Havex Deep Dive (English)

•Descargar como PPTX, PDF•

1 recomendación•1,056 vistas

Corey Thuen of Digital Bond Labs describes in technical detail how Havex/Dragonfly enumerated OPC servers. Havex is the second ICS malware ever seen in the wild.

Tecnología

Havex: A Deep Dive
Corey Thuen
Digital Bond Labs

What is Havex?
Crouching Yeti / Energetic Bear APT campaign
Unknown origin
Targets Industrial Control Systems

Havex Delivery
Trojanized Software Installers
Spear-phishing attacks
Waterhole attacks
No 0-day exploits

Havex Analysis
Analysis was conducted against the Havex Remote Access Trojan (RAT) that
appeared as a trojanized installer for mbconnect
Analysis of Command & Control traffic
requests
Analysis of Downloadable Modules

Havex Analysis
Command and Control Traffic

Havex Analysis
Command and Control Server analysis
C2 server not secured
Directory browsing possible
Fun but not our focus today

What is OPC?
Common bridge for process control systems
Uses Microsoft COM/DCOM
Standard maintained by OPC Foundation consortium

Analysis Environment
Challenges with ICS malware environments:
ICS Equipment may not be virtualizable
Debugging and monitoring may be difficult

OPC Environment
Win2k8 - Matrikon OPC Simulator Server
WinXPsp3 - Malware execution
Win2k8 - Domain controller (to make DCOM easier)

OPC Module Analysis
Sample:
Sha-1
6aca45bb78452cd78386b8fa78dbdf2dda7fba6cc06482251e2a6820849c9e82
md5
6bfc42f7cb1364ef0bfd749776ac6d38

Dynamic Analysis
Regshot
Sysinternals - Procmon
DNS & Network Monitor
VMWare + Snapshots

Static Analysis
Strings
CFF Explore
IDA Pro
Resource section analysis

Static Analysis - Resource Section
Decryption & Analysis

Code Flow - Find Systems with DCOM
OPC uses DCOM for communication
DCOM supports enumeration of connected systems
Step 1 when wanting OPC data is to find available OPC Servers

Code Flow - Enumerate OPC Servers
OPC servers have “tags” that are data points, controls, etc.
OPC tag information is valuable to attackers
Havex uses DCOM to get the list of tags on each OPC server to which it can
connect

Summary
1. Havex infects system
2. RAT downloads modules from C2 servers
3. OPC module scans for local OPC servers including tag lists
4. OPC information is packaged up and sent to C2

Conclusions
• Havex is not attempting to hide
• No new vulnerabilities or 0-days are used
• OPC Information is collected and delivered to C2
• No control is attempted
These modules are reconnaissance
For who? For what purpose? Is there a specific target desired?

Questions?
Corey Thuen
thuen@digitalbond.com
@CoreyThuen - Twitter
plus.google.com/+CoreyThuen

Más contenido relacionado

La actualidad más candente

Defcon 22-tim-mcguffin-one-man-shop

Priyanka Aash

RSAC 2016: How to Get into ICS Security

Chris Sistrunk

SCADA Security: The Five Stages of Cyber Grief

Lancope, Inc.

The Control System Security Center (CSSC) in Japan has an active project in their lab to apply process white list control and computer resource access control to Windows servers and workstations in an ICS. These security controls can be very effective in ICS computers that are relatively static as compared to corporate network systems. The process white list control limits process creation with parent-child relation, SHA1 hash value of an executable file, and conflict of interest. The computer resource access control limits access from a process to file, network (IP address and port), and device. Attend this session learn how CSSC is applying this technology and lessons learned in the lab environment.

Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...

Digital Bond

With the increased need for automation in operating systems, every platform now provides a native environment for automating repetitive tasks via scripts. Since 2007, Microsoft has gone “all in” with their PowerShell scripting environment, providing access to every facet of the Microsoft Windows operating system and services via a scriptable interface. Not only can administrators completely administer and audit an operating system from this shell, but most all Microsoft services, such as Exchange, SQL Server, and SharePoint services as well. In this presentation James Tarala of Enclave Security will introduce students to using PowerShell scripts for assessing the security of thee Microsoft services. Auditors, system administrators, penetration testers, and others will all learn practical techniques for using PowerShell to assess and secure these vital Windows services.

