Stuxnet – Getting to the target Liam O Murchu Operations Manager, Symantec Security Response 1 Feb 2011.

Agenda
1. Stuxnet Capabilities
2. Network Distribution Tactics
3. Intel & Targets
4. Sophistication & Success
5. Solutions & Lessons Learned

Stuxnet Features
- Discovery disclosed in July 2010
- Attacks industrial control systems, most likely an Iranian uranium enrichment facility
- Modifies and hides code on Siemens PLCs that are connected to frequency converters
- Contains 7 propagation methods, 4 zero-day exploits, 1 previously known exploit, 3 rootkits, 2 stolen code-signing certificates, 2 Siemens security issues and 1 target
- 3 versions: June 2009, March 2010, April 2010

Stuxnet is targeted
[Figure: Iranian target]

Stuxnet & PLCs
Programmable Logic Controller (PLC):
- Monitors input and output lines: sensors on the inputs, switches and equipment on the outputs
- Many different vendors
Stuxnet is targeted:
- Seeks specific models: Siemens S7-300 and S7-400
- Searches for a specific configuration before it acts

Programming a PLC: Step 7, STL and MC7
- Simatic Step 7 software is used to write PLC code in STL or other languages
- STL code is compiled to MC7 byte code
- MC7 byte code is transferred to the PLC
- The control PC can then be disconnected; the PLC runs the code on its own

Attack Preparation
[Figure: Uranium Enrichment Facility, Stuxnet Creator, PLC, Control PC]

Attack Considerations
[Figure: Air Gap, Corporate LAN, Internet, etc.]

How Stuxnet Attacks Corporations
Stuxnet uses 7 different methods to propagate towards the control PC:
1. USB drives (zero-day)
2. Print Spooler vulnerability (zero-day)
3. Windows vulnerability (the one previously known, already patched exploit)
4. Network shares
5. Peer-to-peer (P2P) sharing between infected machines
6. WinCC hard-coded database password
7. Step 7 project files

Self-Replication: Step 7 Project Files
Project layout (example project MyProject.s7p):
  ApiLog\types
  hOmSave7\S7HK40AX, hOmSave7\S7HK41AX, ...
  xutils\links, xutils\listen, ...

Record format (ApiLog\types and DB entries):
  +00 WORD   count
  +02 BYTE[] records

Step 7 search order when loading s7hkimdb.dll:
  %Step7%\S7BIN
  %SYSTEM32%
  %SYSTEM%
  %WINDIR%
  the project's hOmSave7\* subdirectories

Files Stuxnet adds to the project:
  hOmSave7\*\s7hkimdb.dll  (loader DLL)
  xr*.mdx                  (encrypted Stuxnet)
  s7p00001.dbf             (Stuxnet data file)
  s*.mdx                   (Stuxnet config data file)
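The project layout above suggests a simple check an operator can run over a Step 7 project directory. The scanner below is an added example, not code from the talk or from Symantec: it flags any DLL sitting under a project's hOmSave7 subdirectories (the search-order position Stuxnet abused for s7hkimdb.dll) and, more generally, any file in the project that carries the PE "MZ" header, on the assumption that a Step 7 project should hold only data files. The sample project tree mirrors the slide's directory names, but every file body in it (the .s7p text, the byte records, the 64-byte MZ stub) is constructed here. It does not try to judge the xutils payload files, since their full names are not given on the slide.

```python
"""Scan a Siemens Step 7 project directory for the Stuxnet-style trojan layout.

Added example. Indicators: a DLL under hOmSave7\\<subdir>\\ (where Step 7 looks
for s7hkimdb.dll after the system locations), and any PE image anywhere in the
project. The demo project tree and all file contents are constructed.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

LOADER_DIR = "homsave7"      # compared case-insensitively against path parts
LOADER_DLL = "s7hkimdb.dll"  # the DLL name Step 7 resolves through hOmSave7\*


def is_pe(path: Path) -> bool:
    """True if the file starts with the DOS 'MZ' magic of a Windows PE image."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def scan_step7_project(root: str | Path) -> list[tuple[str, str]]:
    """Walk a Step 7 project and return (reason, relative POSIX path) findings."""
    root = Path(root)
    findings: list[tuple[str, str]] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        parent_dirs = [p.lower() for p in rel.parts[:-1]]
        if LOADER_DIR in parent_dirs and path.suffix.lower() == ".dll":
            # A DLL in a project data directory is the loader hijack itself.
            reason = "loader-dll-in-hOmSave7"
            if path.name.lower() == LOADER_DLL:
                reason += ":" + LOADER_DLL
            findings.append((reason, rel.as_posix()))
        elif is_pe(path):
            # Executable code hiding under any other name or extension.
            findings.append(("pe-image-in-project", rel.as_posix()))
    return findings


def build_sample_project(root: str | Path, infected: bool) -> Path:
    """Create a constructed, minimal project tree using the slide's directory names.

    File contents are made up for the demo; only the 'MZ' prefix of the dropped
    DLL stand-in is meaningful to the scanner.
    """
    root = Path(root)
    (root / "ApiLog").mkdir(parents=True)
    (root / "hOmSave7" / "S7HK40AX").mkdir(parents=True)
    (root / "xutils" / "links").mkdir(parents=True)
    (root / "xutils" / "listen").mkdir(parents=True)
    (root / "MyProject.s7p").write_text("[Project]\nName=MyProject\n")
    # ApiLog\types in the slide's record format: WORD count, then records.
    (root / "ApiLog" / "types").write_bytes(b"\x01\x00" + b"DB\x00" * 4)
    (root / "xutils" / "links" / "links.dbf").write_bytes(b"\x03" * 64)
    if infected:
        (root / "hOmSave7" / "S7HK40AX" / LOADER_DLL).write_bytes(b"MZ" + b"\x00" * 62)
    return root


def demo(infected: bool = True) -> list[tuple[str, str]]:
    """Build a throwaway project, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_step7_project(build_sample_project(tmp, infected))


if __name__ == "__main__":
    for reason, rel in demo(infected=True):
        print(f"{reason}: {rel}")
```

Run it against a real project root instead of the constructed one by calling scan_step7_project("C:\\path\\to\\MyProject") on the control PC; a clean project returns an empty list. The extension check catches the documented drop location, while the MZ check is the fallback for a loader renamed to look like a data file.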

Stuxnet Windows Rootkit
[Figure]

Attack Execution
1. Initial delivery
2. Network exploits
3. Reporting and updates
4. Bridge the air gap
5. Deliver payload
[Figure: Air Gap, Corporate LAN, Internet, etc.]

Delivering the threat
- Stuxnet targeted specific companies in Iran
- Only 10 initial targets, resulting in over 14k infections
- Research was needed to identify valuable targets: companies connected to uranium enrichment
- The hope was to infect someone who would visit a uranium enrichment facility, or who worked on uranium enrichment projects
- The actual delivery method is unknown

Limited Spread
The attackers wanted limited spread:
- No Internet-capable exploits were used
- The USB exploit infects only 3 machines per infected drive
- The USB exploit has a deadline of 21 days
- All exploits have a deadline
- Large configuration file, ~430 different settings
So why did it spread so far?

Why did it spread so far?
- The .lnk shortcut zero-day was wildly successful
- Step 7 project infection was very successful
- Misunderstanding of how contractors interact
- Misunderstanding of how connected companies are
- Intended? Or did it need to be more aggressive to succeed?

Was Stuxnet Successful?
We don't know.
- 1 year in the wild undiscovered
- Over 100k infections, the majority in Iran
- Industrial companies infected
- Reports of infections at Natanz and Bushehr
- Natanz shut down
- IAEA report states 1000 centrifuges went offline in Nov 2009

Was Stuxnet Successful? (continued)
We don't know.
- Discovered 3 months after the USB zero-day was added
- No report of centrifuges out of action since March
- Gained high media attention
- Analysis performed
- Iranian authorities aware

Sophistication
- First threat to target hardware
- Targets uranium enrichment
- Large amount of code, very configurable
- 4 zero-days
- Long reconnaissance phase
- Needed hardware for testing
- Targets Windows 95/98, 2000, XP, Vista, 7, ...
- 3 rootkits
- PLC programming knowledge

Sophistication: the weak points
- It was discovered
- No advanced encryption
- C&C infrastructure easily taken down
- Infection information stored inside the threat
- Blue screens?? (unconfirmed)
- P2P not protected
- Escaped outside of Iran

New Version
- Not simple to create a new version: you cannot just drop in new zero-days
- Requires target-specific information, PLC programming knowledge and exploit knowledge
- The real danger is the idea: now people know it can be done, and can start their own projects knowing it is possible

Solutions & lessons learned
- Insider threat is significant; employees are a major risk
- IP is extremely valuable, protect it at all costs
- Monitor systems and networks, watch for red flags
- Implement real air gaps, or accept this is not possible and protect computers inside the air gap more vigorously
- Whitelisting, behavior blocking and reputation-based solutions can mitigate the threat
- Device blocking: USB drives, contractor laptops, etc.
- Vigilance is key

Response
- Need dedicated resources in place in advance that can switch focus to a new threat quickly
- Need engineers who are familiar with the latest developments in the threat landscape
- Need to respond quickly: critical infrastructure may be at risk
- Public-private partnership will be important
- Growing market
- We will see more of these types of threats in the future; we need to prepare for that

Summary
- Stuxnet is the first publicly known malware intended to cause real-world physical damage
- Required resources at the level of a nation state
- While extremely sophisticated as a whole, the technique used to inject code into PLCs is not
- Enterprises should assume attackers know how these systems work
- Has changed our job at Symantec
- We expect to see more of these threats

White Paper Available: W32.Stuxnet Dossier (Stuxnet technical details)
Available here: ...curity_response/whitepapers/w32_stuxnet_dossier.pdf

Thank you!
Liam O Murchu

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.