PLC的后开发和持久化技术

  • 一、摘要
  • 二、威胁建模
  • 三、攻击方法
    • (一)获取远程访问
    • (二)权限提升及收集信息
    • (三)持续化
  • 四、攻击场景
  • 五、结论

一、摘要

  从对最近ICS重大事件的调查中可以看出,有针对性的后开发链对于攻击的成功起着至关重要的作用。在获得对系统的初始访问后,通常是通过以前未知(zero-day)或未修补的漏洞、弱凭据或内部协助,应用系统架构的特定知识,以在物理过程中断之前实现系统中的隐形和持久存在。本文中,我们提出了一套针对WAGO PFC200系列PLC的后开发和持久化技术,这将有助于提高对构建在CODESYS(控制器开发系统)运行时变体之上的PLC的隐蔽性和持久性威胁的认识。

二、威胁建模

  远程攻击者利用控制器以前未知或未修补的漏洞进行一般攻击。然而,关于特定部署系统和物理过程的初步知识是有限的。威胁行动者通过其中一个远程暴露的接口获得对系统的访问,并寻求系统中的长期秘密持久性,这将允许收集足够的操作信息集,以对物理进程进行有针对性的攻击。

三、攻击方法

  目标: 攻击者对系统进行一次性未经授权的访问是为了确保在PLC上长期隐藏恶意负载。这允许对系统及其状态变化进行被动观察,对部署的配置进行指纹识别,并确保将来的远程访问。
  技术: 在PLC处于运行状态时,支持这些攻击目标的一种常见方法是在其软件组件中放置一个持久后门。我们将概述攻击周期和系统组件,它们可以执行恶意负载的调用,并且适合放置后门可执行文件。

(一)获取远程访问

  未经授权访问场景:管理界面中的漏洞、身份验证缺陷、通过文件上传执行代码、易受攻击的扩展包、利用网络服务。
  在未打补丁的系统中,类似于上述场景的漏洞链可使攻击者未经授权访问受影响的PFC200系统。一旦建立了一次性访问,就需要对系统有更具体的了解,以执行攻击后操作并准备对物理进程的攻击。

(二)权限提升及收集信息

  权限提升:访问控制系统、特权服务中的漏洞
  信息收集:日志记录、运行时配置、控制程序分析、可视化小程序提取

(三)持续化

  CBM模块注入、Web组件、进程迁移候选者、通用技术、Crontab记录、终端会话

四、攻击场景

  WAGO PFC200控制器运行固件版本03.01.07(13),其中包含攻击者已知的未修补漏洞。远程攻击者通过公开的TCP端口访问WBM服务,并使用身份验证漏洞来获取登录凭据(图1)。

图1 E1第一阶段:认证绕过

  攻击者制作恶意ipk包,并使用远程代码执行漏洞在系统中执行该包,从而将权限提升到超级用户。攻击者使用相同的漏洞将为ARMv7指令集编译的特制后门上传到PLC上的永久分区(图2)。

图2 E1第二阶段:代码执行

  在后攻击期间,攻击者分析位于var/log/wago/wagolog.log和/var/log/messages的日志文件。观察到,系统维护是通过串行接口上的命令行会话在控制器上完成的。为了实现恶意后门的持久性,攻击者在/etc/wago screen prompt.sh中添加一条附加记录,以便在操作员每次登录时调用先前上载的二进制文件(图3)。

图3 E1第三阶段:后开发

五、结论

  在这项工作中,我们为WAGO PFC200系列PLC提出了一套后开发和持久化技术,并制作了攻击场景示例。考虑到持久性链使用的内部系统组件,我们进一步分析了检测和防御选项。
  防御和检测:在受影响的PLC上设置持久后门的目的是从长远角度将检测风险降至最低。假设的检测机制可分为以下几类:

  • 通用Linux rootkit检测实用程序
  • 网络活动异常检测
  • 系统行为分析
  • 系统内手动调查

  我们强调指出,在ICS领域,除了提供渗透系统方法的初始漏洞外,有针对性的攻击后技术在攻击成功中起着至关重要的作用。除了针对PLC的攻击外,这也与广泛的其他ICS设备有关。