An Introduction to PowerShell for Security Assessments

EnclaveSecurity

ICS Network Security Monitoring (NSM)

Digital Bond

Presented @ Emerson Exchange October 7, 2014 Industrial control systems (ICS) are large information technology (IT) systems. Office IT systems, failure of ICS can cause plant outages and even physical damage. Management of ICS needs to be different and smarter. IT vendors frequently recommend patches and configuration changes. Most have no impact to the ICS, which cannot implement changes in real time. ICS typically get one chance every few years to make changes - the turnaround. This paper describes optimization of ISC turnaround work, using cyber-vulnerability assessment to focus turnaround work to only what is necessary.

Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...

Jim Gilsinn

ICS Security 101 by Sandeep Singh

OWASP Delhi

Scada security presentation by Stephen Miller

AVEVA

How we breach small and medium enterprises (SMEs)

NCC Group

Scada security webinar 2012

AVEVA

CISSP Chapter 7 - Security Operations

Karthikeyan Dhayalan

Through the Eyes of the Attacker: Designing Embedded Systems Exploits for Industrial Control Systems In 2017 a malware framework dubbed TRITON (also referred to as TRISIS or HatMan) was discovered targeting a petrochemical plant in Saudi Arabia. TRITON was designed to compromise the Schneider Electric Triconex line of Safety Instrumented Systems (SIS), potentially in order to cause physical damage. TRITON is the most complex publicly known ICS attack framework to date and the first publicly known one to target safety controllers. While the functionality of the malware is understood, little is known about the complexity of developing such an implant. The goal of this talk is to provide the audience with a “through the eyes of the attacker” experience in designing advanced embedded systems exploits & implants for Industrial Control Systems (ICS). Attendees will learn about the background of the TRITON incident, the process of reverse-engineering and exploiting ICS devices and developing implants and OT payloads as part of a cyber-physical attack and will be provided with details on real-world ICS vulnerabilities and implant strategies. In the first part of the talk we will provide an introduction to ICS attacks in general and the TRITON incident in particular. We will outline the danger of TRITON being repurposed by copycats and estimate the complexity and development cost of such offensive ICS capabilities. In the second and third parts of the talk we will discuss the process of exploiting ICS devices to achieve code execution and developing ICS implants and OT payloads. We will discuss real-world ICS vulnerabilities and present several implant scenarios such as arbitrary code execution backdoors (as used in TRITON), pin configuration attacks, protocol handler hooking to spoof monitored signal values, suppressing interrupts & alarm functionality, preventing implant removal and control logic restoration and achieving cross-boot persistence. We will discuss several possible OT payload scenarios and how these could be implemented on ICS devices such as the Triconex safety controllers. In the final part of the talk we'll wrap up our assessment of the complexity & cost of developing offensive ICS capabilities such as the TRITON attack and offer recommendations to defenders and ICS vendors.

Defcon through the_eyes_of_the_attacker_2018_slides

Marina Krotofil

Network performance testing for devices and systems can be a daunting task for vendors and end-users given the cost of test equipment and the investment that the companies have to spend in developing relevant tests and understanding the results. During the last couple years, a group of low cost computing systems have been introduced that are very capable from a functional point of view, but how well do they actually perform? Can they be used in a low-cost performance testing lab system to validate ICS devices before they go into production? Can end-users use them to capture live traffic in their network and get reliable performance results? This talk will discuss how and when different types of equipment can be used to develop a low-cost network performance testing lab. It will also show results from a series of performance tests conducted on some of the equipment and with different testing architectures.

