Attacks and Detection - 2
Transcript
00:04:706 Alessandro Brighente: Hi, everyone.
00:14:850 Alessandro Brighente: So let's get back to the detection of attacks towards the control system. So what we'll see today is just a bit of how we can design the attack. Right? So we said we have ways of detecting whether something is going wrong with a spoofing attack. We know, for instance,
00:36:390 Alessandro Brighente: on the values reported by the sensors in an industrial control system,
00:43:260 Alessandro Brighente: and the way in which we can do that is through hypothesis testing, right? So we saw that we have an algorithm to see whether a time series originated from an attacker, and to see whether there's a sudden change in the hypothesis under which a certain time series has
01:00:590 Alessandro Brighente: originated. So here, yeah, we want to
01:06:170 Alessandro Brighente: create an attack that cannot be detected by those approaches. Right? So we want to be stealthy. So it means that, in a certain way, what we would like to do is generate spoofed values that do not have sudden changes, or that from a statistical perspective do not report significant changes, and therefore cannot be
01:30:980 Alessandro Brighente: detected. So here are some assumptions, right? So the first assumption is that the attacker knows that such detection mechanisms exist and how they work, which is not reasonable. We know
01:49:538 Alessandro Brighente: usually these are publicly known. So let's assume that the attacker knows them. And some other assumptions that we need in order to design a really stealthy attack is that we need to assume that the attacker knows exactly the model
02:10:557 Alessandro Brighente: that we use. Right? So the matrices A, B and C, the controller, how the inputs to the system, the controller and possible noise impact on the behavior of the system, the parameters that we've seen last time, that we estimate from the statistics of the data, that account for the bias, right, that allow us to have the non-parametric estimate of the distributions
02:38:360 Alessandro Brighente: of the existing segment
02:40:290 Alessandro Brighente: and the control command signals. Right? So what the controller sends to the system. So some of these assumptions are kind of
02:51:720 Alessandro Brighente: heavy, right? The attacker knows a lot of stuff. But I mean, let's see what an attacker can do by knowing all these things. Right? So somehow we want the attacker to be as strong as possible. This is somehow a common assumption. Right? So if you want to design a system that is secure,
03:09:769 Alessandro Brighente: you do not want to rely on the fact that, okay, the attacker doesn't know this thing, right? Because if the attacker eventually knows that thing, then you're done, right? So usually you want to have an attacker that is as strong as possible, because if you can defend against that as-strong-as-possible attack, then we should be
03:31:260 Alessandro Brighente: kind of good.
03:33:380 Alessandro Brighente: Okay? So the first attack that we see is the surge attack,
03:39:880 Alessandro Brighente: right? So what the attacker tries to do is to maximize the damage as soon as possible. Right? A spike, something like lightning, right? Something like that. The objective here is not to give enough time to the algorithms that we've seen during the last lecture to be able to detect the presence of the attack, right? So the changes are
04:03:250 Alessandro Brighente: so sudden that we cannot... we've not had the time to derive useful statistics for
04:13:340 Alessandro Brighente: good. So
04:20:40 Alessandro Brighente: so here's a strategy for the attacker. And so the attacker needs to solve this equation here. Because when the statistic reaches the threshold, we want to maintain it there, right? We do not want to go over the threshold. Because otherwise, if we go over the threshold, then the algorithm can detect our attack. So, let's say,
04:45:900 Alessandro Brighente: our threshold is tau, and so we want the attacker to provide a spoofed value that as soon as possible reaches the value tau, and then stays like that, right? Because if the statistic is not above tau, then we don't have a problem.
05:01:550 Alessandro Brighente: Good. So
05:03:380 Alessandro Brighente: this is what it will look like for y_4, y_5 and y_7 here, right? This is what we've seen last time. So that's what the attacker does. If S_i at time k+1 is lower than or equal to tau_i, we keep the minimum value for y;
05:27:231 Alessandro Brighente: instead, if it's above tau_i, we want to use this value here. And then it's just the formulation that we've seen last time. Instead of using the function statistic, we use the difference between the value that we have and the predicted value, and the bias term, because we want to account for the average value of our statistics.
05:51:489 Alessandro Brighente: Yes, that is what you will have for y_7; as you see, it's basically the same, just the notation is a bit
05:58:650 Alessandro Brighente: different.
06:01:850 Alessandro Brighente: Then the second kind of attack is the bias attack. In this case the attacker just adds a small constant value
06:10:550 Alessandro Brighente: at each time step, right? So what happens is that every time the attacker adds up this value c_i to the reported value,
06:21:910 Alessandro Brighente: right? And in this case we can write the statistic here. And the statistic, right, is exactly what we've seen last time. So if you assume that the attack starts at time 0,
06:39:540 Alessandro Brighente: and that every time we add this c_i value for n steps, this is what the attacker needs to solve, right? So the attacker doesn't want this to go above the threshold. And so it means that this is the value that the attacker needs to add for n time steps without actually being detected.
07:05:920 Alessandro Brighente: Oops.
07:19:150 Alessandro Brighente: Okay? So, well, I'll fix it later.
07:24:930 Alessandro Brighente: Good. So this means that this is the bias that the attacker creates. And if the attacker
07:36:870 Alessandro Brighente: wants to maximize the damage that it brings, it needs to select the smallest possible n, right, and the smallest possible n is one, right? So what that means is that the attacker just adds an impulse value to this time series. Right? If instead the attacker wants to have an impact over longer
08:00:815 Alessandro Brighente: time intervals, then this n can be large, and it means that the constant value that it adds is just smaller, right? So it's just solving
08:12:510 Alessandro Brighente: this equation here.
