
Pwning into Power System Center

BSides Budapest · 2023 · 28:28 · 65 views · Published 2025-03 · Watch on YouTube ↗
Speakers: Omkar Joshi
Tags: Category: Technical · Team: Red · Style: Talk
About this talk
Omkar Joshi - Pwning into Power System Center. This presentation was held at the #BSidesBUD2023 IT security conference on 25th May 2023.
The power system application is the core of the entire power station ecosystem. With this application anyone (with the required access) can modify station parameters, add stations, shut down stations or the power itself, etc. With this application we can control connected devices, automate baseline monitoring, handle remote access control and automatic scheduled password changes: ultimately the entire device management for most of the SCADA estate. What if this application gets pwned? What if the application has a bunch of vulnerabilities? What if an attacker gets hold of the application and can shut down power stations? What if an attacker can mess with the substations and devices? We're going to talk about how an attacker can intrude into the environment and, mainly, pwn the power system application, which ultimately leads to taking control of the devices, stations and the entire power system. We're going to discuss our recent Red Team engagement, in which we hacked into the power system application and were able to do plenty of malicious activities. We'll talk about several vulnerabilities which we found in one well-known Power System Application; it is compatible with almost every manufacturer and is used in various SCADA organizations to connect OT devices and for centralized monitoring, management and administration of OT platforms. In the final notes, we'll talk about industry-standard best practices and the approach towards zero trust and defense in depth. https://bsidesbud.com All rights reserved. #BSidesBUD2023 #macos #persistence
Transcript [en]

The final presentation of BSides 2023, and the honor goes to Omkar Joshi.

Thank you. I guess I'm hearing my noise; can you guys hear me? Perfect, cool. So my topic is all about, of course, the offensive approach followed by the defensive approach. It was our recent red team engagement which we did in one of the country's electricity boards, and this is all about that research: the zero days which we found and how we intruded into the power system center. You know very well what will happen if we are into the substations and the electricity board: you can shut down the systems, you can shut down the station, you can shut down the electricity itself. With that note I'll not take much time; let's dive into the agenda. What I'm going to cover is, of course, a simple introduction of who I am, that is authentication of course, and the architecture: what exactly the architecture was that we were going through, what challenges we faced and how we tackled them. The next part is how we did this approach, how we intruded into the environment and how we got into the specific segregated environment and then did a bunch of things, followed by the defense: how we can follow the best security practices and what the defense in depth and zero trust strategy will be.

Cool, so this is about me. I'm just a passionate learner. I like to learn; with 10 years of experience I'm still learning and I'll always be learning. I haven't listed my certifications because there are a lot of certifications, so I don't like to list them, but yeah, just a learning guy, a quick noob guy. I work with KOA Software, which is a product management company, as a lead security engineer, offensive security, and I'm a freelancing consultant for Cyber AR Consulting, which is in Europe and specialized in security services. So this entire red team project was me and Cyber Consulting together; we did it recently, in February '23.

Okay, so in the afternoon one of the gentlemen already explained how we can attack the PLCs and all that stuff. So when we talk about traditional substations and the traditional electricity environment, we do have a lot of people who have access to the different machines or different PLCs, or we can say the contractors, or whoever is an employee. If there is an issue they have to troubleshoot, they go to the specific safe zone, which is a restricted zone, and they connect their computers and they troubleshoot

the stuff. So now the product: this is all about the product which simplifies this. When we talk about the product, there is the power system center. The power system center basically allows you to manage all these SCADA devices, all these electricity grid systems and lots of other systems, centralized, and basically it gives you visualization, remote access and everything with a segregated, zero-trust strategy. So this basically is one of the security layers: instead of giving all people, or whoever the authorized people are, access to go inside the specific zone and connect their computers, this product allows you to remotely have control of all the devices, and you can do lots of stuff: manage the device, reset the password, troubleshoot the device, lots of things.

So this is the architecture, and you can see there is the power system center and the power system substation servers and centers. Architecture-wise, if you look at this, these are inside the environment; nobody has access to the environment, of course, because it is segregated, and only the authorized persons, via SSO, will have access to these substation servers, substation clients and the entire power system center itself.

So now, how we got into that. The funny thing is, of course, whenever I do a red team engagement it's always, I'm not saying I laugh, but it's a funny part: you basically trick the people easily. That's what we have done. So if you look at the red team engagement, this is how the thing works before the power system center. Ideally, the traditional approach was that attackers were directly intruding into the environment if you don't have the power system center. When the power system center came into the picture, you have dedicated access provided via the power system center to the devices, or to whatever the end OT devices or SCADA devices are, but you cannot access the devices directly; the first, like the first, you can see the diagram. But here is the problem: the second diagram is to segregate things and secure your devices from unauthorized entities, yet still we intruded into that and were able to access lots of stuff. The different approaches: I'm going to tell you what the approaches are, what we have done, how we found the different zero days in the product itself, which led to the entire power station control being in our hands. So there are different attack vectors, and I hope you are aware of the MITRE ATT&CK framework. Are you aware of it? I can't

hear anyone. Yes. So that is one of the best frameworks which I have ever seen so far, because we have a lot of people who do the pentest which is traditional, we call it. When we talk about the MITRE framework, it has a stage-wise, dedicated approach for the TTPs: tactics are there, techniques are there. So we have utilized different techniques, sorry, tactics, to enter into the specific zone and perform the malicious activities. So what we did is simple: it's the MITM approach, the man-in-the-middle attack. Of course, whoever is into offensive security must have known Responder or mitm6; a lot of MITM products are available. I'll just give you an example: there is an organization, XYZ organization, who deals with the nation's electricity; they have this product. The problem is we were into the environment, but we were having access to only specific limited systems; we didn't have access to any of the OT devices or any of the electricity or substation devices. So what we did is simply we ran the MITM, the man-in-the-middle attack, to capture whether we can have any kind of hashes which are passing through the different approaches like WPAD, or LLMNR, or NBT-NS, or maybe SMB. So this is one of the approaches which we started with, to gain the credentials, or to see whether we can get the credentials. We got the credentials; we impersonated a specific user. So for the user there was again, you know, a different difficulty in accessing; I'll tell you further. So we got the hashes; of course hashes are not pretty easy to crack, but yeah, there is an organization password policy, so the password was of course complex, but it was in the dictionary, so we were able to crack the hashes within a 3 to 4 hour span of time, and we got to know that the user has very limited access to the environment. So we started with scanning the environment: what is inside the specific architecture, whether any available hosts are probable, whether we can attack any environment, or whether we can go into the environment where the actual substations and everything are, or the SCADA devices. When we got into that, we got to know that there is one product, which is the power system center, substation server and substation client. These are the different products, running on port 80; that is a strange thing. So that was all the isolated zone, but we were able to reach port 80 with the specific user which we have

impersonated, and that again has limited access. So the product is all about having... so there are two things: one is the impersonated user, but the user is having SSO, and the SSO user has specific access to a specific environment. The second thing is the product role: what kind of role the user has. The user which I have impersonated has the role of read-only permissions; there are no other user roles allocated to the specific user. So then we tried to escalate the privileges: whether we can escalate the privileges and access specific things in the power system center, whether we can manipulate the devices, whether we can troubleshoot the devices, or do lots of stuff. And believe me, there was the journey of finding the zero days in the product. So we started finding the zero days. Of course, I am not right now telling you the product or vendor, because we have already contacted them and we are yet to receive the CVEs and the public disclosure. But the product itself has compatibility with almost multiple SCADA vendors, like you can name it anywhere: Siemens, Andri, ABB. So they have compatibility with everything. So what we did is basically, these are the actual screenshots, with the data redacted. We have done the MITM with Responder and we got the SMB share, tricking the user into the SMB share so that he can just mistype things and you get the hashes. That's how we got the hashes of one of the users from the man-in-the-middle attack which we performed. And then when we accessed the specific environment, we cracked the hashes and we came to know that this is the user; there is a specific domain user, of course. So we logged in with those credentials and we dropped our obfuscated malicious payload. One of the great fellows in the morning already explained about the AMSI bypass and everything, how you bypass Defender. Fortunately they were also having Defender, but they were not having much more proactive IPS controls; it was detecting, but not much. So we were able to get the reverse shell with the obfuscated payload which we created. It was a simple exe, but we created an obfuscated payload; we tried with multiple payloads, by creating simple things, but it was detecting; Defender was up to date and it was detecting things, but then we were able to get the reverse shell on our system with SYSTEM privileges. That was a quick one. And when we actually scanned the environment, we came to know that there is a power system center which is running on port 80, and this is the IP address, of course. We got to know with the subnet scanning that this IP is live, then we ran a simple nmap scan and we got to know this is the power system center, and the power system center does not have the normal username and password authentication; it has domain authentication, it is through the domain credentials. So then we realized that whoever is the user we had has the

only permission of read-only; you can see the permissions over there. So we were not able to access even one of the features which are crucial, which our aim was to actually target. So we were not able to access anything, and then we realized what we can do: we started with the next action, which is fuzzing. Of course, one of the great speakers already mentioned fuzzing. So we targeted the different endpoints, whether we can access the endpoints, whether it's simple: you can fuzz the directories or fuzz the endpoints easily, pretty easily, and one of my favorite tools is Burp Suite, of course. Burp Suite Enterprise, or Burp Suite Professional and Enterprise, are of course different ones, but Professional is the one which I used for the specific endpoint collection with the different scope. So then what I realized is: this is one of the devices which I was having access to, but which was read-only only; I was not able to even edit the device, I was not able to modify the contents. So basically, if I give you a background on the product: the product allows you to remotely control the device itself. Whatever devices you have in the specific power station, you can remotely control through this power system center; you can troubleshoot the device, you can basically reset the password, you can enforce the password policy. So lots of things you can do using this power system center, and I was not having access to that because of the read-only role. Then I captured the different endpoints, these are the endpoints, and then I came to know whether I can do the privilege escalation or not with read-only; then you can see the result. So there were devices where every piece of information was hidden, like the read-only user cannot see the data of the specific devices, like what are the IPs, what is the port number. Of course, to remotely control the device you should be able to have the IP address or host name and the port number to connect to that. So we were not able to reveal that with read-only, but I was able to do the privilege escalation and access the IP address and the port information. With that I was able to connect to the specific device directly with the read-only user, and that was our first finding which we had. And then we were able to go ahead and further modify the data of the device, restart the device, so we reset the device, lots of things; the options we were able to perform using these different privilege escalation issues. So the issue was actually present in the product itself; we were not actually targeting the PLCs or the smart grid stations or the OT devices. There were no issues with the OT devices; the issue was with the product which was allowing us to connect to the OT device, and the product itself was completely vulnerable. We call it a DVWA; I hope you have heard about DVWA, the damn vulnerable machine. We called it one of the DVWAs in our recent red team engagement, and we were able to entirely modify the station templates. I hope you have heard about stations,

substations, in the electricity or in the power station: we have different areas, right, which we call substations. So let's say, suppose in Hungary we have a Budapest area; so in Budapest there is one of the substations. So we were able to access the specific substation, and literally they had created a sample lab for us, and we literally shut down the entire power system, or the power of the specific substation, using this vulnerability. That was one of the things which we successfully delivered, and you can see that there are multiple other functionalities which we were not having access to, like work order or impersonation of the user. So we were able to impersonate the users as well. Let's take an example: as Omkar I was a read-only user and the XYZ person is having higher access, so we were able to perform the actions on behalf of XYZ, so the logs will show that XYZ has done this action, not Omkar. That was one of the tricky things which we also found in this red team engagement; you can see that as well. So what we did is we basically created an activity record for the critical alarm, and that was created by the user, me, but you can see it is executed also by a different admin. And we actually then cross-verified with the SOC team and everybody, because it was a kind of blue team and red team simulation, and that was actually executed by admin, not by Omkar. So this was a successful attack which we also did, and there were no traces of whether Omkar had done it or admin had done it. So this is mainly how we targeted the environment and then how we got into that, and a simple misconfiguration. The main thing which I wanted to focus on here is: although you have a segregated environment, there are chances also that you can get access through a simple tunnel. I would say this is one of the tunnels itself: through the product we were able to access the entire power station, substations and devices. So we should not limit ourselves: "okay, we were not able to find anything because there is segregated access, zero trust is already implemented, there is a separate VLAN". No, we can get into that as well with the different routes. And there are of course a bunch of other vulnerabilities which we found, with multiple file upload; cross file upload was quite interesting: we were able to upload malicious files and we infected the environment itself. So hopefully and

fortunately the environment was not production; that's the reason we were able to save our rest, of course. But yeah, those were the main vulnerabilities which we found during the red team engagement. So with that, the offensive approach. Of course, we always think: okay, we know that this is the issue; how can we tackle it, or how can we safeguard ourselves? So that's where the attack vectors, or the attack surface, come into the picture. The attack surface, we all know, how we can reduce the attack surface: it can be physical, it can be digital, and it can be through social engineering; you can do lots of things, right. So when we talk about the attack surface, I always talk about what the possible entry points are. In this case, maybe you can do social engineering with a phishing email and send the fileless specific file, if you know about fileless malware or fileless execution. So there are my favorite LOLBins; have we heard about LOLBins, living off the land binaries? Yeah. So one more thing I would like to highlight is that recently they have released one for the Mac as well, so if you are pretty interested in learning the living off the land binaries, there is a Mac version also, so you can explore the Mac as well; on OS X you can do those LOLBin attacks as well. So these are the attack surfaces, and how you reduce them; that's the question which the organizations' members and executives ask us, and it's simple. What I jotted down, in four parts: first, you have to identify the gap, what are the existing challenges you have, what are the missing things you have in your environment. We call it gap analysis in the traditional term, or the compliance term gap analysis: we have to first identify where we are lacking and then go ahead with that. Then understand, analyze, exercise yourself. Then, of course, there is a famous term in security right now, defense in depth, and I hope all are aware of defense in depth: it's a layered approach. Basically, at each layer you should have protection in place, every layer: it can be the network layer, it can be host protection, it can be application, it can be identity-level protection. So even though the organization was having these things, still some kind of misconfiguration, some kind of tricking the humans, that is the social engineering, like the human is the weakest element, this can happen even though you have defense in depth. So the first thing which I always tell an organization: 100% security cannot be guaranteed; of course you have to mature, you have to update yourself every day, it's simple. Otherwise you have to lock the doors, that's it, and still there is a possibility of theft. So the best practices are all about, as these zero days or findings were all about the product, I would definitely say shifting left is always the best approach. So when we talk about shift left, it's the DevOps of course, security in DevOps; most are already adopting this, but we have to have this proactive approach in the life cycle, so that we should have this mitigated. Of course we have a bunch of things when we talk about shift left: SAST, DAST, SCA; of course SCA is all about dependencies and all that, third-party libraries. Then what about... this is technologically: we are evolving, we have the tools integrated, we have the people; people are there who run the tool, who do the integration within CI/CD, who do the secure coding or run the scanners, but what about the people itself? That's what I always call PPT. Do you know the PPT, what PPT means? Not about the presentation. Yeah, that's correct. So the

PPT is all about people, process and technology. We have the process implemented, the different compliance standards; we have the technology updated, we have the cloud, everywhere is cloud, we are using this technology, we are using next-generation XDR, everything. But what about people? That is what most of the organizations are lacking, right: awareness trainings, making people aware. Of course you have policies to enforce that people not have a simple password, but let's consider the policy has one simple special character and maybe a number; if that is the only policy, then "Password@123" will be a common password which can be easily brute forced. So the password policy should also be properly configured so that people will not have a password which is pretty easily guessable or pretty easily brute forced. So the people, process: the people, of course, employee awareness training; the people awareness training is a must, always and regular, and if you have any kind of training programs for developers as well, when it comes to the actual product development. This is all about the product: you have everything in place, but what about the secure coding guidelines or best practices? We have the OWASP standard, it is a baseline actually; we have OWASP, we have SANS, we have plenty of others; we have the threat modeling frameworks. But still we are getting the issues, or we are getting a lot of vulnerabilities in the product itself. Why is this happening? That is because we are following the approach, but we are not proactively looking at what the consequences are: okay, we just do a SAST scan or we just do a DAST scan; what are the consequences of that? These are automated tools; we cannot rely on any kind of automated tool, even though we are living in 2023 and everywhere is automation: SAST, DAST anywhere, even VM scans and lots of things. Whenever it comes to automated tools, they will give you only the things which are there in the database or signatures or whatever it is, but when it comes to the traditional manual effort, when you do a secure code review, of course it is not always possible, but the manual effort that you put into it, like in a pentest or a red team engagement, that's where you make people aware that not only automated tools can solve the issues or find problems; you have to go beyond that. So with that, I believe that's all about my presentation. Do you have any questions?

So do we have any questions, please, for Omkar? No? We don't have questions at this time. Are you sure? Or maybe it's leaving time, so yeah. No questions? Okay, in that case thank you very, very much. Thank you.
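The two product flaws the talk describes (a read-only role that could still obtain a device's IP/port and act on it, and activity records that attributed a read-only user's action to an admin) come down to authorization and audit attribution being enforced on the server. The following is an added example, not the vendor's or the speaker's code; every name, role and device is constructed for illustration. It shows each vulnerable handler beside its hardened form.

```python
"""Hypothetical device-management service: the 'before' handlers reproduce the
two flaw classes from the talk, the 'after' handlers enforce permissions on the
server and record the authenticated identity. Constructed names and data only."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class User:
    name: str
    role: str  # "readonly", "operator" or "admin"


@dataclass
class Device:
    device_id: str
    name: str
    host: str  # connection details a read-only role must never receive
    port: int


@dataclass
class ActivityRecord:
    actor: str  # identity that actually performed (or attempted) the action
    action: str
    device_id: str


# Constructed sample inventory (not real infrastructure).
DEVICES: Dict[str, Device] = {
    "dev-1": Device("dev-1", "Substation RTU", "10.0.0.10", 20000),
}

# Server-side permission model: read-only may list, never connect or control.
ROLE_PERMS = {
    "readonly": {"device:list"},
    "operator": {"device:list", "device:connect", "device:restart"},
    "admin": {"device:list", "device:connect", "device:restart", "device:edit"},
}


class AuthorizationError(PermissionError):
    pass


def vulnerable_device_view(user: User, device_id: str) -> dict:
    """Before: the UI hid host/port from read-only users, but the endpoint
    returned them to any authenticated caller (client-side enforcement only)."""
    d = DEVICES[device_id]
    return {"name": d.name, "host": d.host, "port": d.port}


def hardened_device_view(user: User, device_id: str) -> dict:
    """After: the server filters fields by the caller's permissions."""
    d = DEVICES[device_id]
    view = {"name": d.name}
    if "device:connect" in ROLE_PERMS[user.role]:
        view.update(host=d.host, port=d.port)
    return view


def vulnerable_restart(user: User, device_id: str, on_behalf_of: str,
                       log: List[ActivityRecord]) -> bool:
    """Before: no role check, and the audit actor is a client-supplied field,
    so a read-only user's restart is recorded as another account's action."""
    log.append(ActivityRecord(on_behalf_of, "restart", device_id))
    return True


def hardened_restart(user: User, device_id: str,
                     log: List[ActivityRecord]) -> bool:
    """After: authorize on the authenticated identity and log that identity,
    including denied attempts so the SOC can see the escalation try."""
    if "device:restart" not in ROLE_PERMS[user.role]:
        log.append(ActivityRecord(user.name, "restart:denied", device_id))
        raise AuthorizationError(f"{user.name} ({user.role}) may not restart {device_id}")
    log.append(ActivityRecord(user.name, "restart", device_id))
    return True
```

The denied-attempt record is the detection hook: a read-only account repeatedly hitting control endpoints is exactly the privilege-escalation probing the talk describes, and it is invisible if the log only stores the client-supplied actor.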