Tag Archives: Organized Crime

Plundervolt. Don’t panic!

16 December 2019

Last Tuesday, Intel (1) published a patch for a new hardware vulnerability dubbed Plundervolt (CVE-2019-11157). As always with hardware vulnerabilities, Plundervolt got a lot of attention in the media.(2)(3)(4) A Google search for “plundervolt intel” shows about 167.000 hits as of today. The vulnerability was detected by a research team lead by Kit Murdock (5) some month ago.

In parallel, Microsoft published a patch for the privilege escalation vulnerability CVE-2019-1458.(6) CVE-2019-1458 is actively used in attacks (7), so it also got some media attention (Google search “CVE-2019-1458”: 88.000 hits as of today).

Plundervolt logo.

Plundervolt logo.

From my point of view, hardware vulnerabilities are always somewhat overvalued, especially in terms of their benefit in cyber operations. The vulnerabilities named RyzenFall, FallOut, Chimera and MasterKey in AMD processors, which were discovered last year, are maybe the best examples.(8) So, lets take a closer look on PlunderVolt and CVE-2019-1458.

The table below shows the CVSS V3.1 Severity for the vulnerabilities.

Plundervolt CVE-2019-1458 comparison

Plundervolt / CVE-2019-1458 comparison

The main difference is in the Privileges Required (PR) to exploit the vulnerability. For Plundervolt, Murdock et al. “assume the standard Intel SGX adversary model where the attacker has full control over all software running outside the enclave (including privileged system software such as operating system and BIOS).”(5) That means that the system must already be fully compromised before Plundervolt can be exploited.

In contrast, CVE-2019-1458 allows the attacker to acquire high privileges on a system once he hijacked a standard user account. So, by exploiting CVE-2019-1458 the attacker sets up the environment to exploit Plundervolt.

From an attacker’s point of view, CVE-2019-1458 is more valuable than Plundervolt. Once one system is compromised, the attacker can use it as base of operations for the exploration of the victim’s network. In the worst case, the Active Directory is compromised within some minutes, so the attacker has access to all secrets, or he can push ransomware to all computers.

For organized crime and APTs, CVE-2019-1458 is a universally exploitable tool to achieve goals.

Plundervolt gets interesting if the attacker is interested in encryption key details which are used internally only, for example in Transparent Database Encryption (TDE) or in trusted execution environments. Murdock et al. “demonstrate the effectiveness of our attacks by injecting faults into Intel’s RSA-CRT and AES-NI implementations running in an SGX enclave, and we reconstruct full cryptographic keys with negligible computational efforts.”(5) In the worst case, this results in the loss of all data in a TDE secured database, since vendors use Intel’s AES-NI on-chip implementation to speed up cryptographic computations.

So, Plundervolt is interesting for organized crime and APTs when it comes to industrial espionage or in attacks against targets which are relevant for national security.

Fortunately, the time frame for exploitation is short. The patch for CVE-2019-1458 will be automatically rolled out through the WSUS infrastructure within the next weeks. Plundervolt should be patched, with high priority on critical systems, if a company is target of espionage or operates critical infrastructures.

Do you know your threat profile and critical systems? Without this knowledge efficient vulnerability management is not possible. Not sure? So, take it as a New Year’s resolution…