08:19:960 Alessandro Brighente: So here's another version of the attack,
08:27:10 Alessandro Brighente: which is the geometric attack, right? So the geometric attack is a geometric
08:34:559 Alessandro Brighente: series, basically. So what happens with the geometric attack is that the attacker aims at varying the reported value slowly at the beginning and maximizing the damage at the end. Right? So I just add this small value at the beginning and make it bigger and bigger and bigger, according to a geometric distribution. Right? It's not clear in this situation here.
09:03:360 Alessandro Brighente: Okay, so this is the value that we report for the attack. And so you see that here you have this time series, and our aim is to find the values of beta and alpha such that S_i at time n is equal to tau_i, right? So it's not detected as an attack before tau_i.
09:31:700 Alessandro Brighente: Okay. So again, we can solve our equation, right? So that's the equation that we have, according to the fact that we are adding every time this beta_i times alpha to the power n minus...
09:45:590 Alessandro Brighente: okay.
09:47:332 Alessandro Brighente: And what you observe, if you do the math, is that you have a geometric progression, and those are the values that you need to
09:55:950 Alessandro Brighente: tune. So you can fix one of the two terms, right? You can fix the value of alpha and select the proper beta to satisfy the equation above, right, and avoid being
10:08:360 Alessandro Brighente: detected.
10:11:00 Alessandro Brighente: Good. So these are just different ways in which we can create our attack, right? So, depending on how fast we want the system to be compromised, or
10:26:320 Alessandro Brighente: if we just don't care about disrupting the system abruptly, but we want to do that over longer periods, we can design based on these different generation methodologies.
10:39:830 Alessandro Brighente: Good. So what about the detectability? Right? So how good are we in detecting the attacks?
10:49:380 Alessandro Brighente: Well, ideally, we would like to be able to detect also these stealthy attacks. Right? So given that we know that they exist, we are good at detecting them if we are good in selecting a proper value for the parameter tau.
11:07:340 Alessandro Brighente: Okay, so
11:10:00 Alessandro Brighente: here are some statistics, right? So based on the value of tau, the threshold value that we select, we have different percentages of the number of stealthy
11:23:920 Alessandro Brighente: attacks that are successful. Right? So if the threshold value is very low, then we have zero successful stealthy attacks. But if we increase the value of tau, we see that we have more and more successful attacks, so we need to be good at selecting a threshold value that helps us in detecting these
11:49:200 Alessandro Brighente: attacks, and at the same time does not cause false positives in our system. Right? We do not want to detect as attacks some behavior
12:00:430 Alessandro Brighente: that is legitimate and potentially is not causing any damage to our industrial process.
12:07:320 Alessandro Brighente: Right? So that deals with the parameterization of all these statistics and information that we're seeing here. What you would do is have your industrial system and do the math, right? So testing the behavior of the industrial system against these different kinds of attacks and deriving the parameters that are the most suitable for you, in the environment that you actually control, that you want to
12:35:321 Alessandro Brighente: keep under control.
12:38:990 Alessandro Brighente: Okay? So this is something that you could test with the second project. You will have access to this controller system. Basically, it's a Python-based library in which you can interact with the system. You can derive, or you can collect, data out of that and see how the system behaves, and try to implement some of these attacks.
13:09:800 Alessandro Brighente: Okay, so
13:14:180 Alessandro Brighente: this was just to conclude a bit what we've seen last time regarding the
13:22:710 Alessandro Brighente: detection of possible attacks here. So now we switch to something which is a bit more computer-science related, if you want. So we are dealing with software.
13:34:550 Alessandro Brighente: And
13:39:990 Alessandro Brighente: what we'll see today
13:44:700 Alessandro Brighente: is the example of the first type of weapon that we have against industrial control systems. Right? So we are talking about the Stuxnet worm. Okay? So we're talking about software malware, right? Malicious software that we can use to attack some of the physical systems. Right? So the idea is, again, you have your SCADA system, supervisory control and data acquisition. Right? We've seen that it has this very wide architecture, a layered architecture
14:14:415 Alessandro Brighente: in which you have different kinds of computing machinery in there. Right? So you have standard computers. Then you have the devices that you need in order to program the PLCs, you have the PLCs, and you have the field devices, right? So all of these different layers.
14:36:40 Alessandro Brighente: And now again, we want to find ways to design software that leverages exploits in the system, and that potentially harms or jeopardizes the safety of
14:53:140 Alessandro Brighente: the industrial control systems. So just to give you an idea of how we target vulnerabilities in industrial systems and what we observed during the years. Right? So we have here this basic classification of what could go wrong in an industrial control system. Right? So we have computer-based accidents.
15:16:410 Alessandro Brighente: So one of the news items reported that a nuclear power plant was forced into emergency shutdown for 48 hours after an operator installed a software update on the business network used to monitor chemical and diagnostic data, right? So this is not an attack. This is not an attack. I mean, the operator was,
15:35:480 Alessandro Brighente: let's say, doing its job.
15:38:362 Alessandro Brighente: But then, due to the software update, right, the issues related to the software update, we had some service interruptions. Right? They were not able to monitor the chemical and diagnostic data. And it's a big problem for an industrial system, right? You don't know what is happening, and you don't know whether your system is going towards an unsafe state, right. Again, so this is not an attack, but again, due to the fact that we have this
16:07:753 Alessandro Brighente: huge interconnection, or stronger interaction, between the IT components and OT components, this is a problem, right? We would like to avoid
16:16:950 Alessandro Brighente: this kind of stuff. Then you have
16:21:180 Alessandro Brighente: a second example here, which are non-targeted attacks.
16:24:380 Alessandro Brighente: Right? So
16:26:980 Alessandro Brighente: here we have attacks that are related to the IT infrastructure, and they are not targeted in the sense that they do not target specific vulnerabilities in the devices that you have in an industrial system. They're not targeting vulnerabilities in the sensors, or they're not
16:47:290 Alessandro Brighente: launching physical attacks against the sensors, for instance. No. What we have here are attacks against the Internet-connected components, right? So classical attacks that you have on the IT infrastructure, but at the same time they can impair the
17:02:450 Alessandro Brighente: working principles of the industrial system.
