Hello, thank you very much for being here with us. My name is Javier Perez and I work as a director of research and development for Dream Lab Technologies. And I'm Juan Escobar and I work as a senior cybersecurity consultant for Dream Lab Technologies. This talk is basically about our experience in the field of security audits and incident response, as well as in the research of new vulnerabilities and how they are applied in the ICS cyber kill chain. ICS are devices that generally operate in critical infrastructures. These are not well known since they operate in a different environment compared with companies that have common information technologies. Also, many incidents involving ICS devices and the OT environment have had very important geopolitical connotations, which has changed the world in relation to the vulnerabilities existing in them, and which has led governments to take measures that classify them as a critical element of the nation. As many of you probably know, today we are in what is called Industry 4.0, which is characterized by broad interconnectivity, data collection, analysis and communication, which results in the optimization of the flow and quality of processes. Although the benefits are many, this convergence between the IT and OT worlds increases the attack surface as well as the number of new controls to implement. Based on this premise, in the 90s Theodore Williams, along with members of the Purdue University Consortium, developed the Purdue Enterprise Reference Architecture as a model for enterprise architectures, where the Purdue model defines the different levels of critical infrastructure that are used in production lines and the way to secure them. But as we know, it is very difficult to implement, maintain and monitor all cybersecurity systems. We must remember that not all companies are the same; therefore, the security mechanisms and architectures are different.
But at the base, the activities to be carried out by an attacker will almost always be the same. That is why Michael Assante and Robert Lee adapted the cyber kill chain model created by Lockheed Martin to the ICS world, to understand, visualize and organize the steps required for an adversary to reach their goal. So the ICS cyber kill chain consists of two phases: cyber intrusion preparation and execution, which is related to the IT world, and ICS attack development and execution, which is related to the IT world. So in this talk we will try to emulate the most common attack vectors to get access to a remote power plant. Let's see what these steps are. For stage one, the first step is reconnaissance. Reconnaissance is an activity to obtain information about something through observation and/or other detection methods. This activity is divided into passive and active reconnaissance, where the passive one is in charge of searching for the information available in public sources and the active one interacts directly with the target to collect information. Okay, let's continue. First, let's define our target and the attacker. In this case the target is a nuclear power plant called Macross and the attackers will be a group called APT666. If we search for this nuclear plant in Google, we have a result and we can see that this plant is located in Sicily. It also has another energy project. Continuing with passive reconnaissance, we can search in Shodan or Sumai, where probably there is not much information, which should always be the case. In LinkedIn we find one profile related to the company, and not much else on the Internet. This is when the attackers carry out an active reconnaissance; obviously, both activities can be carried out in parallel. As we know, the plant is located in Switzerland, so we proceed to scan the entire country looking for any reference to the company.
One of the protocols consulted is SNMP; although there are not many vulnerabilities for it, it provides information that may be important to carry out an attack. For this purpose, an automated tool is created and launched nationwide, using the default community string to perform the authentication. As a result, we can see that there is an IP related to the company. So in this tool we will set the name of the database, the community, and the file with the IPs. In Switzerland there are around 20 million IPs, so this will take a couple of hours to finish, but now we can see that we have the result related to the Macross electric power plant. So this IP address, which was not linked to any site like Shodan or Sumai, we will scan to see what is on this IP address related to the Macross electric power plant. Now we will see what information this service can give us. For this we can use several tools, but now we will use one called snmp-check that will give us the data in an orderly way. As we see, it gives us quite a lot of information, but an interesting piece of information corresponds to the network connections. Here we can highlight a connection established to port 22, which is generally used for remote administration, and we can see that it is accessible. Now we know that someone is connected, so we can assume that it is someone who manages this system. Let's see what we find in this source IP. We launch a quick scan and see that port 80 is open. We access it through the browser and see there is a login page. With a little more research, we see what type of device it is and in what part of the world the IP is assigned. This is a home router located in the United States. We take a look and do some research about it, and we don't find any vulnerabilities on this device. So as a summary of the first step, we have one LinkedIn account, one website, one Linux server, one SNMP service, one interesting IP address, and one internet border device with no vulnerabilities.
Next step, the preparation. In this step there is weaponization and targeting. Both can take place, but this is not required. Basically, this step is to prepare the tools according to the identified objective. In this case we will use two vectors: the social engineering one and another we will call infrastructure. For the social engineering vector, the idea is that the victim visits a malicious website and we exploit a vulnerability in order to take control of her computer. Our excuse will be an interview for a magazine specialized in cybersecurity issues in industrial environments. So for this vector we will create a fake website where we locate our browser exploit, and we also create a fake LinkedIn account for a journalist who is working on this fake magazine called Skywire.com. Okay, and now our plan for vector two, infrastructure, is also similar to the previous one. We want to redirect all the web traffic to our malicious sites, but since we don't know who is behind this device, we need to hack the device and change the configuration of the DNS server. In this way the traffic can be redirected to our malicious DNS server. Since we don't know the password, we have to find a way to enter this device. So what we are going to do is try to find a vulnerability, a zero-day. What we're going to do is try to pass the parameters of this web application and try to find some kind of remote execution, because these devices are commonly vulnerable to this kind of vulnerability. So we will try to pass all these parameters in the POST request. What we did was, using a dictionary with a lot of Unix commands, try to find a way to execute some commands, and we can see in payload six and payload seven we have the answer we need. So at this moment we found a remote code execution on this device. This is a zero-day vulnerability.
So now in the field keypad, sending a specific request concatenated to the parameter, we have a remote code execution. In this case we send the command id to identify who is running the process. In this case it is a remote code execution with root privileges. So now we finish the preparation, weaponization and targeting. Now we go to the next step, which is cyber intrusion, management and enablement, and sustainment, entrenchment, development and execution. So basically this is the moment we can act. So we can deliver, exploit, install or modify to gain access to the system of the victim. We launch our command and control using methods such as a connection to a previously installed capability, or abuse trusted communications such as the VPN. Then we have the sustainment, entrenchment, development and execution phase, which documents a variety of end goals that an adversary may have. This phase is when the adversary acts. So we can discover, do lateral movement, everything we know from common IT attacks. So now our first victim will be an operator of the SCADA of the company, Macross Power Plant, and now we will send her a message through LinkedIn. We will put a link to our SCADA Wire magazine, and now we will try to exploit a vulnerability in her browser. For this, first we need to activate our exploit on the website, and now we can send the message. So we sent a message saying that I am a journalist for a magazine and asking if she wants to participate in an interview, and we add the link to the website. So now we can see in the LinkedIn profile of the victim that she received the message, and she probably clicks the link, and she will have access to the website and see there is a normal magazine related to industrial technologies. But in the background, as you will see, we execute the exploit on the browser and we have immediate access to her machine. So we can start and look for credentials.
And also we can look for interesting files like VPN configs, or software for password management like KeePass, for example. And also we can start looking for some files related to the company. Also for the second vector, infrastructure, we already found a remote code execution, so we will try to get some information about the device. In this case we have the credentials of the device, so we will now try to crack them. So now we have the password of the device, so now we can log in to the device, and we are now going to change the DNS server. So now we apply the change. Now we can take a look at the victim machine and we can see the DNS has changed. So for example, if he goes to dml.com we can see it is trying to connect to dml; any domain he writes in the URL bar is redirected to our malicious site. So now we can see we have almost the same information, like credentials, a lot of VPN config files and probably more information that we need to prepare the next step of the attack. As part of command and control we are using the same application, in this case Metasploit, and as we showed previously we have a lot of information related to the victims. In this case we have the Windows credentials and we can see this person is working not only for Macross but also for other power plant companies. And we can get of course the password manager, like KeePass, and some sensitive files like details of the infrastructure. So if we take a screenshot of the victim we can see he is a system administrator for an external company working for Macross Power Plant. Also we can use keyloggers to get the password for the KeePass, and we can see he has credentials for almost all the sensitive infrastructure, like the CM, SCADA and the Active Directory. So probably this will give us domain admin immediately without any other attack. Also sensitive files; the same for Lisa.
Lisa is an operator of this SCADA, so we are interested also in her password management database, so we add a keylogger in the attack. So as a summary, we have access to two important computers and now we have remote access to the plant with the config files they have on their computers; also we can pivot from their computers too. We have credentials for almost all the infrastructure and the details of the infrastructure. So next is stage two, and I give you Juan Escobar to explain this part. Thank you Javier. I am continuing with the ICS cyber kill chain in its second stage, more specifically in the development phase. In this phase the attacking group tries to create new offensive abilities using the information from the previous stage, and this is possible because the attackers have discovered an Excel document with a list of devices. In this case we can see a Schneider Electric PLC using the Modbus protocol. And first it is necessary to understand the Modbus protocol. Luckily for us this protocol is really very simple. Without going into too much detail, the first seven bytes of the packet, in red, correspond to the header fields. Next comes one byte reserved for the function code, which can be from 1 to 127 in hexadecimal. Finally we have the data segment; the content of this field will depend on the function code we use. As you can see, the request is very simple. This one is a valid request using function code one, or read coils. And if a request is valid, the response will keep the function field, a byte with the same value as in the original request. But what happens when the request contains an error? In this case the response will return two bytes reserved for the exception: we have the exception function code, which is one byte, and the exception code. The exception function code field is equal to the sum of the value of the function used, one in this case, plus 80 in hexadecimal. So for example, the function code in the response will be the value 81.
If we use function code one, and if we use for example function code two, the response, if the request contains an error, will be 82; and if we use function three and the request contains an error, it will be 83, and so on. The second field, the exception code, is represented by a numerical value that will depend on the following flow. So if a request can pass the first condition, illegal function, this means that the function is valid. In other words, if the exception code is different from one, the function is valid. So based on the error messages it is possible to determine the existence or non-existence of an implemented function, and this is very helpful to build various attacks. It is also important to consider that an enabled multiple function is always a possible attack. So with this knowledge it is possible to build a tool that can list the implemented functions. The tool sends valid Modbus frames, always trying to force error messages, and lists all the possible functions, or the attack vector. So to continue our simulation, we, or the attackers, will focus on function 43, which is read device identification, and also function 90, UMAS, which is a Schneider Electric proprietary function. This function was discovered with a new enumeration tool. So what is function 43? In short, it is a function that will provide device information, so for example a vendor name, product code, revision number, etc. Here are some first tests with function 43. We can see some information about the PLC and the project. The other interesting function of a Schneider Electric device is the function called 90. Among the many functionalities or sub-functions available we are interested in the following three: 40, 41 and 20, which are stop PLC, start PLC and read memory block. So for the final attack we are looking for a request that can easily generate a stop on the target device.
For this, in our controlled environment, requests have been sent to our PLC using only function 90, which is 5a in hexadecimal, but with random data. So finally it was possible to generate a denial of service condition by sending two null bytes, as you can see here, in the sub-function read memory block. Finally a tool was developed for this attack, which we call Modbus Killer. So the next phase is validation. In the validation phase the aim is to certify the new abilities or developments in a controlled environment with specific hardware. All tests have been performed in a laboratory environment just like the one we show below. So the following demo evidences a denial of service with the Modbus Killer tool. Here we are setting a value of 1 for slave ID 1 using function code 5 to start the motor. And then we perform some banner grabbing with the check argument of the Modbus Killer script; this is performing banner grabbing using function 43. And then we are sending the exclude argument; we will use the UMAS function, or function code 90. So we can see that the motor or the device is stopped when we send the two null bytes. So as you can observe, the result is a denial of service of all the PLC functionalities, and it also disconnects it from the network, forcing a physical restart. And the final phase is called ICS attack. This stage is used for deploying and executing the attack. So we have another video that simulates the final step in the simulated Macross electric plant. As you can see, we send the kill command and the device was unresponsive. This is a system to control the temperature of the water, and when the PLC stopped working the alarm will be activated and also the temperature will rise. So just in case, the vulnerabilities we found have already been reported to the manufacturers and have their respective security patches. And here is an overview of some recommendations that you can apply to avoid this type of attack.
And finally, thank you very much for your time, and do not forget to visit us on our ICS research blog and our GitHub, where we publish exploits and tools that can help you in your security audits. So thank you.
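As an added example (not code from the talk, nor from Dream Lab's Modbus Killer or enumeration tools), the following Python decodes the Modbus/TCP framing and exception rule Juan describes (7-byte header, one-byte function code, exception response = function code + 0x80 followed by an exception code, where a code other than 1 means the function exists) and turns it into a defender-side check that flags the error-based function enumeration a PLC monitor would want to catch. The frame layout follows the public Modbus/TCP specification; the sample exchange is constructed, not a real capture.

```python
import struct

# MBAP header: transaction id, protocol id (0 for Modbus/TCP), length, unit id = 7 bytes
MBAP = struct.Struct(">HHHB")
EXCEPTION_NAMES = {1: "illegal function", 2: "illegal data address",
                   3: "illegal data value", 4: "server device failure"}

def build_frame(tid, unit, function, data=b""):
    """Build a Modbus/TCP frame (used here only to construct sample traffic)."""
    pdu = bytes([function]) + data
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu   # length counts unit id + PDU

def parse_frame(frame):
    """Split a frame into header fields and PDU, decoding exception responses
    (function code + 0x80 followed by a one-byte exception code)."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short")
    tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP protocol id or length")
    code, data = frame[7], frame[8:]
    if code & 0x80:                       # exception response
        exc = data[0] if data else None
        return {"tid": tid, "unit": unit, "function": code - 0x80,
                "exception": exc, "exception_name": EXCEPTION_NAMES.get(exc, "other")}
    return {"tid": tid, "unit": unit, "function": code, "exception": None, "data": data}

def implemented_functions(pairs):
    """Apply the talk's rule to (request, response) pairs: a response whose exception
    code is anything other than 1 means the function is implemented on the device."""
    result = {}
    for req, resp in pairs:
        fn = parse_frame(req)["function"]
        result[fn] = parse_frame(resp)["exception"] != 1
    return result

def looks_like_enumeration(pairs, threshold=5):
    """Detection heuristic: a client that collects 'illegal function' exceptions for
    many distinct function codes is probing the PLC, not operating it."""
    probed = {parse_frame(req)["function"] for req, resp in pairs
              if parse_frame(resp)["exception"] == 1}
    return len(probed) >= threshold

# Constructed sample exchange (not a real capture): unit 1 answers function 1 normally,
# functions 3 and 43 with non-1 exceptions, and rejects 8, 17, 20, 21, 22 as illegal.
SAMPLE_PAIRS = [
    (build_frame(1, 1, 1, b"\x00\x00\x00\x08"), build_frame(1, 1, 1, b"\x01\x05")),
    (build_frame(2, 1, 3, b"\xff\xff\x00\x01"), build_frame(2, 1, 0x83, b"\x02")),
    (build_frame(3, 1, 43, b"\x0e\x01\x00"), build_frame(3, 1, 0xAB, b"\x03")),
] + [(build_frame(10 + i, 1, fc, b""), build_frame(10 + i, 1, fc | 0x80, b"\x01"))
     for i, fc in enumerate((8, 17, 20, 21, 22))]
```

Running `implemented_functions(SAMPLE_PAIRS)` reports functions 1, 3 and 43 as present and the rest as absent, and `looks_like_enumeration(SAMPLE_PAIRS)` fires on the five distinct illegal-function answers from one client.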