Application control solutions for protecting critical infrastructures

13 October 2019

Application Control Solutions (ACS) are easy to deploy and manage protective security controls in process automation. From my point of view, they are essential when it comes to critical infrastructures. The major SCADA vendors recommend and certify them for use with their product suites.

Rick Gorskie, Global Sales Manager Cybersecurity at Emerson Automation Solutions, recommends “using both solutions for an effective “one-two” punch against malware infection. Using applications whitelisting to protect from “zero-day” attacks as well as using antivirus blacklisting to scan for malware yields the best result.”(1)

Schneider Electric recommends the application control for their Power SCADA systems: “Power SCADA has been validated with the McAfee Application Control whitelisting application. Power SCADA and McAfee whitelisting can make your system more resilient to zero-day threats.”(2)

In addition to the protection against zero-days, application control allows to reduce the patch frequency and to extent the life of legacy systems.

The ACS kicks in during the exploitation phase of the Cyber Kill Chain. It checks every object at execution time whether it is known in the white list. Since new malware is not on the list, ACS just blocks the execution. This is a plain, but very effective approach.

Cyber Kill Chain - Application Control Solutions

Cyber Kill Chain – Application Control Solutions

This works for file-less malware like Nodersok (3) as well as for file-based malware like Reductor (4) or COMpfun (5). Even crypto worms like WannaCry are blocked.

In the case of COMpfun, for example, two DLLs are loaded into the users AppData directory. Both DLLs are not on the white list, so the execution is blocked although they are defined as COM objects.

Reductor uses two delivery methods, COMpfun and infected software installers. If COMpfun is used for delivery, the ACS blocks the malware.

But if the Reductor is delivered through infected software installers, ACSs will not work because they have their Achilles heels.

ACSs must be suspended during deployment or update of software.

A malware, for example a trojan disguised as part of a software suite, will become a legitimate program after the ACS is enforced again. Thus, the malware will never be blocked because it’s on the white list.

ACSs allow exceptions.

Some SCADA vendors request exceptions for the execution of some of their software tools. If malicious actors exploit these exceptions, they can inject malware outside regular installations.

So, we have a residual risk, depending on the threat actor and the environment.

For non-critical infrastructures, ACSs provides great protection against all threat actors. But in the case of critical infrastructures, APT and, to some extent, cyber criminals have the resources and the know how to exploit the Achilles heels of ACSs.

Additional security controls must be implemented to reduce this risk. Operators and engineering service providers must work together to solve this issue.

This may include an extended integrity check of all software before installation in the SCADA network and the encryption of all media during transport.

By the way, ACSs provide effective protection against zero-days only if they are not suspended. So, it’s a good idea to check regularly if the ACS agents are operated in enforced mode on the systems.

Have a great week.


References

  1. Gorskie R. Should You Be Using Application Whitelisting? [Internet]. Emerson Exchange 365. 2017 [zitiert 22. September 2019]. Verfügbar unter: https://emersonexchange365.com/products/control-safety-systems/f/deltav-discussions-questions/6792/should-you-be-using-application-whitelisting
  2. Schneider Electric. Power SCADA Operation 9.0 System Guide | Schneider Electric [Internet]. 2019 [zitiert 22. September 2019]. Verfügbar unter: https://www.schneider-electric.com/en/download/document/PowerSCADAOperationSystemGuide/
  3. Microsoft. Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based malware [Internet]. Microsoft Security. 2019 [zitiert 28. September 2019]. Verfügbar unter: https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/
  4. GReAT. COMpfun successor Reductor infects files on the fly to compromise TLS traffic | Securelist [Internet]. Kaspersky Securelist. 2019 [zitiert 12. Oktober 2019]. Verfügbar unter: https://securelist.com/compfun-successor-reductor/93633/
  5. G Data. COM Object hijacking: the discreet way of persistence [Internet]. G Data Blog. 2014 [zitiert 12. Oktober 2019]. Verfügbar unter: https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence

How to get the best ROI for investments in cyber security?

28 September 2019

During a workshop this week we had a discussion on risk management and investment in cyber security. Risk is the product of likelihood of occurrence (LoO) and severity of impact (SoI). So, to reduce the risk we can either try to reduce the SoI, or the LoO, or both.

We do risk management because we have limited resources. The big question is always: Where shall I spent my resources?  Or, where can I gain the best ROI? Shall I reduce the likelihood of occurrence or the severity of the impact? Or both?

The Cyber Kill Chain is a great model to study this.