17:06:420 Alessandro Brighente: And then we have a third class, which is targeted attacks. Right? So when we talk about targeted attacks, it means that the attacker knows that it's targeting an industrial system, right? A cyber-physical system of a certain type,
17:20:601 Alessandro Brighente: an entity composed of a certain infrastructure, and then the scope of the attack, in this sense, is to design a strategy that aims at damaging the physical system. Right? So we have the example of such a thing here. Right? So
17:43:330 Alessandro Brighente: why is Stuxnet so important? Again, we have a malware; I think it's a worm, in the end, and it's a malware that has been designed to attack an industrial system. And it's so famous because,
17:59:458 Alessandro Brighente: well, it exploited four zero-day vulnerabilities, right? Four! In your lifetime as a security expert, or
18:09:380 Alessandro Brighente: working in the security domain, you're lucky to find one zero-day vulnerability, right? It's a tremendous amount of effort to find such vulnerabilities. Here we have four zero-day vulnerabilities. Right? It's a lot of work. So it means that the team behind the development of this worm was kind of...
18:28:216 Alessandro Brighente: There were a lot of people working on that. And indeed, you see that such a malware is highly complex. It's not just the exploitation of flaws. It's a malware that really contains a lot of lines of code, is written in different programming languages, targets specific devices, is able to update itself, right? It's not static. I mean, it's not that once you've got the malware installed on a specific device, it's
18:57:740 Alessandro Brighente: done. It stays like that, meaning it can talk with the command and control server to update itself and bypass new patches, security patches that might be applied to the devices that you have in that control system. Right? So it's
19:13:730 Alessandro Brighente: really huge work. And the other thing for which it is very famous is, again, because it's the first example of a cyber weapon. So this is indeed a weapon, right? So what the objective of Stuxnet is, is to
19:33:86 Alessandro Brighente: have the centrifuges of a nuclear power plant spin at a pace which is too high for them to bear. Right? So what happened here is that
19:44:950 Alessandro Brighente: someone
19:46:230 Alessandro Brighente: targeted the nuclear power plant, right? And because of the damage to them, you see, some of these centrifuges, they exploded, right? So they caused significant damage to the nuclear program. Yes.
20:03:760 Alessandro Brighente: Okay, so which accounts for 10% of that. Right? So indeed, it's a weapon; it causes physical damages and losses to the victim. Right? So
20:15:770 Alessandro Brighente: I guess it's around 2010 that
20:24:22 Alessandro Brighente: we had a confirmation that this was indeed a weapon. Right? It's under the operation Olympic Games, something like that.
20:34:351 Alessandro Brighente: And you see that under Bush's government, right? So there was this idea to have...
20:42:830 Alessandro Brighente: and so they saw the
20:47:730 Alessandro Brighente: nuclear program as a threat, and he wanted to do something against that, right. They never confirmed nor disconfirmed,
20:59:120 Alessandro Brighente: never confirmed this thing here, but we don't care about politics, right? That's not our job. What we care about is: how does this damn thing work, right? It's really interesting. Why is it so complex? And what does it do, right? How can we develop a malware like that?
21:20:693 Alessandro Brighente: Good. So we are talking again about Stuxnet, which is a malicious computer worm. It was first discovered in 2010. And again, it targets supervisory control and data acquisition systems.
21:34:180 Alessandro Brighente: Okay, specifically, it targets PLCs from Siemens, right? So we have the Siemens Step 7 software, which is what you use to control these PLCs, right, and we have vulnerabilities in there.
21:50:660 Alessandro Brighente: So why did Stuxnet need to exploit these four zero-day vulnerabilities? Well, if you remember what we discussed, we have devices that are of a different kind. Right? We have
22:06:540 Alessandro Brighente: PCs like laptops, Windows machines, right? Then we have the controllers that we have, PLCs, and we have HMIs, blah blah, right? So how do we design something that is able to propagate
22:21:194 Alessandro Brighente: along these machines, where
22:25:210 Alessandro Brighente: very often you don't have an Internet connection towards them, right? So it's not like the PLC is connected to the Internet, and then you can just send it an email with a phishing address and it installs a malware; that's not going to work. You need to be able to propagate this malware in your network. So you don't want this to be detected, right? So at the beginning, what they observed in these power plants, when they observed the first issues,
22:54:610 Alessandro Brighente: is that in some Windows machines you were observing this blue screen, and the blue screen is
23:00:530 Alessandro Brighente: what you don't want to see, right? So at the beginning, this was
23:07:500 Alessandro Brighente: not good enough, but eventually it got to something that is not detectable. And so you want to have vulnerabilities in there in order to propagate your worm, and then you want to exploit vulnerabilities in the PLCs. Right? So, if you just have your malware that lets the centrifuge spin at a very high pace, then, on the other hand, when you have the human-machine interface, the human operators will see that there's such a
23:35:190 Alessandro Brighente: huge increase in terms of speed, right? And
23:39:120 Alessandro Brighente: if that is the case, the operator would just shut down the part of the ICS that deals with uranium.
23:46:700 Alessandro Brighente: Right? So at the same time you want to compromise the PLC, you want to compromise the centrifuge, but you don't want these observable malicious data to be reported to the human operators. Right? So you need to have something in that sense. And in this case, what Stuxnet did is implement a man-in-the-middle attack, right? So it was providing
24:10:190 Alessandro Brighente: malicious instructions to the centrifuge, but at the same time preventing the sensors monitoring the rotational speed of the centrifuge from reporting the
24:21:460 Alessandro Brighente: legitimate data back to
24:23:930 Alessandro Brighente: the control station. Right? So they couldn't observe the fact that they had this problem, right? They didn't see the speed that was actually there.
