version 1.25 was released on July 5, 2013</li>
<li>Version 1.24 was released on May 14, 2013</li>
<li>Version 1.23 was released on April 22, 2013</li>
<li>Version 1.22 was released on February 27, 2013</li>
<li>Version 1.21 was released on February 7, 2013</li>
<li>Version 1.20 was released on December 21, 2012</li>
<li>Version 1.19 was released on November 8, 2012</li>
</ul>
SCADA+ 1.28 includes 3 new 0-days targeting a couple of new ICS "victims" including Moore Industries and Eaton, along with our long-time friend Siemens!<br />
<br />
SCADA+ 1.28 modules include:<br />
<ul>
<li>Moore Industries NCS (NET Concentrator System) Configuration DoS [0-day]</li>
<li>Eaton HMi VU Remote DoS [0-day]</li>
<li>Siemens WinCC TIA Portal miniweb.exe Remote DoS [0-day]</li>
<li>Galil RIO-47000 DoS</li>
</ul>
<div>
<div class="p1">
This is an interesting release, as neither the <b>Eaton</b> nor <b>Moore Industries</b> vulnerabilities appear to have been identified by ICS-CERT (maybe it is because of the hiatus!). Information on the versatile Moore NCS product is available on <a href="http://www.youtube.com/watch?v=DxjjfgA3aho" target="_blank">YouTube</a>. There are several PDF documents available (links not included here) on the Eaton HMi VU for reference. These could be interesting exploits, as there appears to be little documented on this vuln from the typical sources. </div>
<div class="p1">
<br /></div>
<div class="p1">
The Galil vulnerability is discussed in ICS-CERT Advisory <a href="http://ics-cert.us-cert.gov/advisories/ICSA-13-116-01" target="_blank">ICSA-13-116-01</a>, originally disclosed by Jon Christmas of Solera Networks and published on April 26, 2013. Some interesting information on the RIO-47xxx can be found <a href="http://www.galilmc.com/products/rio-47xxx.php" target="_blank">here</a>.</div>
<div class="p1">
<br /></div>
<div class="p1">
It is difficult to tell whether or not the Siemens WinCC vulnerability has been previously identified and documented by ICS-CERT, since there are multiple entries in 2012 and 2013 relating to the TIA Portal web services. </div>
<div class="p1">
<br /></div>
Additional details and references can be found for the exploit modules included in the SCADA+ pack:</div>
<div>
<ul>
<li><span style="background-color: white;">Galil RIO-47000 DoS<br />(<a href="http://ics-cert.us-cert.gov/advisories/ICSA-13-116-01" target="_blank">ICS-CERT</a> / <a href="http://packetstormsecurity.com/files/122564/Galil-RIO-Modbus-Denial-Of-Service.html" target="_blank">PacketStorm</a> )</span></li>
</ul>
</div>
<div>
Information on the Gleg SCADA+ Exploit Pack can be found <a href="http://gleg.net/agora_scada.shtml" target="_blank">here</a>, as well as information on Immunity's CANVAS <a href="http://www.immunityinc.com/products-gleg-scada.shtml" target="_blank">here</a>.</div>
<br />
As always, please post your comments or suggestions to improve the usefulness of this information.<br />
<br />
Joel Langill<br />
<br />
<span style="font-size: large;"><b>Gleg releases Ver 1.27 of the SCADA+ Exploit Pack for Immunity Canvas</b></span><br />
Published: September 17, 2013<br />
<br />
Like clockwork, Gleg announced on September 6 the release of version 1.27 of the SCADA+ Exploit Pack for the Immunity Canvas framework.<br />
<br />
A summary of recent releases includes:<br />
<ul>
<li>Version 1.26 was released on August 14, 2013</li>
<li>Version 1.25 was released on July 5, 2013</li>
<li>Version 1.24 was released on May 14, 2013</li>
<li>Version 1.23 was released on April 22, 2013</li>
<li>Version 1.22 was released on February 27, 2013</li>
<li>Version 1.21 was released on February 7, 2013</li>
<li>Version 1.20 was released on December 21, 2012</li>
<li>Version 1.19 was released on November 8, 2012</li>
</ul>
<a name='more'></a>SCADA+ 1.27 includes 3 new SCADA related vulnerabilities; none of them are 0-days.<br />
<br />
SCADA+ 1.27 modules include:<br />
<ul>
<li>pwStore Denial of Service</li>
<li>3S CODESYS Gateway-Server &lt;= 2.3.9.27 Directory Traversal Vulnerability</li>
<li>Two modules for different National Instruments LabWindows/CVI, LabVIEW, and other products ActiveXes</li>
</ul>
<div>
The CODESYS module appears to cover one of the vulnerabilities communicated in ICS-CERT Advisory ICSA-13-050-01A, originally disclosed by Aaron Portnoy of Exodus Intelligence and published on February 19, 2013 with an update on March 27, 2013. This exploit module has already been posted for the <a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/scada/codesys_gateway_server_traversal.rb">Metasploit Framework</a> in the open source community. Note that this exploit targets the Gateway Server and is different from the other CODESYS vulnerability disclosed during the same time, which targeted the runtime system.<br />
<br />
Additional details and references can be found for this exploit module included in the SCADA+ pack:</div>
<div>
<ul>
<li><span style="background-color: white;">3S CODESYS Gateway-Server Multiple Vulnerabilities<br />(<a href="https://ics-cert.us-cert.gov/advisories/ICSA-13-050-01A" target="_blank">ICS-CERT</a> / <a href="http://www.securityfocus.com/bid/56300" target="_blank">SecurityFocus</a> / <a href="http://packetstormsecurity.com/files/120718/SCADA-3S-CoDeSys-Gateway-Server-Directory-Traversal.html">PacketStorm</a> / <a href="http://osvdb.org/show/osvdb/90368" target="_blank">OSVDB</a>)</span></li>
</ul>
</div>
<div>
Information on the Gleg SCADA+ Exploit Pack can be found <a href="http://gleg.net/agora_scada.shtml" target="_blank">here</a>, as well as information on Immunity's CANVAS <a href="http://www.immunityinc.com/products-gleg-scada.shtml" target="_blank">here</a>.</div>
<br />
As always, please post your comments or suggestions to improve the usefulness of this information.<br />
<br />
Joel Langill<br />
<br />
<span style="font-size: large;"><b>InteVyDis releases Ver 10 of the VulnDisco Exploit Pack for Immunity Canvas with ICS Modules</b></span><br />
Published: September 5, 2013<br />
<br />
On September 4, InteVyDis announced version 10.0 of their VulnDisco Exploit Pack for the Immunity Canvas framework. It appears for the first time that this pack contains ICS modules, including 0-days.<br />
<br />
The VulnDisco Exploit Pack appears to contain roughly 300 modules, and in this version 10.0, it appears that they have offered some 0-day exploits targeting the Cogent Datahub system (components are not defined):<br />
<br />
<ul>
<li>vd_cdatahub - [0day] Cogent DataHub DoS</li>
<li>vd_cdatahub2 - [0day] Cogent DataHub DoS</li>
<li>vd_cdatahub3 - [0day] Cogent DataHub file overwrite</li>
<li>vd_cdatahub_ver - [Tool] Get version of Cogent DataHub</li>
<li>vd_cdatahub_clstat - [Tool] Get status of Cogent DataHub clients</li>
</ul>
<br />
With the limited information available, it looks like these may be related to the ICS-CERT Advisory ICSA-13-095-01 "Cogent Real-Time Systems Multiple Vulnerabilities", originally disclosed by Dillon Beresford of Cimation, released April 5, 2013 and revised April 30, 2013.<br />
<br />
Information on the InteVyDis VulnDisco Exploit Pack can be found <a href="http://intevydis.com/vulndisco.shtml" target="_blank">here</a>, as well as information on Immunity's CANVAS <a href="http://www.immunityinc.com/products-gleg-scada.shtml" target="_blank">here</a>.<br />
<br />
As always, please post your comments or suggestions to improve the usefulness of this information.<br />
<br />
Joel Langill<br />
<br />
<span style="font-size: large;"><b>Gleg releases Ver 1.26 of the SCADA+ Exploit Pack for Immunity Canvas</b></span><br />
Published: August 14, 2013<br />
<br />
Right on schedule with their next release just one month after their previous update ... Gleg announced on August 14 the release of version 1.26 of the SCADA+ Exploit Pack for the Immunity Canvas framework. <br />
<br />
A summary of recent releases includes:<br />
<ul>
<li>Version 1.25 was released on July 5, 2013</li>
<li>Version 1.24 was released on May 14, 2013</li>
<li>Version 1.23 was released on April 22, 2013</li>
<li>Version 1.22 was released on February 27, 2013</li>
<li>Version 1.21 was released on February 7, 2013</li>
<li>Version 1.20 was released on December 21, 2012</li>
<li>Version 1.19 was released on November 8, 2012</li>
</ul>
<a name='more'></a>SCADA+ 1.26 includes 3 new SCADA related 0-days against Siemens and Honeywell, plus one additional exploit for a previously disclosed Honeywell vulnerability. This release is very interesting in that it targets the Honeywell UniSim (ShadowPlant) Dynamic Training Simulator package. This is one of the most popular high-fidelity simulators for process control, and could expose numerous other weaknesses to the knowledgeable attacker if exploited.<br />
<br />
Knowing this, I believe that these 0-days represent a real threat to operational ICS and more important, the physical plant and associated intellectual property contained within the ICS.<br />
<br />
SCADA+ 1.26 modules include:<br />
<ul>
<li><span style="background-color: white;">Siemens Solid Edge ST4/ST5 WebPartHelper ActiveX Control Remote Command Execution [0-day]</span></li>
<li><span style="background-color: white;">Siemens ProTools Pro CS DoS [0-Day]</span></li>
<li><span style="background-color: white;">Honeywell UniSim ShadowPlant Bridge DoS [0-Day]</span></li>
<li>Honeywell ActiveX control code execution. <a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0108" target="_blank">CVE-2013-0108</a></li>
</ul>
<div>
The Siemens ProTool Pro package WAS the universal configuring software for all SIMATIC operator panels and for the HMI part of the SIMATIC C7. It ran on Windows 98 SE/ME and Windows NT 4.0/2000/XP. Siemens announced the <a href="http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&objid=26262043&nodeid0=10805581&caller=view&lang=en&siteid=cseus&aktprim=0&objaction=csopen&extranet=standard&viewreg=WW" target="_blank">phase out</a> of this product effective Oct. 1, 2007 with the <a href="http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&nodeid0=10805581&lang=en&siteid=cseus&aktprim=0&extranet=standard&viewreg=WW&objid=10805581&treeLang=en" target="_blank">discontinuation from sale</a> effective Oct. 1, 2010, so this is an obsolete and unsupported product. It has been replaced by the WinCC Flexible package.<br />
<br />
ICS-CERT does not appear to have released any Alerts or Advisories for either the Honeywell UniSim or Siemens ProTool ICS products affected by these exploits. The Honeywell ActiveX control vulnerability was previously disclosed in <a href="http://ics-cert.us-cert.gov/advisories/ICSA-13-053-02" target="_blank">Advisory ICSA-13-053-02</a>. Rapid7 released a Metasploit Framework <a href="https://www.rapid7.com/db/modules/exploit/windows/browser/honeywell_hscremotedeploy_exec" target="_blank">exploit module</a> for the Honeywell ActiveX vulnerability in March 2013.</div>
<div>
<br /></div>
<div>
Additional details and references can be found for the other exploit modules included in the SCADA+ pack:</div>
<div>
<ul>
<li><span style="background-color: white;">Honeywell Products 'HscRemoteDeploy.dll' Activex Remote Code Execution Vulnerability (<a href="http://ics-cert.us-cert.gov/advisories/ICSA-13-053-02" target="_blank">ICS-CERT</a> / <a href="http://www.securityfocus.com/bid/58134/info" target="_blank">SecurityFocus</a> / <a href="http://packetstormsecurity.com/files/120755/Honeywell-HSC-Remote-Deployer-ActiveX-Remote-Code-Execution.html" target="_blank">PacketStorm</a> / <a href="http://www.osvdb.org/90583" target="_blank">OSVDB</a>)</span></li>
</ul>
</div>
<div>
Information on the Gleg SCADA+ Exploit Pack can be found <a href="http://gleg.net/agora_scada.shtml" target="_blank">here</a>, as well as information on Immunity's CANVAS <a href="http://www.immunityinc.com/products-gleg-scada.shtml" target="_blank">here</a>.</div>
<br />
As always, please post your comments or suggestions to improve the usefulness of this information.<br />
<br />
Joel Langill<br />
<br />
<span style="font-size: large;"><b>Gleg releases Ver 1.25 of the SCADA+ Exploit Pack for Immunity Canvas</b></span><br />
Published: July 11, 2013<br />
<br />
Gleg announced on July 5 the release of version 1.25 of the SCADA+ Exploit Pack for the Immunity Canvas framework. This is keeping with their unofficial schedule of continuing to release updates to this exploit pack approximately every month.<br />
<br />
A summary of recent releases includes:<br />
<ul>
<li>Version 1.24 was released on May 14, 2013</li>
<li>Version 1.23 was released on April 22, 2013</li>
<li>Version 1.22 was released on February 27, 2013</li>
<li>Version 1.21 was released on February 7, 2013</li>
<li>Version 1.20 was released on December 21, 2012</li>
<li>Version 1.19 was released on November 8, 2012</li>
</ul>
<a name='more'></a>SCADA+ 1.25 includes 2 new SCADA related 0-days against Schneider's PLC Simulator and MOXA's AWK Search Utility, as well as two other Schneider exploits. I do not believe that these 0-days represent any real threat to operational ICS.<br />
<br />
SCADA+ 1.25 modules include:<br />
<ul>
<li><span style="background-color: white;">MOXA AWK Search Utility DoS [0-day]</span></li>
<li><span style="background-color: white;">Schneider Electric PLC Simulator 'sim.exe' Remote denial-of-service [0-Day]</span></li>
<li><span style="background-color: white;">Mikrotik Syslog Server for Windows 1.15 Denial of Service</span></li>
<li><span style="background-color: white;">Schneider Electric Ethernet Modules Multiple Service Default Hardcoded Credentials</span></li>
<li><span style="background-color: white;">Multiple Schneider Electric Products 'ModbusDrv.exe' Local Buffer Overflow Vulnerability</span></li>
</ul>
<div>
ICS-CERT does not appear to have released any Alerts or Advisories for the MOXA AWK Utility, Schneider PLC Simulator / ModbusDrv, and Mikrotik vulnerabilities. This is expected, as these products are not directly related to ICS. The Schneider ModbusDrv.exe vulnerability was posted on SecurityFocus, which confirms that this vulnerability is only locally exploitable, making it a relatively low-risk vulnerability. The Schneider Ethernet Module vulnerabilities have also been discussed on SecurityFocus, including details on exploit techniques. These can be exploited remotely, so they represent moderate risk if these devices are present and unauthorized network access is obtained.</div>
<div>
<br /></div>
<div>
Additional details and references can be found for the other exploit modules included in the SCADA+ pack:</div>
<div>
<ul>
<li><span style="background-color: white;">Schneider Electric Ethernet Modules (<a href="http://download.schneider-electric.com/files?p_File_Id=84680059&p_File_Name=SEVD-2013-023-01A.pdf" target="_blank">Schneider</a> / <a href="http://ics-cert.us-cert.gov/advisories/ICSA-12-018-01A" target="_blank">ICS-CERT</a> / <a href="http://www.securityfocus.com/bid/51046/info" target="_blank">SecurityFocus</a> )</span></li>
<li><span style="background-color: white;">Schneider Electric Products 'ModbusDrv.exe' (<a href="http://download.schneider-electric.com/files?p_File_Id=110756058&p_File_Name=SEVD-2013-070-01A.pdf" target="_blank">Schneider</a> / <a href="http://www.securityfocus.com/bid/58999/info" target="_blank">SecurityFocus</a> )</span></li>
</ul>
</div>
<div>
<br /></div>
<div>
Information on the Gleg SCADA+ Exploit Pack can be found <a href="http://gleg.net/agora_scada.shtml" target="_blank">here</a>, as well as information on Immunity's CANVAS <a href="http://www.immunityinc.com/products-gleg-scada.shtml" target="_blank">here</a>.</div>
<br />
As always, please post your comments or suggestions to improve the usefulness of this information.<br />
<br />
Joel Langill<br />
<br />
<span style="font-size: large;"><b>Gleg releases Ver 1.23 of the SCADA+ Exploit Pack for Immunity Canvas</b></span><br />
Published: April 22, 2013<br />
<br />
Gleg announced this morning (April 22) the release of version 1.23 of the SCADA+ Exploit Pack for the Immunity Canvas framework. This is keeping with their unofficial schedule of continuing to release updates to this exploit pack approximately every month.<br />
<br />
A summary of recent releases includes:<br />
<ul>
<li>Version 1.22 was released on February 27, 2012</li>
<li>Version 1.21 was released on February 7, 2012</li>
<li>Version 1.20 was released on December 21, 2012</li>
<li>Version 1.19 was released on November 8, 2012</li>
</ul>
I will provide details of this release in a subsequent post.<br />
<a name='more'></a>SCADA+ 1.23 includes 2 new SCADA related 0-days against Schneider's Vijeo SCADA, along with two public DoS exploits for some well known SCADA software.<br />
<div>
SCADA+ 1.23 modules include:</div>
<ul>
<li><span style="background-color: white;">Schneider Electric Accutech Manager Server Denial-of-Service</span></li>
<li><span style="background-color: white;">GE Fanuc Proficy HMI/SCADA Cimplicity WebView/ThinView Server DoS</span></li>
<li><span style="background-color: white;">Schneider Electric Vijeo Web Gate Server Vulnerability [0-day]</span></li>
<li><span style="background-color: white;">Schneider Electric Vijeo Web Gate Server Denial-of-Service [0-day]</span></li>
</ul>
The mentioned 0-days targeting the Schneider Vijeo SCADA package do NOT appear to have been announced by ICS-CERT (Schneider advisories available <a href="http://ics-cert.us-cert.gov/ics-cert/archive.html#s" target="_blank">here</a>), so if you feel that you have one of these systems, it is highly advised to contact the vendor immediately for guidance.<br />
<br />
These exploits continue to show the need to offer enhanced intrusion monitoring capabilities within the internal, trusted ICS networks. I believe that an enhanced detection infrastructure could assist asset owners in early warning and response to pending cyber attacks. If anyone is interested in discussing my solution to address these vectors, please feel free to <a href="mailto:info@scadahacker.com?subject=ICS%20Intrusion%20Monitoring%20Solutions" target="_blank">contact me</a>.<br />
<br />
Information on the Gleg SCADA+ Exploit Pack can be found <a href="http://gleg.net/agora_scada.shtml" target="_blank">here</a>, as well as information on Immunity's CANVAS <a href="http://www.immunityinc.com/products-gleg-scada.shtml" target="_blank">here</a>.<br />
<br />
As always, please post your comments or suggestions to improve the usefulness of this information.<br />
<br />
<br />
<b>Gleg releases Ver 1.20 of the SCADA+ Exploit Pack for Immunity Canvas</b> (published December 24, 2012)<br />
In keeping with their previous record of releasing updates on a regular basis, Gleg announced on December 24 the release of version 1.20 of the SCADA+ Exploit Pack for the Immunity Canvas framework.<br />
<br />
Version 1.19 was released on November 8, 2012.<br />
<br />
<a name='more'></a>SCADA+ 1.20 includes 1 new SCADA related 0-day, along with some "old but still useful" RTOS modules and a 0-day for a Korean router.<br />
<br />
SCADA+ 1.20 modules include:<br />
<ul>
<li><span style="background-color: white;">QNX QCONN Remote Shutdown</span></li>
<li><span style="background-color: white;">QNX PHRelay Denial-of-Service</span></li>
<li><span style="background-color: white;">Directory Traversal vulnerability in cgi-bin/read.cgi in Netbiter webSCADA <a href="http://support.netbiter.com/dynpage.cfm?FPID=85" target="_blank">WS100</a> and <a href="http://support.netbiter.com/dynpage.cfm?FPID=85" target="_blank">WS200</a> (CVE-2010-4730). Additional information on HMI Industrial Network's Netbiter solutions can be found at <a href="http://www.netbiter.com/">http://www.netbiter.com</a>.</span></li>
<li><span style="background-color: white;">ANT Automation's <a href="http://ant-automation.com/industrialstudioscada" target="_blank">Industrial Studio SCADA</a> Denial-of-Service [0-day]. Additional information on ANT Automation LLC and the Industrial Studio SCADA can be found at <a href="http://ant-automation.com/">http://ant-automation.com</a>. </span></li>
</ul>
As published with my blog update regarding v1.18 of SCADA+ in October, QNX is one of the real-time operating systems (RTOS) used in many embedded devices, including (though not important to ICS but more for general information) the BlackBerry Playbook and Colt. Of more relevance to the ICS world, QNX can be found in products from ICS suppliers including Emerson Process Management (Ovation and DeltaV), General Electric (Mark VI Turbine Controller), Tridium (JACE 600), as well as most major automotive manufacturers! This DoS could represent significant risk to ICS systems installed in CIKR and other critical sectors. A complete list of references, and other useful information on QNX, can be found at their website <a href="http://www.qnx.com/">http://www.qnx.com/</a>.<br />
<br />
Network Devices:<br />
<ul>
<li>ipTIME (South Korea) router [0-day]. Additional information on ipTIME can be found (in Korean) at <a href="http://www.iptime.co.kr/">http://www.iptime.co.kr/</a>. These devices are not likely to be installed in moderate risk ICS networks.</li>
</ul>
Information on the Gleg SCADA+ Exploit Pack can be found <a href="http://gleg.net/agora_scada.shtml" target="_blank">here</a>, as well as information on Immunity's CANVAS <a href="http://www.immunityinc.com/products-gleg-scada.shtml" target="_blank">here</a>.<br />
<br />
As always, please post your comments or suggestions to improve the usefulness of this information.<br />
<br />
<b>Gleg releases Ver 1.19 of the SCADA+ Exploit Pack for Immunity Canvas</b> (published November 8, 2012)<br />
On November 8, a reference on the Gleg website indicated that they would be releasing version 1.19 of the SCADA+ Exploit Pack for the Immunity Canvas framework offered by Gleg. On November 9, the Immunity Inc. listserver confirmed that the update is now available.<br />
<br />
Gleg remains active and devoted to continuing to release SCADA+ Exploit Pack modules on a regular basis, with this release coming just 4 weeks after v1.18!<br />
<br />
All of the SCADA exploits included in this release cover 0-day vulnerabilities that have not been previously disclosed, including any published advisories or alerts from ICS-CERT. Both ICS systems included in this release represent reasonable risk to critical infrastructure and manufacturing facilities within the USA.<br />
<br />
<a name='more'></a>SCADA+ 1.19 includes 2 new SCADA related 0-days and new automated network device exploitation tools.<br />
<br />
SCADA+ 1.19 modules include:<br />
<ul>
<li><span style="background-color: white;">Siemens WinCC v7.0 SP2 CCEServer.exe Denial-of-Service [0-day]</span></li>
<li><span style="background-color: white;">GE Fanuc Proficy HMI/SCADA CIMPLICITY WebView/ThinView Server 8.10.0000.18236 Information Disclosure [0-day]</span></li>
</ul>
Network Devices:<br />
<ul>
<li><span style="background-color: white;">AirTies RT104 Router - Unauthorized Configuration Download [0-day]<br />This is a device typically used in Home and Small Business applications, and would not typically be found as part of ICS solutions for critical infrastructure and manufacturing operations.</span></li>
<li><span style="background-color: white;">Sitecom Home Storage Center - Authentication Bypass via Directory Traversal Vulnerability<br />As the name implies, this is a Home Use NAS solution. The details of this vulnerability were discovered July 29, 2012 and publicly disclosed on or about Sept. 6, 2012.</span></li>
<li><span style="background-color: white;">Thomson TWG850-4 - Unauthenticated Backup File Access<br />This device is typically for Home Use Only in VoIP applications. The details of this vulnerability and the associated PoC were publicly disclosed on or about Sept. 20, 2012.</span></li>
</ul>
Information on the Gleg SCADA+ Exploit Pack can be found <a href="http://gleg.net/agora_scada.shtml" target="_blank">here</a>, as well as information on Immunity's CANVAS <a href="http://www.immunityinc.com/products-gleg-scada.shtml" target="_blank">here</a>.<br />
<br />
As always, please post your comments or suggestions to improve the usefulness of this information.<br />
<br />
<b>Gleg releases Ver 1.18 of the SCADA+ Exploit Pack for Immunity Canvas</b> (published October 10, 2012)<br />
On October 10, Gleg released version 1.18 of the SCADA+ Exploit Pack for the Immunity Canvas framework, along with a corresponding version 2.17 of the Agora Exploit Pack.<br />
<br />
Gleg remains active and devoted to continuing to release SCADA+ Exploit Pack modules on a regular basis, at approximately 4-8 week intervals!<br />
<br />
All of the SCADA exploits included in this release cover 0-day vulnerabilities that have not been previously disclosed, including any published advisories or alerts from ICS-CERT. Two of the systems included in this release do not appear to be high-risk to most critical infrastructure and manufacturing facilities within the USA; however, these products do have references within these industries in other countries so due diligence should be performed if you own a potentially vulnerable system. A third system, which is actually one of the leading RTOS used by many embedded devices, could pose elevated risk to ICS users.<br />
<br />
<a name='more'></a>SCADA+ 1.18 includes 3 new SCADA related 0-days and a new version 1.1 of the automated network device exploitation tools.<br />
<br />
SCADA+ 1.18 modules include:<br />
<ul>
<li>Elipse E3 ActiveReports Remote Arbitrary File Replace [0-day]<br />Elipse is a software company based in Brazil that offers two primary ICS monitoring and control products (E3 and SCADA), as well as other supplemental application packages. Information on Elipse can be found at <a href="http://www.elipse.com.br/">http://www.elipse.com.br</a>.</li>
<li>Carel PlantVisor v.2.4.4 (possibly others) directory traversal vulnerability [0-day]<br />Carel is a company based in Italy with other regional offices and subsidiaries. Their products, including the targeted PlantVisor application, are developed for refrigeration and air-conditioning systems. This appears to be similar to a vulnerability disclosed by Luigi Auriemma with an initial publication date of September 13, 2011, documented as <a href="http://www.securityfocus.com/bid/49601/info" target="_blank">BID-49601</a> and <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3487" target="_blank">CVE-2011-3487</a>. This has yet to be confirmed; however, Luigi's PoC is provided at the Mitre link. Additional information on Carel can be found at <a href="http://www.carel.com/">http://www.carel.com</a>.</li>
<li>QNX FTPD Denial-of-Service [0-day]<br />As many may already know, QNX is one of the real-time operating systems (RTOS) used in many embedded devices, including (though not important to ICS but more for general information) the BlackBerry Playbook and Colt. Of more relevance to the ICS world, QNX can be found in products from ICS suppliers including Emerson Process Management (Ovation and DeltaV), General Electric (Mark VI Turbine Controller), Tridium (JACE 600), as well as most major automotive manufacturers! This DoS could represent significant risk to ICS systems installed in CIKR and other critical sectors. A complete list of references, and other useful information on QNX, can be found at their website <a href="http://www.qnx.com/">http://www.qnx.com</a>.</li>
</ul>
Network Devices:<br />
<ul>
<li>Ubiquiti Networks AirOS Directory Traversal Vulnerability for AirOS 5, 4.0, 3.6.1</li>
<li>Alpha Networks ADSL2/2+ Wireless Router ASL-26555 Password Disclosure</li>
<li>QLogic SANsurfer FC HBA Manager Directory Traversal vulnerability</li>
</ul>
Information on the Gleg SCADA+ Exploit Pack can be found <a href="http://gleg.net/agora_scada.shtml" target="_blank">here</a>, as well as information on Immunity's CANVAS <a href="http://www.immunityinc.com/products-gleg-scada.shtml" target="_blank">here</a>.<br />
<br />
As always, please post your comments or suggestions to improve the usefulness of this information.<br />
<br />
<b>What do March Madness and Cyber Security have in common?</b> (published April 5, 2012)<br />
<i>(this blog was originally posted by Bryan Owen on the vCampus Blog and is copied here for wider distribution)</i><br />
<br />
<b>OSIsoft User Conference 2012: Cyber Security Line Up</b><br />
March Madness is a wrap; did your picks do well? You can consider the Pwn2Own competition at CanSecWest as a cyber security version of March Madness.<br />
<br />
In continuation of a global trend, this year signaled a change in the 'sport of hacking'. Move over undergrads. Pwn2Own has become a professional contest. It was Vupen's dedicated exploit team versus Google's Chrome security team (both declared victory but Vupen's story won better news coverage).<br />
<br />
So yes, cyber security is a team sport. It is complete with talented athletes, coaches, and trainers. Let's not forget the fans, institutions, regulators, media and the rest of the ecosystem. Do you have PI System security superstars on your team?<br />
<br />
I'm very pleased to call out a strong cyber security line up for User Conference 2012:<br />
<br />
<a name='more'></a><br />
<u><b>Day Zero</b></u><br />
1:45 PM - ISA 99 Workshop sponsored by WBF. Learn about the ISA 99 standard approach for cyber security - Graham Speake (Yokogawa), Joel Langill (SCADAhacker)<br />
<br />
<u><b>Day 1</b></u><br />
12:45 PM - Product Expo PI System Security Booth: "Open topics like: Architecture, Firewalls, Compliance, Windows Server Core, Services" - Bryan Owen, David Casazza, Gary Seifert, Jim Davidson, John Stawiarski, Martin Bryant<br />
<br />
3:55 PM - "Have you done enough with Cyber Security?" (vCampus Live! 2011 encore presentation)<br />
Bryan Owen (OSIsoft), Joel Langill (SCADAhacker)<br />
<br />
<u><b>Day 2</b></u><br />
9:40 AM - "Secure, Manageable Application Integration at Detroit Water and Sewerage Department" - Biren Saparia (Detroit Water) and Andrew Ginter (Waterfall Security Solutions)<br />
<br />
5:00 PM - Keynote closing panel "Data-Driven Decision Making" - Panelist Marty Edwards, DHS Control System Cyber Security Program Director<br />
<br />
<u><b>Product Evaluation Day</b></u><br />
8:30 AM - PI System Security Workshop - Jed Haile and Jonathan Gray (Idaho National Lab) with Anthony Tang, Dario Amiri, and Omar Shafie (OSIsoft). Panel from the field: What works, what's challenging, and what can be done to save time and effort. - Panelists (TBA)<br />
<br />
In summary, OSIsoft User Conference 2012 is the place to be if you are charged with cyber security for the PI System. We will make a best effort to share these materials with those who can't attend but contributing in person is the way to get the most benefit from these highly professional resources.<br />
<br />
If you are a vCampus member but aren't the 'security guru' - please let them know the place to be and people to meet for PI System security are at the UC.<br />
<br />
Your teamwork makes a difference with Cyber security!<br />
<br />
Bryan Owen<br />
<br />
<b>Hackers accessed city infrastructure via SCADA</b> (published November 30, 2011)<br />
<i>(This article was originally written by <a href="http://www.information-age.com/channels/security-and-continuity/news/1676243/hackers-accessed-city-infrastructure-via-scada-fbi.thtml" target="_blank">Hal Hodsen on November 29, 2011 via Information Age</a> and has been copied here for reference purposes only.)</i><br />
<br />
<b>The deputy assistant director of the FBI's Cyber Division says hackers recently accessed the infrastructure of three cities through SCADA systems</b><br />
<br />
Hackers recently accessed the critical infrastructure of three unnamed cities by compromising their SCADA (supervisory control and data acquisition) systems, the deputy assistant director of the FBI's Cyber Division said today.<br />
<br />
<a name='more'></a>Speaking at the <a href="http://defence.flemingeurope.com/cyber-security-summit/" target="_blank">Flemings Cyber Security conference</a> in London, Michael Welch said the hackers could theoretically have dumped sewage into a lake or shut off the power to a shopping mall.<br />
<br />
"We just had a circumstance where we had three cities, one of them a major city within the US, where you had several hackers that had made their way into SCADA systems within the city," Welch said. <br />
The attack "was sort of a tease to law enforcement and the local city administration, saying 'I’m here, what are you going to do about it,'" he said. "Essentially it was an ego trip for the hacker because he had control of that city’s systems and he could dump raw sewage into the lake, he could shut down the power plant at the mall – a wide array of things."<br />
<br />
Welch would not clarify whether the attacks in question related to a <a href="http://www.information-age.com/channels/security-and-continuity/news/1674733/us-utility-hack-shows-scada-vulnerabilities.thtml" target="_blank">reported SCADA attack on a water facility</a> in Springfield, Illinois. On Wednesday, the <a href="http://us-cert.gov/control_systems/pdf/ICSB-11-327-01.pdf" target="_blank">Department of Homeland Security denied</a> that there was any hacking involved in the failure of a water pump at the Springfield facility.<br />
<br />
Cyber security is "a huge growth factor" for the FBI, says Welch. He expects the bureau's Cyber Division to double in size during the next 12 to 18 months. <br />
<br />
"A big part of what we do is private sector liaison," he said. "At no time in our history have we had to stretch the definition of what constitutes crime more than we do now."<br />
<br />
Additional References:<br />
<a href="https://www.infosecisland.com/blogview/18450-FBI-Three-Cities-Compromised-via-SCADA-Networks.html" target="_blank">InfoSec Island</a><br />
<br />
<b>Gleg releases Ver 1.8 of the SCADA+ Exploit Pack for Immunity Canvas</b> (published November 27, 2011)<br />
On November 24, Gleg released version 1.8 of the SCADA+ Exploit Pack for the Immunity Canvas framework, along with a corresponding version 2.7 of the Agora Exploit Pack.<br />
<br />
In SCADA+ 1.8 there are modules for several fresh public SCADA/ICS vulnerabilities, most of which were recently disclosed by Luigi Auriemma. Many of these exploits appear to be denial-of-service (DoS) exploits, so this really is not something that I think is worth the money at this time.<br />
<br />
<a name='more'></a>SCADAhacker has noticed that the vulnerabilities included with Gleg SCADA+ 1.8 regarding the Optima APIFTP Server SCADA HMI application have not yet been disclosed by ICS-CERT. I will be posting an out-of-band advisory on this vulnerability set within the next 24 hours, and will update this blog accordingly.<br />
<br />
Gleg's Step Ahead customers receive some additional exploit modules, including one which allows them to decrypt users' credentials in Promotic SCADA and an additional SCADA-related ActiveX exploit.<br />
<br />
SCADA+ 1.8 modules include: <br />
<ul>
<li>Beckhoff TwinCAT <= 2.11.0.2004</li>
<li>Optima <= 1.5.2.13 Denial of Service</li>
<li>OPC Systems.NET <= 4.00.0048 Denial of Service</li>
<li>Data Archiver service in GE Intelligent Platforms Proficy Historian <= 3.5 SIM 17 and 4.x <= 4.0 SIM 12 Stack Overflow Proof of Concept & Denial of Service</li>
<li>Atvise webMI2ADS <= 1.0 Denial of Service</li>
<li>Another Atvise webMI2ADS <= 1.0 Denial of Service</li>
<li>Atvise webMI TestServer Directory Traversal</li>
<li>PcVue <= 10.0, SVUIGrd.ocx <= 1.5.1.0 Code Execution</li>
<li>PROMOTIC <= 8.1.3 Directory Traversal leveraged to user credentials disclosure</li>
</ul>
It is worth mentioning that the <a href="http://www.scadahacker.com/vulndb/ics-vuln-ref-list.html" target="_blank">SCADAhacker Vulnerability Reference List</a> contains a great deal of information on most of these vulnerabilities and includes any publicly-disclosed PoC code.<br />
<ul>
<li><a href="http://www.scadahacker.com/vulndb/2011/ics-vuln-beckhoff-11-256-06.html" target="_blank">Beckhoff TwinCAT "TCATSysSrv.exe" Network Packet Denial of Service Vulnerability</a></li>
<li><a href="http://www.scadahacker.com/vulndb/2011/ics-vuln-atvise-11-283-02.html" target="_blank">atvise webMI Web Server Multiple Remote Vulnerabilities</a></li>
<li><a href="http://www.scadahacker.com/vulndb/2011/ics-vuln-openautosw-11-285-01.html" target="_blank">Open Automation Software OPC Systems.NET Denial-of-Service Vulnerability</a></li>
<li><a href="http://www.scadahacker.com/vulndb/2011/ics-vuln-microsys-11-286-01.html" target="_blank">Microsys Promotic Directory Traversal and ActiveX Control Buffer Overflow Vulnerabilities</a></li>
<li><a href="http://www.scadahacker.com/vulndb/2011/ics-vuln-ge-11-243-01.html" target="_blank">General Electric Intelligent Platforms (GE-IP) Proficy Plant Applications Buffer Overflow Vulnerabilities</a></li>
<li><a href="http://www.scadahacker.com/vulndb/2011/ics-vuln-ge-11-243-03.html" target="_blank">General Electric Intelligent Platforms (GE-IP) Proficy Historian Data Archiver Buffer Overflow Vulnerability</a></li>
<li><a href="http://www.scadahacker.com/vulndb/2011/ics-vuln-arcinformatique-11-271-01.html" target="_blank">ARC Informatique PcVue Multiple ActiveX Vulnerabilities</a></li>
</ul>
Other SCADA/ICS vulnerabilities disclosed by Luigi Auriemma covered in the SCADAhacker Vulnerability Reference List but not included in Gleg SCADA+ include: <br />
<ul>
<li><a href="http://www.scadahacker.com/vulndb/2011/ics-vuln-sunway-11-266-01.html" target="_blank">Sunway ForceControl and pNetPower Multiple Security Vulnerabilities</a></li>
<li><a href="http://www.scadahacker.com/vulndb/2011/ics-vuln-irai-11-283-01.html" target="_blank">IRAI AUTOMGEN Buffer Overflow Vulnerability</a></li>
</ul>
As always, please post your comments or suggestions to improve the usefulness of this information.<br />
<br />
<b>UPDATED: Hackers Independently Attack Two Different Water Utility Districts</b> (published November 21, 2011)<br />
Updated: November 23, 2011<br />
<br />
News reports broke on November 18, 2011 (<a href="http://www.wired.com/threatlevel/2011/11/hackers-destroy-water-pump/" target="_blank">Attack on City Water Station Destroys Pump - Wired</a>) when fellow security specialist <a href="http://community.controlglobal.com/content/water-system-hack-system-broken" target="_blank">Joe Weiss blogged</a> about a report released on November 8, 2011 that a water utility district in Springfield, IL (later identified as Curran-Gardner Public Water District) had suffered what looked like a "blended attack". The first phase focused on compromising a supplier's internal system which contained remote access credentials not only for the target, but for several other as yet "unnamed" sites. The second phase allowed the attackers to simply "turn the key and walk in the front door", gaining complete access to the industrial control system. The end result was the failure of one of the process pumps.<br />
<a name='more'></a><br />
DHS, and possibly even the FBI, downplayed the attack, stating in their report: "At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety". This outraged many, including a twenty-something hacker known only as "pr0f" or @pr0f_sys. As reported on November 18, 2011 (<a href="http://news.cnet.com/8301-27080_3-57327968-245/hacker-says-he-broke-into-texas-water-plant-others/" target="_blank">Hacker says he broke into Texas water plant, others - CNET</a>), this attacker then used a completely unrelated attack vector to easily gain access to another water utility in South Houston, TX, where he posted several screenshots of the control system on <a href="http://pastebin.com/Wx90LLum" target="_blank">PasteBin</a>. Obviously, he knew what he was doing, and intentionally left the system unaffected. In addition to his initial post, he also wrote a second article on <a href="http://pastebin.com/PLGDJMTd" target="_blank">PasteBin</a> providing some insight into what he calls "SCADApocalypse". Interestingly enough, I also came across a PasteBin post on November 3, 2011 by pr0f entitled "Water Metering SCADA", complete with passwords.<br />
<br />
So ... when are people going to let us ICS security specialists perform some "light" penetration testing to obtain an accurate assessment of their security posture?<br />
<br />
Many people were quick to jump on the "disclosure" bandwagon, blaming either the control system vendor for not disclosing critical security vulnerabilities, or DHS / ICS-CERT for not disclosing information about the breach. Unfortunately, it is SCADAhacker's view, based on the limited information available, that both of these attacks had little to do with the ICS / SCADA vendor, but rather with poor security implementation practices by either the owner-operator or the system integrator responsible for commissioning these systems. This is obviously not the end of these types of attacks, and SCADAhacker will continue to provide timely, relevant information to help protect the ICS and SCADA systems used to control our critical infrastructure and manufacturing processes.<br />
<br />
All of this information is going to be placed into a case study that will make an excellent module in the course I am offering in 2012, entitled "<a href="http://scadahacker.blogspot.com/2011/10/scadahacker-to-offer-icsscada-blue-team.html" target="_blank">Understanding and Security Industrial Control Systems</a>".<br />
<br />
<b>UPDATES:</b><br />
Threat Post was able to get an interview with pr0f and released a very informative article on November 20, 2011 (<a href="https://threatpost.com/en_us/blogs/hacker-says-texas-town-used-three-digit-password-secure-internet-facing-scada-system-112011" target="_blank">Hacker says Texas Town used Three Character Password to Secure Internet Facing SCADA System</a>) which provided additional details regarding the target ICS vendor and the poor "3-letter" password which was used to compromise the system(s).<br />
<br />
Elinor Mills from CNET posted a new story on November 22, 2011 (<a href="http://news.cnet.com/8301-27080_3-57330029-245/dhs-denies-report-of-water-utility-hack/?tag=mncol;cnetRiver" target="_blank">DHS Denies Report on Water Utility Hack</a>) in advance of the official DHS announcement that followed the next day in their Information Bulletin <a href="http://www.us-cert.gov/control_systems/pdf/ICSB-11-327-01.pdf" target="_blank">ICSB-11-327-01</a> on the Illinois Water Pump Failure incident, finding no evidence of a cyber breach at the facility. Conveniently enough, it still lacks an explanation of the second attack on the facility in South Houston. In an email to ICSJWG members, "ICS-CERT is assisting the FBI to gather more information about this incident", which leads me to believe that they have uncovered enough information to further investigate what is most likely an easy penetration of the target systems. Elinor interviewed me, and I provided her with numerous examples of the lack of "urgency" I see when looking at security in the manufacturing sector.<br />
<br />
What is most disturbing when reading reports like that from DHS ICS-CERT are comments like "ICS-CERT has not received any additional reports of impacted manufacturers of ICS or other ICS related stakeholders related to these events." It appears that they have not uncovered the vulnerability used by pr0f in his attack, and also do not have the enumeration data which shows several other potential targets! I believe there is a lot more to come regarding this breach.<br />
<br />
Even more interesting is a related event that occurred in New Jersey, published by <a href="http://www.homelandsecuritynewswire.com/dr20111121-dhs-investigates-attacks-on-new-jersey-water-supply" target="_blank">Homeland Security News Wire</a> on November 21, 2011, which describes yet another attack on the West Milford water system that has resulted in "shut off power to water systems, opened valves that should have been shut, and thrown a plank of wood into a sewage filtration system." This appears to be a physical attack, but details are still not official.<br />
<br />
This story is far from over ... stay tuned for more !!!<br />
<br />
<b>Are Web Services a Dumb Idea???</b> (published November 9, 2011)<br />
I recently read a blog post by Reid Wightman on the @DigitalBond site entitled "<a href="http://www.digitalbond.com/2011/11/09/when-web-services-are-a-dumb-idea" target="_blank">When Web Services are a Dumb Idea</a>". It seems that the folks at Digital Bond are on some kind of mission to create a list of "insecure ICS products", which might not necessarily be a bad idea, but at least we need to be sure that everyone is being evaluated against the same criteria.<br />
<br />
First off, I have to apologize to Dale in my comment to this post, as I did not see that it was written by Reid, and incorrectly referenced Dale in my response. I have copied my "edited" response from the @DigitalBond site below:<br />
<a name='more'></a>After reading Reid’s interesting post, I thought it would be nice to bring in two useful points for conversation.<br />
<br />
First, you need to expand your concept of an “embedded web server” beyond something that a user would use when launching a browser and entering a URL for the device. Vendors actually use embedded web servers for a number of reasons, and many of these vendors are leaders in the industry – both from a functional and security point of view!<br />
<br />
Case in point … Honeywell … clearly one of the leaders in terms of their commitment to security, and one of the market leaders in ICS, uses the embedded SafeNet Sentinel License Monitor app, which provides an http daemon on their Experion nodes (R31x was the last release in which I verified that this was still present) for “internal use”. Vulnerabilities in this app were originally disclosed by Luigi Auriemma, and when I mentioned to Honeywell that they were using a vulnerable service on 6002/tcp, their response was that it was “hidden” behind the Windows Firewall and that they did not need to provide any further patches. A poor response, considering that some of their “default accounts” allowed me to disable the firewall and expose this vulnerable service!<br />
<br />
I also disclosed this exact same vulnerability to Iconics in their Genesis32 HMI package this past March after reviewing some of the exploits that were disclosed by Luigi Auriemma.<br />
<br />
So, it is clear that there are a lot more web servers or better said http daemons running than one might expect! During your next assessment, see if you can find any of these services running!<br />
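An added example, not code from the original post, Digital Bond or any vendor: a small Python audit that parses captured <code>netstat -ano</code> and <code>tasklist /fo csv /nh</code> output from a Windows ICS node and lists every TCP listener that is not on the site's approved baseline, so an "internal use" http daemon on 6002/tcp is inventoried whether or not the host firewall hides it from a network scan. The netstat and tasklist text, the baseline, and the image name <code>licmon.exe</code> are constructed placeholders.<br />

```python
"""Inventory TCP listeners on a Windows ICS node against an approved baseline.

Added example, not part of the original post: it parses captured output of
`netstat -ano` and `tasklist /fo csv /nh` and reports every listening socket
whose (port, process) pair is not on the site's baseline. A host firewall may
hide a daemon from a network scan, but the socket is still visible to netstat,
so an "internal use" http daemon on 6002/tcp cannot hide from this check.
"""
import csv
import io
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    addr: str             # local bind address as printed by netstat
    port: int
    pid: int
    process: str          # image name from tasklist, "?" if the PID has exited
    all_interfaces: bool  # bound to 0.0.0.0 or [::], i.e. reachable from the network


# One LISTENING row of `netstat -ano`, e.g.
#   TCP    0.0.0.0:6002           0.0.0.0:0              LISTENING       2260
_LISTEN_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_tasklist(tasklist_csv: str) -> dict[int, str]:
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    pid_to_name: dict[int, str] = {}
    for row in csv.reader(io.StringIO(tasklist_csv)):
        if len(row) >= 2 and row[1].isdigit():
            pid_to_name[int(row[1])] = row[0]
    return pid_to_name


def parse_listeners(netstat_text: str, pid_to_name: dict[int, str]) -> list[Listener]:
    """Extract every LISTENING TCP socket (IPv4 and IPv6) from netstat output."""
    listeners = []
    for line in netstat_text.splitlines():
        m = _LISTEN_ROW.match(line)
        if m is None:
            continue          # header, UDP and ESTABLISHED rows are skipped
        addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
        listeners.append(Listener(addr, port, pid, pid_to_name.get(pid, "?"),
                                  addr in ("0.0.0.0", "[::]")))
    return listeners


def unexpected_listeners(netstat_text: str, tasklist_csv: str,
                         baseline: set[tuple[int, str]]) -> list[Listener]:
    """Listeners whose (port, image name) pair is not approved, lowest port first.

    Image names are compared case-insensitively, since tasklist prints them as
    the executable was registered, not as the baseline author typed them.
    """
    approved = {(port, name.lower()) for port, name in baseline}
    pid_to_name = parse_tasklist(tasklist_csv)
    found = [l for l in parse_listeners(netstat_text, pid_to_name)
             if (l.port, l.process.lower()) not in approved]
    return sorted(found, key=lambda l: (l.port, l.addr))


# Constructed sample output for one Windows node; the image name licmon.exe is
# a placeholder for the license-monitor daemon, not the vendor's real file name.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1104
  TCP    0.0.0.0:6002           0.0.0.0:0              LISTENING       2260
  TCP    127.0.0.1:49152        0.0.0.0:0              LISTENING       612
  TCP    10.1.2.5:3389          10.1.2.77:51010        ESTABLISHED     1104
  TCP    [::]:135               [::]:0                 LISTENING       812
"""
TASKLIST_SAMPLE = """\
"System","4","Services","0","148 K"
"wininit.exe","612","Services","0","1,200 K"
"svchost.exe","812","Services","0","9,960 K"
"svchost.exe","1104","Services","0","7,100 K"
"licmon.exe","2260","Services","0","4,880 K"
"""
# Constructed site baseline: what the asset owner expects to see listening.
BASELINE = {(135, "svchost.exe"), (445, "System"),
            (3389, "svchost.exe"), (49152, "wininit.exe")}


if __name__ == "__main__":
    for l in unexpected_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE, BASELINE):
        scope = "ALL INTERFACES" if l.all_interfaces else "local only"
        print(f"unexpected listener {l.addr}:{l.port} pid={l.pid} "
              f"process={l.process} ({scope})")
```

On the constructed sample the only finding is the 6002/tcp daemon bound to all interfaces; replace the two sample strings with text captured from a real node to audit it the same way.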
<br />
Next point is that I initially was drawn to this post because of the term “web services” in the title. After reading, however, it was clear that Dale was not talking about “web SERVICES” but rather “web SERVERS”.<br />
<br />
Vendors have been using web “services” for some time now, because they offer a fairly secure means of inter-application communication both locally and remotely across firewalls when integration is required with enterprise applications using the eXtensible Markup Language (XML) following the SOAP standard. (Of course, the recent news that researchers have been able to exploit the XML encryption standard does add a slight twist here!)<br />
<br />
Vendors have been moving more and more to a service oriented architecture (SOA) to support better communication between applications from different vendors. One such implementation was the OPC XML-DA standard released in 2004, and more recently, the OPC Unified Architecture (UA) standard which is also based on XML/SOAP via web services! Now, remember that one of the drivers behind OPC-UA was improved integration with “non-Microsoft” platforms, including … process level devices. So it is not that difficult to see that most leading ICS vendors will have some form of web SERVICE running inside the ICS application framework, and in the near future, as OPC-UA is released in more devices, this will include L0 and L1 devices as well. OPC Foundation used the phrase “From the Controller to the Cloud” to describe OPC-UA, and when I just visited their <a href="http://opcfoundation.org/Products/Products.aspx?STX=Specification%3a48%2b49%23" target="_blank">product page</a>, I saw that they are currently testing OPC-UA for <a href="http://opcfoundation.org/Products/ProductDetails.aspx?CM=1&RI=9106&CU=29" target="_blank">QNX</a> and <a href="http://opcfoundation.org/Products/ProductDetails.aspx?CM=1&RI=9104&CU=29" target="_blank">VxWorks</a> – so expect it to show up in controllers soon!<br />
There were also several leading ICS vendors who have tested or are in the process of testing their OPC-UA interfaces for their ICS L2 hosts.<br />
<br />
<b>SCADAhacker publishes Duqu Reference Page</b> (published October 26, 2011)<br />
Based on the success of the <a href="http://www.scadahacker.com/resources/stuxnet.html" target="_blank">Stuxnet Resource Page</a> on <a href="http://scadahacker.com/" target="_blank">SCADAhacker.com</a>, today I launched a similar page consolidating the useful information and material relating to the new "Son of Stuxnet" malware known as "Duqu".<br />
<br />
There are currently multiple researchers analyzing this relatively unknown piece of malware, and all of them appear to be coming up with different conclusions. I felt that it would be useful to share my bookmarks and some of the interesting references that I come across in performing my own open-source research and analysis.<br />
<br />
Please bookmark this <a href="http://www.scadahacker.com/resources/duqu.html" target="_blank">page</a> and visit it often.<br />
<br />
I am currently consolidating information. If you have anything you would like to share, please pass it along.<br />
<br />
Joel Langill<br />
<br />
<span style="font-size: large;"><b>SCADAhacker to Offer ICS / SCADA "Blue Team" Security Training and Awareness Course in 2012</b></span><br />
Published: October 26, 2011 (updated December 13, 2011)<br />
<br />
Having been involved in the industry for several years, I have realized that there is a lack of specific training addressing "how to secure" industrial control systems. There are several very good courses currently available, including those offered by InfoSec Institute (which I will teach until early 2012), Red Tiger Security, Digital Bond, SANS and Idaho National Labs. However, when reviewing the syllabi of these courses, I feel that they tend to focus too much on either (1) theoretical aspects of the problem, or (2) the "hacking" or "red team" side of ICS security.<br />
<br />
Knowing this, and not trying to duplicate what is currently available, I have decided to launch my own course entitled "Understanding and Security Industrial Control Systems". This course will be primarily focused on "securing" or "blue teaming" the ICS and will involve several labs that reinforce the selection and implementation of security controls relating specifically to ICS.<br />
<br />
<a name='more'></a><br />
The preliminary agenda is as follows:<br />
<ul><li>Understanding the Unique Threat Landscape of Industrial Control Systems</li>
<li>Understanding Current Standards and Best Practices from a Security and Compliance Point of View (ISA, IEC, ISO, NERC-CIP, CFATS, NIST, CPNI)</li>
<li>Risk Identification, Classification, and Threat Modeling</li>
<li>Understanding and Identifying ICS Vulnerabilities</li>
<li>Selecting and Implementing Administrative Security Controls</li>
<li>Selecting and Implementing Technical Controls</li>
<li>Auditing and Assessing ICS Security</li>
</ul>I expect the first one or two classes to be offered in the Chicago area (near ORD airport). Future classes will be offered in manufacturing epicenters such as Houston, Los Angeles, Detroit, Pittsburgh, New Orleans, Washington D.C. and Calgary (others will be available based on customer interest). <br />
<br />
Students will use their own computers and will be supplied with a bootable external drive containing the testing environment and the other tools studied during the week. Many labs will use physical ICS equipment, providing a scenario that is realistic with respect to what actually exists in the field. The course will also stress many new leading-edge security technologies that form the basis of a comprehensive overall ICS security program.<br />
<br />
I am also open to nesting this curriculum in existing vendor and supplier training programs. Please feel free to contact me for additional details.<br />
<br />
All of this is very exciting, and I hope that this material will allow me to write and publish a much-needed book on this topic in the 2012-2013 timeframe. The end goal is to offer a textbook in addition to the standard PowerPoint slide deck used to teach the class.<br />
<br />
Please stay tuned for more details. I expect the first course to be available in the April-May timeframe, with registration beginning after the start of the year.<br />
<br />
Joel Langill