Cyber Kill Chain - Risk Management - Cost

Cyber Kill Chain – Risk Management – Cost

We can reduce the likelihood of occurrence starting during the delivery phase up to the command & control phase. Once the attacker crosses the red line the LoO is 100 %.

The severity of impact can be reduced starting at the midst / end of the exploitation phase. WannaCry, for example, started the encryption immediately during installation of the malware and contacted in parallel its command & control server. Once the attacker crosses the red line, the impact and thus the costs for recovery are high.

The big problem with reducing the likelihood of occurrence is that we have in the best case only some seconds to minutes until the attacker crosses the red line. For efficient use of this time we need to invest in preventive or proactive means.

Cyber security awareness training, for example, is a very efficient preventive measure to reduce the LoO during the delivery and exploitation phase, because the exploitation of about 35% (Data NIST NVD, CVSS V3, UI:R) of vulnerabilities published in 2018 requires user interaction. Priority patching is another preventive measure with can stop an attacker early.

Backup and emergency recovery are great means to reduce the severity of impact. But the latest attack on Norsk Hydro makes clear that, even with the best crisis management, the recovery of some thousand systems from scratch takes some time.

When used in context with the existing security controls, the Cyber Kill Chain provides support in setting priorities in cyber security investment. The Mitre ATT@CK framework, which is based on the Cyber Kill Chain, brings the required methodology in the planning process. Give it a try.

Have a great weekend.

NetCAT – a new side-channel vulnerability. Who should be concerned?

15 September 2019

Swati Khandelwal’s report (1) on NetCAT, published on 9/11/2019 in The Hacker News, scared me somewhat. Security researchers (2) from the Vrije University in Amsterdam discovered a new type of side-channel attack in Intel server processors which can be exploited across the network. This is really frightening.

As always in the case of hardware vulnerabilities, NetCAT is broadly discussed in the security community. A Google search for “CVE-2019-11184” shows 6.340 hits (as of 9/14/2019 8 pm).

CVE-2019-11184 CVSS V3 Specification

CVE-2019-11184: CVSS V3.1 Specification

Intel (3) classified CVE-2019-11184 as follows: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N

Attack vector Adjacent is defined in the CVSS V3.1 specification document as follows: “The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology.”

With this, the attacker must have compromised the network before he can start the attack. In addition, the attacker must compromise “a machine which communicates over RDMA to an application server that supports DDIO”.(2)

So, NetCAT is not that dangerous than the reports suggest.

What goals can be achieved by exploiting this vulnerability?

In secured networks with latest patches applied, this technique can be used to spy on all kind of secrets, e.g. the passwords of high privileged accounts, for the complete takeover of the network.

What organizations should be concerned?

CVE-2019-11184 Threat Landscape

CVE-2019-11184 Threat Actor Targets

My conclusion: From a technical point of view, NetCAT shows again the shortcomings of the current processor architectures. Regarding the applicability in attacks, NetCAT is somewhat overestimated.

Have a great weekend.


References

  1. Khandelwal S. NetCAT: New Attack Lets Hackers Remotely Steal Data From Intel CPUs [Internet]. The Hacker News. 2019 [cited 2019 Sep 12]. Available from: https://thehackernews.com/2019/09/netcat-intel-side-channel.html
  2. Kurth M, Gras B, Andriesse D, Giuffrida C, Bos H, Razavi K. NetCAT: Practical Cache Attacks from the Network. 2019. Available from: https://www.cs.vu.nl/~herbertb/download/papers/netcat_sp20.pdf
  3. Intel Security Center. INTEL-SA-00290 [Internet]. Intel Security Center. 2019 [cited 2019 Sep 12]. Available from: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00290.html

Threat Intelligence – What is it good for?

31 August 2019

I attended a virtual summit on threat intelligence this week. I watched two interesting presentations and found that I am still not convinced of the value of threat intelligence.

In vulnerability management for example threat intelligence speeds up decision making. But is speed in the decision-making phase of vulnerability management an issue?

OODA Loop

OODA Loop

When we deal with critical vulnerabilities, e.g. vulnerabilities of the WannyCry Class, speed is crucial. The OODA procedural model is perfectly suited as execution procedure for environments where speed is crucial for survival.

OODA, an acronym for Observe, Orient, Decide, Act, was developed by John Richard Boyd in the 1950’s as survival strategy in aerial combat. Colonel Boyd, one of the most influential military strategists ever, transferred OODA to other domains after he retired from the US Air Force.

The picture below shows the OODA procedural model adapted for vulnerability management.