24:34:900 Alessandro Brighente: Okay. So let's go step by step and try to understand
24:43:160 Alessandro Brighente: how we get from an industrial control system that is not infected to the point where we have malicious worms spreading around, infecting the different machines.
24:54:100 Alessandro Brighente: Alright. So
24:56:920 Alessandro Brighente: the first point is: how do we bring some malicious software into an environment where we have no Internet connection in place? Well, the first thing that's been observed is that Stuxnet, the main component,
25:18:40 Alessandro Brighente: leverages
25:20:114 Alessandro Brighente: those mechanisms that you use for USB drives, for instance, right? When you connect an external device, you make some calls towards a certain memory region. So you
25:32:780 Alessandro Brighente: have functions, right, that are specific for that.
25:35:450 Alessandro Brighente: And so the original infection may have been introduced by a removable drive. It means that a USB stick with the malware in it was connected to one of the machines in the system, right. And from that point on the malware started to propagate itself along the network, right? So at that point, when you have access to one of the devices in the SCADA system,
26:03:864 Alessandro Brighente: then what happens is that the different devices are connected to one another. Right? It's something that we've seen before. We have these industrial networks, and somehow we can treat them as peer-to-peer networks, right, where the malware can spread around, thanks to these connections.
26:30:720 Alessandro Brighente: Good. So
26:32:700 Alessandro Brighente: the first problem, let's say, that needed to be solved is how to spread around, right, how to pass from a device to another one through the local network.
26:47:490 Alessandro Brighente: And then the other problem is,
26:51:840 Alessandro Brighente: well, in order to exploit zero-day vulnerabilities, it means that you know which kind of devices are connected to your industrial system. Right? Otherwise you don't find zero-day vulnerabilities. You need to know exactly which kind of PLCs are being used. Right? So if we want to find zero-day vulnerabilities in the Step 7 software of Siemens PLCs, you need to know that you have the Step 7 software on the Siemens PLC, right? So
27:17:490 Alessandro Brighente: one of the key observations in the design of the Stuxnet worm is the fact that the attackers
27:27:80 Alessandro Brighente: had access to all the information needed in order to understand which kind of devices were connected to the SCADA system. Right? So they knew that we're talking about Siemens PLCs. They knew that many of the machines that were connected to them ran the Windows operating system, right, and which version of that.
27:46:220 Alessandro Brighente: Good. So by having access to the schematics of the industrial control system, the attackers designed this worm here to exploit these vulnerabilities. And then the other key feature is the fact that, I mean, it's not like in 2007 or 2010 we didn't have anti-malware software, certificates; there were a lot of security checks that you could perform.
28:14:740 Alessandro Brighente: And the other thing is, therefore, that in order to pose as a legitimate software, Stuxnet needed to have access to certificates, right? So it needed certificates to prove its legitimacy to these anti-malware systems, right, or to the antivirus software in
28:33:607 Alessandro Brighente: the Windows operating system. And so the first question was: okay, how did Stuxnet have access to such certificates? Right? It's not something you can create on behalf of a trusted authority. Right? If I want to pose as a Windows software certificate,
28:51:388 Alessandro Brighente: legitimate Windows software, I need to have the certificate from Windows and cannot create it myself because I'm not Windows.
28:59:360 Alessandro Brighente: So what happened is that those that created this worm stole such certificates, right? So. And they had them, therefore. So you see that we have a series of problems that the attackers needed to solve
29:18:770 Alessandro Brighente: in order, I don't know, to have an effective attack.
29:26:660Alessandro Brighente: Good. So what is the main components of the stocks? Net software? Well, we have what is called the original subsection, which is the the main component of the the call form. And we have this piece of code ensures different features
29:45:647Alessandro Brighente: the 1st one is to exploit vulnerabilities, such as the Msn. 0 46, which is associated to that Cv. In there 2010 2568 which is a vulnerability that allows the the software to infectable system and gain execution privileges. Right?
30:07:180Alessandro Brighente: So it means that I have a vulnerability that allows me to infect the machine with the malicious software, and it gives me privileges right? Like, if I am the
30:22:540Alessandro Brighente: and
30:25:130Alessandro Brighente: and user, right? So if I have all the permissions that I need in order to execute the code and to write the stuff in the memory of a machine.
30:34:360Alessandro Brighente: Right? So we'll take a look at this CD in just a couple of slides then the second requirements. And what the second ensure is that the malware can self replicate across the different devices connected to to the network, right? So it needs to copy the core components of subset
30:58:00Alessandro Brighente: and its payload to appropriate memory locations in the neffective system. Right? This is fundamental. We cannot just simply rely on the fact that the malicious.
31:06:720Alessandro Brighente: an effective USB. Key is passed from a machine to another. That's not going to happen right? We may be lucky, and this happens 2 or 3 times. But then we want the market to be able to spread the autonomously through the whole network.
31:22:830Alessandro Brighente: Good. So when these malware passes from a machine to another. What we when we, what we wanted to do is to be able to extract and repeat the embedded components of the malware and to be able to install all the additional modules that you need in order to to be effective right? And in order to install these additional modules.
31:46:400Alessandro Brighente: It uses certificates, because otherwise the machine will realize that someone is trying to solve.
31:53:290Alessandro Brighente: these are additional modules that come from an untrusted source. Right? So that's where we need the the stolen certificates.
32:03:930Alessandro Brighente: Alright. So this is the the one obviously. And the 0 days of the exploited
32:11:484Alessandro Brighente: so these you have in here. The description on the Cv is a window shell that allows local users or a mobile taxers to execute the arbitrary code via crafted dot lnk or dot eif short file
32:26:874Alessandro Brighente: not properly handled during iphone display in windows. Explorer. What does this group of words mean? It means that when you plug in USB. Key in your machine, for instance. What happens? You have the windows. Explorer, I have this windows that pops up and shows you the content of the the USB key, the mobile media.
