ISSSource White Papers

Posts Tagged ‘shodan’

Monday, March 18, 2013 @ 06:03 PM gHale

To show just how vulnerable SCADA systems are, it took just 18 hours for attacks to occur on series of honeypot SCADA systems set up by Trend Micro.

On top of that over a 28-day period, these honeypots suffered an attack 39 times from 11 different countries. China accounted for the majority of the attack attempts at 35 percent, followed by the U.S. at 19 percent. The UK accounted for eight percent.

243 Days to Discover Attack
Security Report: Use more Honeypots
Honeypot Now SQL Injection Capable
USB Malware Heart of Investigation

For some background, Trend Micro set up three separate honeypots, designed to look like genuine industrial machines, connected to the Internet. One was on Amazon’s public cloud, another on a private Dell server, while the final one included an actual Programmable Logic Controller (PLC) controller used in the industrial environment.

“The findings concerning the deployments proved disturbing,” Trend Micro said in its report, delivered during the Blackhat Europe conference in Amsterdam.

“In addition to the many attacks seen on the honeypot environment, there were also a surprising number of malware exploitation attempts on the servers.

“Utilizing the popular malware honeypot, Dionaea, four samples were collected over the testing time frame, two of which have not been seen in the wild as they had unique MD5 checksums.”

As reported over the past three years or so, SCADA systems are vulnerable. Research conducted by ICS-CERT found in 2012, 171 unique vulnerabilities affected 55 different ICS vendors.

It is easy to determine what SCADA systems connect to the Internet. Tools such as Shodan can also help attackers figure out where vulnerable industrial controls are sitting, while Pastebin contains information such as relevant IP addresses.

Trend Micro had to contact a number of companies that had systems attached to the Internet with no security mechanisms preventing unauthorized access.

“Until proper [industrial control system] security is implemented, these types of attacks will likely become more prevalent and advanced or destructive in the coming years,” the security firm added.

Click here for a copy of the report.

Tuesday, February 5, 2013 @ 02:02 PM gHale

By Gregory Hale
Tridium Niagara is dealing with an unpatched Zero Day that two security researchers found and demonstrated live at the Kaspersky Security Analyst Summit (SAS) Tuesday.

While a patch is imminent, the researchers, Billy Rios and Terry McCorkle of Cylance, did not go into the technical details of the flaw, other than to say they were able to get root access to the device. The key, they said at the SAS in Puerto Rico, was gaining a way to access the file that contains configuration files for the device. After that, the researchers, who between them have reported over 1000 vulnerabilities to vendors, were able to get into the framework’s station, which is the interface administrators interact with to manage whatever the device is running. From there, they were able to leverage a privilege escalation bug in order to get access to the platform level of the device stack which runs on Java.

SAS: Learn from your Attackers
SAS: Keeping an Eye on Mobile Devices
DDoS Attacks Steady; Others on Rise
Users a Top Security Threat

Tridium Niagara Framework sees use in running building maintenance systems including access control, video, intrusion, elevator control, lighting, HVAC, and energy.

“A platform written in Java – and we can get through Java –we own everything,” Rios said. “Once you own the platform, you own everything. Once you own the platform, it is game over.”

The researchers conducted a little research project on just how many Tridium Niagara devices were out there connected to the Internet. After a quick Shodan search, there were able to find over 21,000 devices facing the Internet, McCorkle said. That means these devices if not properly protected – which most, if not all, are not – they would be vulnerable to attack.

They found in part of the company literature the devices work connected to the Internet. “They are designed to connect control systems and building systems to the Internet,” McCorkle said.

While they were not entirely sure what devices were running where from their Shodan search, to narrow the possibilities they were able to look up case studies on the web site and they could narrow down where the devices were. They could also find out what these devices were controlling.

“We found hospitals, banks buildings on the Internet,” McCorkle said.

The next question is what should users do if they are running Tridium Niagara today?

“Take it off the Internet and make sure it’s protected, and monitor that traffic,” McCorkle said. “Finding these is trivial. You can do privilege escalation on them and elevate to local admin on the LAN and pivot from there.”

“We are not the only ones doing this,” Rios said. “There are people not standing on a stage talking about this. People have to realize we are not living in the stone age. There are people out there that want to exploit these devices.”

In many ways, the researchers found these very same issues back in the 90s in the IT environment.

“We are jumping back in time to the early days of Windows,” McCorkle said. “This isn’t a new problem. We are just trying to shed some light on the situation.”