1. Abbasi, A., Hashemi, M.: Ghost in the PLC: designing an undetectable pro-
grammable logic controller rootkit via pin control attack, pp. 1–35. Black
Hat, November 2016.https://research.utwente.nl/en/publications/ghost-in-the-
plc-designing-an-undetectable-programmable-logic-con
2. Ahmed, C.M., et al.: Noiseprint: attack detection using sensor and process noise
fingerprint in cyber physical systems. In: Proceedings of the 2018 on Asia Con-
ference on Computer and Communications Security. ASIACCS 2018, pp. 483–497.
Association for Computing Machinery, New York (2018).https://doi.org/10.1145/
3196494.3196532
3. Bytes, A., Adepu, S., Zhou, J.: Towards semantic sensitive feature profiling of
IoT devices. IEEE Internet Things J., (2019).https://doi.org/10.1109/JIOT.2019.
2903739
4. Cardenas, A., Amin, S., Sastry, S.: Secure control: towards survivable cyber-
physical systems. In: 2008 28th International Conference on Distributed Comput-
ing Systems Workshops. ICDCS 2008, pp. 495–500, June 2008
5. Casey, P., Topor, M., Hennessy, E., Alrabaee, S., Aloqaily, M., Boukerche, A.:
Applied comparative evaluation of the metasploit evasion module. In: 2019 IEEE
Symposium on Computers and Communications (ISCC), pp. 1–6 (2019)
6. Castellanos, J.H., Ochoa, M., Zhou, J.: Finding dependencies between cyber-
physical domains for security testing of industrial control systems. ACM, December
2018.https://doi.org/10.1145/3274694.3274745
7. Cobb, P.: German steel mill meltdown: rising stakes in the internet
of things (2015).https://securityintelligence.com/german-steel-mill-meltdown-
rising-stakes-in-the-internet-of-things/
8. Costin, A., Zaddach, J.: Embedded Devices Security and Firmware Reverse
Engineering. ResearchGate, July 2013.https://www.researchgate.net/publication/
259642928EmbeddedDevicesSecurityandFirmwareReverseEngineering
9. Cozzi, E., Graziano, M., Fratantonio, Y., Balzarotti, D.: Understanding Linux mal-
ware. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 161–175 (2018)
10. Dragos: CRASHOVERRIDE: Analyzing the Malware that Attacks Power Grids—
Dragos, April 2019.https://dragos.com/resource/crashoverride-analyzing-the-
malware-that-attacks-power-grids. Accessed 14 Apr 201911. Garcia, L.A., Brasser, F., Cintuglu, M.H., Sadeghi, A.R., Zonouz, S.A.: Hey,
my malware knows physics! Attacking PLCs with physical model aware rootkit.
ResearchGate, January 2017.https://doi.org/10.14722/ndss.2017.23313
12. Govil, N., Agrawal, A., Tippenhauer, N.O.: On ladder logic bombs in industrial
control systems. In: Katsikas, S.K., et al. (eds.) CyberICPS/SECPRE -2017. LNCS,
vol. 10683, pp. 110–126. Springer, Cham (2018).https://doi.org/10.1007/978-3-
319-72817-98
13. Hsiao, S.W., Sun, Y.S., Chen, M.C., Zhang, H.: Cross-level behavioral analysis
for robust early intrusion detection. In: 2010 IEEE International Conference on
Intelligence and Security Informatics (ISI), pp. 95–100. IEEE (2010)
14. Huang, T., Zhou, J., Bytes, A.: ATG: an attack traffic generation tool for security
testing of in-vehicle CAN bus. ResearchGate, pp. 1–6, August 2018.https://doi.
org/10.1145/3230833.3230843
15. IEC 61131–3 industrial control programming standard.https://www.isa.org/
standards-publications/isa-publications/intech-magazine/2012/october
16. Firmware from Rockwell Automation - Software Download, April 2019.https://
www.rockwellautomation.com/rockwellsoftware/support/firmware.page. Accessed
15 Apr 2019
17. Operating System Update for SIMATIC S7–1200 CPU Firmware V3 - ID:
64789124 - Industry Support Siemens, April 2019.https://support.industry.
siemens.com/cs/document/64789124/operating-system-update-for-simatic-s7-
1200-cpu-firmware-v3?dti=0&pnid=13615&lc=en-WW. Accessed 15 Apr 2019
18. Support Packages for the hardware catalog in the TIA Portal (HSP) - ID: 72341852