OODA for Vulnerability Management

OODA for Vulnerability Management

We must decide whether urgent action is required if a new critical vulnerability is published. Data collected from OSINT sources, asset details, and experience in the evaluation of vulnerabilities are required for creating a well-founded decision.

Threat intelligence speeds up the Observe and Orient phase by e.g. providing data on exploits seen in the wild. But threat intelligence will neither replace current asset data, which are crucial for the Orient phase, nor speed up the Act phase, where the affected assets are patched, and their correct operations is verified.

So, if you decide on investing in threat intelligence ask yourself the question: What benefits do I expect to gain from threat intelligence in what use cases? Otherwise, it is very likely that you get disappointed.

Have a good weekend.

New LYCEUM Threat Group targets Oil and Gas firms. Don’t panic! Enforce 2 Step Verification!

29 August 2019

Lindsey O’Donnell’s report (1) on a new APT named LYCEUM is well worth reading.  LYCEUM targets oil and gas firms in the middle east. The group leverages PowerShell once they created a foothold on computers in the victim’s network to exfiltrate company secrets. PowerShell is a good choice because the attackers can go undetected for a long time.

For launching the attack, LYCEUM draws on industry attack standards like password spraying: “LYCEUM initially accesses an organization using account credentials obtained via password spraying or brute-force attacks. Using compromised accounts, the threat actors send spearphishing emails with malicious Excel attachments to deliver the DanBot malware, which subsequently deploys post-intrusion tools.”(2)

The group aims at company mail accounts hosted by cloud service providers. Why? Credibility matters most in [spear] phishing attacks. A spear phishing email on a popular topic, send from a company account has a very high level of credibility and increases the attack’s probability of success.

This increase in credibility justifies the effort required for collecting email addresses from OSINT sources. Password spraying is then used to get a valid password for login with the victim’s account to the cloud service.

Here, the industry defense standard against password attacks, 2SV (Two Step Verification) or MFA (Multiple Factor Authentication), comes into play.

Yubikey for 2 Step Verification. Own work.

On 27 August, Catalin Cimpanu reported on ZDNet that Microsoft sees 300 million fraudulent sign-in attempts to O365 every day.(3) Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft, explained that “enabling a multi-factor authentication solutions blocks 99.9% of these unauthorized login attempts, even if hackers have a copy of a user’s current password.“(3)

So, by enforcing 2SV/MFA for login to all company cloud services we can stop all threat actors which use similar password mining technologies, including LYCEUM.

Alastair MacGibbon, National Security Advisor, Australian Cyber Security Center, shows the direction:

“Cyber security is about risk management. You can’t eliminate risk, but you can strengthen your defences to reduce the likelihood of the risk being realised, and the harm caused when it is.”

Let’s get started with 2SV. We have no time to waste.


References

  1. O’Donnell L. New Threat Group Found Targeting Critical Infrastructure Firms With Spear [Internet]. threatpost. 2019 [cited 2019 Aug 27]. Available from: https://threatpost.com/oil-and-gas-firms-targeted-by-new-lyceum-threat-group/147705/
  2. Secureworks Counter Threat Unit. Cyber Threat Group LYCEUM Takes Center Stage in Middle East Campaign [Internet]. Secureworks. 2019 [cited 2019 Aug 27]. Available from: https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign
  3. Cimpanu C. Microsoft: Using multi-factor authentication blocks 99.9% of account hacks [Internet]. ZDNet. [cited 2019 Aug 28]. Available from: https://www.zdnet.com/article/microsoft-using-multi-factor-authentication-blocks-99-9-of-account-hacks/

Rogue 7. A new attack on Simatic S7 PLCs. Who should be concerned?

18 August 2019

Pierluigi Paganini’s post (1) on Rogue 7, which popped-up in my LinkedIn news feed last Tuesday, immediately caught my attention. And troubled me somewhat because I am living a mile north from one of the largest German chemical industrial parks where lots of Simatic S7-1200 and S7-1500 PLCs are in operations.

The facts.

A group of Israeli security researchers managed to compromise PLCs of the Simatic S7-1200 and S7-1500 series. They presented the results at the Black Hat 2019 (2). For more technical details see the accompanying conference paper (3).

The SIMATIC developers learned from the past attacks on the S7 protocol, and integrated cryptographic protection in the latest version of the protocol. This includes a key exchange protocol for secure session set-up between the TIA and the PLC, message integrity protection, and payload encryption.

The Israeli researchers re-engineered the protocol and found some design weaknesses in the implementation which they used to execute start/stop attacks on the PLC, program download and stealth program injection attacks.

Countermeasures.

