Slide 1: Stuxnet
2017-02-22 Stuxnet / Advenica

Slide 2: Why am I here?

• Give and Take...
• Give...
  • A glimpse into the IT security field
• Take...
  • Spread the word of our company
  • Long-term recruitment...
• Give and Take!?!
  • Spreading interest for security

Slide 3: Main product families

• Encryption
• Cross-Domain Solutions

Slide 4: Digitalt ansvar ("Digital responsibility")

Slide 5: Håkan Ahrefors

• MS Computer Engineering, 1997
• PhD, Software Engineering, 2002
• Assistant Professor, 2003-2005
• IT Security, 2005-2009
• IT Security Consultant, 2009-2010
• Advenica, 2010-

Slide 6: Stuxnet

• Stuxnet is a kind of …
• …let's start there.

Slide 7: Malware/Worms/Trojans/Viruses

• Malicious code: unapproved, unwanted, malicious intent
• Different goals: spread, destroy, steal, herd, sabotage, $$$
• 1949, von Neumann: self-replication
• Early 70s: Creeper virus (DARPA Net)
• 1986: The Brain; 1988: Morris Worm

Slide 8: Anti-Virus/Protection

• Symantec, AVG, Avast, Avira, Microsoft, ESET, McAfee, Panda, Kaspersky...
• However, AV software can't always be run
• General rules of avoidance:
  • NO INTERNET CONNECTION!
  • Limited or no local network connection
  • Run non-common, but trusted, software

Slide 9: New Malware

• 17 June 2010
• VirusBlokAda (Belarusian AV company) detected and put a signature on a new threat, "Trojan-Spy.0485"
• Not that out of the ordinary (~20 million new threats in 2010, according to AV-TEST)
• Did, however, have some "new" interesting code

Slide 10: First Analysis

• Showed:
  • Embedded "0-day" exploit
  • Signed code (certificate from Realtek)
  • Enormous effort
    • Years in development (500 kB virus)
    • Several people, even several groups of people
    • QA

Slide 11: Continued Analysis

• Remote and local updates
  • Remote from external servers
  • Local from other copies
• Kill date... 24 June 2012
• But wait...
  • More exploits (4+)
  • Strange code strains
  • WinCC servers... SIEMENS controllers, PLCs

Slide 12: …

• Spreads
  • Local LAN – Printer Spooler exploit
  • USB (to make air-gap jumps)
• Localization
  • India, Malaysia... and... Iran
• Industrial espionage? Information gathering?

Slide 13: Company X (network diagram)

[Diagram: Company X network zones: Internet; Local Net / Internal Network; and an extra-sensitive, specific-purpose network reached only by "sneaker net"]

Slide 14: Controllers

• WinCC -> SIEMENS hardware for controllers
• STEP7 – framework/language (STL) for programming controllers
• Controllers: PID, PLC
• SCADA – supervisory control and data acquisition

Slide 15: Who is the target?

• Iran, Indonesia, India, Pakistan, US, Russia...
• WinCC -> SIEMENS controllers...
• Frequency converter IDs in S7 code
• Uranium enrichment... uses centrifuges
• Many plants built with Siemens equipment

Slide 16: News and a Suspect

Natanz

Slide 17: .jpg Analysis

• Different sources helped the analysis
• STEP7 code showed signs of groups of structures
  • Grouped in 4, 8, 12, 16, 20... of "something"
• Even the President of Iran "helped"
  • On his blog in 2008
  • Pictures from a visit to Natanz

Slide 18: …Info Bit

• .stub
• mrxnet.sys

Slide 19: Stuxnet News

• Stuxnet was huge news during 2010
• Research has continued and is still ongoing
• Stuxnet code is more or less out there for the taking

Slide 20: Stuxnet – Timeline

November 2008        Trojan.Zlob (.LNK vulnerability, MS10-046)
April 2009           Magazine Hakin9 (MS10-061)
June 2009            Earliest Stuxnet sample compile date
January 25, 2010     Stuxnet driver signed with Realtek certificate
March 2010           First version to exploit MS10-061
June 17, 2010        VirusBlokAda reports "RootkitTmphider"
July 13, 2010        Symantec adds unique "W32.Temphid" signature
July 16, 2010        Microsoft advisory on .lnk files; Verisign revokes Realtek certificate
July 17, 2010        ESET identifies new Stuxnet driver, certificate: Micron TechCorp
July 19, 2010        Siemens reports investigation on WinCC SCADA; Symantec → W32.Stuxnet
July 22, 2010        Verisign revokes Micron TechCorp certificate
August 2, 2010       Microsoft releases MS10-046, patching the .LNK vulnerability
September 14, 2010   Microsoft releases MS10-061, patching the Printer Spooler vulnerability
October 12, 2010     Microsoft releases MS10-073, patching the kernel elevation vulnerability

Slide 21: "Worm Stalking"

• 20 July 2010, Symantec started to monitor the C&C traffic
• Each Stuxnet sample kept a log of its own events
• Stuxnet was a targeted attack on five organizations
  • Organizations were targeted in June 2009, July 2009, March 2010, April 2010, and May 2010. Three organizations were targeted once, one was targeted twice, and another was targeted three times.
  • 12,000 infections originated from these initial 10 infections. All targeted organizations have a presence in Iran. The shortest span between compile time and initial infection was 12 hours.
• In November 2014, the names of the domains were published.
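The kind of reconstruction described on this slide, as an added example (not the presentation's or Symantec's code): each collected sample is treated as carrying an ordered chain of the hosts it passed through, the chains are merged into an infection tree, and from that tree one reads off the seed hosts, how far each seed spread, and the delay between build compile time and first infection. The record layout (hostname, domain, timestamp), the build names, the compile times and every host below are constructed for this illustration.

```python
"""Rebuilding an infection tree from the self-logged history that each Stuxnet
sample carried, as discussed on the "Worm Stalking" slide. Added example, not
code from the presentation or from Symantec: the record layout (one ordered
chain of (hostname, domain, timestamp) per sample), the build names, the
compile times and every host below are constructed for this illustration."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed: compile timestamps of two hypothetical builds.
COMPILE_TIME = {
    "build-A": datetime(2009, 6, 22, 12, 0),
    "build-B": datetime(2010, 3, 1, 9, 0),
}

# Constructed: each collected sample names its build and the hosts it passed
# through, oldest first. Samples that share a prefix came from the same seed.
SAMPLES = [
    ("build-A", [("HOST-1", "ORG-A", datetime(2009, 6, 23, 0, 0)),
                 ("HOST-2", "ORG-A", datetime(2009, 6, 25, 8, 0)),
                 ("HOST-3", "CONTRACTOR", datetime(2009, 7, 2, 14, 0))]),
    ("build-A", [("HOST-1", "ORG-A", datetime(2009, 6, 23, 0, 0)),
                 ("HOST-2", "ORG-A", datetime(2009, 6, 25, 8, 0)),
                 ("HOST-4", "ORG-A", datetime(2009, 6, 26, 10, 0))]),
    ("build-B", [("HOST-9", "ORG-B", datetime(2010, 3, 2, 21, 0)),
                 ("HOST-10", "ORG-B", datetime(2010, 3, 3, 5, 0))]),
]


def build_tree(samples):
    """Merge the per-sample chains into one parent -> children map.

    Returns (roots, children, first_seen): roots maps each seed host to the
    build that infected it, first_seen records the earliest timestamp per host.
    """
    children = defaultdict(set)
    roots, first_seen = {}, {}
    for build, chain in samples:
        for i, (host, domain, ts) in enumerate(chain):
            node = (host, domain)
            first_seen[node] = min(first_seen.get(node, ts), ts)
            if i == 0:
                roots[node] = build
            else:
                children[chain[i - 1][:2]].add(node)
    return roots, children, first_seen


def descendants(node, children):
    """Number of distinct hosts reachable below node, i.e. infections it seeded."""
    seen, stack = set(), [node]
    while stack:
        for child in children.get(stack.pop(), ()):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return len(seen)


def initial_targets(samples):
    """How many distinct seed hosts each organisation (domain) received."""
    roots, _, _ = build_tree(samples)
    return Counter(domain for (_, domain) in roots)


def report(samples=SAMPLES, compile_time=COMPILE_TIME):
    """Per seed host: the build, how far it spread, and hours from compile to infection."""
    roots, children, first_seen = build_tree(samples)
    result = {}
    for root, build in roots.items():
        delay = first_seen[root] - compile_time[build]
        result[root] = {
            "build": build,
            "spread": descendants(root, children),
            "hours_after_compile": delay.total_seconds() / 3600,
        }
    return result


if __name__ == "__main__":
    for root, info in report().items():
        print(root, info)
    print("seed hosts per organisation:", dict(initial_targets(SAMPLES)))
```

With the constructed data, HOST-1 seeds three further infections twelve hours after its build was compiled, and HOST-9 seeds one; the same merge-and-count works unchanged on any number of overlapping chains.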

Slide 22: 4 Exploits!

CVE ref.         Patched         Bulletin   Title
CVE-2008-4250    Oct 23, 2008    MS08-067   Vulnerability in Server Service Could Allow Remote Code Execution
CVE-2010-2568    Aug 2, 2010     MS10-046   Vulnerability in Windows Shell Could Allow Remote Code Execution
CVE-2010-2729    Sept 14, 2010   MS10-061   Vulnerability in Print Spooler Service Could Allow Remote Code Execution
CVE-2010-2743    Oct 12, 2010    MS10-073   Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege

Slide 23: CVE-2010-2568

• CVE-2010-2568: Windows Shell in XP SP3, Server 2003 SP2, Vista SP1 and SP2, Server 2008 SP2 and R2, and Windows 7 allows local users or remote attackers to execute arbitrary code via a crafted (1) .LNK or (2) .PIF shortcut file, which is not properly handled during icon display in Windows Explorer, as demonstrated in the wild in July 2010, and originally reported for malware that leverages CVE-2010-2772 in Siemens WinCC SCADA systems.
• .LNK files

Slide 24: …Gets Iffy

• What icon to show?
• .cpl = .dll
• Link to a .cpl
• … and then extract the icon from the loaded .cpl (DLL) file...
• ...but...

Slide 25: …

OK if it looks like this (screenshot not reproduced)

…but if it looks like this:
• We load whatever DLL is in the ~WTR4141.tmp file... (on removable media)
• = BAD!
• And as msdn.microsoft.com can tell us about the LoadLibrary function...
  • "...If the specified module is a DLL that is not already loaded for the calling process, the system calls the DLL's DllMain function with the DLL_PROCESS_ATTACH value. ..."
• = WORSE!!

Slide 26: "Holy Exploit, Batman!"

• NOTE... No AutoRun needed... the display of the icon triggers the exploit!
• Took just days before this vulnerability was added to Metasploit... but with some added feature...
  • Remote malicious .dll loading!
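A defender-side illustration of slides 23 to 26, added here and not code from the presentation: a small parser for the Shell Link (.LNK) header and string data, plus a heuristic that flags shortcuts whose icon source Explorer would have to load as a module (a Control Panel item, or a .cpl/.dll) from somewhere other than the system directory. The byte layout follows the public MS-SHLLINK specification; the two CLSIDs are the well-known Shell Link and Control Panel class IDs; the flagging rule, the crude string carving from the IDList, the removable drive letter and both sample shortcuts are this example's own assumptions, not a detection signature.

```python
"""Heuristic scanner for Windows Shell Link (.LNK) files, illustrating the
CVE-2010-2568 point above: Explorer resolves a shortcut's icon source and, for a
Control Panel item, loads that file with LoadLibrary, so DllMain runs as soon as
the icon is drawn. Added example, not code from the presentation. The byte layout
follows the public MS-SHLLINK specification; the flagging rule, the CLSID-based
"is this a Control Panel shortcut" check and the sample shortcuts are this
example's own assumptions, not a detection signature."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")            # {00021401-...-000000000046}
CONTROL_PANEL_CLSID = bytes.fromhex("2020ec21ea3a6910a2dd08002b30309d")  # {21EC2020-...-08002B30309D}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in the order the spec serialises them: (LinkFlags bit, name).
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
MODULE_EXTS = (".cpl", ".dll")
SYSTEM_PREFIXES = ("c:\\windows\\", "%systemroot%")


def parse_lnk(data: bytes) -> dict:
    """Parse the ShellLinkHeader, raw LinkTargetIDList and StringData of a .LNK."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    lnk = {"flags": flags, "id_list": b""}
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:
        size = struct.unpack_from("<H", data, pos)[0]
        lnk["id_list"] = data[pos + 2:pos + 2 + size]
        pos += 2 + size
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]  # LinkInfoSize covers the whole struct
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            lnk[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += count * width
    return lnk


def scan_lnk(data: bytes) -> list:
    """Return reasons why drawing this shortcut's icon would load an untrusted module."""
    lnk = parse_lnk(data)
    is_control_panel_item = CONTROL_PANEL_CLSID in lnk["id_list"]
    candidates = [lnk["icon_location"]] if "icon_location" in lnk else []
    # Best-effort string carving from the IDList, where a Control Panel item
    # shortcut carries the path of the module Explorer will load.
    candidates += [m.decode("utf-16-le") for m in re.findall(rb"(?:[ -~]\x00){4,}", lnk["id_list"])]
    candidates += [m.decode("latin-1") for m in re.findall(rb"[ -~]{4,}", lnk["id_list"])]
    reasons = []
    for path in candidates:
        low = path.lower()
        loadable = is_control_panel_item or low.endswith(MODULE_EXTS)
        if loadable and "\\" in low and not low.startswith(SYSTEM_PREFIXES):
            reasons.append(f"icon source loaded as a module from outside the system directory: {path}")
    return reasons


def build_lnk(id_items=(), strings=None) -> bytes:
    """Assemble a minimal Unicode .LNK (constructed test input, not a real sample)."""
    strings = strings or {}
    flags, body = IS_UNICODE, b""
    if id_items:
        flags |= HAS_LINK_TARGET_ID_LIST
        id_list = b"".join(struct.pack("<H", len(it) + 2) + it for it in id_items) + b"\x00\x00"
        body += struct.pack("<H", len(id_list)) + id_list
    for bit, name in STRING_FIELDS:
        if name in strings:
            flags |= bit
            body += struct.pack("<H", len(strings[name])) + strings[name].encode("utf-16-le")
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + bytes(76 - 24)
    return header + body


# Constructed samples: an ordinary shortcut, and a Control Panel item shortcut
# whose "module" is a .tmp file on a removable drive (drive letter E: assumed).
BENIGN_LNK = build_lnk(strings={"relative_path": r"..\notepad.exe",
                                "icon_location": r"C:\Windows\System32\shell32.dll"})
SUSPICIOUS_LNK = build_lnk(id_items=(b"\x1f\x50" + CONTROL_PANEL_CLSID,
                                     b"\x00\x01" + r"E:\~WTR4141.tmp".encode("utf-16-le") + b"\x00\x00"))

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("suspicious", SUSPICIOUS_LNK)):
        print(label, scan_lnk(blob) or "no findings")
```

The point the slide makes is visible in the rule: the shortcut is flagged not because of any payload it contains but because resolving its icon would hand an arbitrary file on removable media to LoadLibrary. A scanner of this shape belongs on the mail gateway or removable-media import path, before Explorer ever renders the folder.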

Slide 27: What happened here?

November 2008        Trojan.Zlob (.LNK vulnerability, MS10-046)
August 2, 2010       Microsoft releases MS10-046, patching the .LNK vulnerability   → 1-1½ years!

April 2009           Magazine Hakin9 (MS10-061)
September 14, 2010   Microsoft releases MS10-061, patching the Printer Spooler vulnerability

Slide 28: Hard-coded Wonders!

• Login WinCC uid/pwd?
• Posted on Siemens software forums since 2008... has since been removed... but... it's still "out there"
• MS SQL: uid=WinCCConnect;pwd=2WSXcde
• Of course it can't be changed in the DB...... the program would stop

Slide 29: Stuxnet

• Glimpse of the future?
• Directed attacks are far more difficult to handle
• SCADA systems: just one of many huge areas where "IT" security is not implemented
• Not only about the "I" of IT anymore

Slide 30: And then what?

• What happened then...?
• 2011
• 2012
• Gauss
• (Wiper) – Retaliation?

Slide 31: Flame

• Spread across LAN or via USB stick
• Created for information gathering
  • Records audio, screenshots, keyboard activity and network traffic
  • Also records Skype conversations
  • Can turn infected computers into Bluetooth beacons and harvest information about nearby Bluetooth-enabled devices

Slide 32: Flame II

• Data sent to a worldwide net of C&C servers
• Found initially in May 2012
• Spread mostly in the Middle East
  • Iran, Israel, Sudan, Syria, Lebanon etc.
• After exposure, a "kill" command was sent

Slide 33: Huge Flame is Huge

• 20 MB of malware!
• Modules
  • Lua, C++
  • SQLite db
• Anti-"anti-virus", depending on what AV software was installed
• Active since at least 2010

Slide 34: Certificates Again

• Signed with a fraudulent Microsoft certificate
• Used a highly advanced attack against the MS Terminal Services Licensing Server to generate a "valid" but fraudulent certificate
  • Utilized MD5 collision attacks
• Made a man-in-the-middle attack on Windows Update possible

Slide 35: And then what II?

• (Jan, 2013)
• Miniduke (27 Feb, 2013)
• NetTraveler (4 Jun, 2013)
• Careto (11 Feb, 2014)
• (23 Feb, 2014)
• Duqu 2.0 (Jun, 2015)
• Shamoon 2 (Nov, 2016)
• … and…

Slide 36: …Stuxnet 0.5

• Symantec revealed new information about early versions of Stuxnet
• v0.5
  • Less developed but more aggressive
  • Designed to modify the pressure valves of centrifuges of uranium-rich gas

Slide 37: Even Further Back!

• C&C servers registered 2005
• Sample of code 2007
• 5 years!

Slide 38: Meanwhile in Russia…

Slide 39: Kaspersky Labs -- 2015-02-16

• NSA
• "Threat Actor"
• Highly sophisticated
• Engaged in network exploitation since (at least) 2001
  • …perhaps even further back (1996)
• Multiple malware platforms
• Highly advanced tools
• Uses lots of

Slide 40: Equation Group II

• Module present in several of their malware
  • To stay persistent
  • Re-programs HDD firmware
  • Samsung, WD, Hitachi, Seagate, Toshiba…
• Fanny
  • Worm created 2008
  • Used 2 zero-day exploits
  • Stuxnet's 'infamous' .LNK exploit
  • Mapping of air-gapped networks…

Slide 41: Olympic Games

• Speculations
  • 24 Sept 2010, The Guardian
  • 1 June 2012, New York Times
  • 23 June 2013, Associated Press
  • (Cartwright pardoned by Obama 2017)
• June 2013, Edward Snowden
  • Tailored Access Operations (TAO)

Slide 42: Sources

• Stuxnet
  • "W32.Stuxnet Dossier" / Symantec
  • "Stuxnet under the microscope" / ESET
  • "Stuxnet 0.5 – The Missing Link" / Symantec
  • "Stuxnet: Zero Victims" / Kaspersky (Nov 2014)
  • "Countdown to Zero Day – Stuxnet and the Launch of the World's First Digital Weapon" / Kim Zetter (2014)
• Ralph Langner
  • On Vimeo, search for Ralph Langner
  • TED talk, Ralph Langner (Feb 2011)
• Documentary: Zero Days (Jul 2016, www.imdb.com/title/tt5446858/)
• Equation Group
  • "Equation Group FAQ v1.5" / Kaspersky Labs (Feb 2015)

Slide 43: The end…

Håkan Ahrefors
[email protected]
advenica.com/
digitaltansvar.se/