- Industry Support Siemens, April 2019.https://support.industry.siemens.com/
cs/document/72341852/support-packages-for-the-hardware-catalog-in-the-tia-
portal-(hsp)?dti=0&pnid=13615&lc=en-US. Accessed 15 Apr 2019
19. Keliris, A., Maniatakos, M.: ICSREF: a framework for automated reverse engineer-
ing of industrial control systems binaries. In: The Network and Distributed System
Security Symposium (NDSS) (2019)
20. Krotofil, M., Gollmann, D.: Industrial control systems security: what is happen-
ing?, pp. 664–669. ResearchGate, July 2013.https://doi.org/10.1109/INDIN.2013.
6622963
21. Lee, E.A.: cyber-physical systems: design challenges. Technical report UCB/EECS-
2008-8, EECS Department, University of California, Berkeley, January 2008.
http://www.eecs.berkeley.edu/Pubs/TechRpts/2008/EECS-2008-8.html
22. Lipovsky, R.: New wave of cyber attacks against Ukrainian power industry, January
2016.http://www.welivesecurity.com/2016/01/11
23. Lufkin, D.: Programmable Logic Controllers: A Practical Approach to IEC 61131–3
using CoDeSys (12 2015)
24. McLaughlin, S.: On dynamic malware payloads aimed at programmable logic
controllers, p. 10. ResearchGate, August 2011.https://www.researchgate.net/
publication/262355936Ondynamicmalwarepayloadsaimedatprogrammable
logiccontrollers
25. McLaughlin, S., McDaniel, P.: SABOT: specification-based payload generation
for Programmable Logic Controllers, pp. 439–449. ResearchGate, October 2012.
https://doi.org/10.1145/2382196.2382244
26. McLaughlin, S., Zonouz, S., Pohly, D., McDaniel, P.: A trusted safety verifier for
process controller code. ResearchGate, January 2014.https://doi.org/10.14722/
ndss.2014.23043
27. Mulder, J., Schwartz, M., Berg, M., Van Houten, J., Urrea, J.M., Pease, A.: Analy-
sis of field devices used in industrial control systems. In: Butts, J., Shenoi, S. (eds.)
ICCIP 2012. IAICT, vol. 390, pp. 45–57. Springer, Heidelberg (2012).https://doi.
org/10.1007/978-3-642-35764-04
28. Noergaard, T.: Embedded Systems Architecture: A Comprehensive Guide for
Engineers and Programmers. Newnes (2013).https://books.google.com.sg/books/
about/EmbeddedSystemsArchitecture.html?id=piGhuAAACAAJ&source=kp
bookdescription&rediresc=y
29. Online: Wago-i/o-system codesys 2.3 webvisu password extraction (2019).
https://packetstormsecurity.com/files/127438/WAGO-I-O-SYSTEM-CODESYS-
2.3-WebVisu-Password-Extraction.html
30. Siddiqi, A., Tippenhauer, N.O., Mashima, D., Chen, B.: On practical threat sce-
nario testing in an electric power ICS testbed. In: Proceedings of the Cyber-
Physical System Security Workshop (CPSS), co-located with ASIACCS, June 2018.
https://doi.org/10.1145/3198458.3198461
31. Toolchains - eLinux.org, April 2019.https://elinux.org/Toolchains. Accessed 15
Apr 2019
32. Giraldo, J., Urbina, D., Cardenas, A.A., Tippenhauer, N.O.: Hide and seek: an
architecture for improving attack-visibility in industrial control systems. In: Deng,
R.H., Gauthier-Uma˜na, V., Ochoa, M., Yung, M. (eds.) ACNS 2019. LNCS, vol.
11464, pp. 175–195. Springer, Cham (2019).https://doi.org/10.1007/978-3-030-
21568-29
33. Urias, V., Van Leeuwen, B., Richardson, B.: Supervisory Command and Data
Acquisition (SCADA) system cyber security analysis using a live, virtual, and con-
structive (L VC) testbed. In: 2012 Military Communications Conference - MILCOM
2012, pp. 1–8 (2012)
34. Valentine, S., Farkas, C.: Software security: application-level vulnerabilities in
SCADA systems, pp. 498–499. ResearchGate, August 2011.https://doi.org/10.
1109/IRI.2011.6009603
35. Codesys. The system.https://www.codesys.com/the-system.html
36. Security for controller pfc100/pfc200 v 1.1.0, 5 December 2018.https://www.wago.
com/medias/mxxxxxxxx-CyberSecurity-0en.pdf
37. Wago controllers brochure.https://www.wago.com/infomaterial/pdf/60386168.
pdf