Friday, October 26, 2012 @ 03:10 PM gHale

Researchers compiled a list of more than 500,000 Internet facing control system-related devices on the SHODAN search engine using supervisory control and data acquisition (SCADA) and other ICS-related search terms.

The researchers brought their findings to the attention of ICS-CERT, saying an adversary could use the search engine as a shortcut to find vulnerable systems and thereby threaten or attack critical infrastructure, according to a report on ICS-CERT.

Internet Facing Control System Alert
ICSJWG: Basic, but Effective Security
ICSJWG: Attack Tree Blooms
ICJWG: Whitelisting Project
ICSJWG: Cyber Exercises a Key
ICSJWG: Knowledge Sharing
ICSJWG: Researchers on Same Team

ICS-CERT is working with the researchers and industry partners to notify the owners of the identified IP addresses, but recommends asset owners and operators activate and take a proactive approach and audit their systems to ensure strong authentication/logon credentials and defensive measures are in place.

Owners, operators, and security personnel may use search engines, such as SHODAN or ERIPP, to audit their networks and devices to locate Internet-facing control system devices that may be susceptible to compromise.

Asset owners should query various search engines using the vendor product, model, and version of a device, to determine if their IP address block is within the search results, according to ICS-CERT.

If they discover the control system devices using these tools, asset owners should take the necessary steps to remove these devices from direct or unsecured Internet access as soon as possible.

Wednesday, July 25, 2012 @ 07:07 PM gHale

By Gregory Hale
There are plenty of myths when it comes to air gaps. But one thing is true. Air gaps themselves are myths.

First what are some of the myths? Myth one is they are the default in industrial systems. Myth two is they are easy to deploy. Myth three is they are inexpensive. Myth four is they don’t make attacks possible. All those myths are not true, said Eireann Leverett, industry consultant, during his talk at Black Hat USA 2012 in Las Vegas Wednesday.

Black Hat: New Security Paradigm
ICS-CERT: Attacks on Rise
Cyber Secure Device Certification
Robustness Testing: Saves Lives, Money

With the idea that air gaps show there is no way there is a connection to the outside world, Leverett said “when you sit down and think about it, it just can be true.”

Just by doing some research and using Shodan, Leverett was able to go out and, without too much trouble, was able to find Internet facing control systems.

He then went out and took a video tour of all the sites are where they were located.

“Globally we are facing a problem. We are statistically failing,” Leverett said.

He was able to find 12,000 industrial control systems and UPSes, plus 22,000 building management systems.

While it may be popular to pick on one vendor or another as having vulnerable systems facing the Internet, Leverett showed just about all vendors had systems that were open to the Internet.

On a good note, “big companies are taking security more seriously,” he said. “We just need to improve things.”

Tuesday, June 26, 2012 @ 02:06 PM gHale

By Gregory Hale
There was a mindset industrial control systems were a fixed capital asset, but those days are going away and the system is now more of an operational cost.

That mindset changes things.

Summit: Productivity Key to Growth
Risk is Not a Game
Survey: Security a Thought, Not a Focus
Fed CIO’s say Security Top Concern

“Now everything is connected to everything else,” said Marty Edwards, director of Control Systems Security Program at ICS-CERT with the U.S. Department of Homeland Security during a talk today at the 2012 Siemens Automation Summit. “We hear people say ‘my system is air gapped’ and, no, it is not.”

Not only do you have to have security programs on your platform, you have to understand what is going on at all times, Edwards said. Know your traffic.

“It is mostly about understanding your system. You should know all the nodes on your system and know when things are happening,” he said.

Edwards said when a company suffers an attack, the company may suffer a financial or data loss, but no one suffers an injury. One issue behind the danger of an industrial control system being under attack is “when you make a change, a physical thing can happen.”

On top of that there are tools available on the Internet to help attackers gain access to code to help them exploit a system somewhere. In addition a potential hacker can look through tools like SHODAN and find Internet facing devices with no real defense.

There are different kinds of attacks, Edwards said, the lowest level on the spectrum is those that just download items off the Internet and try to wreck havoc for the victim.

The next level up is the criminal element that can try to extort money from the potential victims. If a victim reports what happened, law enforcement agencies can get involved and file charges if they can find the criminal.

“We have strong laws on the books and we can prosecute,” Edwards said.