32:53:30Alessandro Brighente: right? So what happens with the
32:57:200Alessandro Brighente: with this vulnerability, and what the success actually exploited is the fact that you can create this malicious dot Lnk file in the removable drive right? And these contains a reference to a malicious binary. Malicious piece of code. On that removable media. Right? So we are talking about the the device that actually spreads
33:21:21Alessandro Brighente: the the warm actually press the malware, and due to the vulnerability we have that when these dot and K file was displayed right when the the windows
33:32:216Alessandro Brighente: pops up to show you the content of the USB key without the user being aware, this order is executed right? So automatically executed. And these is a very
33:45:860Alessandro Brighente: bad motivity, right from
33:49:580Alessandro Brighente: problem in point of view, because it doesn't require the user interaction, and just with the the single action of inserting the USB key in the machine. Automatically, some code, the random code and trusted code in this sense of is executed.
34:07:110Alessandro Brighente: Alright. So that's the the initial point. How do we get the the malware to spread into our machines?
34:13:670Alessandro Brighente: Okay, so here you have the whole execution flow from the USB, right? So you have the infected removable drive with these files in here. So you see that you have the .lnk file, and then you have these two .tmp files in here
34:32:530Alessandro Brighente: right? And so you have these five different steps, right? So you want to infect the machine, you want to hook some of the APIs that make the calls towards the kernel of the system, you want to go unnoticed, and you want to identify whether the machine that you infected is actually a proper target.
34:53:639Alessandro Brighente: Right? So you don't want to have system crashes. And if you have system crashes, then it's bad, because someone
35:02:318Alessandro Brighente: could realize that something weird is happening in their machine. Right? So how do you avoid system crashes as well? If the machine that you compromise is not the target machine, it's not the PLC in our case,
35:16:630Alessandro Brighente: you can stop the exploit. You can avoid going in that direction; you can just sit there and spread the worm to the other machines. Right? You don't need to do anything more than that on non-target machines. And so in these steps in here you are checking also for
35:35:770Alessandro Brighente: this kind of information. So the first step, right? So we have this WTR4141,
35:44:429Alessandro Brighente: so it's the encrypted and compressed payload component of Stuxnet, and it contains the actual malicious code. Right? So the malicious code that you want to execute, and it exploits the CVE that we've seen before. Right? So that's the moment where you insert the USB drive in the machine. And then you have this malicious software that is
36:08:962Alessandro Brighente: executed, right? So what it does is to load this WTR4141.tmp in the computer's memory. And then we have this setting here. Right? So we want to pass the control to this WTR4141.
36:28:750Alessandro Brighente: Right? So what does it mean? It means that we redirect the execution flow of the operating system to start running our malicious code, right? So it's something like: the OS is doing its thing, and then at a certain point, due to the fact that we have that malicious code loaded in the RAM, we just want it to run, right? We don't want the OS to go on doing what it was doing, but we want this specific code to run
36:57:290Alessandro Brighente: right? So in order to do that
37:01:98Alessandro Brighente: what is observed from the Stuxnet execution is that indeed it takes over memory regions, I think it overwrites memory regions, to enter the execution flow of the different steps that you have in here, right, and we'll get back to that. So
37:20:660Alessandro Brighente: The second thing now is,
37:23:320Alessandro Brighente: we have some malicious code that we can execute on the victim's device, right? It's in the memory. We can enter the execution flow and start doing that. So how do we proceed for that? Well, the first thing is to hook kernel32.dll, right? Which is one of the key components of the Windows operating system kernel.
37:48:840Alessandro Brighente: And what it does is to provide the functions for memory management, dealing with input and output, process creation and file creation. Right?
38:00:670Alessandro Brighente: When we talk about hooking, it means that we want our malicious software to be connected to the execution flow of this kernel32. Okay, so we want to intercept all the calls that this library is making towards the kernel. We want to modify some of the content of these specific functions. We want to manipulate, basically, the behavior of the operating system.
38:28:623Alessandro Brighente: When we do this kind of operation, right? When we have this target in general for malware, we talk about API hooking, right? So this passage that happens from the user space to the kernel space in the OS happens through these APIs, right? So when we do API hooking in malware, we want to alter the behavior of these calls.
38:56:142Alessandro Brighente: Good. So what are the different steps that we need for API hooking? So the first thing is to locate the target function, right? So we want to identify the addresses of the specific functions that kernel32.dll is using. And we look for certain functions, right? Ideally, we know which functions we are interested in and which we want to hook.
39:21:180Alessandro Brighente: Then the second step is to redirect these function calls, right? So we want to modify the address of this function in the import address table,
39:32:200Alessandro Brighente: or directly in the memory of the machine, right? So where these functions are located in the actual memory of the device, and to redirect these calls towards our own malicious code. Right? So ideally, our malicious code has its own address, and we want all the calls made towards the legitimate function to be redirected to our address, where we have the malicious software that we control.
39:58:250Alessandro Brighente: Then, if that is the case, we want to execute the malicious logic, right? So whenever a call towards the legitimate function located at a certain address is made by the operating system, we want the Stuxnet code to execute first, and alter the input/output of this function, or bypass the original function, right, to skip a step basically,
40:23:240Alessandro Brighente: and not to execute the function at all.
40:32:00Alessandro Brighente: While doing this, right, we don't want the operating system to realize something weird is going on. So we want to preserve the system stability. And how do we do that? So the point is to avoid these crashes, right, or being detected. Every now and then we want to pass the control back to the original function, so that the operating system executes its flow of actions as it is supposed to do, right.
41:02:750Alessandro Brighente: any questions at the end
41:07:610Alessandro Brighente: and celebrate.
41:25:60Alessandro Brighente: okay, let's history side.
41:31:122Alessandro Brighente: Good. So we have all of these nice things that we do through API hooking.