38. Wago ethernet web-based management authentication bypass vulnerability.
https://ics-cert.us-cert.gov/advisories/ICSA-16-357-02
39. (May 2014).https://www.wago.com/infomaterial/pdf/51236524.pdf. Accessed 15
Apr 2019
40. Vulnerabilities in W AGO PFC 200 Series (2017).https://sec-consult.com/en/blog/
advisories/wago-pfc-200-series-critical-codesys-vulnerabilities/index.html
41. (Apr 2019).https://www.wago.com/sg/download/public/IoT-Brosch%25C3
%25BCre/AU-NA-DE-DE-FP-180827001%2BIoT-Box%2BBrochureweb.pdf.
Accessed 15 Apr 2019
42. Codesys device directory, April 2019.https://devices.codesys.com/device-
directory.html. Accessed 15 Apr 2019
43. W AGO Global—swreglinuxc, April 2019.https://www.wago.com/global/d/
swreglinuxc. Accessed 15 Apr 2019
44. W AGO—Controllers with Embedded Linux, April 2019.https://www.wago.com/
sg/embedded-linux. Accessed 15 Apr 2019
45. W AGO—IoT PLC Controllers with MQTT Protocol for Industry 4.0, April 2019.
https://www.wago.com/sg/automation-technology/plc-mqtt-iot. Accessed 15 Apr
2019
46. W AGO—WebVisu, April 2019.https://www.wago.com/global/automation-
technology/discover-software/webvisu. Accessed 15 Apr 2019
47. Talos Vulnerability Report 2019–0923 (2020).https://talosintelligence.com/
vulnerabilityreports/TALOS-2019-0923
48. Talos Vulnerability Report 2019–0950 (2020).https://talosintelligence.com/
vulnerabilityreports/TALOS-2019-0950
49. Talos Vulnerability Report 2019–0961 (2020).https://talosintelligence.com/
vulnerabilityreports/TALOS-2019-0961
50. Talos Vulnerability Report 2019–0962 (2020).https://talosintelligence.com/
vulnerabilityreports/TALOS-2019-0962
51. Technical basics: Preempt RT (2020).https://wiki.linuxfoundation.org/realtime/
documentation/technicalbasics/start
52. W AGO e!Cockpit authentication hard-coded encryption key vulnerability (2020).
https://talosintelligence.com/vulnerabilityreports/TALOS-2019-0898
53. W AGO e!COCKPIT Firmware Downgrade Vulnerability (2020).https://
talosintelligence.com/vulnerabilityreports/TALOS-2019-0951
54. W AGO PFC 200 Web-Based Management (WBM) Code Execution Vulnerability
(2020).https://talosintelligence.com/vulnerabilityreports/TALOS-2020-1010
55. W AGO PFC100/200 Web-Based Management (WBM) FastCGI configuration
insufficient resource pool denial of service (2020).https://talosintelligence.com/
vulnerabilityreports/TALOS-2019-0939
56. W AGO PFC200 Cloud Connectivity Multiple Command Injection Vulnerabilities
(2020).https://talosintelligence.com/vulnerabilityreports/TALOS-2019-0948
57. W AGO PFC200 Cloud Connectivity Remote Code Execution Vulnerability (2020).
https://talosintelligence.com/vulnerabilityreports/TALOS-2019-0954
58. W AGO PFC200 iocheckd service “I/O-Check” getcouplerdetails remote code exe-
cution vulnerability (2020).https://talosintelligence.com/vulnerabilityreports/
TALOS-2019-0864
59. W AGO PFC200 iocheckd service “I/O-Check” ReadPCBManuNum remote
code execution vulnerability (2020).https://talosintelligence.com/vulnerability
reports/TALOS-2019-0873
60. W AGO PFC200 iocheckd service “I/O-Check” ReadPCBManuNum remote
code execution vulnerability (2020).https://talosintelligence.com/vulnerability
reports/TALOS-2019-0874
61. W AGO PFC200 iocheckd service “I/O-Check” ReadPCBManuNum remote
code execution vulnerability (2020).https://talosintelligence.com/vulnerability
reports/TALOS-2019-0863
62. W AGO PFC200 iocheckd service “I/O-Check” ReadPSN remote code execution
vulnerability (2020).https://talosintelligence.com/vulnerabilityreports/TALOS-
2019-0871
63. Weinberger, S.: Computer security: is this the start of cyberwarfare? Nature174,
142–145 (2011)
64. Zonouz, S., Rrushi, J., McLaughlin, S.: Detecting industrial control malware using
automated PLC code analytics. IEEE Secur. Priv. Mag.12(6), 40–47 (2014).
https://doi.org/10.1109/MSP.2014.113