Low-Cost ICS Network Performance Testing

Jim Gilsinn

Defcon 22-gregory-pickett-abusing-software-defined-networks

Priyanka Aash

Gunter Ollmann, Microsoft As reverse engineering tools and hacking techniques have improved over the years, software engineers have been forced to bury their secrets deeper down the stack – securing keys and intellectual property first in software, then drivers, on to custom firmware and microcode, and eventually as etchings on the very silicon itself. For the hackers involved, the skills and tooling needed to extract and monetize these secrets come with ever increasing hurdles and cost. Yet, seemingly as a corollary to Moore’s Law, each year the cost of the tooling drops by half, while access (and desire) doubles. Today, with access to multi-million dollar semiconductor labs that can be rented for as little as $200 per hour, skilled adversaries can physically extract the most prized secrets from the integrated circuits (IC) directly. Understanding your adversary lies at the crux of every defensive strategy. This session reviews the current generation of tools and techniques used by professional hacking entities to extract the magic numbers, proprietary algorithms, and WORN (Write Once, Read Never) secrets from the chips themselves. As a generation of bug hunters begin to use such tools to extract the microcode and etched algorithms from the IC’s, we’re about to face new classes of bug and vulnerabilities – lying in (possibly) ancient code – that probably can’t be “patched”. How will we secure secrets going forward?

BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...

BlueHat Security Conference

Presented: BSidesDC 2015, Washington, DC, October 18, 2015 YouTube Video @ https://youtu.be/v3LBywLthjY Determining the overall health and security of an industrial control system (ICS) network is currently done by looking at the negative case. If the network infrastructure devices indicate that all the devices are connected and communicating, then the network must be operating correctly. If the controllers indicate that they are able to communicate with the other devices in the system, then the system must be operating correctly. If the network security monitoring (NSM) or security information and event management (SIEM) system are not indicating any security events, then the system must be operating correctly. In each of these cases, the assumption is that the system is operating correctly if there are no errors or events being indicated by any of the devices. In reality, the actual health and security of the system can only be determined by positive conditions. The communication streams need to be measured to determine that they are operating within certain limits based upon a desires set of conditions, like rate and maximum latency. Many controllers keep track of these factors for real-time communications, however they are often only recorded as averages and not high-fidelity measurements. This paper presents an approach to analyzing the real-time network traffic performance of an ICS by measuring the jitter and latency associated with individual network traffic streams in the system. By using statistical and mathematical analysis of the high-fidelity jitter and latency data, a network reliability factor can be determined and used to indicate the health of those traffic streams. The author will present a method to combine the individual network reliability factors into a network reliability monitoring system. Lastly, the author will discuss how network reliability monitoring can be used to indicate potential security problems by observing the network traffic patterns.

Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM

Jim Gilsinn

Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017

FRSecure

5 Under-utilized PCI Requirements and how you can leverage them

Praveen Vackayil

Presented by: Chris Sistrunk, Entergy Abstract: IT folks have been doing it for years – building labs to test new products before rolling them out – but the concept is still rather revolutionary to most practitioners of SCADA security. Yet the benefits of a lab are many, including training staff and solving real-world problems by replicating and attacking them in the relatively low-risk lab environment. But how do you pitch this (not inexpensive) idea in a way that gets organizational buy-in? And if your organization is just too small, what are the factors to considering when using a third-party lab? Hear ideas and ask questions of someone who evolved his organization’s capabilities from one small lab to five complete labs.

Come See What’s Cooking in My Lab

EnergySec

La actualidad más candente (20)

Defcon 22-tim-mcguffin-one-man-shop

RSAC 2016: How to Get into ICS Security

SCADA Security: The Five Stages of Cyber Grief

Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...

An Introduction to PowerShell for Security Assessments

ICS Network Security Monitoring (NSM)

Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...

ICS Security 101 by Sandeep Singh

Scada security presentation by Stephen Miller

How we breach small and medium enterprises (SMEs)

Scada security webinar 2012

CISSP Chapter 7 - Security Operations

Defcon through the_eyes_of_the_attacker_2018_slides

Low-Cost ICS Network Performance Testing

Defcon 22-gregory-pickett-abusing-software-defined-networks

BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...

Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM

Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017

5 Under-utilized PCI Requirements and how you can leverage them

Come See What’s Cooking in My Lab

Destacado

The presentation covers assessment, implementation methodology, and current level of success for addressing four key objectives which are protecting the controls fieldbus (networks) from untrusted networks (domain), secure and safe remote support capability from both inside and outside of the company, control supplier access to manufacturing equipment when onsite, and protect manufacturing systems from Malware and intrusion. This system isn’t theoretical, it’s in broad use and full critical production. If the time and connectivity is available a quick remote access demonstration can be given. The presentation will wrap up with a series of thoughts and ideas that occur to me regarding security in general as I listen to other organizations and groups talking about various security needs and activities.

ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...