41:46:850Alessandro Brighente: Good. So now we are at this point here, right? Not only do we want to hook what happens with kernel32.dll, but we also want to hook another DLL,
42:01:586Alessandro Brighente: so in this case, we look for calls to specific libraries, right? So these are the libraries for which we want to look, right? So this provides us information about the system. Right? This is something that we use for fingerprinting purposes. We want to understand where the malware ended up, right? So what kind of device is
42:26:610Alessandro Brighente: hosting, let's say, the malware. And also in this case, we replace the original call of these functions with something that
42:37:982Alessandro Brighente: and the
42:40:500Alessandro Brighente: in particular, we check for files with specific properties. Right? These specific properties again are related to which kind of operating system it is; is it a PC, is it a PLC, is it...
42:55:610Alessandro Brighente: What is it?
42:59:420Alessandro Brighente: So at this point, where all the APIs are hooked up, we load this new one here, WTR4132.tmp, which is the thing that contains the main Stuxnet DLL, right, in the .stub section.
43:17:970Alessandro Brighente: and this .stub is extracted in the memory. Right? Then we have the actual installation of the Stuxnet malware. What you can observe from the implementation is that what remains fixed is the WTR.
43:33:960Alessandro Brighente: So these 4141 and 4132 were just random IDs assigned by the process. Right? So you will not actually see these IDs every time that you install the malware. It creates them dynamically
43:52:500Alessandro Brighente: good. So we said that one of the main
43:58:600Alessandro Brighente: issues, no, not one of the main, but one of the problems that we have in order to stay unnoticed and avoid being detected is certificates.
44:08:940Alessandro Brighente: So when Stuxnet needs to change the libraries, or when it needs to install the main program, right, it needs to appear as a valid piece of software. So for that reason it needs to have a certificate.
44:29:600Alessandro Brighente: So the first certificates that Stuxnet
44:35:810Alessandro Brighente: stole are those from Realtek. Right? So Realtek.
44:39:880Alessandro Brighente: Yes, you know, it's a big company, right? So they managed to steal the certificates. And so all the software that Stuxnet was importing into the victim machine appeared as Realtek legitimate
44:57:236Alessandro Brighente: software. But at a certain point this issue was detected, right? So it was detected that these certificates were stolen, and so Stuxnet needed to update its behavior. And it changed its certificate. So it switched to JMicron, right? So what this ensures is that all the Windows machines that were
45:20:320Alessandro Brighente: infected by the malware continue to trust the malicious software, right, because of this certificate.
45:28:934Alessandro Brighente: So you see in here one of the complex behaviors we described related to Stuxnet, right, the fact that it's able to update itself. Right? It's not like, okay, we had the legitimate certificates, and now that we've seen that these are not working anymore, we just need to
45:50:343Alessandro Brighente: throw the whole software in the garbage bin. No, we could tell the malware deployed in some of these victim machines to
46:01:100Alessandro Brighente: use some updated certificates, so that at that point they
46:04:980Alessandro Brighente: still look like legitimate pieces of software.
46:12:840Alessandro Brighente: Good. So getting back to what the original .stub section ensures, the fourth point is establishing persistence, right? So persistence means that if
46:29:680Alessandro Brighente: we turn off our system
46:32:710Alessandro Brighente: and turn it on again, the malware should still be there. Right? So how do we do this? Well, we achieve this by modifying some of the system settings, right, ensuring that every time the system starts the malware is executed. We saw before that we hook some of the API calls that happen between the user space and the kernel space. So that's another way of gaining persistence.
47:02:110Alessandro Brighente: Alright. So
47:04:920Alessandro Brighente: And then, of course, the other main point for the system is to avoid being detected. Right? So all the key files belonging to Stuxnet should be hidden from the user and antivirus software, right? So using valid certificates, for instance.
47:20:417Alessandro Brighente: Then we need to check for criteria. Right? So criteria
47:26:709Alessandro Brighente: such as the presence of Siemens Step 7 software, right? So that's our final target. That's where we can have our targeted attack. Right? Again, remember that we are targeting the industrial control system. We're targeting the PLCs and the behavior of the ICS, right? So that's our final goal. And if we detect that the hosting machine is not
47:55:20Alessandro Brighente: one with the Step 7 software and a connected PLC, we stop any further interaction. Right? We don't want to be detected. So if there's nothing more we can do than infecting the machine and having the malware spread to other machines, we just need to stop. If, instead, we detect that the malware reached one of these Step 7 machines, one of our targets,
48:20:600Alessandro Brighente: then we can trigger the deployment of the Stuxnet main payload, right, which is the core component that changes the software in the PLC, right? We actually modify the software component of the PLC, which is the part that triggers the unsafe behaviors.
48:45:800Alessandro Brighente: good, what is
48:47:790Alessandro Brighente: So the other problem now is, we have our infected key, right? The USB key. And if a machine gets infected, this is something that is going to work, right, but it doesn't guarantee that it can propagate to other machines that are not directly infected via the USB key.
49:15:720Alessandro Brighente: And then these
49:19:280Alessandro Brighente: and it's a problem, right? How does the malware actually act as a worm? So here's another vulnerability in the series of vulnerabilities that Stuxnet exploits. So we're talking about MS10-061, which has been associated with CVE-2010-2729. By the way, you see CVEs in blue because you have the direct link to the NVD database, where you have the description of the whole CVE. You have examples
49:46:530Alessandro Brighente: sometimes on how this has been implemented, and patching,
49:51:799Alessandro Brighente: so you can take a look at that. But basically what this CVE refers to is a vulnerability in the Windows print spooler service which allows for remote code execution.
50:04:810Alessandro Brighente: Right? So what happens in here is that Stuxnet can send specially crafted print requests, right, to these devices where we have the print spooler service active, and once these print requests were received by
50:25:686Alessandro Brighente: the receiver, this allowed Stuxnet to execute some code on that part.