Post-exploitation and Persistence Techniques Against Programmable Logic Controller相关推荐

  1. ABB AC500 - Programmable Logic Controllers PLCs可编程逻辑控制器

    ABB AC500 - Programmable Logic Controllers PLCs可编程逻辑控制器 ABB AC500 PLC 系列包括各种 CPU.I/O 模块.通信模块.通信接口模块和 ...

  2. Attacking the IEC-61131 Logic Engine in Programmable Logic Controllers in Industrial Control Systems

    攻击ICS中PLC的IEC-61131逻辑引擎 一.摘要 二.介绍 (一)PLC攻击类型 (二)MITRE ATT&CK攻击 三.威胁建模 四.实验评估 (一)SEL-3505 RTAC (二 ...

  3. jmeter(二十):Logic Controller:逻辑控制器(上)

    逻辑控制器用来控制采样器(samplers)的执行顺序,根据实际需要定制执行规则.在控制器层级下面的所有的采样器都会当做一个整体,执行时也会一起被执行. Logic Controller种类: 以上L ...

  4. 【Jmeter】元件详解:逻辑控制器(Logic Controller)

    目录 零.Logic Controller(逻辑控制器) 一.If Controller[如果(If)控制器] 二.Transaction Controller[事务控制器]

  5. 【JMeter】各种逻辑控制器(Logic Controller)

    文章目录 一.JMeter 逻辑控制器 二.逻辑控制器分类 1.简单控制器(Simple Controller) 2.循环控制器(Loop Controller) 3.仅一次控制器(Once Only ...

  6. Jmeter之逻辑控制器(Logic Controller)

    一.简单控制器(Simple Controller): 作用:这是Jmeter里最简单的一个控制器,它可以让我们组织我们的采样器和其它的逻辑控制器(分组功能),提供一个块的结构和控制,并不具有任何的逻 ...

  7. 4-逻辑控制器:Logic Controller

    一.逻辑控制器 1.功能 可以控制采样器(samples)的执行顺序.控制器需要与采样器一起使用,否则控制器就没有什么意义了. 二.分类 1.简单控制器:Simple Controller 作用:这是 ...

  8. JMeter Logic Controller(逻辑控制器)之 ForEach Controller(循环控制器)

    官方文档:http://jmeter.apache.org/usermanual/component_reference.html#ForEach_Controller 1.ForEach Contr ...

  9. 基于逆向工程的内存真值检查来保卫网络物理系统

    基于逆向工程的内存真值检查来保卫网络物理系统 原文 Defending Cyber-physical Systems through Reverse Engineering Based Memory ...

最新文章

  1. [原]three.js 地形纹理混合
  2. 100道Java基础面试题收集整理(附答案)
  3. 处理数字_3_计算表的行数
  4. JAVA js的escape函数、解析用js encodeURI编码的字符串、utf8转gb2312的函数
  5. 如何从零搭建一个hexo博客网站01
  6. Linaro GCC 交叉编译工具链 国内源下载列表 (持续更新)
  7. MapBar和MapInfo中的比例尺[更新:MapBar比例尺是正确的]
  8. MSSQL sum()计算expression转化为数据类型int时发生算术溢出错误解决
  9. 【PostgreSQL-9.6.3】LOG: unrecognized configuration parameter dynamic_shared_memory_type
  10. 有哨兵的双向循环链表、单向循环链表
  11. 网络 猫,路由器,交换机连接设置
  12. QCheckBox::toggled(bool)和QCheckBox::clicked(bool)的区别
  13. 混合游戏环境:让人类一直身处在物联网中(作业 全靠google)
  14. R语言 数据操作小贴士合集
  15. 百度大脑开放日·互联网内容安全线上专场报名中!
  16. VNC源码研究(二十四)vnc-4.0-winsrc版本之winvnc工程分析
  17. 三颗种子开发系统源码
  18. 浏览器被恶意篡改怎么办?
  19. [转]人生就像一张茶几,摆满了各种杯具洗具餐具
  20. [GKCTF2020]CheckIN详解

热门文章

  1. 笔记本一合,显示器就息屏,解决方法
  2. batchnorm原理及代码详解(笔记2)
  3. Clog——基于C语言的日志系统设计
  4. volite java_同步和Java内存模型(五)Volatile
  5. 使用Java延时队列DelayQueue实现订单延时处理
  6. 动漫产业被“熊猫”踢中软肋
  7. easyui datagrid控件使用
  8. C语言中打开一个应用程序可以调用或运行命令
  9. BeautifulReport 实现app UI自动化测试
  10. 浅谈路由器的路由功能