References

  1. Intel Security Center. INTEL-SA-00289 [Internet]. Intel Security Center. 2019 [cited 2019 Dec 13]. Available from: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00289.html
  2. Gatlan S. Intel Patches Plundervolt, High Severity Issues in Platform Update [Internet]. BleepingComputer. 2019 [cited 2019 Dec 13]. Available from: https://www.bleepingcomputer.com/news/security/intel-patches-plundervolt-high-severity-issues-in-platform-update/
  3. O’Donnell L. Modern Intel CPUs Plagued By Plundervolt Attack | Threatpost [Internet]. threatpost. 2019 [cited 2019 Dec 13]. Available from: https://threatpost.com/intel-cpus-plundervolt-attack/151006/
  4. Khandelwal S. New PlunderVolt Attack Targets Intel SGX Enclaves by Tweaking CPU Voltage [Internet]. The Hacker News. 2019 [cited 2019 Dec 13]. Available from: https://thehackernews.com/2019/12/intel-sgx-voltage-attack.html
  5. Murdock K, Oswald D, Garcia FD, Van Bulck J, Gruss D, Piessens F. Plundervolt: Software-based Fault Injection Attacks against Intel SGX}. In: Proceedings of the 41st IEEE Symposium on Security and Privacy (S&P’20) [Internet]. San Francisco, CA; 2019 [cited 2019 Dec 13]. Available from: https://plundervolt.com/
  6. MSRC. CVE-2019-1458 | Win32k Elevation of Privilege Vulnerability [Internet]. Microsoft Security. 2019 [cited 2019 Dec 16]. Available from: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458
  7. Kaspersky Global Research and Analysis Team. Windows 0-day exploit CVE-2019-1458 used in Operation WizardOpium | Securelist [Internet]. SECURELIST. 2019 [cited 2019 Dec 16]. Available from: https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/
  8. Cimpanu C. AMD Confirms RyzenFall, MasterKey, Fallout, and Chimera Vulnerabilities [Internet]. BleepingComputer. 2018 [cited 2019 Dec 16]. Available from: https://www.bleepingcomputer.com/news/hardware/amd-confirms-ryzenfall-masterkey-fallout-and-chimera-vulnerabilities/

Rogue 7. A new attack on Simatic S7 PLCs. Who should be concerned?

18 August 2019

Pierluigi Paganini’s post (1) on Rogue 7, which popped-up in my LinkedIn news feed last Tuesday, immediately caught my attention. And troubled me somewhat because I am living a mile north from one of the largest German chemical industrial parks where lots of Simatic S7-1200 and S7-1500 PLCs are in operations.

The facts.

A group of Israeli security researchers managed to compromise PLCs of the Simatic S7-1200 and S7-1500 series. They presented the results at the Black Hat 2019 (2). For more technical details see the accompanying conference paper (3).

The SIMATIC developers learned from the past attacks on the S7 protocol, and integrated cryptographic protection in the latest version of the protocol. This includes a key exchange protocol for secure session set-up between the TIA and the PLC, message integrity protection, and payload encryption.

The Israeli researchers re-engineered the protocol and found some design weaknesses in the implementation which they used to execute start/stop attacks on the PLC, program download and stealth program injection attacks.

Countermeasures.

To fix the design flaws in the protocol will take some time.

With CPU access protection (4), the design weaknesses can be mitigated. Unfortunately, the default is “No Protection”, that is,” the hardware configuration and the blocks can be read and changed by all users”. So, it’s time to switch CPU access protection on, at least for high risk environments, e.g. if the PLC is directly accessible from the internet and port 102 is open.

Should we be concerned, or, to put in another way: Who should be concerned?

That depends on the target industry and the threat actor.

Critical Infrastructures.

IEC 62443 request’s that PLCs should be isolated in a separate network zone inside the SCADA partition of the production network. In the best case, communication is allowed from systems in the SCADA partition to the PLC only. If the operator follows this defense in depth strategy during production network build the risk of Rogue 7 style attack on a PLC is low.

Fortunately, operators of critical infrastructures are forced by regulations to implement a defense in depth strategy. But the effort for implementation and operation of an IEC 62443 compliant network is high. To reduce the effort, even large deviations from the IEC 62443 requirements are accepted.

Protection against APTs: The more the better? Own work. Paris 2019.

Protection against APTs: The more the better? Own work. Paris 2019.

State guided or sponsored threat actors, also called APT (Advanced Persistent Threat), and to a certain extent Organized Crime leverage these deviations in attacks on critical infrastructures. Hacktivists and Script Kiddies can be neglected because they lack the specific network infiltration and SIMATIC S7 know how.

Recall Triton, the attack on a Schneider Electric Triconex safety controller in 2017. The attackers (APT) compromised the Petro Rabigh corporate network in 2014. “From there, they eventually found a way into the plant’s own network, most likely through a hole in a poorly configured digital firewall that was supposed to stop unauthorized access.”(5)

Petro Rabigh Chemical Plant.