Another form of attack is the Advanced Persistent Threat (APT) like the famous Stuxnet event. Stuxnet was a virus that affected the Siemens system at the Natanz nuclear enrichment facility in Iran. The virus was on the system at least a year before anyone discovered it. The virus helped destroy centrifuges at the plant. ISSSource reported the U.S. and Israel were the brains behind Stuxnet.

Last year, there were reports of another potential attack hitting a water plant in Springfield, IL, coming from Russia and Germany, Edwards said.

The Curran-Gardner Water District network feared they were victims of an attack and the word spread they suffered a compromise at the hands of Russian attackers.

In a post Stuxnet world, the initial report ended up leaked and the story spread across the world. While the water district did suffer a pump failure, it was not at the hands of a hacker, but rather it was just a pump gone wrong.

Before anyone knew the end result, investigators from the FBI and from ICS-CERT flew in to investigate.

As it turned out the German and Russian IP addresses found on the water company’s system came from a contractor that worked on the network was on vacation – in Germany and Russia.

After a detailed analysis, DHS and the FBI found no evidence of a cyber intrusion into the SCADA system.

In a charged atmosphere where everyone involved didn’t really know what was happening at first ended up being quickly resolved because the water district had a forensic response plan in place so they knew what to do and when to do it.

Monday, June 25, 2012 @ 06:06 PM gHale

There are additional systems running with default usernames and passwords that are accessible via the Internet and end users need to be aware of the dangers involved, according to a report issued from ICS-CERT.

In fact, configuration of these systems is not in sync with common best practices such as being behind a firewall or changing documented default credentials.

Utilities Under Daily Attack
Security Firm Finds Attack Signs
Tool Automates an Attack
Malware’s Next Move: DNS

The report comes as a follow up to a December ICS-CERT alert about tracking and multiple reports of researchers using SHODAN, Every Routable IP Project (ERIPP), Google, and other search engines to discover Internet facing control systems.

ICS-CERT coordinated the information with the control system owners and operators to notify them of their potential vulnerability to cyber intrusion and attack. In most cases, exposed systems were put together not knowing the potentially unsecure access authentication and authorization mechanisms.

ICS-CERT will work with the asset owner/operators and vendor or systems integrators whenever possible to remove any default credentials and secure these systems from attack.

When they do identify unauthorized access, ICS-CERT helped control system owners and operators with system and firewall data analysis to determine the extent of the intrusion and whether they should make any configuration changes to the system.

The use of readily available and generally free search tools significantly reduces time and resources required to identify Internet facing control systems. In turn, hackers can use these tools to easily identify exposed control systems, posing an increased risk of attack. Conversely, owners and operators can also use these same tools to audit their assets for unsecured Internet facing devices.

Internet facing control systems have been identified in several critical infrastructure sectors. The systems vary in their deployment footprints, ranging from stand-alone workstation applications to larger distributed control systems (DCS) configurations. The design of these control systems were to allow remote access for system monitoring and management. All too often, remote access configuration allows for direct Internet access (no firewall) and/or default or weak user names and passwords. In addition, those default/common account credentials are often available in public space documentation.

In all cases, ICS-CERT has worked with these organizations to remove default credentials and strengthen their overall security.

The most recent scenarios include:

• ICS-CERT becoming aware of multiple systems with default usernames and passwords that are accessible via the Internet. These systems do not have configurations that work securely with common best practices such as being behind a firewall or changing documented default credentials. These reports include the Echelon i.LON product commonly deployed within ICS devices such as motors, pumps, valves, and sensors, which contain a default username and password. This is not an inherent vulnerability, but left unchanged, it does pose as a security risk, especially when configured as Internet accessible. Users should replace the default username and password with a strong username and password configuration, especially when the device is Internet accessible.
• ICS-CERT released several products concerning weak authentication mechanisms. Weak authentication mechanisms are often difficult to remedy because users cannot typically change passwords. The products below highlight weak authentication vulnerabilities reported to ICS-CERT and patched by the vendor:
ICSA-11-173-01- ClearSCADA Remote Authentication Bypass
ICSA-11-356-01- Siemens Simatic HMI Authentication Vulnerability
ICSA-12-146-01A – RuggedCom Weak Cryptography for Password Vulnerability.

• In February 2011, independent security researcher Rubėn Santamarta used SHODAN to identify online remote access links to multiple utility companies’ supervisory control and data acquisition (SCADA) systems. Santamarta notified ICS-CERT for coordination with the vendor and the affected control system owners and operators. Further research indicated that other systems were using default user names and passwords.