To fix the design flaws in the protocol will take some time.

With CPU access protection (4), the design weaknesses can be mitigated. Unfortunately, the default is “No Protection”, that is,” the hardware configuration and the blocks can be read and changed by all users”. So, it’s time to switch CPU access protection on, at least for high risk environments, e.g. if the PLC is directly accessible from the internet and port 102 is open.

Should we be concerned, or, to put in another way: Who should be concerned?

That depends on the target industry and the threat actor.

Critical Infrastructures.

IEC 62443 request’s that PLCs should be isolated in a separate network zone inside the SCADA partition of the production network. In the best case, communication is allowed from systems in the SCADA partition to the PLC only. If the operator follows this defense in depth strategy during production network build the risk of Rogue 7 style attack on a PLC is low.

Fortunately, operators of critical infrastructures are forced by regulations to implement a defense in depth strategy. But the effort for implementation and operation of an IEC 62443 compliant network is high. To reduce the effort, even large deviations from the IEC 62443 requirements are accepted.

Protection against APTs: The more the better? Own work. Paris 2019.

Protection against APTs: The more the better? Own work. Paris 2019.

State guided or sponsored threat actors, also called APT (Advanced Persistent Threat), and to a certain extent Organized Crime leverage these deviations in attacks on critical infrastructures. Hacktivists and Script Kiddies can be neglected because they lack the specific network infiltration and SIMATIC S7 know how.

Recall Triton, the attack on a Schneider Electric Triconex safety controller in 2017. The attackers (APT) compromised the Petro Rabigh corporate network in 2014. “From there, they eventually found a way into the plant’s own network, most likely through a hole in a poorly configured digital firewall that was supposed to stop unauthorized access.”(5)

Petro Rabigh Chemical Plant.

In June 2017, the first unplanned shutdown of a safety controller took place. Finally, on Aug. 4, 2017, at 7:43 p.m., two safety controllers brought parts of the Petro Rabigh complex offline to prevent a gas release and explosion.(6)

The attackers compromised also the PLC. “But as safety devices took extraordinary steps, control room engineers working the weekend shift spotted nothing out of the ordinary, either on their computer screens or out on the plant floor.”(6)

This describes exactly the result of the Rogue 7 program download and stealth program injection attack. The PLC runs the malicious code while the operator believes that everything is in order.

Other production environments.

The S7 protocol uses port 102 for accessing the PLC from the TIA portal, the HMI and the engineering station. The Rouge TIA or the Rogue Engineering station must connect to this port on the PLC for running the start/stop attack or the program download attack. If this port is accessible from the network, in the worst case from the internet, APTs and Organized Crime can easily compromise the PLCs. The risk that Hacktivists or Script Kiddies compromise PLCs is low because they lack of the very specific SIMATIC S7 know how.

How big is the problem? A quick check on Shodan (query: SIMATIC CPU-1200, executed 8/18/2019) shows that about 350 S7-1200 systems are directly connected to the internet, thereof only few with Port 102 open. So, no reason to panic. Most of the operators have already implemented the Siemens recommendations on ICS security.

Summary

I welcome the fact that the Israeli security researchers published the weaknesses in the S7 protocol. We can assume, that, like EternalBlue, these weaknesses are already available in stand-by in the arsenals of intelligence agencies around the globe. So, we can prepare for the next leak and, hopefully, prevent a future attack of WannaCry extent.

Direct actions are required to evaluate the current risk.

  • Check the firewall rule base to make sure, that the S7 protocol port 102 is not open for systems outside the SCADA network partition or the internet.
  • Evaluate the risk of activating CPU access protection. If acceptable, update your operating procedures, train the staff, and active CPU access protection.

For critical infrastructure operators.

  • Document every deviation from the IEC 62443 concept. Evaluate the risk with regards to the capabilities of APT and Organized Crime. Take effective protective means if the risk is not acceptable.

Have a great week.


