A notorious Chinese hacking collective known as APT1 or Comment Crew, possibly linked to the Chinese army, has been caught red-handed breaking into a fake United States water control system, i.e. a honeypot.
Kyle Wilhoit, a researcher with security company Trend Micro, revealed the details at the Black Hat conference on Wednesday.
The attackers broke into what appeared to be a water control system for a US municipality back in December last year, but it was merely a decoy set up by Wilhoit; they gained full access using a Word document hiding malicious software.
The honeypots directly mimicked the ICS/Scada devices used in many critical infrastructure power and water plants. Cloud software was used to create realistic Web-based login and configuration screens for local water plants seemingly based in Ireland, Russia, Singapore, China, Japan, Australia, Brazil, and the U.S.
The attackers were tracked back to the APT1 group, which security company Mandiant has claimed operates as part of China's army. Wilhoit used a tool called the Browser Exploitation Framework, or BeEF, to gain access to his attackers' systems and get precise data on their location. He was able to access data from their Wi-Fi cards to triangulate their location.
Between March and June this year Wilhoit's 12 honeypots attracted 74 attacks; roughly half of the critical attacks on his honeypots came from China, with others originating from Germany, the UK, France, Palestine and Japan. "I actually watched the attacker interface with the machine. It was 100 percent clear they knew what they were doing," Wilhoit said.
The incident has led Wilhoit to believe that other utilities around the world may have already been infiltrated by hackers, and that engineers working at these facilities may not realize that their systems have been compromised. The attacks reportedly occurred before the US opened talks with China over cyber security.
Sunday, May 26, 2013 (2013-05-26T08:28:00-11:00), Mohit Kumar
For all the talk about China and the Syrian Electronic Army, it seems there is another threat to U.S. cyber interests: Iran. A series of potentially destructive computer attacks targeting American oil, gas and electricity companies has been tracked back to Iran.
Iranian hackers were able to gain access to control-system software that could allow them to manipulate oil or gas pipelines. Malware has been found in the power grid that could be used to deliver malicious software to damage plants. The targets have included several American oil, gas and electricity companies, which government officials have refused to identify.
The officials stated that the goal of the Iranian attacks is sabotage rather than espionage, whereas the cyber attacks from China are aimed more at stealing confidential information from the U.S. government and from private business. Mandiant announced that the Chinese government was backing the attacks; however, officials from the government in Beijing vehemently denied any connection to them.
The new attacks, officials said, were devised to destroy data and manipulate the machinery that operates critical control systems, like oil pipelines. Iran has denied being the source of any attacks, adding that it had been a victim of American sabotage.
Tom Cross, director of security research at Lancope, said that industrial control systems such as those used to control oil and gas pipelines are more interconnected with public networks like the Internet than most people realize. "It is also difficult to fix security flaws with these systems because they aren't designed to be patched and restarted frequently. In the era of state-sponsored computer attack activity, it is not surprising to hear reports of these systems being targeted," he said.
Government officials also claimed that Iran was the source of a separate continuing campaign of attacks on American financial institutions that began last September and has since taken dozens of American banks intermittently offline, costing millions of dollars. But that attack was a less sophisticated "denial of service" effort.
Monday, December 17, 2012 (2012-12-17T05:20:00-11:00), Pierluigi Paganini
The Stuxnet case is considered by security experts the first concrete act of cyber warfare: a piece of malware specifically designed to hit SCADA systems inside nuclear plants in Iran.
The event alerted the international security community to the risks of a cyber attack against supervisory control and data acquisition (SCADA) systems in industrial environments.
SCADA systems are used in practically every industrial control system (ICS) for the control and monitoring of industrial processes, and those processes, such as critical infrastructure and utility facilities, are potential targets of a cyber attack.
Manufacturing, production, power generation, water treatment facilities, electrical power transmission and distribution and large communication systems are all considered critical assets in every country and represent privileged targets for cyber attacks.
Obtaining access to a SCADA system is the fundamental step for an attacker who wants to compromise the controlled processes, and contrary to what you might think, it is not a rare event.
In the majority of cases SCADA systems are not protected, despite the crucial role they perform in controlling processes; by compromising them it is possible to directly cause serious damage to real-life infrastructure. SCADA hacking is the classic example of the real-world impact of attacks that originate in cyberspace.
What follows is an interesting proof of concept of attacks against Echelon SCADA systems that I found on the internet, based on the architecture of the Echelon iLON100 SCADA system.
The targets are chosen by analyzing server responses, in particular those whose HTTP headers contain the value WindRiver-WebServer in the Server header and Basic realm="i.LON" in the WWW-Authenticate header.
The targets selected with the method described run Echelon SmartServer 2.0, which is affected by a couple of vulnerabilities, one totally new (a 0-day) and one disclosed some time ago; more information on the i.LON system is available at the following address: http://www.lon-catalog.ru/.
After a little research on the internet, the hacker found source code for WindRiver firewalls on the following website
Once the final target has been analyzed, the attacker only has to execute the exploit against it. The post reports: "Then you should have the admin panel to change everything on the box."
The post reports a list of devices directly controlled from the admin console of the SCADA system; it is possible to note that its main use is for heating.
By accessing a single device it is possible to set its operating parameters; let's imagine the effects on industrial processes or on SCADA systems inside a nuclear plant … it has already happened and it could happen again!
The steps proposed are very simple and demonstrate how vulnerable critical infrastructures are. Many security experts believe that the most complicated phase is finding the targets, i.e. SCADA systems exposed on the internet for various reasons. That's wrong!
Many hackers use the "Shodan Computer Search Engine" to find SCADA systems exposed on the internet; the popular website also gives a useful set of information on the possible targets. Many of these systems lack proper authentication mechanisms and in many cases are not updated.
Shodan is the equivalent of Google for machines exposed on the internet: a search engine for servers, routers, load balancers and any other network device.
“Search results include information like HTTP server responses to GET requests, FTP and Telnet service banners and client/server messages exchanged during login attempts, and SSH banners (including server versions).”
It is fundamental that governments improve their cyber strategies to protect SCADA systems, requiring compliance with strict security regulations to ensure their security and prevent external attacks.
• Deploy secure remote access methods such as Virtual Private Networks (VPNs) for remote access
• Remove, disable, or rename any default system accounts (where possible)
• Implement account lockout policies to reduce the risk from brute forcing attempts
• Implement policies requiring the use of strong passwords
• Monitor the creation of administrator level accounts by third-party vendors
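Two of the measures in the list above, account lockout against brute forcing and monitoring of administrator accounts created by third-party vendors, can be checked mechanically against a device's authentication log. The script below is an added example written for this page, not code from the original post or from any SCADA vendor; the log line format, the account names, the `vendor_` naming convention and the thresholds are all assumptions, and the sample log is constructed.

```python
"""Added example: apply a sliding-window lockout policy and a vendor-created-admin
alert to a constructed stream of HMI authentication and account-management events.
Log format, account names, prefixes and thresholds are assumptions, not a product's."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log (not captured from any real device).
SAMPLE_LOG = """\
2012-12-17T05:20:01 LOGIN_FAIL user=operator src=203.0.113.5
2012-12-17T05:20:03 LOGIN_FAIL user=operator src=203.0.113.5
2012-12-17T05:20:04 LOGIN_FAIL user=operator src=203.0.113.5
2012-12-17T05:20:06 LOGIN_FAIL user=operator src=203.0.113.5
2012-12-17T05:20:07 LOGIN_FAIL user=operator src=203.0.113.5
2012-12-17T05:20:09 LOGIN_OK   user=operator src=203.0.113.5
2012-12-17T05:25:00 LOGIN_OK   user=vendor_acme src=198.51.100.7
2012-12-17T05:25:30 ACCOUNT_CREATE by=vendor_acme new=svc_backup role=admin
2012-12-17T05:26:00 ACCOUNT_CREATE by=plant_admin new=shift2 role=operator
"""

# "<ISO timestamp> <EVENT> key=value key=value ..." (assumed format)
LINE_RE = re.compile(r"^(\S+) (\w+)\s+(.*)$")


def parse_line(line):
    """Return (timestamp, event, fields) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1))
    fields = dict(kv.split("=", 1) for kv in m.group(3).split())
    return ts, m.group(2), fields


class LockoutPolicy:
    """Lock an account after max_failures failed logins inside a sliding window."""

    def __init__(self, max_failures=5, window=timedelta(minutes=1),
                 lock_for=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lock_for = lock_for
        self.failures = defaultdict(deque)  # account -> recent failure timestamps
        self.locked_until = {}              # account -> datetime the lock expires

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        return until is not None and now < until

    def record_failure(self, account, now):
        """Register a failed login; return True if it trips the lockout threshold."""
        q = self.failures[account]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures and not self.is_locked(account, now):
            self.locked_until[account] = now + self.lock_for
            q.clear()
            return True
        return False


def audit(log_text, vendor_prefix="vendor_"):
    """Replay the log and return a list of (finding, subject, detail) tuples."""
    policy = LockoutPolicy()
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, event, f = parsed
        if event == "LOGIN_FAIL":
            if policy.record_failure(f["user"], ts):
                findings.append(("LOCKOUT", f["user"], f["src"]))
        elif event == "LOGIN_OK":
            # A success while the policy says "locked" means the device did not
            # enforce the lockout (or has none): the brute force may have worked.
            if policy.is_locked(f["user"], ts):
                findings.append(("LOGIN_WHILE_LOCKED", f["user"], f["src"]))
        elif event == "ACCOUNT_CREATE":
            # Administrator-level accounts created by third-party vendor logins.
            if f.get("role") == "admin" and f["by"].startswith(vendor_prefix):
                findings.append(("VENDOR_ADMIN_CREATE", f["by"], f["new"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

On the sample log the replay yields three findings: the `operator` account trips the lockout on its fifth failure, the immediately following successful login for that account is flagged because it should have been refused while locked, and the `admin`-role account created by `vendor_acme` is reported for review. Feeding the same checker the device's real audit export would tell an operator whether the lockout policy is actually enforced rather than merely written down.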
If you think that SCADA systems today are secure, or in case you are not yet convinced of the criticality of the problem, let me suggest you watch the video "ReVuln - SCADA 0-day vulnerabilities".
It is a showcase of some SCADA 0-day exploits owned by the security company ReVuln; the 0-day vulnerabilities are all server-side and remotely exploitable. The video shows issues affecting the following vendors: General Electric, Schneider Electric, Kaskad, ABB/Rockwell, Eaton, Siemens … nobody is secure. Note that many other 0-day vulnerabilities owned by ReVuln affecting other well-known SCADA/HMI vendors have not been included in this video.
The attackers "can take control of the machine with the maximum privileges (SYSTEM on Windows) granted by the affected service," said ReVuln co-founder and security researcher Luigi Auriemma.
"They can install rootkits and other types of malware or obtain sensitive data (like passwords used on other computers of the same network) and obviously they can control the whole infrastructure."
As you can imagine, the situation is very concerning!
Thursday, October 25, 2012 (2012-10-25T08:57:00-11:00), Mohit Kumar
Reid Wightman of security firm IOActive reported that there is an undocumented backdoor in CoDeSys software, which is used to manage equipment in power plants, military environments, and ships.
The bug allows malicious hackers to access sensitive systems without authorization, Ars reported. The CoDeSys tool will grant a command shell to anyone who knows the proper command syntax and inner workings, leaving systems connected to the public Internet open to malicious tampering; there is absolutely no authentication needed to perform this privileged command, Wightman noted.
This software is used in industrial control systems sold by 261 different manufacturers. 3S-Smart Software Solutions, which designs CoDeSys, recently issued an advisory that recommends users set a password, but Wightman was still able to develop two exploit tools: codesys-shell.py (to get the CoDeSys command shell without authentication) and codesys-transfer.py (to read or write files on the PLC without authentication), both of which work without authentication.
This is another big security vulnerability that threatens power plants and other critical infrastructure, both in the United States and elsewhere in the world. Wightman said a simple search using Shodan showed 117 devices directly connected to the Internet.
Wightman said that additional vulnerability details and exploit code that automates the attack may be added to the Metasploit framework.
Wednesday, October 17, 2012 (2012-10-17T05:38:00-11:00), Mohit Kumar
Eugene Kaspersky is working with his engineers at Russian security firm Kaspersky Lab to create a secure-by-design OS for ICS. In an interview Kaspersky said: "It's true no one else ever tried to make a secure operating system. This may sound weird because of the many efforts Microsoft, Apple and the open source community have made to make their platforms as secure as possible. With all respect, we should admit they were developing a universal solution for a wide range of application and various kinds of users. And security and usability is always a matter of compromise! With a universal OS a developer inevitably sacrifices security for usability."
Companies that maintain ICS are forced to try to patch them on the fly in the event of a malware attack, a process usually easier said than done. Instead, Kaspersky suggests that the solution lies in a secure operating system, one on which ICS software can be installed. Such an OS could help ensure that industrial systems stay healthy and that the data they generate is reliable.
Energy and water plants, factories and transportation systems are typically run with SCADA (supervisory control and data acquisition) systems that are accessible via conventional computer networks, making them vulnerable to hackers, Kaspersky said.
"We aim to develop a highly tailored OS specifically for ICS without any compromise in usability. As a matter of fact, we are somewhat lucky here as usability was never a point in the industrial control systems. What is really valued in this market is a guarantee and our business model will include such guarantees."
Though Kaspersky feels the OS is doable, he did refer to its development as a "sophisticated project" since it requires working with industrial companies. And since the project is just getting off the ground, he declined to reveal any specific information at this point.