50:33:600Alessandro Brighente: Right? So this is the proper description of what happens. Right. So we have printer sharing which is enabled. And at this point the print spooler service allows the attacker to create files in a system directory. And so that's what Stuxnet does. It sends these kinds of requests and creates a file in the receiver's directory, and such a file can then be executed by a crafted print request. Right? So what happens is,
51:02:820Alessandro Brighente: again, step by step: I'm the attacker. I know that the receiver has the print spooler service. So I create a file in the memory of the receiver. And then, when I send the print request, my print request is crafted such that it triggers the execution of that file, which is malicious software. And that's how we propagate
51:26:130Alessandro Brighente: the malicious software also to other peer machines. Right? So we are exploiting this vulnerability for remote execution.
51:40:360Alessandro Brighente: Then.
51:42:370Alessandro Brighente: now we have the first machine that has been infected, and other machines that have been infected through this other print-related zero-day vulnerability. Usually when we talk about malware, a common concept is that of command and control servers,
52:01:640Alessandro Brighente: right? So we have these external servers, controlled by the attacker, that exchange information with the malware, right? So the malware has some routines that report information back to these command and control servers, and the command and control servers, based on what they receive, the statistics that they observe from the malware, can provide new instructions to the deployed
52:26:80Alessandro Brighente: malware, and then to the fully infected devices.
52:29:111Alessandro Brighente: Good. So with Stuxnet, we have these command and control servers, and
52:36:710Alessandro Brighente: what Stuxnet reported to these command and control servers is information regarding the system configuration, the presence of the Siemens PLCs, the Step 7 software, and whether the specific machine is a valid target for the payload, right? So if it's actually a PLC.
52:55:130Alessandro Brighente: And then the C2 servers played a fundamental role also in updating the malware, right? So the thing that we mentioned before, that at a certain point the malware needed to change the certificate it was using,
53:07:460Alessandro Brighente: right? So this is something for which an instruction is provided by the C2 servers, right? So they can send commands or updated instructions to the malware, and that will change its behavior. Of course, all of these communications need to be
53:24:930Alessandro Brighente: need to be stealthy, right, as all the other behaviors that we mentioned up to now.
53:30:760Alessandro Brighente: So we have communications that are carefully crafted, and they look like HTTP requests, right? They look like legitimate HTTP requests. But then, if you look at the domain name of the servers that Stuxnet is communicating with, you will see that we have some fairly
53:47:770Alessandro Brighente: non-legitimate names, right? And they look like phishing.
53:57:620Alessandro Brighente: good. So of course, communicating with the command and control server requires an Internet connection. Right? You need to be able to communicate with some remotely deployed
54:10:124Alessandro Brighente: server. But the final target, right? The PLC in the end, very likely, was not equipped with outbound Internet access, right? So you could not communicate with these command and control
54:28:780Alessandro Brighente: servers.
54:29:880Alessandro Brighente: Good. So this means that all the main functionalities that may usually be deployed through command and control servers, in the Stuxnet case, needed to be embedded inside the code itself. Right? So it's not like I have a very simple worm that propagates through machines, and then when it gets to a certain point I communicate with the command and control server that provides me with
54:53:60Alessandro Brighente: the payload. Right? So it's not like that in here. We need to ensure that if the Stuxnet worm gets to a PLC that cannot communicate with the command and control servers, still it will be able to modify the software on the PLC.
55:15:560Alessandro Brighente: okay, so
55:17:440Alessandro Brighente: these are the steps that Stuxnet executes. But then, when it's in a machine, how does it behave? What does it look like? So we have a predefined set of actions that Stuxnet periodically runs,
55:33:590Alessandro Brighente: right? So of course, these different sets of actions are responsible for the different actions that we've seen up to now, right? So installation, execution, and maintaining persistence.
55:45:750Alessandro Brighente: And
55:51:180Alessandro Brighente: how
55:53:840Alessandro Brighente: how does this original .stub section behave? Right? So we've seen what it ensures, but not how it behaves. Right? So here are the three main points, right, the three key steps that it executes. Right? So
56:11:698Alessandro Brighente: we have this .stub section that we pass around between the different processes. Right? We said that sometimes we execute the malware processes, sometimes we give the control back to the original operating system. But then, what happens when the .stub section is executed is that we have a pointer to the original .stub section, which is provided as a parameter to the export.
56:40:110Alessandro Brighente: Then we have the export that interacts with the DLL files that we've seen before, so those that we are hooked to,
56:48:860Alessandro Brighente: and we pass this pointer as a parameter, map it to memory and call another export from that memory region. And then we pass the pointer to the original .stub section as a parameter. Right? So basically, what we have is that we keep track of where the original,
57:12:780Alessandro Brighente: not the regional, but the
57:15:70Alessandro Brighente: yeah, the original .stub section is located in the memory, and we pass this information as a parameter to the different processes, because we want to keep track of it. And if we find a place where we want to execute some of the main functions of the original .stub section, we know how to do that.
57:35:460Alessandro Brighente: good. So
57:38:820Alessandro Brighente: by observing Stuxnet, and the fact that it changed in time, right? It evolved in time. We can see that it has alternative ways of performing the same task.
57:52:677Alessandro Brighente: Here you have an example of an alternative way to call exports besides the approach we've seen before. So the alternative for this, in one successive implementation of Stuxnet, is to read the executable template from its resources,
58:15:100Alessandro Brighente: populate the template with appropriate data, and an example is which DLL file to load and which export to call,
58:23:520Alessandro Brighente: and inject this populated template into the process and execute that, right? So the
58:37:710Alessandro Brighente: main objective is the same, right? We want to execute some of the attacker-controlled functions through hooking the DLL. It's just a matter of how we get to execute these malicious functions.
58:52:520Alessandro Brighente: And here are all the exports that Stuxnet can execute. Right? So when we're talking about exports here, you have the export ID and the function, right? So it's the description of what function Stuxnet is actually doing. Right? So the export is the function.
