Posts Tagged ‘shodan’
Monday, March 18, 2013 @ 06:03 PM gHale
To show just how vulnerable SCADA systems are, it took just 18 hours for attacks to begin against a series of honeypot SCADA systems set up by Trend Micro.
On top of that, over a 28-day period these honeypots suffered 39 attacks from 11 different countries. China accounted for the majority of the attack attempts at 35 percent, followed by the U.S. at 19 percent. The UK accounted for eight percent.
For some background, Trend Micro set up three separate honeypots, designed to look like genuine industrial machines, connected to the Internet. One was on Amazon’s public cloud, another on a private Dell server, while the final one included an actual Programmable Logic Controller (PLC) of the kind used in industrial environments.
“The findings concerning the deployments proved disturbing,” Trend Micro said in its report, delivered during the Blackhat Europe conference in Amsterdam.
“In addition to the many attacks seen on the honeypot environment, there were also a surprising number of malware exploitation attempts on the servers.
“Utilizing the popular malware honeypot, Dionaea, four samples were collected over the testing time frame, two of which have not been seen in the wild as they had unique MD5 checksums.”
As reported over the past three years or so, SCADA systems are vulnerable. Research conducted by ICS-CERT found that in 2012, 171 unique vulnerabilities affected 55 different ICS vendors.
It is easy to determine which SCADA systems are connected to the Internet. Tools such as Shodan can also help attackers figure out where vulnerable industrial controls are sitting, while Pastebin contains information such as relevant IP addresses.
Trend Micro had to contact a number of companies that had systems attached to the Internet with no security mechanisms preventing unauthorized access.
“Until proper [industrial control system] security is implemented, these types of attacks will likely become more prevalent and advanced or destructive in the coming years,” the security firm added.
Tuesday, February 5, 2013 @ 02:02 PM gHale
By Gregory Hale
Tridium Niagara is dealing with an unpatched zero day that two security researchers found and demonstrated live at the Kaspersky Security Analyst Summit (SAS) Tuesday.
While a patch is imminent, the researchers, Billy Rios and Terry McCorkle of Cylance, did not go into the technical details of the flaw, other than to say they were able to get root access to the device. The key, they said at the SAS in Puerto Rico, was finding a way to access the file that contains the device’s configuration files. After that, the researchers, who between them have reported over 1000 vulnerabilities to vendors, were able to get into the framework’s station, the interface administrators use to manage whatever the device is running. From there, they leveraged a privilege escalation bug to get access to the platform level of the device stack, which runs on Java.
Tridium Niagara Framework sees use in running building maintenance systems including access control, video, intrusion, elevator control, lighting, HVAC, and energy.
“A platform written in Java – and we can get through Java – we own everything,” Rios said. “Once you own the platform, you own everything. Once you own the platform, it is game over.”
The researchers conducted a small research project on just how many Tridium Niagara devices were out there connected to the Internet. After a quick Shodan search, they were able to find over 21,000 devices facing the Internet, McCorkle said. That means these devices, if not properly protected – which most, if not all, are not – would be vulnerable to attack.
They found in the company’s literature that the devices are meant to work connected to the Internet. “They are designed to connect control systems and building systems to the Internet,” McCorkle said.
Their Shodan search did not tell them exactly which devices were running where, so to narrow the possibilities they looked up case studies on the vendor’s web site, which let them narrow down where the devices were. They could also find out what these devices were controlling.
“We found hospitals, banks, buildings on the Internet,” McCorkle said.
The next question is what should users do if they are running Tridium Niagara today?
“Take it off the Internet and make sure it’s protected, and monitor that traffic,” McCorkle said. “Finding these is trivial. You can do privilege escalation on them and elevate to local admin on the LAN and pivot from there.”
“We are not the only ones doing this,” Rios said. “There are people not standing on a stage talking about this. People have to realize we are not living in the stone age. There are people out there that want to exploit these devices.”
In many ways, the researchers found these very same issues back in the 90s in the IT environment.
“We are jumping back in time to the early days of Windows,” McCorkle said. “This isn’t a new problem. We are just trying to shed some light on the situation.”
Friday, October 26, 2012 @ 03:10 PM gHale
Researchers compiled a list of more than 500,000 Internet facing control system-related devices on the SHODAN search engine using supervisory control and data acquisition (SCADA) and other ICS-related search terms.
The researchers brought their findings to the attention of ICS-CERT, saying an adversary could use the search engine as a shortcut to find vulnerable systems and thereby threaten or attack critical infrastructure, according to a report from ICS-CERT.
ICS-CERT is working with the researchers and industry partners to notify the owners of the identified IP addresses, but recommends asset owners and operators take a proactive approach and audit their systems to ensure strong authentication/logon credentials and defensive measures are in place.
Owners, operators, and security personnel may use search engines, such as SHODAN or ERIPP, to audit their networks and devices to locate Internet-facing control system devices that may be susceptible to compromise.
Asset owners should query various search engines using the vendor product, model, and version of a device, to determine if their IP address block is within the search results, according to ICS-CERT.
If they discover the control system devices using these tools, asset owners should take the necessary steps to remove these devices from direct or unsecured Internet access as soon as possible.
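The audit ICS-CERT describes above (query by product, model and version, then check whether your own address blocks appear in the results) can be scripted once the results are exported. The following is an added example, not ICS-CERT’s or Shodan’s code: it assumes result records carry the field names Shodan’s JSON uses (`ip_str`, `port`, `product`, `version`, `data`), and all sample records and address blocks are constructed for the example.

```python
"""Match exported search-engine results against an organization's own address
space, so an asset owner can find Internet-facing control devices in blocks
they are responsible for. Field names are assumed to follow Shodan's JSON
output; every value below is constructed, not taken from a live query."""
import ipaddress

# Constructed sample results, in the shape a product/version search returns.
SAMPLE_RESULTS = [
    {"ip_str": "203.0.113.17", "port": 80, "product": "Niagara Web Server",
     "version": "3.6", "data": "HTTP/1.1 200 OK\r\nServer: Niagara Web Server/3.6\r\n"},
    {"ip_str": "203.0.113.250", "port": 502, "product": "Modbus",
     "version": "", "data": "Modbus TCP device"},
    {"ip_str": "198.51.100.9", "port": 80, "product": "Niagara Web Server",
     "version": "3.5", "data": "HTTP/1.1 401 Unauthorized\r\n"},
    {"ip_str": "192.0.2.44", "port": 80, "product": "i.LON",
     "version": "", "data": "HTTP/1.0 200 OK\r\nServer: i.LON\r\n"},
]

# The organization's own public address blocks (constructed for the example).
OWNED_BLOCKS = ["203.0.113.0/24", "198.51.100.0/26"]


def find_exposed(results, owned_blocks):
    """Return the records whose IP lies inside one of the owned blocks,
    annotated with the matching block and a crude no-login indicator."""
    nets = [ipaddress.ip_network(b, strict=False) for b in owned_blocks]
    exposed = []
    for rec in results:
        try:
            ip = ipaddress.ip_address(rec["ip_str"])
        except ValueError:
            continue  # skip malformed entries instead of aborting the audit
        for net in nets:
            if ip in net:
                exposed.append({
                    "ip": str(ip),
                    "port": rec["port"],
                    "product": rec.get("product") or "unknown",
                    "version": rec.get("version") or "unknown",
                    "block": str(net),
                    # A 200 with no challenge suggests the interface is served
                    # without a login; a 401 at least demands credentials.
                    "unauthenticated": "200 OK" in rec.get("data", ""),
                })
                break  # one match per record is enough
    return exposed


def summarize(exposed):
    """Count exposed devices per owned block for the remediation report."""
    counts = {}
    for entry in exposed:
        counts[entry["block"]] = counts.get(entry["block"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_exposed(SAMPLE_RESULTS, OWNED_BLOCKS)
    for hit in hits:
        print(hit)
    print(summarize(hits))
```

Records outside the owned blocks (here 192.0.2.44) are ignored; the entries that remain are the ones to remove from direct Internet access or place behind a firewall and strong authentication.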
Wednesday, July 25, 2012 @ 07:07 PM gHale
By Gregory Hale
There are plenty of myths when it comes to air gaps. But one thing is true. Air gaps themselves are myths.
First, what are some of the myths? Myth one is that they are the default in industrial systems. Myth two is that they are easy to deploy. Myth three is that they are inexpensive. Myth four is that they make attacks impossible. None of those myths is true, said Eireann Leverett, industry consultant, during his talk at Black Hat USA 2012 in Las Vegas Wednesday.
With the idea that air gaps show there is no way there is a connection to the outside world, Leverett said “when you sit down and think about it, it just can be true.”
Just by doing some research and using Shodan, Leverett was able, without too much trouble, to find Internet facing control systems.
He then took a video tour of the sites where they were located.
“Globally we are facing a problem. We are statistically failing,” Leverett said.
He was able to find 12,000 industrial control systems and UPSes, plus 22,000 building management systems.
While it may be popular to pick on one vendor or another as having vulnerable systems facing the Internet, Leverett showed just about all vendors had systems that were open to the Internet.
On a good note, “big companies are taking security more seriously,” he said. “We just need to improve things.”
Tuesday, June 26, 2012 @ 02:06 PM gHale
By Gregory Hale
There was a mindset industrial control systems were a fixed capital asset, but those days are going away and the system is now more of an operational cost.
That mindset changes things.
“Now everything is connected to everything else,” said Marty Edwards, director of Control Systems Security Program at ICS-CERT with the U.S. Department of Homeland Security during a talk today at the 2012 Siemens Automation Summit. “We hear people say ‘my system is air gapped’ and, no, it is not.”
Not only do you have to have security programs on your platform, you have to understand what is going on at all times, Edwards said. Know your traffic.
“It is mostly about understanding your system. You should know all the nodes on your system and know when things are happening,” he said.
Edwards said when a company suffers an attack on its IT systems, the company may suffer a financial or data loss, but no one suffers an injury. The danger of an industrial control system under attack is that “when you make a change, a physical thing can happen.”
On top of that, there are tools available on the Internet that give attackers access to code for exploiting a system somewhere. In addition, a potential hacker can look through tools like SHODAN and find Internet facing devices with no real defense.
There are different kinds of attacks, Edwards said. The lowest level on the spectrum is attackers who just download items off the Internet and try to wreak havoc on the victim.
The next level up is the criminal element that can try to extort money from the potential victims. If a victim reports what happened, law enforcement agencies can get involved and file charges if they can find the criminal.
“We have strong laws on the books and we can prosecute,” Edwards said.
Another form of attack is the Advanced Persistent Threat (APT) like the famous Stuxnet event. Stuxnet was a virus that affected the Siemens system at the Natanz nuclear enrichment facility in Iran. The virus was on the system at least a year before anyone discovered it. The virus helped destroy centrifuges at the plant. ISSSource reported the U.S. and Israel were the brains behind Stuxnet.
Last year, there were reports of another potential attack hitting a water plant in Springfield, IL, coming from Russia and Germany, Edwards said.
The Curran-Gardner Water District network feared they were victims of an attack and the word spread they suffered a compromise at the hands of Russian attackers.
In a post-Stuxnet world, the initial report ended up leaked and the story spread across the world. While the water district did suffer a pump failure, it was not at the hands of a hacker; it was simply a pump that failed.
Before anyone knew the end result, investigators from the FBI and from ICS-CERT flew in to investigate.
As it turned out, the German and Russian IP addresses found on the water company’s system came from a contractor who worked on the network and was on vacation – in Germany and Russia.
After a detailed analysis, DHS and the FBI found no evidence of a cyber intrusion into the SCADA system.
A charged situation in which no one involved really knew what was happening at first was quickly resolved because the water district had a forensic response plan in place, so they knew what to do and when to do it.
Monday, June 25, 2012 @ 06:06 PM gHale
There are additional systems running with default usernames and passwords that are accessible via the Internet, and end users need to be aware of the dangers involved, according to a report issued by ICS-CERT.
In fact, the configuration of these systems is not in line with common best practices such as placing them behind a firewall or changing documented default credentials.
The report comes as a follow up to a December ICS-CERT alert about multiple reports of researchers using SHODAN, Every Routable IP Project (ERIPP), Google, and other search engines to discover Internet facing control systems.
ICS-CERT coordinated the information with the control system owners and operators to notify them of their potential vulnerability to cyber intrusion and attack. In most cases, those who put the exposed systems together did not know about the potentially insecure access authentication and authorization mechanisms.
ICS-CERT will work with the asset owner/operators and vendor or systems integrators whenever possible to remove any default credentials and secure these systems from attack.
When unauthorized access is identified, ICS-CERT has helped control system owners and operators with system and firewall data analysis to determine the extent of the intrusion and whether any configuration changes to the system are needed.
The use of readily available and generally free search tools significantly reduces time and resources required to identify Internet facing control systems. In turn, hackers can use these tools to easily identify exposed control systems, posing an increased risk of attack. Conversely, owners and operators can also use these same tools to audit their assets for unsecured Internet facing devices.
Internet facing control systems have been identified in several critical infrastructure sectors. The systems vary in their deployment footprints, ranging from stand-alone workstation applications to larger distributed control system (DCS) configurations. These control systems were designed to allow remote access for system monitoring and management. All too often, the remote access configuration allows direct Internet access (no firewall) and/or default or weak user names and passwords. In addition, those default/common account credentials are often available in publicly accessible documentation.
In all cases, ICS-CERT has worked with these organizations to remove default credentials and strengthen their overall security.
The most recent scenarios include:
• ICS-CERT becoming aware of multiple systems with default usernames and passwords that are accessible via the Internet. These systems are not configured in line with common best practices such as being behind a firewall or changing documented default credentials. These reports include the Echelon i.LON product, commonly deployed within ICS devices such as motors, pumps, valves, and sensors, which contains a default username and password. This is not an inherent vulnerability, but left unchanged it does pose a security risk, especially when the device is configured to be Internet accessible. Users should replace the default username and password with a strong username and password configuration, especially when the device is Internet accessible.
• ICS-CERT released several products concerning weak authentication mechanisms. Weak authentication mechanisms are often difficult to remedy because users cannot typically change passwords. The products below highlight weak authentication vulnerabilities reported to ICS-CERT and patched by the vendor:
ICSA-11-173-01 – ClearSCADA Remote Authentication Bypass
ICSA-11-356-01 – Siemens Simatic HMI Authentication Vulnerability
ICSA-12-146-01A – RuggedCom Weak Cryptography for Password Vulnerability
• In February 2011, independent security researcher Rubén Santamarta used SHODAN to identify online remote access links to multiple utility companies’ supervisory control and data acquisition (SCADA) systems. Santamarta notified ICS-CERT for coordination with the vendor and the affected control system owners and operators. Further research indicated that other systems were using default user names and passwords.
• In April 2011, ICS-CERT received reports of 75 Internet facing control system devices, mostly in the water sector. ICS-CERT worked with the Water Sector ISAC and the vendor to notify affected control system owners and operators. Many of those control systems had their remote access configured with default logon credentials.
• In September 2011, independent researcher Eireann Leverett contacted ICS-CERT to report several thousand Internet facing devices that he discovered using SHODAN. To date, this response has included international partners and 63 other CERTs in the effort to notify the identified control system owners and operators that their control systems/devices were exposed on the Internet.
• Currently, ICS-CERT is coordinating the response to several new reports of Internet facing control systems from independent researchers Billy Rios, Terry McCorkle, Joel Langill, and other trusted sources.
It goes without saying, but control system owners and operators should audit their control systems — whether or not they think their control systems are connected to the Internet — to discover and verify removal of any default administrator level user names and passwords. Because each control system installation is unique, owners and operators may need to contact their system vendor or integrator for assistance with locating and eliminating default accounts.
Wednesday, January 25, 2012 @ 02:01 PM gHale
Eireann Leverett, a computer science doctoral student at Cambridge University, developed a tool that matches information about industrial control systems connected to the Internet with information about known vulnerabilities.
What he can do with that tool, as he discussed last week at the S4 conference in Miami Beach, is prove how easy it is for an attacker to locate and target an industrial control system (ICS). Leverett used the SHODAN search engine, which allows users to find Internet-connected devices using simple search terms. He then matched that data to information from vulnerability databases to find known security holes and exploits that could hijack the systems.
Leverett found over 10,000 connected devices through a search of two years’ worth of data in the SHODAN database. He was not able to determine how many of the devices uncovered were actually working systems, nor was he able to determine in all cases whether the systems were critical infrastructure systems installed at power plants and other significant facilities.
He did say, though, a few of the systems he investigated actually belonged to water facilities in Ireland and sewage facilities in California.
He also said 17 percent of the systems he found online asked him for authorization to connect, suggesting that administrators either weren’t aware their systems were online or failed to install secure gateways to keep out intruders.
To avoid obtaining unauthorized access to the systems, Leverett didn’t try to connect to the systems himself but passed the information to the Department of Homeland Security last September, which took on the task of notifying the owners of systems or their ISPs.
Leverett’s tool showed how easy it is for a dedicated attacker or just a recreational hacker to find vulnerable targets online to sabotage.
He told conference attendees he worked on the tool full time for three months and part time for another three months, saying that if “a student can put this together, surely a nation state can do it.”