
...that went off attack surface management product. Formerly a senior cyber research scientist for the company called Security Risk Advisors. I've made some open source tools, all very OCD, and I've spoken at a bunch of conferences, and if you'd like to chat about this kind of stuff, that's my contact. It's a great organization. I'm pretty new to Twitter, so don't expect much over there. With ICS, no equipment to this topic feels who I am. Not ask questions. First and foremost, I am not a plumber, I believe, though hopefully I've been known to find some leaky buckets. Blue-collar, like ICS, putting together vulnerabilities. I'm also not a lawyer. Here's my topic; well, this is a strange disclaimer to have to give, for retirement: the themes that might be the legalities of accessing someone else's. Last year, as well as the previous couple of years, messy. There's not a lot of litigation beyond a couple of small examples to talk about. We're gonna be talking a lot about Google Docs.

Now this slide you might find offensive, due to that when I'm talking about documentation, specifically, these are the kinds I'm talking about: the file types that spin the cogs of the world of business. These are the files that we interact with; these are typically the file types we're trying to protect, as enterprise defenders, from getting out, and transferring the files that store everything focused on the business around control systems. Now in terms of publication, I break publication categories: the least common one is intentional, this is, you know, releasing marketing, each of those boxes, releasing product documentation.

...the most sophistication that these activity groups have tracked and demonstrated, and it's mapped to the Industrial Control Systems Cyber Kill Chain. So if you're familiar with the traditional cyber security kill chain, it's a series of steps, I think it's seven steps, from initial delivery all the way to exploitation or action on objectives. And so we would consider that stage one: gaining access in the environment, gaining persistence. And then the action on objectives would be moving on to stage two, which is gaining access into the industrial control systems environment. From stage two, you're developing a capability, you're reconning what the industrial control systems look like, and then finally you're disrupting or having some sort of effect on the industrial control systems environment.

The vast majority of the activity groups that we track, represented by those little coins there, are what we would call ICS-curious stage. So they've started attacking and gaining access into the IT environments for various asset owners; they've started doing reconnaissance, attacking suppliers, vendors and OEM providers for some of these environments, but they haven't actually gained access into the industrial control systems environments. What's interesting there is, unlike in the IT space, the ICS space is much more selective, and they're in much more of a growing-of-capabilities perspective. And so it's interesting watching them from the early days of gaining that capability, or understanding that they need that capability, doing that recon, doing that capabilities development, which is where the vast majority of these activity groups are, and then it starts weeding out from there.

So the next category there, stage two, is essentially activity groups, adversaries, that have gained access in the industrial control systems environment but haven't done anything there; but they're actively collecting data, they're exfiltrating information, and they're positioning themselves within those environments for a later date, whatever later date that may be. And then the crème de la crème is the stage two action stage. So these five activity groups have demonstrated some sort of capability to disrupt and impact industrial control systems. This ranges from Electrum, responsible for a 2016 Ukraine attack against transmission that led to a power outage in Kiev, to Xenotime, which attacked a refinery in Saudi Arabia with a piece of malware called Triton, also known as Trisis, that tripped that refinery several times and actually could have led to a safety event for the personnel there. They actually targeted the safety systems of that refinery in order to trip that refinery. So that's the level of sophistication that we're speaking to when we talk about adversaries that have stage two capabilities. And now we're tracking a new one, as of a couple of weeks, called Chernovite.

So Chernovite has built, good, next slide, Chernovite has built a toolkit that we dub Pipedream. Mandiant also refers to it as Incontroller, if you've heard of Incontroller. And Pipedream is notable in that it's only the seventh malware that has been developed that has ICS capabilities embedded into it. So think of all the malware strains out there that you may be familiar with; there's only seven that can impact industrial control systems that are known. The last that I mentioned was Triton, also known as Trisis; that was deployed in 2017 and it was discovered in 2018. So you're talking about something that is continuing to escalate as far as these capabilities are being developed more and more, but still a one, two, three year sort of time frame for some of these toolkits to be discovered, and that's what's unique, and a unique opportunity to truly dive into them and understand what the new capabilities are.

So Chernovite is the threat group that we associate with building Pipedream. They didn't actually deploy or activate Pipedream to have an effect that we're aware of within, well, the world, and it looks to be that a lot of the cues in there are towards targeting liquid natural gas facilities, and I'll speak to that through some of the targeting that they illustrate with their toolset. But the important aspect there is how these toolkits were developed allows for a much broader range of being able to deploy this toolset. So it would be very simplistic to say, oh well, I'm not in the LNG vertical so I don't need to worry about that; I think that would be the wrong takeaway when you're looking at the Pipedream capabilities itself.

What Chernovite and the Pipedream software target are a range of PLCs, programmable logic controllers. These are, again, something that you could see at the ICS Village if you stop by there later today, but they're really just dumb little computers. If you haven't had a chance to touch a PLC, they're taking input, and they're doing some logic on that input, and then they're doing some sort of output. So input may be sensing the volume of liquid in a tank, and then the logic identifies that that tank is full, so the output, it turns off a valve to stop filling up that tank, as a simple example of what a PLC would do. The Pipedream kit is focused on affecting this range of embedded devices, so Omron PLCs, Schneider Electric PLCs, and some of the software associated with that. But again, one of the takeaways is, while that software is configured to target these, there's nothing to suggest that you can't load in another configuration and target a much broader set of PLCs. So again, the takeaway isn't, oh, I don't have the Schneider TM251 so I'm good. The takeaway is actually that some of the underlying software that it's affecting, that I'll talk to, such as CODESYS, is applied in hundreds of vendors' PLCs and thousands of different makes and models, so the scope of this is much larger than just what's on here. The software itself is focused, configuration-wise, on these devices.

So I'm going to step through; there are five tools that are embedded within Pipedream. Pipedream is more of an overarching term for each of these binaries, and as I walk through here, it will kind of set the stage for what these attack sequences could look like using all of these tools. We don't think they were designed in a way that they're used sequentially; it's more of a key chain of sorts that the adversary would have in order to leverage as needed, and they could also be used independent of each other.

Ultimately the first one, dubbed Lazycargo, is really focused on your more traditional enterprise network environment. It's essentially the dropper that is used by Chernovite, and the dropper itself is using a known exploit. I don't have the CVE; the CVE is CVE-2020-15368, which is a signed binary, a driver for motherboards. It will work on any PC though; it's not particularly focused on any motherboard. And that signed driver allows for remote code execution for unsigned binaries. So it's essentially the dropper that Chernovite uses on Windows hosts in what you would traditionally think of as the delivery and exploitation stages of the ICS Kill Chain. And then the next tool, dubbed Dusttunnel, is really the C2 mechanism, the persistence mechanism, that would again be deployed in a traditional IT environment, or higher up in the various levels of the ICS environments, where the system operators, the engineers, would all be working on traditional Windows equipment.

And then it gets a little bit more unique from there. So OPC UA is a protocol that is seen in industrial control systems environments. It is a translation protocol. So if your human machine interface, which is ultimately like an operator machine that is accessing, getting data points from a PLC, may not understand the proprietary protocol of that PLC, the glue between that is OPC, which will have a driver for that protocol and speak to that HMI. So it's really like a translation mechanism that's used by OPC. And there's kind of two paths here with using Mousehole with OPC UA. One of them is certainly just reconnaissance: identifying OPC UA servers, enumerating the equipment that is behind those servers, and understanding some of the tagging information that would be behind there. When I say tag, it would be a particular I/O point on a particular controller; it might be tagged as Tank One, as an example. And if you access that tag, you're talking about the data value that's behind it, so it's 500 or 1000, or you can manipulate that tag and turn it to zero, which would have a downstream effect to that device.

What's notable with OPC is that the predecessor to OPC UA is OPC DA, which is an older protocol doing the exact same thing. It's actually based on OLE; if you're from back in the day with Windows 3.1, Windows 95, you had Object Linking, what does it stand for, Object Link Embedded, pieces of code, and OPC DA is based off that, which is to say very insecure. But regardless, OPC DA was used in the 2016 attack in Ukraine that led to a transmission substation outage, by CrashOverride, also known as Industroyer, that basically changed and turned on, opened, breakers within the substation, thereby de-energizing the lines within the substation. Mousehole is interesting in that it takes that idea of the attack but extends it into a new protocol, a more modern protocol, and adds a little bit more sophistication, more depth and understanding of that protocol, rather than the simple, one kind of encoded binary or encoded packet that CrashOverride would send out. This is a much deeper understanding of that protocol itself, which ultimately allows for Mousehole to not only communicate with these pieces of equipment but also change settings within that equipment.

Now, that's interesting; you may assume that allows for a great effect within these industrial environments, whether it's a substation or an LNG facility, but without understanding those pieces of equipment, how they operate, and the industrial control systems process itself, it's kind of just spraying and praying at that point. You need to have a solid understanding of the engineering aspect that's behind the industrial process in order to have a larger effect. So that's Mousehole, the first kind of tool that's really focused on developing a capability within the ICS environment, and optionally giving the attacker some ability to execute the attack with the right prerequisite knowledge that's embedded in that facility.

Moving on to something a little bit more sophisticated, Evilscholar is the next toolset. This is a framework that's actually in Python; because of some of the libraries it uses, it only runs on Linux hosts. You can think of it more as something like Metasploit, where you have a shell capability to actively interrogate, manipulate and change the states of the Schneider Electric PLCs. It's interesting in that it has a lot of capabilities in the back end, so this wasn't something that was whipped up very quickly. It has support for three different protocols; two of them are proprietary protocols, and it's not simply replaying a packet: the library that is within Evilscholar is a fairly robust implementation of the protocols. So the first one, the Schneider Electric broadcast protocol, essentially as it sounds, is broadcast to the broadcast domain looking for Schneider Electric devices, so these PLCs or devices will respond back when receiving this broadcast. So that's identifying all those pieces of equipment. The next protocol, the CODESYS protocol, which rides on 1740, is going to then provide enumerated details of that PLC: so what was the model number, what was the make, what are the cards all within the backplane of the device, and some of the other auxiliary information thereof. And then Modbus is actually a less sophisticated implementation in Evilscholar; it's basically an open source library called pymodbus that you can find on GitHub, and they did some extensions of that library itself. But Modbus is a protocol that is widely used, has been around since before the internet. Before Modbus it was an implementation on serial devices, and then that serial protocol moved its way to Modbus, and allows you to read and write variables from the memory space of the PLCs, and I'll get into an example of how that can be used shortly.

Ultimately Evilscholar represents a robust sort of framework for the adversary, once they have gained access into these environments, to explore the environment, understand the environment, and develop capabilities around the Schneider Electric PLCs. It does have full file system access to these devices, so it can modify files on the PLC, it can look for files and list files, download files. It can do denial of service, it can crash, it can wipe the memory of the PLC; it has a full capability towards there. One of the features it does have that makes it exceptionally unique is the ability to proxy. So one of the focuses of industrial control systems, or for the threat actors, is ultimately understanding the name of the game, which is once you have access in the environment you can largely do whatever you want. So defenders focus on segmentation and removing that carte blanche access into these environments, which means firewalls, lots of firewalls in lots of places. Evilscholar actually can route through a firewall to a PLC and then use that PLC to send traffic to other PLCs. So a very traditional sort of communication structure would be an engineering workstation, which is what would program a PLC, would have legitimate access to that PLC, so there would be authorized communication even if there were a firewall to communicate to that device. And Evilscholar uses that to its advantage to then also embed commands and send them to other devices in the next layer down that the engineering workstation would not have access to. So if the adversary is looking at gaining access to other parts of the network beyond what the firewall allows them to do, this would allow them to tunnel and have that capability, which is unique and something that certainly is new from a threat model perspective that the industry hasn't fully grappled with yet.

Next up is Badomen. So while Evilscholar was focused on Schneider Electric PLCs, Badomen is focused on Omron PLCs. What's interesting about the industrial control system space is, with IT you're used to Linux and Windows and Cisco; in the ICS space you have hundreds or really even thousands of OEMs that are producing software. Some of them are on Linux, some of them are on embedded Windows devices, but the make and model numbers are so great. So Omron is just another manufacturer that has their own implementation for PLCs, and Badomen is targeting that PLC device. A number of years ago, I guess like 15 or 20 years ago, PLCs started adding web servers to their PLCs from an administration perspective, similar to how your router may have a web administration interface, and this is what Badomen takes advantage of. So Badomen actually uses the CGI interface off a web server that's listening on the Omron devices, and all of its functionality is based on exactly that. This tool, Badomen, looks much more dev-friendly, in that it can take packet captures from its tool, it can enumerate the file system, it has the ability to implant binaries within the PLC itself, so think like rootkit sort of behavior on this embedded equipment. It has the ability to take backups, to restore backups; it has the ability to change the program logic that's on the PLC, and to be able to tamper with and wipe the memory of the controller itself. So carte blanche access to really manipulate the Omron PLC itself.

To speed up a little bit, this is a bit of what the communication structure looks like on the CGI interface. I mean, it's just HTTP; it's sending HTTP commands to a CGI, asking for a set structure of changing the program mode, and then clearing the memory, and then resetting the controller, and then putting it to a run state, which is empty at that point, so it's a brick, if this series, if the wiper aspect, were implemented. And again this is a command line interface, like a shell sort of prompt, where they have a set of commands and they're just issuing them to the devices, not unlike Metasploit.

So the attack scenarios, if you were to stage these together: really what you're looking at is a series of tools that could be deployed in stage one of the ICS Kill Chain as well as stage two. Lazycargo and Dusttunnel are really that initial delivery and exploitation piece within either the traditional enterprise network or the higher levels of the industrial control systems environment, as well as Dusttunnel being able to deliver the C2 mechanism, receive new commands, and implement those on the Windows devices. The next stage down there is where it gets more interesting, on the stage two components there. So Mousehole, all three, Mousehole, Evilscholar and Badomen, allow for the enumeration of these devices that are within the industrial environments, as well as increasingly the manipulation thereof. Now the challenge of attacking industrial control systems environments in general is that you have to understand what that industrial process is doing and how to change it. So certainly if you just prayed and sprayed with OPC, doing a bunch of writes across a bunch of devices, you may have an effect, but you'll have no idea what that effect is, or if it's meaningful in any substantial way, without understanding the industrial process behind that and what it is.

So a more graphical representation of what this sort of scenario would look like: Dusttunnel on the enterprise side, level four, which is on the more enterprise network; Mousehole being ideally suited for level 3.5, which is where a lot of the software aspects that need translation occur, in that level 3.5 or level 3; and then as you move further and further down, you can see how Evilscholar and Badomen are gaining access to PLCs as well as safety equipment that can be used and manipulated.

I'm not going to go through the recommendations. All of Chernovite and the Pipedream malware capability is not only the seventh malware that has these capabilities, it's also the one that has the most depth of capability, the most understanding of some of these protocols and what they signify, but also has the most breadth of being able to attack a numerous level of PLCs rather than one particular model, one particular make. Some of the libraries that it focuses on, with CODESYS, which is kind of the development environment that would be embedded on these PLCs, it is used much more broadly, as I said, than Schneider Electric; it is used across hundreds of manufacturers. So really it only takes some minor tweaks to have a large impact across these PLCs. Additionally, the grid here is the ICS MITRE ATT&CK framework for industrial control systems, and Pipedream represents about 30, 36 percent is I believe the exact number, of coverage of all known TTPs for MITRE ATT&CK for ICS. And so that's a broad range of just the tools, techniques, procedures that are being used, that are understood to be valuable inside of the industrial control systems environment. That's a broad coverage and broad capability that they have.

There are a number of resources if you are interested in the industrial control system space and some of this. Certainly the Pipedream report is available; the Year in Review, which is what I was going to present on, also gives a high-level view of the trends that we're seeing from a vulnerability perspective and threat perspective; and then the ICS Cyber Kill Chain, which is quite a bit old at this point, but it was written by Mike Assante and Rob Lee in 2015, has more or less stood the test of time as a good model of looking at what these intrusions look like from an ICS perspective. So that is my talk. I'll welcome... the BSides, glad to be here. I hope this added some flavor for y'all. Appreciate it.
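The talk's two Modbus points, that the protocol lets a client read and write PLC memory, and that a compromised PLC can be used to relay traffic to other PLCs that the engineering workstation's firewall rules would normally shield, map directly onto a network detection a defender can write. The script below is an added example, not code from the speaker, the Pipedream toolkit or any vendor: it parses Modbus/TCP frames (the 7-byte MBAP header plus the PDU), flags write function codes from any source that is not on an assumed engineering-workstation allow-list, and flags frames that do not parse as Modbus at all. The IP addresses, the allow-list and the sample frames are all constructed for the example.

```python
"""Flag Modbus/TCP write requests from hosts not authorised to program a PLC.

Added example. Every address, allow-list entry and frame below is constructed
for illustration; none comes from a real capture.
"""
import struct
from dataclasses import dataclass

# Modbus public function codes that change PLC state (coils or holding registers).
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}

# Assumed allow-list: only the engineering workstation may write to these PLCs.
AUTHORISED_WRITERS = {"10.0.3.10"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_mbap(frame: bytes) -> ModbusRequest:
    """Parse the MBAP header and the PDU that follows it.

    MBAP = transaction id (2 bytes), protocol id (2, must be 0), length (2),
    unit id (1). The length field counts the unit id plus the PDU.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with frame size {len(frame) - 6}")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def describe_write(req: ModbusRequest) -> str:
    """Decode the target address (and count) of a write so the alert is actionable."""
    if req.function_code in (5, 6):
        addr, value = struct.unpack(">HH", req.data[:4])
        return f"address {addr} value 0x{value:04x}"
    if req.function_code in (15, 16):
        addr, count = struct.unpack(">HH", req.data[:4])
        return f"address {addr} count {count}"
    if req.function_code == 23:
        raddr, rcount, waddr, wcount = struct.unpack(">HHHH", req.data[:8])
        return f"read {raddr}+{rcount}, write {waddr}+{wcount}"
    return ""


def inspect_frames(frames):
    """Return one alert string per unauthorised write and per unparseable frame.

    `frames` is an iterable of (src_ip, dst_ip, raw_tcp_payload) tuples.
    Reads are left alone; a write from a non-allow-listed source (for instance
    one PLC writing to another) is reported with its decoded target.
    """
    alerts = []
    for src, dst, frame in frames:
        try:
            req = parse_mbap(frame)
        except ValueError as exc:
            alerts.append(f"MALFORMED {src}->{dst}: {exc}")
            continue
        name = WRITE_FUNCTION_CODES.get(req.function_code)
        if name and src not in AUTHORISED_WRITERS:
            alerts.append(
                f"UNAUTHORISED WRITE {src}->{dst} unit {req.unit_id}: "
                f"{name} ({describe_write(req)})"
            )
    return alerts


# Constructed sample traffic (hex, spaces ignored by bytes.fromhex):
SAMPLE_FRAMES = [
    # workstation reads 10 holding registers (FC 3): a read, never flagged
    ("10.0.3.10", "10.0.4.21", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # workstation writes one register (FC 6): allowed source, not flagged
    ("10.0.3.10", "10.0.4.21", bytes.fromhex("0002 0000 0006 01 06 0010 0000")),
    # one PLC writing two registers to another PLC (FC 16): flagged
    ("10.0.4.21", "10.0.4.22", bytes.fromhex("0003 0000 000b 01 10 0000 0002 04 00000000")),
    # non-zero protocol id on the Modbus port: not Modbus, flagged as malformed
    ("10.0.4.99", "10.0.4.22", bytes.fromhex("0004 0001 0006 01 05 0000 ff00")),
]

if __name__ == "__main__":
    for line in inspect_frames(SAMPLE_FRAMES):
        print(line)
```

In a real deployment the allow-list would be the set of engineering workstations and HMIs that legitimately program or poll each PLC, and the frame source would be a TCP reassembly of port 502 traffic from a span port at the level 3 / level 2 boundary; the point of the example is that a PLC appearing as the source of a write is a cheap, high-signal indicator of the relay behaviour the talk describes.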