59:12:153Alessandro Brighente: So you see, the first one is, in fact, infect removable drives and start the RPC server, and the thing that we've seen before, hooking APIs for Step 7,
59:23:491Alessandro Brighente: calling the removal routine, and the removal routine is associated with the fact that if you got to a point where Stuxnet has infected the machine and did its job, so propagated to the other machines, and we don't need it in that specific machine anymore, we need to have an export that deletes all the malicious code to prevent it from
59:45:370Alessandro Brighente: being detected.
59:47:111Alessandro Brighente: Verify if the threat is installed correctly, and so whether we got to the point where we have all our hooks, whether all is set in order to execute the malware. Verify version information: we want to understand the version of the operating system, we want to verify whether the machine that will be infected
00:11:730Alessandro Brighente: is actually exploitable or not, right. We have situations in which you see Stuxnet check for certain security services, and if it detects specific security services, it knows there's nothing it can do, right, and it just doesn't execute anything in there. It just tries to propagate
00:30:510Alessandro Brighente: to other machines. So it needs to Lubanese.
00:35:331Alessandro Brighente: Then we have calls to export 6. And we have updates, right, updating itself from infected Step 7 projects. These are
00:48:850Alessandro Brighente: what we do. Then we have the final infection step: initial deployment, installation, replaces Step 7, which is the actual final exploit where we want to replace the software in Step 7,
01:04:437Alessandro Brighente: uninstall, and infect removable drive. Right? There's also the case in which we have a machine that is infected, and then someone connects a removable drive that is not infected, which is a potential
01:23:980Alessandro Brighente: spreader of the infection, if you want, right? Because if a new removable drive is infected and connected to another machine, it can propagate the worm
01:36:280Alessandro Brighente: over and over again. Then we have a network propagation routine, checking the net connection, and it's something that you need for the control server, RPC server control and the routines related to auto control, and again updates. So you see that we have a lot of functions, these exports, and all of them need to be embedded
02:00:260Alessandro Brighente: in the software itself. Right? It's not something that we can rely on the C2 server to provide to the worm. Because, again, if we get to a point where we have no Internet connection, we need to ensure that all these functions can still be
02:14:500Alessandro Brighente: executable?
02:21:00Alessandro Brighente: Good. So how does the injection
02:27:480Alessandro Brighente: work? So whenever we call one of these exports, whenever we want to call one of these Stuxnet functions, what happens is that Stuxnet usually injects the entire DLL into another process, right, and calls the specific export. So it means that somehow we're blocking what the operating system is doing; we provide it with the DLL and the particular export.
02:59:890Alessandro Brighente: we have some trusted processes in the operating system, right? Again, it's not like in 2010 we had no security products. And in particular, we had some of these specific security products from Kaspersky, McAfee, or Symantec. Right? So if we have these, then we have some trusted processes in the Windows operating system. And so how can we deal with these trusted processes? Or can we actually deal with these
03:28:670Alessandro Brighente: trusted processes? Good. So among the tasks that Stuxnet is doing is to search for indicators that the following programs are installed, right? So these are antivirus software, basically.
03:43:120Alessandro Brighente: And if we detect one of these products installed in the machine, we want to search for the version information and the main image of that. And based on the version number of this software the injection can change, right? Because sometimes we can perform the injection, sometimes we will not.
04:07:260Alessandro Brighente: And if the detected security product is considered not bypassable by Stuxnet,
04:14:580Alessandro Brighente: there exists no exploit to bypass that, then the injection process will just stop, because if it triggers something for which we have no way around, it means that the malicious software is detected, and we cannot risk that.
04:33:500Alessandro Brighente: Then, some of these operating systems have behavior blocking, right? So we have in the Windows operating system in here some routines that check whether some malicious software is trying to execute, right? So it detects the behavior, certain signatures, if you want, of legitimate behavior and non-legitimate behavior,
04:58:440Alessandro Brighente: and if it detects non-legitimate behavior, we have this
05:04:190Alessandro Brighente: host intrusion prevention that blocks and raises an alarm, right? So again, that's not something that we want. So here you have an example of W32.Stuxnet. Right? So how this implementation of Stuxnet managed to bypass these behavior blocking systems.
05:27:410Alessandro Brighente: And again, we have something that is hooked to ntdll.dll, and it monitors requests to load specially crafted file names. So what these file names usually look like, this is what they're looking for, right? So you have kernel32.dll.aslr.[...], and of course the last part is like a hex value. So we are checking for
05:56:220Alessandro Brighente: this kind of call in here, and Stuxnet hooks to this call in here to avoid being detected as
06:07:122Alessandro Brighente: a possible attack, right? So all of these would be legitimate; Stuxnet can create such legitimate file names, and therefore look like a legitimate process.
06:26:940Alessandro Brighente: Okay, so this is something that we already discussed about the distribution, how we get to infect the application from another loop
06:36:706Alessandro Brighente: this is important, because you can imagine that we do not necessarily have a propagation only through IP-based connections. Right? Because we have connections that happen through the Internet or through Profibus, or sometimes Siemens use their proprietary protocol. Right? So we need to ensure that the propagation happens also through these protocols.
07:10:120Alessandro Brighente: yeah. And then the point is,
07:14:730Alessandro Brighente: when we get to a certain machine, right, if that is a controller we need to launch the final exploit. Right? So how do we detect
07:27:186Alessandro Brighente: whether we are on the target machine? Well, there are ways in which we can check for the operating system version, and we can check which kind of commands we can execute on a machine, right? There's a complicated process for fingerprinting that is implemented, which again makes it
07:45:340Alessandro Brighente: something that is complex compared to
07:49:584Alessandro Brighente: to other ones. And then we need to modify the PLC software. But these things, while
07:59:370Alessandro Brighente: so enjoy your weekend.