Recent malware infections on control system networks in Brazil
Marcelo Branquinho
ACS Conference, Washington DC
September 2011

TI Safe Segurança da Informação LTDA, 2007-2010. All rights reserved.
No need to copy... just download it

http://www.tisafe.com/recursos/palestras/

TI Safe on Twitter
 •   Follow us on Twitter: @tisafe

About Myself

 Marcelo Branquinho
 Marcelo.branquinho@tisafe.com

 •   Electrical engineer specializing in computer systems, with an MBA in business
     management; one of the founders of the ISACA chapter in Rio de Janeiro.
 •   Member of ISA International and currently director of TI Safe, where he heads
     security for industrial automation systems.
 •   With 12 years of experience in critical infrastructures and government agencies in
     Brazil, Marcelo is coordinating the development of the Automation Security Training,
     the first Brazilian training in this segment.
 •   Currently a collaborator of the WG5 TG2 Gap Analysis Task Group that is revising the
     ANSI/ISA-99 standard.

Agenda
 •    Malware infections on control system networks in Brazil
            Case Study 1: Automation Plants of Steel Industry “A”
              •   Network Architecture
              •   Automation Systems Composition
              •   Policies
              •   Installed Defenses
              •   About the AHACK worm
              •   Malware Infection
              •   Implemented Countermeasures
            Case Study 2: Power Plant of Steel Industry “B”
              •   Network Architecture
              •   Automation Systems Composition
              •   Policies
              •   Installed Defenses
              •   Malware Infection
              •   About the Conficker worm
              •   Implemented Countermeasures

 •    Conclusion and Challenges

 * Due to confidentiality agreements, the steel companies' names and all possible
   references to their plants were removed from the presentation slides

Case Study 1

          Automation Plants of Steel Industry “A”

About Steel Industry “A”

 •   Steel Industry “A” is one of the largest producers of steel in the Americas, with
     major steel mills in Brazil and a total capacity of about 10 million metric tons
     of steel per year.
 •   The company accounts for about ¼ of total steel output in Brazil.
 •   The company also operates in the logistics sector through stakes in local
     Brazilian logistics companies.
 •   Started operations in 1964.

Network Architecture
 •   5 automation networks (one for each automation area)
 •   No documentation:
         There is no complete inventory of the automation networks; these networks simply grew according to
         business needs, without consistent planning
         There are no network diagrams for the areas

 •   IT network connected to the Internet, with firewalls protecting this connection
 •   No network segmentation
         No firewalls or VLANs separating the automation and IT networks
         Any automation network can reach any other automation network
         All main services run on IT servers
         Any computer on the corporate network has read/write access to any PLC on the automation networks

 •   No Windows domain
         SCADA servers (Windows based) have no login (applications start automatically after reboot)

 •   Remote access (Internet based) is widely used by employees and third parties to
     reach SCADA
         A single username/password for ALL remote users

Automation Systems Composition
 •   Main applications:
        Siemens STEP7, DCOM and OPC client
        Siemens WinCC Flexible OPC server
        SCADA FactoryLink
        Elipse, FactoryLink and DCOM
        Oracle 10g and Message Queue
        DEC BASEstar, Cimfast and Rally
 •   Main SCADA servers
        DEC VAX and Alpha (many servers), all running OpenVMS
        Windows servers running Windows 2003 and 2008 (just a few)
        Some Windows servers still running very old operating systems such as Windows 95
        and Windows NT

Policies
 •   There is an IT security policy based on ISO 27001/27002 that is implemented on the IT
     network
         The IT and automation network teams don't talk to each other

 •   Automation and control systems are not compliant with international standards such as
     ANSI/ISA TR-99
 •   No specific automation security policy
         There are a few written procedures in which users assume all responsibility in case of security incidents.
         They just sign a single form and are then allowed to do whatever they want on the automation networks (attach
         laptops, USB sticks, modems, etc.).

 •   There are some manual backups to tape, but nobody has ever tested whether they restore
     data correctly when needed
 •   Passwords
         Where they exist, they are weak and widely known; the prevailing idea is that systems must not stop because
         of a strong or unknown password
         Passwords are never changed on automation systems and are sometimes hard coded (for database
         connections, for example)
         Very frequently the password equals the application name (for example, if the database is ORACLE, the
         password is ORACLE)

Installed Defenses
 •   On most SCADA servers, system updates are disabled
 •   No service packs or patches have been installed for years
         In fact they have been completely ignored (nobody changes systems that are in production, for fear of
         stopping them)

 •   A Symantec Endpoint Protection suite is installed on the IT network and on some
     automation network computers, which creates a false sense of security
 •   There are no firewalls separating the automation and IT networks
 •   There is no IPS anywhere on the network (including the IT network)
 •   There are no security logs and no security monitoring

About the AHACK worm
 •   AHACK is a worm that can silently get into systems and steal sensitive
     information
 •   If a computer is infected by the AHACK worm, the following problems may occur:
         Sudden computer shutdown
         Bundled Trojan
         System32 errors
         .dll errors, .exe errors and runtime errors
         Slow computer performance
         Degraded system speed
         Driver update failures
         Program uninstall failures
         Blue Screen of Death errors

Malware Infection
 •   Date it was discovered at the plant: June 2008
 •   Malware: AHACK worm
 •   Where: Power and Blast Furnace Plant
 •   Consequences:
        The worm spread over the entire power plant automation network
        It flooded the network with unwanted packets and destabilized the communication
        between PLCs and supervision stations, compromising plant supervision
        On some machines the worm paralyzed important Windows services
        This loss of supervision caused stops and restarts of the SCADA systems,
        generating production losses and financial damage

Implemented Countermeasures
 •   Some less critical computers and SCADA servers were disinfected with the
     worm removal kit
 •   For about 3 critical SCADA servers that could not be stopped, the
     automation team wrote an internal document explaining:
        What to do when the worm activates (and how to recognize the worm's activity)
        Which applications and services should be restarted
        Whom to call in case the procedure fails (perhaps God ☺)
 •   All computers and pen drives now have to be scanned on a clean machine
     before they are connected to the automation network.
 •   3G modems were banned from the automation network

Implemented Countermeasures (cont.)
 •   A distributed Microsoft Active Directory domain was created to serve the 5 automation
     networks. This domain is composed of users and groups entirely separate from the
     corporate domain.
 •   The domain was created on 5 domain controllers (one for each automation
     area), configured in a redundant scheme where each change to a user or policy is
     automatically replicated to all domain controllers.
 •   To log in, a user may use any of the 5 domain controllers transparently, or
     even log in offline when outside the automation network.
 •   A security policy was configured for this domain with some important GPOs such as:
         Turn off Autoplay
         Account lockout after 3 attempts (locked for 1 minute before a new attempt)
         Prohibit new task creation
         Prohibit user installs
         Remove Task Manager
         Prohibit access to the Control Panel
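
The GPO list above, expressed as a script. This is an added example written for this page, not a script from TI Safe or from the plant. It assumes a Windows Server 2008 R2 (or later) domain controller of the automation domain with the GroupPolicy and ActiveDirectory PowerShell modules installed; the domain name automation.local, the GPO name and the OU path are placeholders. The registry values are the ones behind the corresponding Administrative Template policies in the Windows XP/2003-era templates and should be checked against the template version in use.

```powershell
# Added example, not from the deck. Creates a GPO carrying the lockdown settings listed on the
# slide, links it to the OU of the SCADA stations, and sets the domain account lockout policy.
# Assumes a Windows Server 2008 R2 (or later) DC of the automation domain with the GroupPolicy
# and ActiveDirectory modules; domain name, GPO name and OU path are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain   = 'automation.local'                           # placeholder
$GpoName  = 'Automation Station Lockdown'                # placeholder
$TargetOU = 'OU=SCADA Stations,DC=automation,DC=local'   # placeholder

# Account lockout after 3 attempts, locked for 1 minute. This is the domain's password policy,
# not a GPO registry value. Caveat: a worm that tries passwords against ADMIN$ shares
# (Conficker B/C) will lock every account it guesses at, so watch for lockout storms.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -LockoutThreshold 3 `
    -LockoutDuration (New-TimeSpan -Minutes 1) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 1)

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Automation domain lockdown: autorun, tasks, installs, taskmgr, control panel'
}

# Registry values behind the Administrative Template policies named on the slide.
# HKLM entries land in Computer Configuration, HKCU entries in User Configuration.
$settings = @(
    # Turn off Autoplay: bit mask of drive types with AutoRun disabled; 0xFF = all of them
    @{ Key = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Value = 0xFF },
    # Prohibit new task creation (Task Scheduler)
    @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0'; Name = 'Task Creation'; Value = 1 },
    # Prohibit user installs (Windows Installer)
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows\Installer'; Name = 'DisableUserInstalls'; Value = 1 },
    # Remove Task Manager
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Value = 1 },
    # Prohibit access to the Control Panel
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel'; Value = 1 }
)

foreach ($s in $settings) {
    Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Name -Type DWord -Value $s.Value | Out-Null
}

# Link and enforce, so a local administrator on a station cannot block inheritance of these settings.
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Review what was written before the stations pick it up on their next gpupdate.
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\gpo-report.html"
```

The lockout threshold is the setting that needs the most care in an environment that later meets Conficker: the worm's dictionary attack against ADMIN$ shares locks every account it tries, which is why the lockout is worth having only together with someone watching for a wave of locked accounts.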




Case Study 2

       Power Plant of Steel Industry “B”

About Steel Industry “B”
 •   Steel Industry “B” produces high-quality steel slabs, which are
     processed in European and US plants.
 •   The power plant has an installed capacity of 550 MW, producing energy
     from converter gas, blast furnace and coke plant steam.
 •   Started operations in 2009.

Network Architecture – Power Plant
 •   Approximately 180 computers compose the plant (workstations +
     servers), all running Windows.
 •   Documentation
        There is a complete inventory of the power plant network, documented in an Excel
        worksheet
        There are some network diagrams for the plant

 •   About the power plant automation network
        Existing firewalls: Cisco 800 and Hirschmann EAGLE
        No wireless networks communicate with this plant
        DHCP and DNS servers are on the IT network
        Connections to insecure third-party networks
        OPC data exchange with other automation plants inside the complex

Network Architecture – Power Plant (cont.)
 •   No Windows domain
        SCADA servers (all Windows based) have no login (applications start automatically after
        reboot)
 •   Remote access through the Internet for control and monitoring
        Authentication by username and password.
        There is just a single username and password for all remote users.
 •   Governance and monitoring
        The plant has geographically distant sites where access to the RTUs is very difficult
        Firewall and network logs are not analyzed
        An up-to-date McAfee antivirus runs inside the automation plant, but it
        neither stopped the infection nor prevented it from spreading
        Windows servers do not have current patches and service packs
        SCADA applications are not patched (manufacturers charge for this service and take a long time to
        perform it)

Automation Systems Composition
 •   Main systems:
        ALSPA P320 PLC
        ABB EGATROL
        ABB MicroSCADA
        ABB 800xA System, version 5.0 Rev D
        TDMS
        Siemens PCS7 WinCC
        Siemens STEP7 S7-400
        InTouch
 •   Main SCADA servers
        The plant has only 2 years of operation and all systems are based on Windows
        servers running Windows 2003 R2 SP2
 •   All workstations run Windows XP SP2
 •   Main OPC servers
        OPC – Energy Management System – KepServer 5
        Matrikon OPC Explorer version 3.5.0.0 / OPC Explorer version 3.2.1.150
        OSIsoft PI OPC

Policies
 •   There is an IT security policy based on ISO 27001/27002 that is not fully
     implemented on the IT network
        The IT and automation network teams talk to each other.
        Teams are very small for the size of the plant and security tasks have very low priority.
 •   Automation and control systems are not compliant with international standards
     such as ANSI/ISA TR-99
 •   No specific automation security policy
        Free use of laptops, removable USB media and 3G modems inside the automation networks,
        even directly connected to SCADA servers
        The automation team never had automation security training
 •   No backup policy.
        There are some manual backups to external hard disks, managed through an Excel worksheet.
 •   Passwords
        Where they exist, they are weak and widely known; the prevailing idea is that systems must not stop
        because of a strong or unknown password
        Passwords are never changed on automation systems and are sometimes hard coded (for
        database connections, for example). Very frequently the password equals the application
        name

Malware Infection
 •   Date it was discovered: 2 June 2011
 •   Malware: Conficker
 •   Where: Power Plant
 •   What happened:
          On 2 June 2011 the ALSPA system stopped. Investigation identified a virus (Conficker) on all ALSPA
          machines.
            •   The worm spread over the whole power plant automation network (and probably into other automation
                networks, but the investigation was limited to the power plant for lack of budget)
            •   It flooded the network with unwanted packets and destabilized the communication between PLCs
                and supervision stations, freezing most of the supervision systems.
                   –   WYSINWYG (What You See Is NOT What You Get ☺)
          The automation team cleaned the infected machines, but the worm infected them again.
          The Alstom team installed Windows Service Pack 2 on all machines (ALSPA system only), cleaned them,
          and the system went back to working well, disconnected from PI.
          The worm infected the PI machine and the “SGE” network, but was removed without problems.
          All systems work well while the external networks are disconnected. When these networks are
          reconnected, the malware “wakes up” and increases the network traffic, freezing the supervision station
          screens. Because of this, the automation team decided to keep these external networks disconnected.
            •   Since the infection began the company has been paying monthly fines to the government because some
                important reports (such as environmental control reports) are not being sent.
            •   Internal reports for production planning are being affected
            •   Chaos ensues every time it happens: operators lose control of the plant

How does Conficker spread?
 The worm self-propagates through the following vectors; hosts are likely to be
 infected whenever they come into contact with an infected host through one of them:

 •   Removable media such as USB hard drives, USB flash drives, DVDs, CD-ROMs, etc.
 •   Network hosts with out-of-date patches or without antivirus
 •   Other network hosts correctly patched and with AV, but with weak or default passwords
 •   Other networks that communicate with the power plant (via OPC, for instance)

Conficker Variants
 (detection date as month/year; the columns of the original table were infection vectors, update
 propagation, self-defense and end action)

 Variant A (detected 11/2008)
    Infection vectors: NetBIOS: exploits the MS08-067 vulnerability in the Server service
    Update propagation: HTTP pull: downloads from trafficconverter.biz; downloads daily from any of 250
                        pseudorandom domains over 5 TLDs
    Self-defense: none
    End action: updates itself to Conficker B, C or D

 Variant B (detected 12/2008)
    Infection vectors: NetBIOS: exploits MS08-067 in the Server service; dictionary attack on ADMIN$ shares;
                       removable media: creates a DLL-based AutoRun trojan on attached removable drives
    Update propagation: HTTP pull: downloads daily from any of 250 pseudorandom domains over 8 TLDs;
                        NetBIOS push: patches MS08-067 to open a reinfection backdoor in the Server service
    Self-defense: blocks certain DNS lookups; disables AutoUpdate
    End action: updates itself to Conficker C or D

 Variant C (detected 02/2009)
    Infection vectors: NetBIOS: exploits MS08-067 in the Server service; dictionary attack on ADMIN$ shares;
                       removable media: creates a DLL-based AutoRun trojan on attached removable drives
    Update propagation: HTTP pull: downloads daily from any of 250 pseudorandom domains over 8 TLDs;
                        NetBIOS push: patches MS08-067 to open a reinfection backdoor in the Server service;
                        creates a named pipe to receive a URL from a remote host, then downloads from that URL
    Self-defense: blocks certain DNS lookups; disables AutoUpdate
    End action: updates itself to Conficker D

 Variant D (detected 03/2009)
    Infection vectors: none
    Update propagation: HTTP pull: downloads daily from any 500 of 50,000 pseudorandom domains over 110 TLDs;
                        P2P push/pull: uses a custom protocol to scan for infected peers via UDP, then transfers via TCP
    Self-defense: blocks certain DNS lookups (in-memory patch of DNSAPI.DLL to block lookups of anti-malware
                  related web sites); disables Safe Mode; disables AutoUpdate; kills anti-malware (scans for and
                  terminates processes with names of anti-malware, patch or diagnostic utilities at one-second intervals)
    End action: downloads and installs Conficker E

 Variant E (detected 04/2009)
    Infection vectors: NetBIOS: exploits MS08-067 in the Server service
    Update propagation: HTTP pull: downloads daily from any 500 of 50,000 pseudorandom domains over 110 TLDs;
                        P2P push/pull: uses a custom protocol to scan for infected peers via UDP, then transfers via TCP
    Self-defense: blocks certain DNS lookups; disables AutoUpdate; kills anti-malware (scans for and terminates
                  processes with names of anti-malware, patch or diagnostic utilities at one-second intervals)
    End action: updates the local copy of Conficker C to Conficker D; downloads and installs a malware payload
                (Waledac spambot, SpyProtect 2009 scareware); removes itself on 3 May 2009 (but leaves the
                remaining copy of Conficker D)
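
A detection check for the "dictionary attack on ADMIN$ shares" vector in the table above: one source host failing logons against many different accounts within a few seconds is a worm, not a user. This is an added example for this page, not TI Safe's tooling. It assumes a CSV export of failed-logon Security events (event ID 529 on Windows 2003, 4625 on Windows 2008) reduced to the five columns shown; the rows embedded here are constructed, not real plant data.

```powershell
# Added example, not from the deck. Flags source hosts whose failed logons look like a
# password dictionary attack against ADMIN$ shares (the Conficker B/C vector).
# Input: a CSV export of failed-logon Security events (ID 529 on Windows 2003, 4625 on 2008)
# reduced to the five columns below. The rows here are constructed, not real plant data.
$sample = @'
Time,EventId,TargetUser,SourceHost,LogonType
2011-06-02 03:14:01,529,Administrator,OPS-WS12,3
2011-06-02 03:14:01,529,admin,OPS-WS12,3
2011-06-02 03:14:02,529,scada,OPS-WS12,3
2011-06-02 03:14:02,529,operator,OPS-WS12,3
2011-06-02 03:14:03,529,backup,OPS-WS12,3
2011-06-02 03:14:03,529,oracle,OPS-WS12,3
2011-06-02 03:14:04,529,root,OPS-WS12,3
2011-06-02 03:20:10,529,jsilva,ENG-WS03,2
2011-06-02 03:20:45,529,jsilva,ENG-WS03,2
'@

function Find-DictionaryAttackSources {
    param(
        [Parameter(Mandatory = $true)] [string] $Csv,
        [int] $MinDistinctAccounts = 5,   # one source failing against this many accounts...
        [int] $WindowSeconds = 60         # ...within this many seconds is a worm, not a typo
    )
    # Parse the text and add a real timestamp for sorting and span calculation.
    $events = $Csv | ConvertFrom-Csv |
        Select-Object *, @{ Name = 'Stamp'; Expression = { [datetime]$_.Time } }

    # Logon type 3 is a network logon, which is what SMB access to ADMIN$ produces;
    # type 2 (interactive) failures are a user at the console mistyping a password.
    $events | Where-Object { $_.LogonType -eq '3' } |
        Group-Object SourceHost | ForEach-Object {
            $sorted = @($_.Group | Sort-Object Stamp)
            $users  = @($sorted | Select-Object -ExpandProperty TargetUser -Unique)
            $span   = ($sorted[-1].Stamp - $sorted[0].Stamp).TotalSeconds
            if ($users.Count -ge $MinDistinctAccounts -and $span -le $WindowSeconds) {
                New-Object PSObject -Property @{
                    SourceHost       = $_.Name
                    DistinctAccounts = $users.Count
                    Attempts         = $sorted.Count
                    Seconds          = $span
                    FirstSeen        = $sorted[0].Stamp
                    Accounts         = ($users -join ',')
                }
            }
        }
}

# The reported source host(s) are candidates for isolation and for the "Mark 0" of the infection.
Find-DictionaryAttackSources -Csv $sample |
    Format-List SourceHost, DistinctAccounts, Attempts, Seconds, FirstSeen, Accounts
```

With the constructed rows, the burst from OPS-WS12 (seven distinct accounts in three seconds over network logons) is reported and the two interactive failures from ENG-WS03 are not. On a live domain the same function can be fed a Security log exported from Event Viewer once it is mapped to these five columns; on Windows 2003 the source host is the "Workstation Name" field of event 529.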
Antivirus diagnosis is not precise...

 • The antivirus does not tell which variant of Conficker is infecting the plant
 • The antivirus does not guarantee that this is really a Conficker infection (it may be
   Stuxnet)

Conficker or Stuxnet?
    Similar attack vectors
    It has been speculated that the latest variants of Conficker were the
    first variants of Stuxnet
    Both exploit the same vulnerability (MS08-067), even if coded differently
    Some similar symptoms
    Both advanced cyberweapons
    Conficker is sometimes regarded as a test run for Stuxnet
    You need a Stuxnet-oriented diagnosis to tell one from the other

Persistence
    Conficker “kills” the antivirus or anti-malware tools that have not detected it, so
    they will not receive new signatures and will never detect it.
    The worm tries to spread to other machines on the network and keeps an
    internal protocol that tells other peers when it is being removed, so
    those peers reinfect the host. This causes the increase in network traffic.
    It makes patched machines vulnerable again by altering the Server service of
    the machine (the reinfection backdoor).

Countermeasures (under deployment)

 [Diagram: the “disinfection cycle”, five steps drawn as a loop]
 Start: Automation Security Training (20 hours)
 a) Malware isolation and diagnosis
 b) Cleaning
 c) Border (perimeter) security
 d) Systems and connectivity restore
 e) Governance and monitoring

Malware Isolation and Diagnosis
 • Identification of all points of infection and contamination
   vectors using nmap and other tools
 • Confirmed that the attacker is the Conficker worm.
 • Identified which variant of Conficker is attacking the
   plant.
 • Identified the “Mark 0” (patient zero) of the infection.
 • Disconnected all external networks that communicate with
   the power plant.
 • Removed all computers that were not part of the power
   plant automation network (including those of third parties
   and consultants).

Cleaning
 • Tested the effectiveness of the current antivirus
 • For SCADA servers:
    • Asked the manufacturer to install the MS08-067
      patch.
    • Turned autorun off.
    • Stopped the service that listens on port 445 (file
      sharing is lost)
 • For other hosts:
    • Disinfected using the steps above and applied the
      same solutions used to clean the SCADA servers, without
      needing to wait for the manufacturers.
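
The three cleaning steps for a SCADA server, as an audit-and-remediate script. This is an added example for this page, not the procedure the automation team or the vendor used. It assumes it runs locally as an administrator on Windows XP/2003 or later, identifies the MS08-067 update by its hotfix number KB958644, and applies only the two steps that do not need the vendor, since the deck has the patch on a SCADA server installed by the manufacturer.

```powershell
# Added example, not from the deck. Audits (and with -Remediate, hardens) one Windows host for
# the three cleaning steps: MS08-067 patch present, AutoRun off, no listener on TCP 445.
# Assumes it runs locally as an administrator on Windows XP/2003 or later.
function Test-ConfickerHardening {
    param([switch] $Remediate)

    $result = New-Object PSObject -Property @{
        ComputerName    = $env:COMPUTERNAME
        MS08067Patched  = $false
        AutorunDisabled = $false
        Port445Closed   = $false
    }

    # 1. MS08-067 ships as KB958644; installed hotfixes are listed by Win32_QuickFixEngineering.
    #    Only reported, never installed here: on a SCADA server the patch comes from the vendor.
    $hotfixes = Get-WmiObject -Class Win32_QuickFixEngineering | Select-Object -ExpandProperty HotFixID
    $result.MS08067Patched = [bool]($hotfixes -contains 'KB958644')

    # 2. AutoRun: NoDriveTypeAutoRun = 0xFF disables AutoRun on every drive type, which closes the
    #    USB-stick vector (Conficker B/C drop an autorun.inf plus a DLL on removable drives).
    $explorerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if ($Remediate) {
        if (-not (Test-Path $explorerKey)) { New-Item -Path $explorerKey -Force | Out-Null }
        Set-ItemProperty -Path $explorerKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    }
    $value = Get-ItemProperty -Path $explorerKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    $result.AutorunDisabled = ($value -ne $null -and $value.NoDriveTypeAutoRun -eq 0xFF)

    # 3. TCP 445: the Server service (LanmanServer) owns the SMB listener that both the MS08-067
    #    exploit and the ADMIN$ dictionary attack reach. Stopping it also removes file sharing and
    #    the administrative shares from this host, which is the trade-off the slide accepts.
    if ($Remediate) {
        Stop-Service -Name LanmanServer -Force -ErrorAction SilentlyContinue
        Set-Service -Name LanmanServer -StartupType Disabled
    }
    $svc = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    $listening = [bool](netstat -a -n -p tcp | Select-String ':445\s+\S+\s+LISTENING')
    $result.Port445Closed = (($svc -eq $null) -or ($svc.Status -ne 'Running')) -and (-not $listening)

    return $result
}

# Audit only; add -Remediate to apply steps 2 and 3.
Test-ConfickerHardening | Format-List ComputerName, MS08067Patched, AutorunDisabled, Port445Closed
```

The netstat check is there because a stopped service is not the same as a closed port: Conficker B/C patch the Server service in memory to keep a reinfection path open, so the audit looks at what is actually listening rather than trusting the service state alone.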



Network Security - Implemented Solutions
 •   IBM-ISS NIPS GX4004 (for border security of the automation network)
         2 GX4004 configured on critical communication paths to the corporate
         network, working together with the firewalls that already existed in the
         infrastructure and that were hardened
         SiteProtector console configured at the CMI
 •   TOFINO (for internal security of the automation network and also OPC
     enforcement)
         9 Tofino Argon security appliances configured with the SAM, Firewall and
         OPC Enforcer LSMs
         Tofino Argon Central Management Platform configured at the CMI
 •   IBM TSM (automated backup)
         Agents installed on the main servers of the power plant
         Incremental backup to server, then to tape
         Management console installed at the CMI

Systems and Connectivity Restore
 •   Hardened all SCADA and OPC servers of the power plant
 •   Performed a complete and clean backup of the plant.
 •   Switched the IBM-ISS NIPS to block-and-log mode for Conficker attacks.
 •   Reconnected all external networks one by one.
 •   Checked whether Conficker (or any other attack) was
     coming from the external networks that were reconnected.

Governance and Monitoring
 •   Developed and implemented a specific security policy according to
     ANSI/ISA-99 best practices, which includes:
      • Access control policy for critical network devices such as PLCs
         and RTUs
      • VPN external access with strong passwords and individual
         user accounts
      • Internal training and internal awareness campaigns (endomarketing)
 •   Created an automation domain based on Microsoft Active Directory
      • Added machines and users to this domain and
         implemented transparent logon on stations, where applicable
 •   Configured GPOs for USB and logical port control
 •   Built an internal monitoring station (CMI)

The CMI – “Central de Monitoramento Interna” (Internal Monitoring Center)

 • Central server for security monitoring
 • Installed inside the automation network and managed by
   the automation team
 • Integration point between the customer's security team and
   the TI Safe remote support team (24 x 7)
 • Through the CMI the following are monitored and managed:
       IBM-ISS NIPS
       Tofino appliances
       IBM TSM automated backup
       Existing firewalls
       UPSs
       Environment variables of the main servers (processor, memory, disk, etc.)
       Network traffic

Conclusion and Challenges




Conclusion and Challenges
    In both case studies we are not talking about Stuxnet. I have no knowledge of any
    confirmed case of a Stuxnet infection in a Brazilian automation plant (which does not mean
    that it could not exist in Brazil, because industries may take too long to detect that they are
    infected and commonly hide those facts).
    Common worms that have very low impact on home computers or IT networks can
    completely paralyze automation networks, causing financial loss and exposing human lives
    to risk.
    The ANSI/ISA-99 zones and conduits model has never been deployed on an automation
    plant in Brazil.
        It is very hard for a company to implement this model after the plant is in production. Who would
        change the network architecture of a plant in production?
        In this case ANSI/ISA-99 is not useful, because it does not offer a subset of best practices for
        those who cannot apply the defense-in-depth model to their networks. In the confusion,
        automation managers get lost.
    ANSI/ISA-99 is not clear in its indication of security solutions.
        How can a user know which security solution should be used in each specific situation?

Conclusion and Challenges (cont.)
   Anti-virus on automation networks generates a false sense of security
       It is not ready for cyberweapons
       It does not protect computers with old operating systems
       In some cases it does not determine the worm variant and confuses users
       In other, worse cases it reports contamination by the wrong malware
       It is not able to detect some SCADA malware built in two stages (tests using
       Metasploit at TI Safe Labs; see the video at http://www.youtube.com/watch?v=DmHxFiCivi8 )
   Correctly diagnosing an infection is hard and must be done by experts
       It is fundamental to know who we are fighting against
       It is very important to discover the ground zero (patient zero) of the infection
   SCADA application patching is a problem because the manufacturers take too long to
   release patches
   Operating system updates are frequently disabled on SCADA servers, which leads to
   an insecure environment.
   There is no certified methodology to help industries recover infected automation
   networks. Security managers use what they think is the best countermeasure and
   frequently believe that they have cleaned the plant, but the malware reappears.
   There are other contaminated automation plants in Brazil.

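A worm that paralyses an automation network does so by scanning: each infected host opens connections to many neighbours within seconds, which is exactly the traffic a monitoring station such as the CMI records, and that traffic is independent of whatever name the anti-virus gives the sample. The script below is an added example, not code from TI Safe or from the talk; it takes connection records in a constructed format (timestamp, source, destination, destination port, TCP flag), flags hosts whose fan-out on TCP/445 looks like worm scanning, works out which scanner reached each victim first, and so names the candidate ground zero of the infection that the slide says must be found. The port, the fan-out threshold and window, the record format, the hostnames and the sample records are all assumptions made for this example.

```python
# Added example (not TI Safe's code): reconstruct a worm outbreak's timeline from
# connection records of the kind a monitoring station collects, and work back to
# the host where the outbreak entered the network.
from collections import defaultdict
from datetime import datetime, timedelta

WORM_PORT = 445                 # SMB, the port SMB worms scan (assumption for the sample)
FANOUT_THRESHOLD = 5            # distinct targets within WINDOW that count as scanning (assumed tuning)
WINDOW = timedelta(seconds=60)

# Constructed records, "date time src dst dst_port tcp_flag" (S = SYN). Invented for
# this example; the hostnames do not refer to the plants described in the talk.
CONN_LOG = """\
2011-06-01 08:00:05 HMI-07 FS-01 445 S
2011-06-01 08:00:06 HMI-07 HMI-01 445 S
2011-06-01 08:00:06 HMI-07 HMI-02 445 S
2011-06-01 08:00:08 HMI-07 HMI-03 445 S
2011-06-01 08:00:09 HMI-07 ENG-01 445 S
2011-06-01 08:01:00 HMI-01 FS-01 445 S
2011-06-01 08:01:30 FS-01 HIST-01 1433 S
2011-06-01 08:03:10 HMI-02 HMI-07 445 S
2011-06-01 08:03:11 HMI-02 HMI-01 445 S
2011-06-01 08:03:12 HMI-02 ENG-01 445 S
2011-06-01 08:03:14 HMI-02 HMI-03 445 S
2011-06-01 08:03:15 HMI-02 FS-01 445 S
2011-06-01 08:05:00 ENG-01 HMI-04 445 S
2011-06-01 08:05:01 ENG-01 HMI-02 445 S
2011-06-01 08:05:02 ENG-01 HMI-05 445 S
2011-06-01 08:05:03 ENG-01 HMI-06 445 S
2011-06-01 08:05:04 ENG-01 FS-01 445 S
"""


def parse_conn_log(text):
    """Parse the constructed record format into sorted (ts, src, dst, port, flag) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, clock, src, dst, port, flag = line.split()
        ts = datetime.strptime(date + " " + clock, "%Y-%m-%d %H:%M:%S")
        records.append((ts, src, dst, int(port), flag))
    records.sort()
    return records


def scan_start_times(records):
    """Map each host showing worm-like fan-out to the moment its scanning began: the
    first SYN from which at least FANOUT_THRESHOLD distinct targets on WORM_PORT
    follow within WINDOW. A single file-share connection never qualifies."""
    syns = defaultdict(list)
    for ts, src, dst, port, flag in records:
        if port == WORM_PORT and flag == "S":
            syns[src].append((ts, dst))
    starts = {}
    for src, events in syns.items():
        for i, (ts, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - ts <= WINDOW}
            if len(targets) >= FANOUT_THRESHOLD:
                starts[src] = ts
                break
    return starts


def propagation_edges(records, starts):
    """For each scanner, the earliest other scanner that probed it on WORM_PORT while
    already scanning and before the victim began scanning itself (its likely infector)."""
    infector = {}
    for ts, src, dst, port, flag in records:
        if port != WORM_PORT or flag != "S" or src == dst:
            continue
        if src in starts and dst in starts and starts[src] <= ts < starts[dst]:
            if dst not in infector or ts < infector[dst][1]:
                infector[dst] = (src, ts)
    return {victim: src for victim, (src, _) in infector.items()}


def patient_zero(starts, edges):
    """Scanners that no earlier scanner reached: where the outbreak entered the network."""
    return sorted(host for host in starts if host not in edges)


def outbreak_report(text):
    records = parse_conn_log(text)
    starts = scan_start_times(records)
    edges = propagation_edges(records, starts)
    return {
        "timeline": sorted((t.isoformat(sep=" "), h) for h, t in starts.items()),
        "edges": edges,
        "patient_zero": patient_zero(starts, edges),
    }


if __name__ == "__main__":
    report = outbreak_report(CONN_LOG)
    for when, host in report["timeline"]:
        source = report["edges"].get(host, "no earlier scanner")
        print(f"{when}  {host} started scanning TCP/{WORM_PORT}  (reached first by: {source})")
    print("patient zero:", ", ".join(report["patient_zero"]))
```

The attribution is a heuristic, not a proof: it credits the earliest scanner that touched a victim before the victim itself began scanning, which is the likeliest infector on this evidence alone. A scanner with no earlier network contact (the patient zero here) was typically infected another way, such as a removable drive, so the network timeline tells the responder where to look next rather than closing the case. Hosts that merely use a file share, such as HMI-01 in the sample, never reach the fan-out threshold and are not flagged.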
Thank You!

                    Marcelo Branquinho
              marcelo.branquinho@tisafe.com
             +55 21 2173-1159 / +55 21 9400-2290

Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 

Technical Presentation - Malware Infections in Brazil

  • 1. Recent malware infections on control system networks in Brazil
    Marcelo Branquinho
    ACS Conference – Washington DC
    September of 2011
    TI Safe Segurança da Informação LTDA, 2007-2010. All rights reserved.
  • 2. No need to copy... just download it: http://www.tisafe.com/recursos/palestras/
  • 3. TI Safe at Twitter
    • Follow us on Twitter - @tisafe
  • 4. About Myself
    Marcelo Branquinho
    Marcelo.branquinho@tisafe.com
    • Electrical Engineer who specializes in computer systems, with an MBA in business management; one of the founders of the ISACA chapter in Rio de Janeiro.
    • A member of ISA International, and currently the director of TI Safe, where he serves as head of security for industrial automation systems.
    • With extensive experience gained over 12 years in the field of critical infrastructures and government agencies in Brazil, Marcelo is coordinating the development of the Security Automation Training, the first Brazilian course in this segment.
    • Currently a collaborator of the WG5 TG2 Gap Analysis Task Group that is revising the ANSI/ISA-99 standard.
  • 5. Agenda
    • Malware infections on control system networks in Brazil
    • Case Study 1: Automation Plants of Steel Industry “A”
      – Network Architecture
      – Automation Systems Composition
      – Policies
      – Installed Defenses
      – About the AHACK worm
      – Malware Infection
      – Implemented Countermeasures
    • Case Study 2: Power Plant of Steel Industry “B”
      – Network Architecture
      – Automation Systems Composition
      – Policies
      – Installed Defenses
      – Malware Infection
      – About the Conficker worm
      – Implemented Countermeasures
    • Conclusion and Challenges
    * Due to confidentiality agreements, the steel industries' names and all possible references to their plants were removed from the presentation slides.
  • 6. Case Study 1: Automation Plants of Steel Industry “A”
  • 7. About Steel Industry “A”
    • Steel Industry “A” is one of the largest producers of steel in the Americas, with major steel mills in Brazil and a total capacity of about 10 million metric tons of steel per year.
    • The company accounts for about ¼ of total steel output in Brazil.
    • The company also operates in the logistics sector through stakes in local Brazilian logistics companies.
    • Started operations in 1964.
  • 8. Network Architecture
    • 5 automation networks (one for each automation area)
    • No documentation
      – There isn't a complete inventory of the automation networks; these networks simply grew according to business needs, without consistent planning
      – There are no network diagrams for each area
    • IT network connected to the Internet. There are firewalls protecting this connection
    • No network segmentation
      – No firewalls or VLANs separating automation and IT networks
      – Any automation network can access any other automation network
      – All main services are on IT servers
      – Any computer on the corporate network has read/write access to any PLC on the automation networks
    • No Windows domain
      – SCADA servers (Windows based) have no login (they run automatically after reboot)
    • Remote access (Internet based) is widely used by collaborators and third parties to access SCADA
      – A single username/password for ALL remote users
  • 9. Automation Systems Composition
    • Main applications:
      – Siemens STEP7, DCOM and OPC Client
      – Siemens WinCC Flex OPC Server
      – SCADA FactoryLink
      – Elipse
      – FactoryLink and DCOM
      – Oracle 10g and Message Queue
      – DEC Basestar, Cimfast and Rally
    • Main SCADA servers
      – DEC VAX and Alpha (many servers), all running OpenVMS
      – Windows servers running Windows 2003 and 2008 (just a few)
      – Some Windows servers still running very old operating systems like WINDOWS 95 and WINDOWS NT
  • 10. Policies
    • There's an IT Security Policy based on ISO 27001/27002 that is implemented on the IT network
      – IT and automation network teams don't talk to each other
    • Automation and control systems aren't compliant with international standards like ANSI/ISA TR-99
    • No specific automation security policy
      – There are a few written procedures where the users assume all responsibility in case of security incidents. They just sign a single term and are allowed to do whatever they want on the automation networks (attach laptops, USB sticks, modems, etc.).
    • There are some manual backups to tapes, but nobody has ever tested whether they will correctly restore data when necessary
    • Passwords
      – When they exist, they are weak and widely shared – the main idea is that systems can't stop due to strong or unknown passwords
      – Passwords are never changed on automation systems and are sometimes hard coded (for database connections, for example)
      – Very frequently, passwords are equal to the application name (for example, if the database is ORACLE, the password is ORACLE)
  • 11. Installed Defenses
    • On most of the SCADA servers, system updates are deactivated
    • No service packs or patches have been installed for years
      – In fact they have been completely ignored (nobody changes systems that are in production, for fear of stopping them)
    • There's a Symantec Endpoint Protection suite installed on the IT network and some automation network computers, which causes a false sense of security
    • There are no firewalls separating automation and IT networks
    • There is no IPS anywhere in the network (including the IT network)
    • There are no security logs and no security monitoring
  • 12. About the AHACK worm
    • AHACK Worm is a worm that can secretly get into systems and steal sensitive information
    • If a computer is infected by AHACK Worm, the following problems may happen:
      – Computer instant shutdown
      – Bundled Trojan
      – System32 error
      – .dll errors, .exe errors and runtime errors
      – Slow computer performance
      – Degraded system running speed
      – Driver update failure
      – Program uninstall failure
      – Blue Screen of Death errors
  • 13. Malware Infection
    • Date it was discovered at the plant: June/2008
    • Malware: AHACK Worm
    • Where: Power and Blast Furnace Plant
    • Consequences:
      – The worm spread over the whole power plant automation network
      – It flooded the network with unwanted packets and made the communication between PLCs and supervision stations unstable, compromising plant supervision
      – On some machines, the worm paralyzed important services of the Windows operating system
      – This lack of supervision caused some stops and restarts of the SCADA systems, generating production losses and financial damage
  • 14. Implemented Countermeasures
    • Some less critical computers and SCADA servers were disinfected with the worm removal kit
    • For about 3 critical SCADA servers that couldn't be stopped, the automation team wrote an internal document explaining:
      – What to do when the worm activates (and how to identify the activity of the worm)?
      – Which applications and services should be restarted?
      – Who they should call in case the procedure fails (perhaps God ☺)?
    • All computers and pen drives now have to be scanned on a clean machine before they are connected to the automation network.
    • 3G modems were banned from the automation network
  • 15. Implemented Countermeasures (cont.)
    • A distributed Microsoft Active Directory domain was created to serve the 5 automation networks. This domain is composed of users and groups entirely different from those of the corporate domain.
    • The domain was created on 5 different domain controllers (one for each automation area) and configured in a redundant scheme where every change to a user or policy is automatically replicated to all domain controllers.
    • To log in, a user may use any of the 5 domain controllers transparently, or even log in offline if outside the automation network.
    • A security policy was configured for this domain with some important GPOs, such as:
      – Turn off Autoplay
      – Account lockout after 3 attempts (locks for 1 minute before a new attempt)
      – Prohibit new task creation
      – Prohibit user installs
      – Remove Task Manager
      – Prohibit access to the Control Panel
  • 16. Case Study 2: Power Plant of Steel Industry “B”
  • 17. About Steel Industry “B”
    • Steel Industry “B” produces high-quality steel slabs, which are processed in European and US plants.
    • The power plant has an installed capacity of 550 MW to produce energy from converter gas, blast furnace and coke plant steam.
    • Started operations in 2009.
  • 18. Network Architecture – Power Plant
    • Approximately 180 computers compose the plant network (workstations + servers), all running Windows.
    • Documentation
      – There is a complete inventory of the power plant network, documented in an Excel worksheet
      – There are some network diagrams for the plant
    • About the power plant automation network
      – Existing firewalls: Cisco 800 and Hirschmann EAGLE
      – No wireless networks communicating with this plant
      – DHCP and DNS servers are inside the IT plant
      – Connections with insecure third-party networks
      – OPC data exchange with other automation plants inside the complex
  • 19. Network Architecture – Power Plant (cont.)
    • No Windows domain
      – SCADA servers (all Windows based) have no login (they run automatically after reboot)
    • Remote access through the Internet for control and monitoring
      – Authentication through username and password. There's just a single username and password for all remote users.
    • Governance and monitoring
      – The plant has geographically distant locations, and access to the RTUs is not very difficult
      – Firewall and network logs are not analyzed
      – There's an updated McAfee antivirus running inside the automation plant, but it didn't stop the infection or prevent it from spreading
      – Windows servers don't have updated patches and service packs
      – SCADA applications are not patched (manufacturers charge for this service and take a long time to perform it)
  • 20. Automation Systems Composition
    • Main systems:
      – ALSPA P320 PLC
      – ABB EGATROL
      – ABB MicroSCADA
      – ABB 800xA System, version 5.0 Rev D.
      – TDMS
      – Siemens PCS7 WinCC
      – Siemens STEP7 S7-400
      – Intouch
    • Main SCADA servers
      – The plant has only 2 years of operation and all systems are based on Windows servers running Windows 2003 R2 SP2
    • All workstations running Windows XP SP2
    • Main OPC servers
      – OPC – Energy Management System – KepServer 5
      – Matrikon OPC – OPC Explorer version 3.5.0.0 / OPC Explorer version 3.2.1.150
      – OPC – OSI PI
  • 21. Policies
    • There's an IT Security Policy based on ISO 27001/27002 that is not fully implemented on the IT network
      – IT and automation network teams talk to each other. Teams are very small for the size of the plant and security tasks have very low priority.
    • Automation and control systems aren't compliant with international standards like ANSI/ISA TR-99
    • No specific automation security policy
      – Free use of laptops, removable USB media and 3G modems inside the automation networks, even directly connected to SCADA servers
      – The automation team never had automation security training
    • No backup policy. There are some manual backups to external hard disks, managed through an Excel worksheet.
    • Passwords
      – When they exist, they are weak and widely shared – the main idea is that systems can't stop due to strong or unknown passwords
      – Passwords are never changed on automation systems and are sometimes hard coded (for database connections, for example).
      – Very frequently, passwords are equal to the application name
  • 22. Malware Infection
    • Date it was discovered: 02/06/2011
    • Malware: Conficker
    • Where: Power Plant
    • What happened:
      – On 02/06/2011 the ALSPA system stopped. After checking, a virus (Conficker) was identified on all machines of the ALSPA system.
    • The worm spread over the whole power plant automation network (and probably into other automation networks, but the investigation was limited to the power plant due to lack of budget)
    • It flooded the network with unwanted packets and made the communication between PLCs and supervision stations unstable, freezing most of the supervision systems. – WYSINWYG (What You See Is NOT What You Get ☺)
      – The automation team cleaned the infected machines, but the worm infected the machines again.
      – The Alstom team installed Windows Service Pack 2 on all machines (only on the ALSPA system), cleaned them, and the system returned to normal operation, disconnected from PI.
      – The worm infected the PI machine and the “SGE” network, but was removed without problems.
      – All systems work well while the external networks are disconnected. When these networks are reconnected, the malware “wakes up” and increases the network traffic, freezing the supervision station screens. Because of this, the automation team decided to keep these external networks disconnected.
    • Since the infection began, the company has been paying monthly fines to the government because some important reports (such as environmental control reports, for example) are not being sent.
    • Internal reports for production planning are being harmed
    • Chaos is established whenever it happens – operators lose control of the plant
  • 23. How does Conficker spread?
    Through its self-propagation mechanisms, the worm uses the following vectors, which are probably infected on contact with infected hosts:
    • USB removable media like hard drives, USB flash drives, DVDs, CD-ROMs, etc.
    • Network hosts with out-of-date patches or without antivirus
    • Other network hosts, correctly patched and with AV, but with weak or default passwords
    • Other networks that communicate with the power plant (via OPC, for instance)
  • 24. Conficker Variants
    • Conficker A (detection date 11/08)
      – Infection vectors: NetBIOS: exploits MS08-067 vulnerability in Server service
      – Update propagation: HTTP pull: downloads from trafficconverter.biz; downloads daily from any of 250 pseudorandom domains over 5 TLDs
      – Self-defense: none
      – End action: updates self to Conficker B, C or D
    • Conficker B (detection date 12/08)
      – Infection vectors: NetBIOS: exploits MS08-067 vulnerability in Server service; dictionary attack on ADMIN$ shares; removable media: creates DLL-based AutoRun trojan on attached removable drives
      – Update propagation: HTTP pull: downloads daily from any of 250 pseudorandom domains over 8 TLDs; NetBIOS push: patches MS08-067 to open reinfection backdoor in Server service
      – Self-defense: blocks certain DNS lookups; disables AutoUpdate
      – End action: updates self to Conficker C or D
    • Conficker C (detection date 02/09)
      – Infection vectors: NetBIOS: exploits MS08-067 vulnerability in Server service; dictionary attack on ADMIN$ shares; removable media: creates DLL-based AutoRun trojan on attached removable drives
      – Update propagation: HTTP pull: downloads daily from any of 250 pseudorandom domains over 8 TLDs; NetBIOS push: patches MS08-067 to open reinfection backdoor in Server service; creates named pipe to receive URL from remote host, then downloads from that URL
      – Self-defense: blocks certain DNS lookups; disables AutoUpdate
      – End action: updates self to Conficker D
    • Conficker D (detection date 04/09)
      – Infection vectors: none
      – Update propagation: HTTP pull: downloads daily from any 500 of 50000 pseudorandom domains over 110 TLDs; P2P push/pull: uses custom protocol to scan for infected peers via UDP, then transfers via TCP
      – Self-defense: blocks certain DNS lookups (does an in-memory patch of DNSAPI.DLL to block lookups of anti-malware related web sites); disables Safe Mode; disables AutoUpdate; kills anti-malware: scans for and terminates processes with names of anti-malware, patch or diagnostic utilities at one-second intervals
      – End action: downloads and installs Conficker E
    • Conficker E (detection date 07/09)
      – Infection vectors: NetBIOS: exploits MS08-067 vulnerability in Server service
      – Update propagation: HTTP pull: downloads daily from any 500 of 50000 pseudorandom domains over 110 TLDs; P2P push/pull: uses custom protocol to scan for infected peers via UDP, then transfers via TCP
      – Self-defense: blocks certain DNS lookups; disables AutoUpdate; kills anti-malware: scans for and terminates processes with names of anti-malware, patch or diagnostic utilities at one-second intervals
      – End action: updates local copy of Conficker C to Conficker D; downloads and installs malware payload: Waledac spambot, SpyProtect 2009 scareware; removes self on 3 May 2009 (but leaves remaining copy of Conficker D)
  • 25. Antivirus diagnosis is not precise...
    • The antivirus doesn't tell which variant of Conficker is infecting the plant
    • The antivirus doesn't guarantee that this is really a Conficker infection (it may be Stuxnet)
  • 26. Conficker or Stuxnet?
    • Similar attack vectors
    • It is speculated that the latest variants of Conficker were the first variants of Stuxnet
    • They exploit the same vulnerability (even if coded differently)
    • Some similar symptoms
    • Both are advanced cyberweapons
    • Conficker is sometimes regarded as a proof-of-concept for Stuxnet
    • You need a Stuxnet-oriented diagnosis to differentiate one malware from the other
  • 27. Persistence
    • Conficker “kills” anti-virus or anti-malware products that haven't detected it, so they won't receive new signatures and will never detect it.
    • The worm tries to spread to other machines on the network and keeps an internal protocol that advises other peers when it is being exterminated, so these peers reinfect the host – this causes the increase in network traffic
    • It turns patched machines vulnerable again by corrupting the Server service of the machine.
  • 28. Countermeasures (under deployment)
    Disinfection Cycle
    Start: Automation Security Training (20 hs)
    a) Malware Isolation and Diagnosis
    b) Cleaning
    c) Border Security
    d) Systems and Connectivity Restore
    e) Governance and Monitoring
  • 29. Malware Isolation and Diagnosis
    • Identification of all points of infection and contamination vectors using nmap and other tools
    • Checked that the attacker is the Conficker worm.
    • Identified which variant of Conficker is attacking the plant.
    • Identified the “Mark 0” of the infection.
    • Disconnected all external networks that communicate with the power plant.
    • Removed all computers that were not part of the power plant automation network (including third parties' and consultants').
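The two spreading behaviours listed on slides 23 and 24 (MS08-067 exploitation over TCP/445 against many hosts, and dictionary attacks on ADMIN$ shares) and the "find the infection points and the Mark 0" step of slide 29 can be turned into detection logic over the firewall logs that slide 19 says nobody was analyzing. The script below is an added example, not TI Safe's tooling or anything from the slides; the log format, host addresses, timestamps and thresholds are constructed assumptions.

```python
"""Flag Conficker-style lateral movement in firewall/flow log lines.

Heuristics follow the spreading behaviour described on the slides:
  * MS08-067 exploitation over TCP/445 from one source to many hosts
    (fan-out), which is also the traffic surge seen when peers re-infect
    each other;
  * dictionary attacks on ADMIN$ shares (repeated logon failures).
Log format, hosts, timestamps and thresholds are constructed for this
example; they are not any vendor's format or real plant data.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _constructed_log():
    """Build the constructed sample log (not real plant data)."""
    lines = []
    # 10.1.1.20 sweeps 12 hosts on TCP/445 within 22 s starting 08:00:00
    for i in range(12):
        lines.append(f"2011-06-02T08:00:{i * 2:02d} 10.1.1.20 -> 10.1.1.{100 + i}:445 SYN")
    # ...and fails six logons against ADMIN$ on one of them
    for i in range(6):
        lines.append(f"2011-06-02T08:01:{i:02d} 10.1.1.20 -> 10.1.1.107:445 AUTH_FAIL ADMIN$")
    # an engineering workstation reaching three file servers on 445 is normal
    for i in range(3):
        lines.append(f"2011-06-02T08:02:{i * 10:02d} 10.1.1.50 -> 10.1.1.{10 + i}:445 SYN")
    # OPC/DCOM endpoint-mapper traffic on TCP/135 must not trip the 445 rule
    for i in range(15):
        lines.append(f"2011-06-02T08:03:{i:02d} 10.1.1.60 -> 10.1.1.{100 + i}:135 SYN")
    # a second host starts the same sweep five minutes later (re-infected peer)
    for i in range(12):
        lines.append(f"2011-06-02T08:05:{i * 2:02d} 10.1.1.33 -> 10.1.1.{100 + i}:445 SYN")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Parse '<ISO timestamp> <src> -> <dst>:<port> <event...>'; None if malformed."""
    parts = line.split()
    if len(parts) < 5 or parts[2] != "->" or ":" not in parts[3]:
        return None
    dst, _, port = parts[3].rpartition(":")
    try:
        ts = datetime.fromisoformat(parts[0])
        port = int(port)
    except ValueError:
        return None
    return {"ts": ts, "src": parts[1], "dst": dst, "port": port,
            "event": " ".join(parts[4:])}


def parse_log(text):
    """Parse all well-formed lines, skipping blank and malformed ones."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return [e for e in events if e is not None]


def detect_fanout(events, port=445, threshold=10, window=timedelta(seconds=60)):
    """Return {src: timestamp} for sources that open `port` to at least
    `threshold` distinct destinations inside any sliding `window`.
    The timestamp is the moment the threshold was first crossed."""
    per_src = defaultdict(list)
    for e in events:
        if e["port"] == port and e["event"] == "SYN":
            per_src[e["src"]].append((e["ts"], e["dst"]))
    alerts = {}
    for src, conns in per_src.items():
        recent = []  # (ts, dst) pairs inside the current window
        for ts, dst in sorted(conns):
            recent.append((ts, dst))
            while ts - recent[0][0] > window:  # drop connections older than the window
                recent.pop(0)
            if len({d for _, d in recent}) >= threshold:
                alerts[src] = ts
                break
    return alerts


def detect_share_bruteforce(events, threshold=5):
    """Return {src: failures} for sources with >= threshold failed ADMIN$ logons."""
    fails = defaultdict(int)
    for e in events:
        if e["event"] == "AUTH_FAIL ADMIN$":
            fails[e["src"]] += 1
    return {s: n for s, n in fails.items() if n >= threshold}


def earliest_spreader(fanout_alerts):
    """Source that crossed the fan-out threshold first. This is where a
    'Mark 0' investigation starts, not proof of the original entry point:
    the log may simply begin after the real first infection."""
    if not fanout_alerts:
        return None
    return min(fanout_alerts, key=fanout_alerts.get)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    fan = detect_fanout(evs)
    for src, ts in sorted(fan.items(), key=lambda kv: kv[1]):
        print(f"{ts.isoformat()} fan-out on TCP/445 from {src}")
    for src, n in detect_share_bruteforce(evs).items():
        print(f"{n} failed ADMIN$ logons from {src}")
    print("earliest observed spreader:", earliest_spreader(fan))
```

On the constructed log the two sweeping hosts are flagged while the workstation and the OPC/DCOM traffic on TCP/135 are not; the same fan-out rule is what slide 32's "reconnect external networks one by one and check whether the attack returns" step needs to watch for.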
  • 30. Cleaning
    • Tested the effectiveness of the current antivirus
    • For SCADA servers:
      – Triggered the manufacturer to install the MS08-067 patch.
      – Turned autorun off.
      – Disabled the service that listens on port 445 (file sharing will be lost)
    • For other hosts:
      – Disinfected using the steps above and applied the same solutions used to clean the SCADA servers, without the need to wait for manufacturers.
  • 31. Network Security - Implemented Solutions
    • IBM-ISS NIPS GX4004 (for border security of the automation network)
      – 2 GX4004 configured on critical communication paths to the corporate network, working together with the firewalls that already existed in the infrastructure and that were hardened
      – SiteProtector console configured at the CMI
    • TOFINO (for internal security of the automation network and also OPC enforcing)
      – 9 Tofino Argon Security Appliances configured with SAM, Firewall and OPC Enforcer LSMs
      – Tofino Argon Central Management Platform configured at the CMI
    • IBM TSM (automated backup)
      – Agents installed on the main servers of the power plant
      – Incremental backup to server tape
      – Management console installed at the CMI
  • 32. Systems and Connectivity Restore
    • Hardened all SCADA and OPC servers of the power plant
    • Performed a complete and clean backup of the plant.
    • Switched the IBM-ISS NIPS mode to block and log Conficker attacks.
    • Reconnected all external networks one by one.
    • Checked whether the Conficker attack (or any other attack) was coming from the external networks that were reconnected.
  • 33. Governance and Monitoring
    • Developed and implemented a specific security policy according to ANSI/ISA-99 best practices, which includes:
      – Access control policy for critical network devices such as PLCs and RTUs
      – VPN external access with strong passwords and independent users
      – Internal training and endomarketing
    • Created an automation domain based on Microsoft Active Directory
    • Added machines and users to this domain and implemented transparent logon on stations, where applicable
    • Configured GPOs for USB and logical port control
    • Built an internal monitoring station (CMI)
  • 34. The CMI – “Central de Monitoramento Interna” (Internal Monitoring Center)
    • Central server for security monitoring
    • Installed inside the automation network and managed by the automation team
    • Integration point between the customer security team and the TI Safe remote support team (24 x 7)
    • Through the CMI, the following are monitored and managed:
      – IBM-ISS NIPS
      – Tofino appliances
      – IBM TSM automated backup
      – Existing firewalls
      – UPSs
      – Environment variables of the main servers (processor, memory, disk, etc.)
      – Network traffic
  • 35. Conclusion and Challenges
  • 36. Conclusion and Challenges
    • In both case studies, we are not talking about Stuxnet. I have no knowledge of any proven case of a Stuxnet infection in a Brazilian automation plant (which doesn't mean it could not exist in Brazil, because industries may take too long to detect that they are infected and commonly hide those facts).
    • Common worms that have very low impact on home computers or IT networks can completely paralyze automation networks, causing financial loss and exposing human lives to risk.
    • The ANSI/ISA-99 Zones and Conduits model has never been deployed in an automation plant in Brazil. It is very hard for a company to implement this model after the plant is in production. Who would change the network architecture of a plant in production?
    • In this case ANSI/ISA-99 is not useful, because it doesn't mention a subset of best practices for those who cannot apply the defense-in-depth model to their networks. With the confusion, automation managers get lost.
    • ANSI/ISA-99 is not clear in its indication of security solutions. How can a user know which security solution should be used in each specific situation?
  • 37. Conclusion and Challenges (cont.)
    • Anti-virus on automation networks generates a false sense of security
      – They are not ready for cyberweapons
      – They don't protect computers with old operating systems
      – In some cases they don't determine the worm variant and confuse users
      – In other, worse cases, they indicate contamination by the wrong malware
      – They are not able to detect some SCADA malware developed in 2 stages (tests using Metasploit at TI Safe Labs – check the video at http://www.youtube.com/watch?v=DmHxFiCivi8)
    • Correctly diagnosing an infection is hard and must be done by experts
      – It's fundamental to know who we are fighting against
      – It's very important to discover the Mark 0 of the infection
    • SCADA application patching is a problem because the manufacturers take too long to patch
    • Operating system updates are frequently disabled on SCADA servers, which leads to an insecure environment.
    • There isn't a certified methodology to help industries recover infected automation networks. Security managers use what they think is the best countermeasure and frequently believe that they cleaned the plant, but the malware reappears.
    • There are other contaminated automation plants in Brazil.
  • 38. Thank You!
    Marcelo Branquinho
    marcelo.branquinho@tisafe.com
    +55 21 2173-1159 / +55 21 9400-2290
    www.tisafe.com