• In April 2011, ICS-CERT received reports of 75 Internet facing control system devices, mostly in the water sector. ICS-CERT worked with the Water Sector ISAC and the vendor to notify affected control system owners and operators. Many of those control systems had their remote access configured with default logon credentials.
• • In September 2011, independent researcher Eireann Leverett contacted ICS-CERT to report several thousand Internet facing devices that he discovered using SHODAN. To date, this response included international partners and 63 other CERTs in the effort to notify the identified control system owners and operators their control systems/devices suffered exposure on the Internet.

• Currently, ICS-CERT is coordinating the response to several new reports of Internet facing control systems from independent researchers Billy Rios, Terry McCorkle, Joel Langill, and other trusted sources.

It goes without saying, but control system owners and operators should audit their control systems — whether or not they think their control systems are connected to the Internet — to discover and verify removal of any default administrator level user names and passwords. Because each control system installation is unique, owners and operators may need to contact their system vendor or integrator for assistance with locating and eliminating default accounts.

Monday, March 5, 2012 @ 02:03 PM gHale

It has been known embedded web servers are an easy mark when it comes to being able to hack into them.

That knowledge has existed for quite a few years. With that knowledge it may be easy to assume companies would move to protect their systems. Wrong.

Patched Hole Doesn’t Stop Attackers
Malware Shifts from Safe to Malicious
Malware Strains Meld by Accident
Rail Hack: Govt. Works with Industry

Embedded web servers (EWS) are just as easy to access now than they were years ago. With multi-function printers or video conferencing systems, there can be serious data leaks: Printers store scanned, faxed and printed files on hard disks and then disclose these often sensitive documents. Video conferencing hardware allows outsiders to monitor rooms remotely or listen to meetings that are in progress, said Zscaler’s Michael Sutton at the RSA Conference in San Francisco.

Sutton wanted to scan a million web servers and create a catalogue of all the embedded web servers he found. His first tests involved Nmap and the Google Hacking Database (GHDB). However, neither tool proved very successful, as Nmap doesn’t detect enough EWS fingerprints and will, therefore, produce useless device information. Google, on the other hand, doesn’t allow search queries via scripts and would have required time-consuming manual scans.

The security researcher ended up using the Shodan online scanner. Sutton said Shodan has a huge database containing the HTTP header information of EWS systems, allowing such devices to undergo identification with accuracy. The researcher entered typical character strings from the embedded web servers’ web pages into Shodan. To automate the process, Sutton used a Perl script that only sent HEAD queries via Shodan. The script hosted on several EC2 micro instances in Amazon’s cloud which, according to the researcher, only cost a few dollars.

The scan managed to examine the targeted one million web servers in a short time and came up with the following results: Thousands of multi-function devices (more than 3,000 devices by Canon, 1,200 Xerox photocopiers, 20,000 Ricoh devices, among others), 8,000 Cisco IOS devices and almost 10,000 VoIP systems and phones didn’t require any log-in authentication. The latter included 1,100 devices by the German manufacturer Snom. These devices include packet tapping features and PCAP tracing by default. Imported into Wireshark, the trace can convert into a sound file of the telephone conversation.

The majority of the detected devices did not enjoy password protection, Sutton said. This means that any web user can access their web interfaces through a browser and view the documents stored on such photocopiers and printers, forward incoming faxes to an external number, or record scan jobs. With HP devices, a script can carry out such intrusions that every second calls a URL whose only variable is UNIX epoch time, which is easy to figure out.

The scan run by Sutton also identified more than 9,000 video conferencing systems by Polycom and Tandberg (now Cisco). The most likely reason why these devices were openly accessible on the net is they all use the H.323 protocol and require numerous open ports in the firewall. Sutton thinks administrators shy away from this, placing their systems in a DMZ instead. The IT security expert used a video to demonstrate how he managed to monitor the targeted conference rooms via an accessible video conferencing system that provided sound and images.

Sutton’s company is now providing the brEWS scanner free of charge, which specializes in detecting embedded web servers. To avoid placing the weapon into the hands of criminals, scans can only be run in a /24 subnet. At a later stage, the researcher also plans to offer a browser add-on that will allow administrators to examine protected internal networks; this add-on will carry out the scan and then send the results to the brEWS server for identification.