In June 2017, the first unplanned shutdown of a safety controller took place. Finally, on Aug. 4, 2017, at 7:43 p.m., two safety controllers brought parts of the Petro Rabigh complex offline to prevent a gas release and explosion.(6)

The attackers compromised also the PLC. “But as safety devices took extraordinary steps, control room engineers working the weekend shift spotted nothing out of the ordinary, either on their computer screens or out on the plant floor.”(6)

This describes exactly the result of the Rogue 7 program download and stealth program injection attack. The PLC runs the malicious code while the operator believes that everything is in order.

Other production environments.

The S7 protocol uses port 102 for accessing the PLC from the TIA portal, the HMI and the engineering station. The Rouge TIA or the Rogue Engineering station must connect to this port on the PLC for running the start/stop attack or the program download attack. If this port is accessible from the network, in the worst case from the internet, APTs and Organized Crime can easily compromise the PLCs. The risk that Hacktivists or Script Kiddies compromise PLCs is low because they lack of the very specific SIMATIC S7 know how.

How big is the problem? A quick check on Shodan (query: SIMATIC CPU-1200, executed 8/18/2019) shows that about 350 S7-1200 systems are directly connected to the internet, thereof only few with Port 102 open. So, no reason to panic. Most of the operators have already implemented the Siemens recommendations on ICS security.

Summary

I welcome the fact that the Israeli security researchers published the weaknesses in the S7 protocol. We can assume, that, like EternalBlue, these weaknesses are already available in stand-by in the arsenals of intelligence agencies around the globe. So, we can prepare for the next leak and, hopefully, prevent a future attack of WannaCry extent.

Direct actions are required to evaluate the current risk.

  • Check the firewall rule base to make sure, that the S7 protocol port 102 is not open for systems outside the SCADA network partition or the internet.
  • Evaluate the risk of activating CPU access protection. If acceptable, update your operating procedures, train the staff, and active CPU access protection.

For critical infrastructure operators.

  • Document every deviation from the IEC 62443 concept. Evaluate the risk with regards to the capabilities of APT and Organized Crime. Take effective protective means if the risk is not acceptable.

Have a great week.

References

  1. Paganini P. Boffins hacked Siemens Simatic S7, most secure controllers in the industry [Internet]. Security Affairs. 2019 [cited 2019 Aug 16]. Available from: https://securityaffairs.co/wordpress/89720/hacking/siemens-simatic-s7-hack.html
  2. Biham E, Bitan S, Carmel A, Dankner A, Malin U, Wool A. PPT: Rogue7: Rogue Engineering-Station attacks on S7 Simatic PLCs [Internet]. Powerpoint Presentation presented at: Black Hat USA 2019; 2019 Aug 8 [cited 2019 Aug 16]; Mandalay Bay / Las Vegas. Available from: https://i.blackhat.com/USA-19/Thursday/us-19-Bitan-Rogue7-Rogue-Engineering-Station-Attacks-On-S7-Simatic-PLCs.pdf
  3. Biham E, Bitan S, Carmel A, Dankner A, Malin U, Wool A. Rogue7: Rogue Engineering-Station attacks on S7 Simatic PLCs. In Mandalay Bay / Las Vegas; 2019 [cited 2019 Aug 16]. Available from: https://i.blackhat.com/USA-19/Thursday/us-19-Bitan-Rogue7-Rogue-Engineering-Station-Attacks-On-S7-Simatic-PLCs-wp.pdf
  4. Siemens AG. Simatic S7-1500 Security [Internet]. Siemens AG; 2013 [cited 2019 Aug 16]. Available from: https://www.automation.siemens.com/salesmaterial-as/interactive-manuals/getting-started_simatic-s7-1500/documents/EN/sec_en.pdf
  5. Giles M. Triton is the world’s most murderous malware, and it’s spreading [Internet]. MIT Technology Review. 2019 [cited 2019 May 11]. Available from: https://www.technologyreview.com/s/613054/cybersecurity-critical-infrastructure-triton-malware/
  6. Sobczak B. SECURITY: The inside story of the world’s most dangerous malware [Internet]. 2019 [cited 2019 May 11]. Available from: https://www.eenews.net/stories/1060123327