Digital Bond

Should I Patch My ICS?

Digital Bond

Sean McBride of Critical Intelligence goes into some real world examples of success and failure in ICS Vulnerability Analysis. Viewers should be aware there may be a bit of bias to point out shortcomings since this is what Critical Intelligence does for a living, but loyal blog readers and anyone with insight knows the ICS-CERT Alerts and Advisories rarely provide worthwhile analysis. If you are looking for ICS vulnerability statistical data the first nine slides have very useful charts. The remainder of the presentation goes through some typical and important failures by ICS-CERT and vendor CERTs.

Writing ICS Vulnerability Analysis

Digital Bond

PLC Code Protection

Digital Bond

Presented @ 2016 ISA Process Control & Safety Symposium, November 10, 2016 The exchange of key information between business operations, suppliers, customers, production, and ultimately the production equipment itself can provide significant financial and productivity advantages. This presentation will discuss some practical approaches to utilizing the cyber security principles from ISA/IEC 62443 in order to integrate the business and production environments. It will also present some of the different solutions for meeting a variety of scenarios, such as data historians, patching/updating, and remote maintenance.

Practical Approaches to Securely Integrating Business and Production

Jim Gilsinn

Each SCADA network, in a healthy state, presents a specific quality of service (QoS) which rarely changes given the repetitive process of the IACS operations. The continuous monitoring of QoS parameters of an automation network may anticipate problems such as malware contamination and equipment failures like switches and routers. It is very important to be aware of these changes in behavior in order to receive alerts and promptly handle them, avoiding incidents that could compromise the operation of the network and be financially or environmentally costly. In this session Mr. Branquinho presents the results of tests to measure the performance of a simulated automation network parameters using a small SCADA network sandbox. First, the normal operating parameters of the network were measured. Next, several attacks were launched against the simulated automation network. At the conclusion of the work the graphs of the network in healthy state with the graphs of the network with the security incidents described above. The session will show how the network parameters were affected by each kind of incident and built a table showing the way the main parameters of an automation network were affected by the attacks.

Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...

Digital Bond

Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...

Digital Bond

Remote Control Automobiles at ESCAR US 2015

Digital Bond

Presented @ 2014 ICS Cyber Security Conference October 21, 2014 It’s been over a year since the NIST Cybersecurity Framework and ISA-62443-3-3 were published, ISA-62443-2-1 has been out for almost 5 years, and ISO/IEC 27001 & 27002 have been out for nearly a decade. NIST has already started their process for revisions, ISA is actively working to overhaul 62443-2-1, and ISO/IEC just published a major revision to their standard. In addition to these cross-domain standards, there are a multitude of local and sector-specific standards as well. As a consultant, we are often asked to use one of these as a baseline to help our customers generate an ICS cyber security program. This presentation will discuss some of the strengths and weaknesses of these different standards and the effort to integrate them into a realistic set of ICS cyber security program requirements.

Integrating the Alphabet Soup of Standards

Jim Gilsinn

Hacker Halted 2016 - How to get into ICS security

Chris Sistrunk

Dynamic Zoning Based On Situational Activity in ICS (Japanese)

Digital Bond

ICS Security Training ... What Works and What Is Needed (Japanese)

Digital Bond

Your SCADA system has a vulnerability, now what? I shortly summarize the DNP3 vulnerabilities (and other ICS protocols too). Then I focus on the different mitigations that an ICS owner can do to mitigate these types of protocol implementation vulnerabilities even if there is no patch or patches can't be installed. I also show the importance of doing Network Security Monitoring to help detect and respond to anomalies in ICS/SCADA networks.

BSidesAugusta ICS SCADA Defense

Chris Sistrunk

Common Techniques To Identify Advanced Persistent Threat (APT)

Yuval Sinay, CISSP, C|CISO

Lessons Learned from the NIST CSF

Digital Bond

Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...

arnaudsoullie

Destacado (16)

ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...

Should I Patch My ICS?

Writing ICS Vulnerability Analysis

PLC Code Protection

Practical Approaches to Securely Integrating Business and Production

Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...

Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...