Monday, February 20, 2012 @ 04:02 PM gHale

In the aftermath of researchers revealing vulnerabilities before informing a vendor and an increase in attacks, ICS-CERT is issuing an alert to keep manufacturers aware of the heightened threat posture in the industry.

Several new exploit tools hit the street last week that specifically target programmable logic controllers (PLCs), the building blocks of industrial control systems (ICSs). These tools target PLCs from GE, Rockwell Automation, Schneider Electric, and Koyo. In addition, one targets the EtherNet/IP protocol, which numerous PLC vendors use. The payloads can affect any device that uses the EtherNet/IP protocol and could allow an attacker to crash or restart affected devices, according to the ICS-CERT report.

DoD Readies for Stuxnet-like Attack
Cyber Report: Bad Guys Winning
Security Best Practices will Cut Downtime
Government Tries to Define Cyber Security
DHS Unveils Cyber Strategy Plan

Multiple threat elements are combining to increase the ICSs threat landscape. Hacktivist groups are evolving and have demonstrated improved malicious skills. They are acquiring and using specialized search engines to identify Internet facing control systems, taking advantage of the growing arsenal of exploitation tools developed specifically for control systems.

Asset owners should take these changes in threat landscape seriously, and ICS-CERT strongly encourages taking immediate defensive action to secure their systems using defense-in-depth principles, according to the ICS-CERT report.

Manufacturers should not assume their control systems are secure or they are not operating with an Internet accessible configuration. Instead, asset owners should thoroughly audit their networks for Internet facing devices, weak authentication methods, and component vulnerabilities.

The ERIPP and SHODAN search engines can easily find Internet facing ICS devices, thus identifying potential attack targets. In fact, these search engines are seeing use to identify and access control systems over the Internet. Combining these tools with easily obtainable exploitation tools, attackers can identify and access control systems with significantly less effort than ever before, according to the ICS-CERT report.

Manufacturers should actually use those search engines to audit their own IP address space. If you find control system devices by using these tools, a manufacturer should take the necessary steps to remove these devices from direct Internet access as soon as possible.

Increased interest in ICS product security has resulted in a significant increase in product vulnerability reports. Security researchers and others have released tools exploiting vulnerabilities identified in these reports. These targeted exploits are readily available through various software tools and from exploit developers. Easy access to free or low cost exploit tools has dramatically lowered the skill level required for novice hackers and has likewise reduced the development time for advanced attackers.

While end users may or may not know the software they are running is vulnerable, they should be auditing their systems on a routine basis.

That is why as far as a mitigation approach goes, ICS-CERT recommends manufacturers audit device configurations for Internet accessibility, regardless of whether they believe they have Internet accessible devices. Control systems often have Internet accessible devices installed without the owner’s knowledge, putting those systems at increased risk of attack.

Wednesday, January 25, 2012 @ 02:01 PM gHale

Eireann Leverett, a computer science doctoral student at Cambridge University, developed a tool that matches information about industrial control systems connected to the Internet with information about known vulnerabilities.

What he can do with that tool, as he discussed last week at the S4 conference in Miami Beach, is prove how easy it is for an attacker to locate and target an industrial control system (ICS). Leverett used the SHODAN search engine, which allows users to find Internet-connected devices using simple search terms. He then matched that data to information from vulnerability databases to find known security holes and exploits that could hijack the systems.

Symposium Releases Vulnerabilities
Wago, Wellintech Vulnerabilities
GE Hit by Vulnerability
Schneider: More Patches for Module Hole

Leverett found over 10,000 devices connected through a search of two years worth of data in the SHODAN database. He was not able to determine how many of the devices uncovered were actually working systems nor was he able to determine in all cases whether the systems were critical infrastructure systems installed at power plants and other significant facilities.

He did say, though, a few of the systems he investigated actually belonged to water facilities in Ireland and sewage facilities in California.

He also said 17 percent of the systems he found online asked him for authorization to connect, suggesting that administrators either weren’t aware their systems were online or failed to install secure gateways to keep out intruders.

To avoid obtaining unauthorized access to the systems, Leverett didn’t try to connect to the systems himself but passed the information to the Department of Homeland Security last September, which took on the task of notifying the owners of systems or their ISPs.

Leverett’s tool showed how easy it is for a dedicated attacker or just a recreational hacker to find vulnerable targets online to sabotage.

He told conference attendees he worked on the tool full time for three months and part time for an another three months, saying if “a student can put this together, surely a nation state can do it.”

Archived Entries