
1 NEXT GENERATION ATTACKS & EXPLOIT MITIGATION TECHNIQUES
ID No: 1071
Name: Karthik GK
Email ID: karthik.gomatam@gmail.com
College: Sathyabama university
Dept.: Electronics and Communication
CEC Batch: Aug 2012
Topic: STUXNET

2 What is Stuxnet?
Stuxnet is a highly sophisticated computer worm that spreads via Microsoft Windows and targets Siemens industrial software and equipment. It was built for industrial sabotage and is the first known malware to include a programmable logic controller (PLC) rootkit.

3 Making of Stuxnet
It was initially rumored to have been designed by either the Israelis or the Americans, but later reports confirmed the involvement of both countries, making it a joint operation under the code name “Operation Olympic Games”.

4 Discovery of Stuxnet
The worm was first identified by the security company VirusBlokAda in mid-June 2010. Its name is derived from keywords found in the software. Its discovery at that time is attributed to the worm accidentally spreading beyond its intended target (the Natanz plant) because of a programming error introduced in an update.

5 First Infection: Enterprise Computer
An employee receives project files from an offsite contractor on a USB flash drive.
The infected USB drive is inserted into the computer.
Even though the computer is fully patched and current with anti-virus signatures, the worm installs successfully.
A rootkit is installed to hide its files.
It attempts to connect to a C&C server for updates.
It infects any new USB flash drive inserted into the computer.

6 Propagation on Networks
Enterprise Network: rapidly spreads to print servers and file servers within hours of the initial infection.
Perimeter Network: infects the Web Navigation Server’s WinCC SQL Server; infects STEP 7 project files used by the Web Navigation Server’s Terminal Services feature; infects other Windows hosts on the subnet such as WSUS, ADS and AVS.

7 How it infects the system
Infected Removable Media:
1. Exploits a vulnerability in the Windows Shell handling of .lnk files (0-day)
2. Uses an older vulnerability in autorun.inf to propagate
Local Area Network Communications:
3. Copies itself to accessible network shares, including administrative shares
4. Copies itself to print servers (0-day)
5. Uses the “Conficker” vulnerability in RPC
Infected Siemens Project Files:
6. Installs into the WinCC SQL Server database via known credentials
7. Copies itself into STEP7 project files

8 How it infects the system
All Windows Hosts
◦ Installs rootkit and loader
◦ Creates configuration and data files
◦ Propagates to other potential hosts
Siemens PCS7 STEP7 Hosts
◦ Wraps the S7 device OS driver (MitM + PLC rootkit)
◦ Looks for specific PLC models
 Infects S7 project files
 PROFIBUS driver replaced
Siemens PCS7 WinCC Hosts
◦ Infects WinCC SQL Server database files
Target System
◦ Injects 1 of 3 different payloads into the PLC

9 Stuxnet & India
In mid-July 2010 the National Technical Research Organization (NTRO) estimated 10,000 infected computers in India, of which 15 were located at what are called 'critical infrastructure' facilities, including the Gujarat and Haryana electricity boards and an ONGC offshore oil rig. While the flaw caused Stuxnet to reach these computers, thankfully it did not activate itself on them. In other words, India was only a few flawed lines of code away from having its power and oil sectors crippled.

10 What can we do? Short-Term
Complete prevention is not realistic.
Provide additional protection around high-risk assets.
Focus on the complete life-cycle of a cyber breach.
Escalate advanced attacks to national authorities.
Contain the attack to minimize consequences.
Deploy, operate & maintain ICS-appropriate advanced security technologies & practices:
◦ Whitelisting
◦ Advanced Firewalls
◦ Unidirectional Gateways
◦ Intrusion Detection
◦ SIEM / Log Analysis
◦ Compliance Managers
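The SIEM / log analysis item above maps directly onto the propagation behaviour from slide 7 (copying itself to administrative shares on file and print servers within hours). The following is an added example, not part of the original presentation: a small correlation rule over constructed SMB audit events that flags one host writing to admin shares on several distinct machines within a short window. The log format, host names and thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SMB audit events (hypothetical format, not any real product's log):
# "<ISO time> <source host> <destination host> <share> <path> <operation>"
SAMPLE_LOG = r"""
2010-07-01T09:00:05 ws-17 printsrv-1 ADMIN$ \temp\xyz.dll WRITE
2010-07-01T09:00:40 ws-17 filesrv-2 C$ \windows\temp\abc.dll WRITE
2010-07-01T09:01:10 ws-03 filesrv-2 public \reports\q2.xls WRITE
2010-07-01T09:02:30 ws-17 wsus-1 ADMIN$ \temp\xyz.dll WRITE
2010-07-01T09:03:00 ws-17 ads-1 C$ \windows\temp\abc.dll WRITE
2010-07-01T11:30:00 ws-03 filesrv-2 ADMIN$ \temp\patch.exe WRITE
"""

ADMIN_SHARES = {"ADMIN$", "C$", "D$"}  # administrative shares the worm copied itself to


def parse_log(text):
    """Turn the whitespace-separated lines into event dicts with parsed timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, share, path, op = line.split()
        events.append({"time": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "share": share, "path": path, "op": op})
    return events


def find_share_spray(events, min_hosts=3, window=timedelta(minutes=10)):
    """Flag a source that WRITEs to admin shares on >= min_hosts distinct
    destinations inside any `window`: one host doing that looks like lateral
    movement rather than normal user activity. Returns {source: sorted hosts}."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["op"] == "WRITE" and ev["share"] in ADMIN_SHARES:
            by_src[ev["src"]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):  # slide the window over each start event
            hosts = {e["dst"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(hosts) >= min_hosts:
                alerts[src] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for src, hosts in find_share_spray(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {src} wrote to admin shares on {len(hosts)} hosts: {', '.join(hosts)}")
```

In the constructed data only ws-17 trips the rule; ws-03 makes a single admin-share write hours later and is left alone.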

11 What can we do? Long-Term
Current best practices need improvement.
Improve content inspection of ICS protocols.
Hardware-based security, not software.

12 STUXNET
Thank you for attending.