Remote Control Automobiles at ESCAR US 2015

Integrating the Alphabet Soup of Standards

Hacker Halted 2016 - How to get into ICS security

Dynamic Zoning Based On Situational Activity in ICS (Japanese)

ICS Security Training ... What Works and What Is Needed (Japanese)

BSidesAugusta ICS SCADA Defense

Common Techniques To Identify Advanced Persistent Threat (APT)

Lessons Learned from the NIST CSF

Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...

Similar a Havex Deep Dive (English)

Transforming your Security Products at the Endpoint

Ivanti

Breaking the monolith to microservice with Docker and Kubernetes (k8s)

Tamir Dresher

Kunal - Introduction to backtrack - ClubHack2008

ClubHack

Workshop on BackTrack live CD

amiable_indian

Kunal - Introduction to BackTrack - ClubHack2008

ClubHack

I got 99 trends and a # is all of them

Roberto Suggi Liverani

Introduction to Malware Analysis

Andrew McNicol

Internship msc cs

Pooja Bhojwani

The talk will show you the techical details of Stuxnet in their full glory and make you appreciate this work of engineering more. Based on a code-level analysis of the Stuxnet PLC payload, the presentation will explain techniques therein that can be used for industrial espionage and sabotage by copycat attackers against competitor's production facilities. Currently recommended defenses, their shortcomings and alternative approaches will also be discussed. Bio: Felix 'FX' Lindner is founder and technical lead of the Recurity Labs GmbH consulting and research team. He is also the leader of the Phenoelit group and loves to hack pretty much everything with a CPU and some communication, preferably networked. He looks back at 15+ years of (legal) hacking with only a couple Cisco IOS and SAP remote exploits, tools for hacking HP printers and protocol attacks lining the road.

hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...

Area41

Catch Me If You Can - Finding APTs in your network

DefCamp

Indicator of Compromise (IOC) is a piece of information that can be used to search for or identify potentially compromised systems. openioc_scan is an open-source IOC scanner for memory forensics and implemented as a plugin of Volatility Framework. By checking IOCs in RAM images (e.g., code injection sign, used/hooked API functions, unpacked code sequences), we can detect malware faster and deeper than disk-based traditional IOCs. In this presentation, I explain how to define and improve IOCs for openioc_scan, introduce IOC examples including not only IOCs for specific malware but also ones focusing on generic traits of malware. I also show remote malware triage automation combining with F-Response.

openioc_scan - IOC scanner for memory forensics

Takahiro Haruyama

[若渴計畫] Challenges and Solutions of Window Remote Shellcode

Aj MaChInE

As presented at LinuxCon/ContainerCon 2016: Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and anti-malware agents. Unfortunately, those techniques introduce performance and management challenges when used at large VM densities, and may not work well with containerized applications. Fortunately, the Xen Project community has collaborated to create a solution which reduces the potential of success associated with rootkit attack vectors. When combined with recent advancements in processor capabilities, and secure development models for container deployment, it’s possible to both protect against and be proactively alerted to potential zero-day attacks. In this session, we’ll cover models to limit the scope of compromise should an attack be mounted against your infrastructure. Two attack vectors will be illustrated, and we’ll see how it’s possible to be proactively alerted to potential zero-day actions without requiring significant reconfiguration of your datacenter environment. Technology elements explored include those from Black Duck, Bitdefender, Citrix, Intel and Guardicore.

Using hypervisor and container technology to increase datacenter security pos...

Tim Mackey

As presented by Tim Mackey, Senior Technical Evangelist - Black Duck Software, at LinuxCon/ContainerCon 2016: Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and anti-malware agents. Unfortunately, those techniques introduce performance and management challenges when used at large VM densities, and may not work well with containerized applications. Fortunately, the Xen Project community has collaborated to create a solution which reduces the potential of success associated with rootkit attack vectors. When combined with recent advancements in processor capabilities, and secure development models for container deployment, it’s possible to both protect against and be proactively alerted to potential zero-day attacks. In this session, we’ll cover models to limit the scope of compromise should an attack be mounted against your infrastructure. Two attack vectors will be illustrated, and we’ll see how it’s possible to be proactively alerted to potential zero-day actions without requiring significant reconfiguration of your datacenter environment. Technology elements explored include those from Black Duck, Bitdefender, Citrix, Intel and Guardicore.

Using hypervisor and container technology to increase datacenter security pos...

