2.
Sergey Gordeychik – Positive Hack Days Director and Scriptwriter, WASC board member – http://www.phdays.com
Gleb Gritsai – Principal Researcher, Network security and forensic researcher, member of PHDays Challenges team – @repdet
3.
Group of security researchers focused on ICS/SCADA, to save Humanity from industrial disaster and to keep Purity Of Essence
Sergey Gordeychik
Roman Ilin
Artem Chaykin
Dmitry Efanov
Andrey Medov
Alexander Zaitsev
Dmitry Sklyarov
Roman Ilin
Kirill Nesterov
Gleb Gritsai
Ilya Karpov
Yuriy Dyachenko
Yuri Goltsev
Sergey Scherbel
Dmitry Serebryannikov
Alexander Timorin
Alexander Tlyapov
Denis Baranov
Sergey Bobrov
Sergey Drozdov
Vladimir Kochetkov
Timur Yunusov
Dmitry Nagibin
Vyacheslav Egoshin
Evgeny Ermakov
4.
Analytics: “SCADA security in numbers”
Industrial Protocols
ICS systems on the internets
plcscan for S7 and Modbus
Vulnerabilities
Siemens WinCC components and vulnerabilities
Lots of “We don’t know yet”
5.
6.
To find an ICS system
To find a vulnerable device
Get https://scans.io/ (~500 GB) = ~$60
Index by Elastic Search (3 CPU days) = $0
Grep it all!
It’s all vulnerable (for sure!) = $0
Put in Excel (I hate it!) = $9000
CoV = ($60 + $0 + $0 + $9000)/68076 = $0.1330865503261061
31. This is my encryption key
Metasploit module for harvesting data from WinCC project’s database and decrypting ciphertexts
http://scadastrangelove.blogspot.com/2013/08/wincc-harvester-metasploit-module-is.html
36.
ActiveX components – for communication and rendering of HMI
Another component of WinCC – for example, forwarding commands to the PLC via the S7 protocol
IIS extension SCSWebBridgex.dll – manages SCS connection and converts data to PAL
CCEServer.exe (yep-yep, again) – WinCC core: manages requests of components
WebNavigatorRT.exe – rendering HMI and command transmission
[kudos to Alexander Tlyapov @rigros1]
42.
What is Project?
Collection of ActiveX/COM/.NET objects
Event Handlers and other code (C/VB)
Configuration files, XML and other
Can Project be trusted?
Ways to spread malware with Project?
43. NO!
Project itself is dynamic code
It’s easy to patch it “on the fly”
Vulnerabilities in data handlers
How to abuse?
Simplest way – to patch event handlers
44.
Sub OnClick(Byval Item)
    ' Project event handler patched to drop a file into the WinCC directory (slide demo)
    Dim tagName, tagValue, tagFilename
    Dim strFilename, strLine
    Dim fso, objFile, objTag
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set objFile = fso.CreateTextFile("%WinCC%1.exe", True)
    strLine = "malware code here"
    objFile.WriteLine strLine
    objFile.Close
End Sub
52.
Understand the components’ roles
Define entry points (input)
  how they communicate (i.e. HMI-DCS-PLC)
  how they store data (i.e. account/project data)
  User input, IPC communications, command protocols
Analyze code
  Resurrect structures/classes used in entry points
  Research initialization and processing
53.
54. Regex
# grep recv <decompiled bin function>
ret = recv(s, buf, buf_len, flags)
# grep 'buf|buf_len' <decompiled bin function>
ret = recv(s, buf2, buf[42], flags)
This is not supposed to work in the real world!
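The two-step grep from the slide above, written out as a small Python triage script (an added example, not code from the original deck). It assumes a `recv(s, buf, len, flags)` argument order in the decompiler output, and the pseudocode it scans is a constructed sample; as the slide says, this naive heuristic only catches the obvious case and misses aliasing and arithmetic on the received data.

```python
import re

# Constructed decompiled pseudocode standing in for a real decompiler dump
SAMPLE = """\
int handle_client(int s) {
    ret = recv(s, buf, buf_len, flags);
    if (ret <= 0) return -1;
    ret = recv(s, buf2, buf[42], flags);
    ret = recv(s, buf3, sizeof(buf3), 0);
    return ret;
}
"""

# Assumed argument order: recv(socket, buffer, length, flags)
RECV_RE = re.compile(r"recv\(\s*(\w+)\s*,\s*(\w+)\s*,\s*([^,]+?)\s*,\s*([^)]+)\)")
IDENT_RE = re.compile(r"[A-Za-z_]\w*")


def find_tainted_recv(pseudocode):
    """Return (line_no, buffer, length_expr) for each recv() whose length
    argument mentions a buffer that an earlier recv() in the same text filled.
    This is the slide's 'grep recv, then grep the buffer name' heuristic."""
    filled = set()      # buffers written by recv() so far (attacker-controlled)
    findings = []
    for no, line in enumerate(pseudocode.splitlines(), 1):
        m = RECV_RE.search(line)
        if not m:
            continue
        buf, length = m.group(2), m.group(3).strip()
        # Any identifier in the length expression that names a filled buffer
        # means the peer controls how much the next recv() may write.
        if set(IDENT_RE.findall(length)) & filled:
            findings.append((no, buf, length))
        filled.add(buf)
    return findings


if __name__ == "__main__":
    for no, buf, length in find_tainted_recv(SAMPLE):
        print(f"line {no}: recv into {buf} with peer-derived length {length}")
```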