
Thank you. Hello to everyone, I'm the grandpa of the conference. So, this morning we saw that OT in the healthcare sector, or better, the healthcare sector, OT technology, industrial IoT, is a main target, an important target for attacker groups. During my presentation I will show you how to attack them, with a live demo. I have some virtual machines inside my PC, so we will try to attack, to exploit, to find some vulnerabilities and so on.

Before starting, let me briefly introduce my experience. As Pran said, I have more than 24 years, 23 years, of experience with PLC, SCADA, remote I/O and so on. I worked 15 years at Schneider Electric, so I know this kind of product very well, but not only: I'm a pentester with a strong specialization in the OT domain, and I'm the main developer, the developer, of ScadaSploit, the C2 that is targeting the IT and OT domain with more than 100 modules, auxiliary and exploitation modules, targeting Siemens, Schneider, Rockwell, ABB and other producers. My current job: I'm the head of OT cyber security in an Italian company; I come from Italy. And I also have a private life: I have four children, and I'm very happy to be here because I'm alone, and it is a good opportunity for me to get a weekend absolutely alone. It is a fantastic dream. You can find some information, I also have a blog on the omarmorando.com website, but this is not so important.

So I have some questions. The first question is: why do we talk about cyber security in the OT domain? Because it's clear that the industrial control system is a very big target for APT groups. Why? Because it's easier to attack an OT device. OT device means a PLC, means a strange device that works for 10, 20, 30, 40 years without any update, maybe. I worked in Schneider in Turin; Turin is in the northwest of Italy. I left Schneider in 2005, and during my work I defined some architecture of the underground in Turin that uses a specific PLC called the Modicon Quantum. This PLC has been out of production since, I don't remember, 10 years maybe, but the underground metro is still using this PLC, and you can Google "Modicon Quantum vulnerabilities" and you can find a long list of blogs that describe 12 vulnerabilities that can be exploited without any kind of difficulty, more or less. And this is the problem of the devices, of the PLCs. The goal is economic, or maybe also safety in certain cases, and the OT targets you can find in energy, water treatment, transportation, the manufacturing sector, and in particular critical infrastructure, in energy.

I don't want to bore you with Stuxnet. Stuxnet is not the only malware targeting OT, but I would like only to underline two important points related to Stuxnet. Stuxnet was the first malware targeting OT devices; in the specific case the target was Siemens PLCs, S7-300 and S7-400, old PLCs that are still running now. The important things that I would like to underline are two topics. The first: Stuxnet was the first malware targeting OT devices, targeting PLCs and not standard computers in the IT domain. The second important thing related to Stuxnet: it was the first malware, or better, the first case that demonstrated that using software we can damage something, we can have a physical impact, not a financial impact. In the IT domain I can steal data, I can grab bank accounts, I can get money, but there is no physical consequence. It depends on the situation, but generally speaking there is no physical consequence. In the OT domain, with Stuxnet we know that it's possible to attack a PLC, changing the behavior of the plant and damaging it; the safety problem is a very big impact.

After Stuxnet we have a long list of possible malware. One of them is Industroyer. Industroyer is a malware that was specifically developed to attack critical infrastructure. Why critical infrastructure? Because it uses some specific protocols like IEC 60870-5-101, 104, OPC DA and so on, typical industrial protocols used in power generation plants and in power distribution plants. That means that this malware is able to target this specific domain. After the first version we have Industroyer V2; V2 is the reloaded version. In April 2022 a new version was discovered, a steroid version of Industroyer, that is able, with more efficient capability, to find, to identify the right target, the right protocol, and in fact to distribute the malware over all the network with a very impressive impact.

After Industroyer I would like to underline another malware, Triton. What is Triton? So in an industrial plant you have the emergency button, the red button: when something is wrong in the plant and you are in a critical safety situation, you can push the red button and the plant is stopped, or better, it's not stopped, it depends on the configuration of what is called the safety instrumented system; the plant is put in a safety situation, that means close a valve, decrease the temperature, et cetera. And there is a very big producer of this kind of device, Triconex. Triconex is a worldwide company that produces safety instrumented systems; I can say it is the biggest producer of SIS systems. Triton is a malware that is able to target this intelligent device. That means that when you are in trouble, when you are in a critical situation in your plant, you push the red button and the situation grows in terms of critical impact. That means no safety situation can be protected by pushing the red button, because this kind of malware is targeting the red button in order to block it, to block the right behavior defined by some engineers, and you can have catastrophic consequences for the people, for the situation, for the infrastructure.

Okay, so what is inside a PLC, what is inside an ICS, an industrial control system? Starting from the bottom up, we have the sensors and actuators. A sensor is a device that translates a physical value to a digital number: temperature, pressure, speed, et cetera. An actuator does exactly the opposite, transforming a digital value into a physical action: motors, pumps, valves and so on. Then, going up a level, we have level one. This is the Purdue model, which describes the five levels of the ICS plant. At level one we have the PLC. PLC is a programmable logic controller; it is a sort of computer that gets the information coming from the sensors, elaborates the program inside, and then drives the actuators. Then we have the HMI. HMI means human machine interface, level two; it is a display, an embedded computer or a PC with specific software that shows all the information to the operator, alarms, events, or gets commands coming from the operator: a set point, a start command, a stop command and so on. And then we have a SCADA system. The SCADA system, at level three, is a supervisory control and data acquisition system; it means a software that runs inside a PC, a Windows PC in most cases, and collects all the information coming from different PLCs using specific industrial control protocols. Industrial protocols means Modbus TCP, PROFINET, DeviceNet, OPC UA, CANopen and other specific protocols. Consider that in industrial control systems we have more than 150 proprietary protocols that are specific to industrial control systems; it depends on the vendor, they are produced by the vendors, they are defined by the vendors. We have some standard protocols like PROFINET, Modbus and other protocols, but some protocols are defined by a specific vendor for their equipment.

Okay, but what's inside a PLC? Because if you consider the PLC, it may be something strange, something that, I can say, can be scary. It is a sort of the dark side of the force. Inside the PLC there is something strange, because I don't know what it is. Is it a PC, a computer? What is running inside, which kind of operating system is running inside the PLC? Running inside the PLC is embedded Linux, more or less. Inside the PLC you can find, in most cases, a Linux operating system, like, I don't know, Allen-Bradley: Microware OS-9, which is Linux based; B&R, an Austrian company: VxWorks; Rockwell ControlLogix: VxWorks; Schneider Electric in some PLCs uses Unity OS, Unity OS is a Linux-based PLC, or in other Schneider PLCs, the Modicon Quantum, VxWorks; Siemens uses a custom version of Linux called ADONIS OS, but it is a Linux embedded system; or in the case of Wago, another producer, they use real-time Linux. That means that you can consider a PLC exactly as a PC with an embedded system, without keyboard, without HDMI port, without mouse, in certain cases with some USB ports, with some memory, with real-time extensions. This is a very big difference: this Linux embedded system is a very limited version in order to have the best performance possible in terms of real time. Consider that an execution cycle of a program inside a PLC can take more or less 10 milliseconds, 20 milliseconds; in most cases, I don't know, 80 milliseconds but no more, and every loop is executed every, I don't know, 10 milliseconds for 30 years.

So if you take a small PLC from Siemens, the S7-1200, and open it, inside you will find an ARM Cortex-M4. What is a Cortex-M4? It is a typical low-price microcontroller, specific for real-time applications, but it is a standard component that is used, for example, in embedded applications like automotive, some ECUs that control the vehicle use the M4, or image processing, mass storage, HDD, or industrial microcontrollers. This version of the Cortex-M4 is a high-performance solution for real-time applications, real-time reaction, but it is absolutely a standard controller. It means that you can use the same hardware attacks, the same approach as for a standard IoT device or embedded device. For example, as I said, ADONIS is a real-time operating system, Linux based, from Siemens. Inside, the kernel is divided into two sections: the first is the library, the operating system services, and on the other side we have all the services related to the automation. But if you consider this PLC as an embedded system with embedded Linux, you can also find some web servers. Today, in most cases, all the PLCs have inside a web server running Apache in order to provide a very comfortable user interface using a browser. You can put the IP address of the PLC in the browser. If you don't know the address of a PLC, you can open shodan.io and you can search for Schneider TSX, Siemens S7, or you can use Censys.io, it is the same: you can find a long list of devices directly exposed on the internet. You can connect, or you can browse the PLC, and you can find a user interface, a very basic user interface, provided directly by the PLC. But you can also use standard tools like dirb, dirbuster, gobuster, Nikto or other tools, or Burp Suite, to evaluate the website. Please do that, it's very funny. Or there are some other problems typical of a computer, some vulnerabilities like the sandbox. Consider that inside the PLC, in this case ADONIS, all the applications run inside a sandbox to protect and prevent, I don't know, to protect memory, file system and so on, but there are some vulnerabilities that are typical of a computer, and one of them is the sandbox escape, which allows you to take control of the operating system, starting from the connection, passing through the communication protocol.

So why do we talk about C2? The first point is why we talk about adversary simulation in the OT domain. You can find a long list, not so long, but okay, some tools that can be useful to identify vulnerabilities: Tenable.ot, this is the Nessus version for the OT domain; you can find Claroty, you can find Nozomi Guardian, you can find Armis, which are typical tools that scan the network, grab the information from the PLC and tell you: okay, this version of the firmware of the PLC is vulnerable to this, is potentially vulnerable to this kind of CVE and so on. But this is not a real scenario. I mean, I'm not sure if I can exploit this kind of vulnerability. I'm not sure that this tool is able to identify a possible kill chain or attack path in a real case. So adversary simulation is something that can help you to identify the right capability and the right exposure of your system. The attacks that are faced can be bigger and bigger with respect to the basic scanning you can do using these tools.

So, adversary simulation in OT, why? Adversary simulation can help you to identify weaknesses and issues that cannot be identified using traditional tools, as I said before, or you can have the benefit of a realistic attack scenario, passing through the web server of the PLC, passing through the protocol, passing through, I don't know, et cetera, and of scenario response evaluation. Another important point is the SOC assessment: is your SOC able to identify an attack coming from OT that is growing up to IT, or from IT going down to OT? It depends on the rules, it depends on the playbook, it depends on the capability of the instruments, on the settings of the instruments, of the IDS or IPS. Or better, risk mitigation and compliance assurance. Why compliance assurance? Because there are new important regulations that are coming, not only NIS2 of course, but also other specific standards that are related to the ICS and OT domain.

So, how does a C2 work? I think that you are very comfortable with this kind of slide, but only to put some important points: we have a team server, we have a server that is running our C2 core, waiting for a victim to be connected; we have at least one or more remote commanders, that can be remote of course, or on the same machine, et cetera; and then we have the potential victims, the potential victims that are affected by an agent, a dropper, a beacon, a badger, it depends on the C2. Some C2s call it beacon; Cobalt Strike calls it beacon, Brute Ratel calls it badger, et cetera. That means an agent, a malware, a backdoor, a RAT that is connected to the team server in order to receive commands from the team server and from the commander. In this case we can use different kinds of protocol: HTTP, HTTPS, you can use DoH, DNS over HTTPS; we can use external C2 like Slack, Drive, Teams or Discord; and then using different protocols we can pivot, we can do lateral movement using SMB, for example, and cover all the network and discover all the network and pass also to the other victims, victim three, four, et cetera. This is more or less the typical architecture of a command and control, nothing new. Why is it not new? Because, considering the Purdue model that I showed before: level zero, the process, sensors, actuators; level one, our PLC; level two, the supervisor, HMI and SCADA; we have a level three, that means production plant and so on; then we don't have a DMZ, because the DMZ is not so common in industrial control systems; and then we have levels four and five, which are the corporate network.

The problem is that an attacker has a very huge attack surface in an OT plant, because it can use, for example, a supply chain attack, grabbing credentials from a supplier. Consider Ferrero, which produces Nutella, maybe you know it, or Barilla, which produces pasta. They have a long line to produce the pasta; that means there is some machinery that, I don't know, mixes all the different components, cooks the pasta and then puts the pasta in a bag. And there is a machine that is a packaging machine that puts the pasta inside a bag. The producer of this machine, of the packaging machine, is not Barilla; it is an OEM, a producer specialized in packaging machines, which can be a small producer. It's not Barilla, it is a small producer, and this producer usually provides remote assistance for their clients, their customers, who can be in Italy, who can be in the US, who can be, I don't know, in Bulgaria. So they provide remote assistance. How is this remote connection service protected by the small producer? They use TeamViewer, AnyDesk remote connections. How do they protect their credentials? Because if I grab the credentials, I can enter not only the machinery, I enter the line of Barilla, and if there is no network segmentation between OT and IT, I can go up looking for the servers of Barilla, I can encrypt, steal data and so on. So remote connection is a very big, big, big problem in the OT domain.

Another big problem is the infected laptop. I'm a Barilla guy, I do the maintenance of the Barilla plant, I'm the programmer of the PLC, I use my PC to change the configuration parameters inside the OT plant, but I use my PC also for email, web surfing, searching and so on. It's absolutely common that the same PC, the same laptop, is used in both domains. It's very difficult to find a customer that uses separate PCs or a virtual machine; a virtual machine for OT guys is something strange. So they use the same PC in IT and then put it in OT. The problem is that in certain cases this PC requires a specific configuration, which means that an EDR is not so easy to put inside, or better, some malware that is not targeting the IT domain is not identified by the EDR because it is out of scope, but if you put this PC with this OT malware in the OT plant, you can transport and put the malware inside this plant. Another common case is the infected USB. USB in the OT domain is something absolutely standard, because they need manuals in PDF format, they need to share schematics, they need to share programs and so on. So malware-infected USB is absolutely common. Then, with insecure remote support coming from IT and going down without segmentation, it could be possible to go down to the OT domain.

So that's the reason why I started to develop, two years ago, ScadaSploit, strange name. We know Metasploit. Metasploit has more than 6,000 modules, auxiliary, exploitation and command modules. It has also more than 70 modules for SCADA. The problem is that these modules are not targeting the European market, are not targeting real situations: you can find two or three modules for Schneider, for Modbus, you can find two or three modules for Siemens, and then some strange devices that are not used in Europe and in the main OT market. That's the reason why I decided to develop something that is absolutely targeting the OT domain, with a long list of modules, but also able to be used in the IT domain. That's the reason why I implemented EDR evasion, anti-malware scan interface and event tracing for Windows bypass, anti-sandboxing or anti-debugging, process injection using indirect syscalls and NT API and so on, multiple pivoting techniques using SMB, TCP or RPC, different kinds of beacon, staged and stageless, depending on the architecture, or expandable using payloads with a BOF. BOF is Beacon Object Files, introduced by Cobalt Strike: it is C code compiled but not linked, very small code, an object file, a standard format that you can put inside the agent that is running inside the victim, and with a very small file you can increase the list of possible commands that can be executed on the victim. Another interesting thing is that the server can be run inside an ARM computer, that means a Raspberry, a very small Raspberry; that means that you can put a Raspberry inside a network as a stealth installation, like Mr. Robot on TV, that used a Raspberry Pi put inside with a modem, 4G or 5G, it depends; you have a team server absolutely accessible from remote. So interesting, but the scope, the goal of my presentation is not to promote ScadaSploit; the scope is to underline the importance of ICS cyber security, OT cyber security.

To install a beacon, an agent, inside, you need a dropper. What is a dropper? A dropper is something that puts your malware inside the victim, and there are different kinds of dropper that you can use: a file-based dropper, something that is a tool, a program, a document-based dropper, PDF or Excel for example, a USB-based dropper in the case of an infected USB, or a web script dropper like JS or VBS or other files. PDF in OT: more than 65% of the files, or better, more than 65% of the PDFs, are used to compromise an OT device. Then we have Office documents, PPT, Excel, et cetera. But it's easy to understand that if you run an Excel file you have the banner "this file contains a macro, do you want to...", but you can bypass this kind of process using for example the XLL format, which doesn't require this and is absolutely recognized as a good file by Microsoft. You can open an XLL, which means an Excel file but is a DLL inside that can contain some part of the malware. This is a basic approach. For example, this is a real case applied during some adversary simulation in Italy: we used a phishing server, a spear phishing with an XLL inside, bypassing the Mark of the Web protection, opening the XLL with Excel. The XLL was signed, as a standard, as a recognized file; the XLL was opened and then we have the dropper that can bypass the EDR protection, and then using external C2 we can connect with the remote commander. This is a standard approach, as you know; this is absolutely not new, but it is exactly the same attack path or kill chain that you can use in IT and can be used in the OT domain, because in the OT domain you have computers with a SCADA system, you have engineering stations for programming the PLC, which is a Windows computer, you have Windows-based systems for HMI. So more or less it's the same, but with a low level of protection, because EDR is not so commonly used in the OT domain, antivirus is not so used in the OT domain.

Demo. But before, a big disclaimer. The big disclaimer: activities to be performed in a test environment, a laboratory, or during a plant shutdown for maintenance. That means please don't do an adversary simulation during production at the Barilla plant, okay? To test if it's possible to attack the PLC, the answer is yes: if you can reach a PLC, you can create a denial of service in 10 seconds. Don't do that, okay? But it is important, we know that it's important to underline that all these phases must be performed in a lab that simulates the plant, or during maintenance, in agreement with the customer.

Okay. In my PC I have this configuration: I have a team server, I have a remote commander, all on the same machine of course, and I have three virtual machines: one with Windows 11, not 10, with Defender and another EDR, and then I have two virtual machines, one that simulates a PLC and the other one that simulates an HMI product. Okay, I run the team server, boom, and then I run the remote commander. The remote commander is something like that; I don't know if you are familiar with command and control. In this case, the team server is developed using Go and Python, and the remote commander is developed in C++ using the Qt library; it's multiplatform. We have a listener. What is a listener? It is a service that waits for a victim connection in order to send and receive commands to the victim. I prepared three listeners: one that is based on HTTP, the other one that uses HTTPS on this port, and an SMB one for pivoting, but we don't have time for pivoting, but believe me, we have it. Then inside this remote commander we have other tabs, but it's not so important. One important thing related to a command and control is what is called a malleable C2. Malleable C2 means a command and control that is able to adapt its behavior depending on the architecture. That means in this case we need to dynamically create an agent that uses one of these protocols and that uses different techniques to bypass the EDR, depending on the system, of course. Oh, and we also have the network map; here we have the team server. Badger list: we want to create a beacon. I go very quickly. We have a long list of possible parameters; if you don't know what they mean, we have a help here, but in this case I don't want to bore you. We can create different kinds of payload, as we saw during the presentation before me, from BlackCat: we can create a Windows exe, an executable file, we can create a Windows DLL, or we can create a service executable, we can create shellcode, using this protocol, some different techniques, obfuscation, to cover the communication between the agent and the team server in order to prevent firewall protection, to prevent IDS and IPS protection, to prevent alerting the SOC analyst, for example. And we can use different techniques. I chose direct syscalls, WaitForSingleObjectEx; we can add some techniques: sleep, jmp rax register; we want to bypass AMSI, and then we can encrypt. I will change my encryption algorithm for the next version based on your presentation, thank you so much. Basically, at the moment I have the AES algorithm. There are different approaches, for example QueueUserAPC, or in this case I will use direct syscall execution, and then I flag indirect syscalls. Choosing this possible combination for the agent, I push the generate button, and dynamically I compile my malware, because it is based on C language and assembly language, generate some tricks, then encrypt the payload, and finally we have a binary. It takes a while. Yeah, we have the binary. I put the binary here and I call it "do nothing", I think it's a good name.

Okay, so now I have here my Windows machine. I need to put the malware inside my Windows machine, of course, the pre-exploitation. What does it mean? I need a dropper, I need, I don't know, a document, a PDF, whatever you want to put inside this machine. For the demo I don't have the opportunity to show how to drop my malware, my agent, inside, because it takes a long time, but in this case it is very simple: I use updog. Do you know updog? Yeah, updog. Here I have Defender that is running. I put here, I have "do nothing", okay. First alert: Mark of the Web. Mark of the Web means you are downloading an executable file from the internet, not good, but in this case, okay, keep my file, are you sure? Yes, keep my file, sure, sure, sure, yes, keep my file. Okay, no analysis from the EDR, no alerting from the EDR. Good. Run it. I run the process, and boom, yeah, we have it. This first line is our victim machine that is connected to the team server using the malware, or the agent, that we have generated right now. If I go to the network map, I have my server and I have my victim. Okay, what can I do? A long list of possible commands. The first is interact with the beacon. Okay, whoami: now I'm sending the command to the agent and I grab some information coming from the system. Or I can do dir and I have the list of files here. Or screenshot, very basic. Okay, download screenshot, this is my screenshot, for example. Or better, shell, sorry, shell calc: I send a command and calc is computed. Yeah, good, it's funny, but this is a standard command and control. You can do the same using Cobalt Strike, using Brute Ratel, using Sliver. It's not so interesting from my point of view; no, it's interesting, but we can do better.

What can we do? For example, OT. All the modules, all the commands that I implemented inside ScadaSploit start with "OT" underscore. OT netmap: what is OT netmap? It is a command that tries to discover all the possible interfaces inside the computer, and we find another interface here that uses port 502. Port 502 is used for the Modbus TCP protocol. Oh, good. So we have the first information related to our infrastructure. Why? Because we are here, we have the first connection to the IT level and then we have the second connection, the second network interface, to the OT level. Good, funny. What can you do? OT modbus scan is a module that starts scanning the OT devices using the Modbus protocol. I can enter a list of IP addresses, a /24, a range of addresses or a single IP address. In this case we use this range, because I know it takes time, so instead of doing a /24, I know that my virtual machine has one, or better two, of these addresses. Enter. It takes a while. Yeah, we have it: we discovered two devices. The first: the vendor is Schneider Electric, the device is a PLC, the model name is Modicon M580, the CPU module is this one, the network module is the same because the CPU has inside two embedded network connections; we have the version of the firmware, 3.10, we have the name of the project, the revision, the version of the project. We find a lot of things, and the MAC address. Then we discover another device: it is an HMI, human machine interface, by Schneider, that is called XBT GT43, this version and this MAC address. Interesting and important information that we got from the PLC: for example the firmware version. I can Google "Modicon M580 version 3.10". I suggest also 3.20, because I'm working on these vulnerabilities; they declared to fix this vulnerability with 3.2, but it is not covered. Okay, oops, no, no, it's not true. Yeah, you can use those using the 3.2 version, it's the same, 3.20, and you can find some vulnerabilities that can be addressed with this version of the PLC. We have some information related to the project revision: if I'm an insider, as we saw this morning, maybe I was an employee inside Barilla, I was the programmer of a PLC of Barilla, and before leaving Barilla I copied all the program project files to my computer. If I identify the same version after three years, it means that I know what is inside the PLC, because it is exactly the same version that I have. That means I can analyze the software, I can analyze the different steps of the software, and I can use this project to attack Barilla, for example. Or we identify which kind of tool was used to program this PLC: version 14.1 of the Unity Pro software, other possible vulnerabilities. But what is funny is that here now I have one PLC and one HMI. This is a specific function of ScadaSploit; I mean, if you use Cobalt Strike you cannot see these devices, for example, because they are not computers, they are not Windows based. In this case we can do that.

What can we do next? We try to attack the PLC. This is the simulator of the PLC. We can, for example, attack using, or exploiting, a vulnerability that is called 28755, I know it. I have another module that is called modicon 7855. This vulnerability is called the "set breakpoint" vulnerability. I mean, when you program a PLC, you consider a PLC as a PC. It means that, if you are familiar with the development tools, you have inside Visual Studio Code a debugger: you can put a breakpoint to stop the execution of your code and then, step by step, analyze the data, change the data and so on. You can do the same with a PLC; you can do the same using Unity Pro for Schneider or TIA Portal for Siemens. But there is a vulnerability inside this PLC: if you put the breakpoint address to 0, you stop the PLC completely. The CPU is in stop, the Ethernet communication is in stop. We can try to do that, and the address is this one. Ah, sorry, there is a mistake here. Okay, try to do that. Boom. Yeah, okay. This is a simulator, but I exploited this vulnerability: I set the breakpoint with the breakpoint memory address at 00, and the CPU is completely stopped. I have a physical PLC at my home; if you search on YouTube you will find the same exploitation with the physical PLC. Okay, believe me, this is of course a simulator, but the behavior is exactly the same. So it means that I'm not only able to identify vulnerabilities, but I can also test if this vulnerability can be exploited in a specific case. I think this is quite funny, not for the customer, not for the potential victim, but if you are engaged by a company to do a red team or adversary simulation in OT passing through IT, I think it is very, very funny.

Okay, so two last slides. Make it safe. What can we do, what do we have to do to protect our OT systems? The first measures are organizational measures: security assessment, evaluate your network, evaluate the risk, which means performing a risk assessment or business impact analysis related to OT, for Barilla or for steel production; awareness, this is absolutely very important, training people in order to be aware of the risk of the OT devices; protect the supply chain, protect the remote connection from the supplier; and policies and procedures. Technically speaking: asset inventory, asset discovery. I'll give you an example. In Italy we have an important car producer, we have more than one, but one is very well known internationally, a very high level of vehicle, okay, red, I don't know who it is. And we performed an asset discovery. We talked with the customer before doing it, and they said, okay, we have more or less 500 PLCs in our plant. Good, 500, okay, we will take three days for the asset inventory and so on. We did the asset discovery and we found 960 IoT devices, exactly double, more or less. Why? Because the PLCs are 500, okay, but then you have digital scales with IoT devices, you have microscopes, instrumentation connected to the internet, you have, I don't know, other tools that are industrial IoT, which is exactly the same as a PLC: it uses industrial protocols, it uses embedded systems and can be exploited by someone else. Network segmentation is absolutely important to protect and to subdivide the network into different levels using OT firewalls, OT IDS, OT IPS able to perform deep packet inspection of industrial protocols; endpoint protection; secure PLC programming; patching where it's possible; and secure remote access.

So, takeaways. Awareness of cyber security and risk, this was the goal of my presentation today. Important: validate the safety posture, but really, not by running Tenable or Nessus that says you are okay, go without any kind of problem. Knowledge of a very effective red team tool, but it is not the only one: you can develop your BOF, you can develop your tool, it is not so important. What is important is to focus your tool and your approach on the OT target using the OT techniques. Don't believe anything from anyone, even me, and take care of the cyber security of your OT system, because if you don't do that, someone else will, but maybe it will be an APT, probably. Okay, so if you want to buy a ScadaSploit Lego version, no, it is just a GPT production, it doesn't exist. Okay, thank you so much.
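The asset discovery and the OT IDS with deep packet inspection of industrial protocols recommended in the closing slides, and the Modbus scan output shown in the demo (vendor, model, firmware version), as an added example that is not part of the talk and not ScadaSploit's own code: a small Python Modbus/TCP inspector. It parses the MBAP header and PDU, decodes Read Device Identification responses (function 0x2B, MEI type 0x0E) into an inventory record the way an asset discovery tool would, and raises an alert when a state-changing write request comes from a host that is not the allow-listed engineering station. All frames, IP addresses (10.0.0.10 as the engineering station, 10.0.0.5 as the PLC) and identification strings are constructed for the example; the device values mirror the demo's output only as sample data.

```python
"""Modbus/TCP inspection sketch: asset inventory plus write-from-unknown-host alerts.

Added example, not ScadaSploit code. Every frame and address below is constructed.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Function codes that change PLC state; only engineering hosts should send them.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
# Basic device identification objects (Modbus spec Annex A, function 0x2B / MEI 0x0E).
DEVICE_ID_OBJECTS = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision"}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int            # function code with the exception bit (0x80) cleared
    data: bytes              # PDU payload after the function code
    is_exception: bool = False
    device_id: Dict[str, str] = field(default_factory=dict)


def parse_frame(raw: bytes) -> ModbusFrame:
    """Split one Modbus/TCP frame into MBAP header fields and the PDU."""
    if len(raw) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(raw) - 6:  # MBAP length counts unit id + PDU
        raise ValueError(f"MBAP length {length} does not match frame size")
    fc = raw[7]
    frame = ModbusFrame(tid, unit, fc & 0x7F, raw[8:], is_exception=bool(fc & 0x80))
    if frame.function == 0x2B and not frame.is_exception and frame.data[:1] == b"\x0e":
        frame.device_id = _parse_device_id(frame.data)
    return frame


def _parse_device_id(data: bytes) -> Dict[str, str]:
    """Decode the object list of a 0x2B/0x0E response into name -> value."""
    # Layout: MEI type, ReadDevId code, conformity level, more-follows flag,
    # next object id, number of objects, then (id, length, value) triples.
    count = data[5]
    objects: Dict[str, str] = {}
    pos = 6
    for _ in range(count):
        obj_id, obj_len = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + obj_len].decode("ascii", "replace")
        objects[DEVICE_ID_OBJECTS.get(obj_id, f"Object{obj_id}")] = value
        pos += 2 + obj_len
    return objects


def build_device_id_response(unit: int, objects: Dict[int, str], tid: int) -> bytes:
    """Construct a 0x2B/0x0E response frame (used only to build the sample data)."""
    body = bytes([0x0E, 0x01, 0x01, 0x00, 0x00, len(objects)])
    for obj_id, value in objects.items():
        enc = value.encode("ascii")
        body += bytes([obj_id, len(enc)]) + enc
    pdu = bytes([0x2B]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def inspect(src_ip: str, frame: ModbusFrame, engineering_hosts: Set[str]) -> Optional[str]:
    """Alert on a write *request* from a non-engineering host, else None.

    Responses carry the same function code, so a real sensor must first split
    direction by TCP port (requests go to port 502); the samples here are requests.
    """
    if frame.is_exception or frame.function not in WRITE_FUNCTIONS:
        return None
    if src_ip in engineering_hosts:
        return None
    return (f"ALERT {src_ip} -> unit {frame.unit_id}: {WRITE_FUNCTIONS[frame.function]} "
            f"(fc {frame.function}) from a host that is not an engineering station")


# Constructed sample traffic as (source IP, raw frame).
ENGINEERING_HOSTS = {"10.0.0.10"}                                    # assumed engineering station
SAMPLE_FRAMES: List[Tuple[str, bytes]] = [
    ("10.0.0.20", bytes.fromhex("00010000000601030000000a")),        # FC3 read of 10 registers
    ("10.0.0.10", bytes.fromhex("000200000009011000100001020001")),  # FC16 write, engineering host
    ("10.0.0.99", bytes.fromhex("000300000009011000100001020001")),  # FC16 write, unknown host
    ("10.0.0.5", build_device_id_response(1, {0: "Schneider Electric", 1: "M580", 2: "3.10"}, 4)),
    ("10.0.0.5", bytes.fromhex("000500000003018302")),               # exception 02, illegal address
]


def run_inspection(frames=None, engineering_hosts=None):
    """Parse every frame; return (alerts, inventory keyed by source IP)."""
    frames = SAMPLE_FRAMES if frames is None else frames
    hosts = ENGINEERING_HOSTS if engineering_hosts is None else engineering_hosts
    alerts: List[str] = []
    inventory: Dict[str, Dict[str, str]] = {}
    for src, raw in frames:
        frame = parse_frame(raw)
        if frame.device_id:
            inventory[src] = frame.device_id
        alert = inspect(src, frame, hosts)
        if alert:
            alerts.append(alert)
    return alerts, inventory


if __name__ == "__main__":
    found_alerts, found_inventory = run_inspection()
    print("\n".join(found_alerts))
    print(found_inventory)
```

Running the block prints one alert, for the write from 10.0.0.99, and an inventory entry for 10.0.0.5 carrying vendor, product code and revision; the read request and the write from the allow-listed engineering station stay silent, and the exception response is parsed but never raises an alert. Feeding captured frames instead of the constructed list is the only change needed to reuse the functions on real traffic.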