Black Duck by Synopsys

how-to-bypass-AM-PPL

nitinscribd

Typhoon Managed Execution Toolkit

Dimitry Snezhkov

Digital Forensic Assignment Help

Global Web Tutors

Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1

securityxploded

On Tuesday, June 22nd Jonny Griffin, Security Engineer at Working Group Two, gave a presentation at a three day conference at GSMA FASG. In the last three years, Working Group Two has been developing a DevSecOps framework to ensure their cloud-native mobile core network is secure. Automating Cloud Security introduces the topics around cloud computing, DevSecOps, cloud-native Security Layers, and how WG2 built a security tool chain that can be leveraged by any organisation. As security is evolving so is WG2's capabilities for identifying, preventing, and responding to security events in our networks.

Automating cloud security - Jonny Griffin

Jonnathan Griffin

2008-03-06 Harris Corp Security Seminar

Shawn Wells

Similar a Havex Deep Dive (English) (20)

Transforming your Security Products at the Endpoint

Breaking the monolith to microservice with Docker and Kubernetes (k8s)

Kunal - Introduction to backtrack - ClubHack2008

Workshop on BackTrack live CD

Kunal - Introduction to BackTrack - ClubHack2008

I got 99 trends and a # is all of them

Introduction to Malware Analysis

Internship msc cs

hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...

Catch Me If You Can - Finding APTs in your network

openioc_scan - IOC scanner for memory forensics

[若渴計畫] Challenges and Solutions of Window Remote Shellcode

Using hypervisor and container technology to increase datacenter security pos...

how-to-bypass-AM-PPL

Typhoon Managed Execution Toolkit

Digital Forensic Assignment Help

Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1

Automating cloud security - Jonny Griffin

2008-03-06 Harris Corp Security Seminar

Más de Digital Bond

The Future of ICS Security Products

Digital Bond

The RIPE Experience

Digital Bond

Assessing the Security of Cloud SaaS Solutions

Digital Bond

Active Directory in ICS: Lessons Learned From The Field

Digital Bond

Accelerating OT - A Case Study

Digital Bond

Unidirectional Security Appliances to Secure ICS

Digital Bond

S4xJapan Closing Keynote

Digital Bond

Survey and Analysis of ICS Vulnerabilities (Japanese)

Digital Bond

Incubation of ICS Malware (English)

Digital Bond

Unsolicited Response - Getting BACnet Off of the Internet (Japanese)

Digital Bond

Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)

Digital Bond

Application Whitelisting and DPI in ICS (English)

Digital Bond

Industrial Wireless Security (Japanese)

Digital Bond

S4x14 Session: You Name It; We Analyze It

Digital Bond

This excellent session by Alexander Bolshev (@dark_k3y) was a very pleasant surprise, and it's a bit frustrating that it is one of the three lost S4x14 videos. We were concerned that it would be a bit S4x13 / insecure by design / low hanging fruit, but HART has received so little attention that we thought it was worth including in S4x14. HART is widely used in DCS to connect controllers and instruments. The HART Foundation says over 30 million HART devices are deployed. Alexander covers the protocol in the early slides, but make sure you look at slides 16-21 where he shows how he can change the RTU's Polling Unit ID (who the RTU expects to poll it) to create a man-in-the-middle attack. There are a number of other HART protocol attacks described, but I was most interested in his HRT Shield board - a high-power low-noise HART modem Arduino shield for sniffing, injecHng, and jamming current loop. He brought over some boards that we are building up to have in our Rack when we go out on an assessment. I should note, mainly to avoid an email from Jeff, that WirelessHART has integrated security such as source/data authentication and encryption. As we walk through plants and factories we are seeing a number of these WirelessHART devices. They are easy to spot because they can be deployed in the most physically convenient place without worrying about wiring.