References

  1. Paganini P. Boffins hacked Siemens Simatic S7, most secure controllers in the industry [Internet]. Security Affairs. 2019 [cited 2019 Aug 16]. Available from: https://securityaffairs.co/wordpress/89720/hacking/siemens-simatic-s7-hack.html
  2. Biham E, Bitan S, Carmel A, Dankner A, Malin U, Wool A. PPT: Rogue7: Rogue Engineering-Station attacks on S7 Simatic PLCs [Internet]. Powerpoint Presentation presented at: Black Hat USA 2019; 2019 Aug 8 [cited 2019 Aug 16]; Mandalay Bay / Las Vegas. Available from: https://i.blackhat.com/USA-19/Thursday/us-19-Bitan-Rogue7-Rogue-Engineering-Station-Attacks-On-S7-Simatic-PLCs.pdf
  3. Biham E, Bitan S, Carmel A, Dankner A, Malin U, Wool A. Rogue7: Rogue Engineering-Station attacks on S7 Simatic PLCs. In Mandalay Bay / Las Vegas; 2019 [cited 2019 Aug 16]. Available from: https://i.blackhat.com/USA-19/Thursday/us-19-Bitan-Rogue7-Rogue-Engineering-Station-Attacks-On-S7-Simatic-PLCs-wp.pdf
  4. Siemens AG. Simatic S7-1500 Security [Internet]. Siemens AG; 2013 [cited 2019 Aug 16]. Available from: https://www.automation.siemens.com/salesmaterial-as/interactive-manuals/getting-started_simatic-s7-1500/documents/EN/sec_en.pdf
  5. Giles M. Triton is the world’s most murderous malware, and it’s spreading [Internet]. MIT Technology Review. 2019 [cited 2019 May 11]. Available from: https://www.technologyreview.com/s/613054/cybersecurity-critical-infrastructure-triton-malware/
  6. Sobczak B. SECURITY: The inside story of the world’s most dangerous malware [Internet]. 2019 [cited 2019 May 11]. Available from: https://www.eenews.net/stories/1060123327

Think Before You Sync. Why just moving to the cloud does not solve the ransomware threat.

27 July 2019

On May 7th, 2019 the city of Baltimore was hit by a ransomware attack.  Although the city hired Microsoft and five other firms it has not fully recovered from the attack yet.(1)

Since the city’s email system was down officials started to use Gmail accounts for communications.(1)(2) This makes sense in the case of an emergency. Not communicating in the case of a publicly visible cyber-attack commonly has a large financial impact on businesses; but in the case of cities this may result in the loss of public security.

The ransomware attack on Norsk Hydro on March 19th, 2019 impressively shows the effect of good communications(3)(4): Investor’s confidence was not endangered at any time, the share price remained unchanged.

But from a strategic point of view, just moving to the whatever cloud is not a good idea. Google’s idea behind ChromeOS was simply clever: If everything (applications and data) is stored in the cloud the impact of e.g. ransomware will be negligible because the malware cannot jump across the https barrier to your cloud storage. The same holds for O365.

Unfortunately, users are not used of this way of working in the browser. It’s often slow, requires a change in working habits, travelling requires extra preparation, etc. So, Microsoft invented OneDrive and Google came up with Sync for Windows. Similar tools are available for Box and DropBox, and for all desktop operating systems, even for Linux.

Linux Setup Online Accounts

Linux setup online accounts during first login

With these syncing tools, the data stored in the cloud is made available on the user’s desktop. Changes to local files are synchronized immediately to the cloud and vice versa. And with this, the ransomware problem still exists because if a ransomware encrypts the synchronized files on the local copy the change is immediately synchronized to the cloud.
Game over.

So, if you want to take advantage of the cloud you have to run a vast change project: The whole working environment with all forms, templates, etc. must be provided in the cloud. And the employees must get used of the new way of working.

We need change!

We need change!

But the effort pays off: Your network becomes more resilient against cyber-attacks, workstations can be easily exchanged, the endpoint complexity can be reduced, windows domains and in the end, the campus network, will become dispensable.

So, think before you sync!

Have a great weekend.


  1. Duncan I. Google Pitches to Baltimore after Ransomware Attacks [Internet]. Government Technology. 2019 [zitiert 27. Juli 2019]. Verfügbar unter: https://www.govtech.com/computing/Google-Pitches-to-Baltimore-after-Ransomware-Attacks.html
  2. Cyber-spies tight-lipped on Baltimore hack. BBC News [Internet]. 27. Mai 2019 [zitiert 27. Juli 2019]; Verfügbar unter: https://www.bbc.com/news/technology-48423954
  3. Norsk Hydro. Update: Hydro subject to cyber attack [Internet]. 2019 [zitiert 24. Mai 2019]. Verfügbar unter: https://www.hydro.com/de-DE/medien/news/2019/update-hydro-subject-to-cyber-attack/
  4. Norsk Hydro ASA. Norsk Hydro: Update: Hydro subject to cyber-attack – 19.03.19 – News – ARIVA.DE [Internet]. de. 2019 [zitiert 24. Mai 2019]. Verfügbar unter: https://www.ariva.de/news/norsk-hydro-update-hydro-subject-to-cyber-attack-7476743