HART as an Attack Vector

Digital Bond

Más de Digital Bond (15)

The Future of ICS Security Products

The RIPE Experience

Assessing the Security of Cloud SaaS Solutions

Active Directory in ICS: Lessons Learned From The Field

Accelerating OT - A Case Study

Unidirectional Security Appliances to Secure ICS

S4xJapan Closing Keynote

Survey and Analysis of ICS Vulnerabilities (Japanese)

Incubation of ICS Malware (English)

Unsolicited Response - Getting BACnet Off of the Internet (Japanese)

Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)

Application Whitelisting and DPI in ICS (English)

Industrial Wireless Security (Japanese)

S4x14 Session: You Name It; We Analyze It

HART as an Attack Vector

Último

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

This presentation explores the impact of HTML injection attacks on web applications, detailing how attackers exploit vulnerabilities to inject malicious code into web pages. Learn about the potential consequences of such attacks and discover effective mitigation strategies to protect your web applications from HTML injection vulnerabilities. for more information visit https://bostoninstituteofanalytics.org/category/cyber-security-ethical-hacking/

HTML Injection Attacks: Impact and Mitigation Strategies

Boston Institute of Analytics

Real Time Object Detection Using Open CV

Khem

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

MINDCTI Revenue Release Quarter One 2024

MIND CTI

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

Tata AIG General Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Havex Deep Dive (English)

1. Havex: A Deep Dive Corey Thuen Digital Bond Labs

2. Havex Overview

3. What is Havex? Crouching Yeti / Energetic Bear APT campaign Unknown origin Targets Industrial Control Systems

4. Havex Delivery Trojanized Software Installers Spear-phishing attacks Waterhole attacks No 0-day exploits

5. Havex Analysis Analysis was conducted against the Havex Remote Access Trojan (RAT) that appeared as a trojanized installer for mbconnect Analysis of Command & Control traffic requests Analysis of Downloadable Modules

6. Havex Analysis Command and Control Traffic

7. Havex Analysis Command and Control Server analysis C2 server not secured Directory browsing possible Fun but not our focus today

8. OPC Module Deep Dive

9. What is OPC? Common bridge for process control systems Uses Microsoft COM/DCOM Standard maintained by OPC Foundation consortium

10. Analysis Environment Challenges with ICS malware environments: ICS Equipment may not be virtualizable Debugging and monitoring may be difficult

11. OPC Environment Win2k8 - Matrikon OPC Simulator Server WinXPsp3 - Malware execution Win2k8 - Domain controller (to make DCOM easier)

12. OPC Environment

13. OPC Module Analysis

14. OPC Module Analysis Sample: Sha-1 6aca45bb78452cd78386b8fa78dbdf2dda7fba6cc06482251e2a6820849c9e82 md5 6bfc42f7cb1364ef0bfd749776ac6d38

15. Dynamic Analysis Regshot Sysinternals - Procmon DNS & Network Monitor VMWare + Snapshots

16. Dynamic Analysis - Regshot

17. Dynamic Analysis - Procmon

18. Static Analysis Strings CFF Explore IDA Pro Resource section analysis

19. Static Analysis - Strings

20. Static Analysis - CFF Explore

21. Static Analysis - IDA

22. Static Analysis - Resource Section Decryption & Analysis

23. OPC Module Code Flow

24. Code Flow - Decrypt Config File

25. Code Flow - Create tmp files

26. Code Flow - Create run log

27. Code Flow - Find Systems with DCOM

28. Code Flow - Find Systems with DCOM OPC uses DCOM for communication DCOM supports enumeration of connected systems Step 1 when wanting OPC data is to find available OPC Servers

29. Code Flow - Enumerate OPC Servers

30. Code Flow - Enumerate OPC Servers OPC servers have “tags” that are data points, controls, etc. OPC tag information is valuable to attackers Havex uses DCOM to get the list of tags on each OPC server to which it can connect

31. Code Flow - OPC Output Log

32. Code Flow - Pack it up for Havex RAT

33. Summary 1. Havex infects system 2. RAT downloads modules from C2 servers 3. OPC module scans for local OPC servers including tag lists 4. OPC information is packaged up and sent to C2

34. Conclusions • Havex is not attempting to hide • No new vulnerabilities or 0-days are used • OPC Information is collected and delivered to C2 • No control is attempted These modules are reconnaissance For who? For what purpose? Is there a specific target desired?

35. Questions? Corey Thuen thuen@digitalbond.com @CoreyThuen - Twitter plus.google.com/+CoreyThuen

Havex Deep Dive (English)

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (16)

Similar a Havex Deep Dive (English)

Similar a Havex Deep Dive (English) (20)

Más de Digital Bond

Más de Digital Bond (15)

Último

Último (20)

Havex Deep Dive (English)