Post on 21-Apr-2018
Safeguarding Civilization
TRISIS
Joe Slowik & Jimmy Wylie; Adversary Hunters, Dragos Inc.
The First Safety Instrumented System Malware
Introduction
• Joe Slowik, Threat Intelligence & Hunter
• Current: Dragos Adversary Hunter
• Previous:
  • Los Alamos National Lab: IR Lead
  • US Navy: Information Warfare Officer
  • University of Chicago: Philosophy Drop-Out
Introduction
• Jimmy Wylie, Reverse Engineer
• Current: Dragos Adversary Hunter
• Previous:
• Focal Point Academy: MA Course Dev, Instructor, Researcher
• Fortego, LLC: Malware Analyst/Reverse Engineer, Developer
• University of New Orleans: B.S. & M.S. Computer Science
Agenda
• Background
• Event
• Malware
• Response
Background: By the numbers
• 5 ICS-tailored malware families: Stuxnet, Havex, BlackEnergy2, CRASHOVERRIDE, TRISIS
• 3 designed to disrupt industrial processes: Stuxnet, CRASHOVERRIDE, TRISIS
• 1 SIS-focused: TRISIS is tailored to impacting Triconex SIS exclusively
BACKGROUND EVENT MALWARE RESPONSE
SIS Background
• Failsafe for the industrial process
• Should be independent of the industrial process
• Not arbitrary, derived from:
  • Hazard / Operability Studies (HAZOP)
  • Process Hazard Analysis
  • FMEA
Timeline
November 17
• Dragos finds TRISIS and begins high-level analysis
Late-November
• Dragos confirms the malicious nature of TRISIS with an understanding that it has been used at least at one victim site
• Dragos coordinates with DOE and DHS to confirm there are no considerable sensitivities given the focus of the malware and that notifications would not ruin ongoing investigations
• FireEye learns that Dragos has copies of the malware; coordination is done through interested parties to ensure sensitivities are respected
December 6
• The initial advisory is sent to Dragos ICS WorldView customers
December 8
• The in-depth Technical Report was completed and sent to Dragos ICS WorldView Customers
December 10
• Dragos prepares a public report to have available for whenever the information is leaked to the public or in case someone else publishes; focus is on nuance and defense
December 12
• FireEye publishes report on TRISIS (TRITON); Dragos follows up with its own publication
TRISIS Event
• Unspecified gas facility in Saudi Arabia attacked, August 2017
• Infection resulted in a system shut-down during the intrusion
  • Shut-down not assessed as the intended effect of the attack
• Attack focused on Schneider Electric Triconex system, 3008 PowerPC processor version
TRISIS Attack Path
• SIS-connected workstation compromised
• Malicious compiled Python moved to the workstation together with its payloads
• EXE handles connectivity to and interaction with the SIS
Potential TRISIS Attack Scenario
Establish Access on SIS-Connecting System → Transfer TRISIS Package to System → Use TRISIS Base EXE to Upload TristationProgram → TristationProgram Compromises SIS → Leverage Access for ICS Disruption via SIS
TRISIS Attack Observed
Establish Access on SIS-Connecting System → Transfer TRISIS Package to System → Use TRISIS Base EXE to Upload TristationProgram → TristationProgram Compromises SIS → Leverage Access for ICS Disruption via SIS
Something Breaks Here! (the chain was not completed as observed: the SIS shut down during the intrusion)
What TRISIS Means
• Deliberate targeting of SIS accepts risk:
  • Physical damage
  • Potential injury or loss of life
• New norm established in ICS targeting and operations
TRISIS Components
• Engineering Workstation: TRILOG.EXE + LIBRARY.ZIP
• SIS: INJECT.BIN, IMAIN.BIN
TRILOG.EXE + Library.zip
• Py2Exe executable masquerading as legitimate software
• Library.zip contains external Python library dependencies
  • Artifact of the Py2Exe process
  • Contains attacker-written libraries along with standard libraries
TRILOG.EXE – Initialization, Test + Upload, Cleanup (code walkthrough screenshots not reproduced)
TRILOG.EXE – Summary/Impact
• Summary
  1. Connects to Triconex using IP argument
  2. Concatenates inject.bin to imain.bin
  3. Tests for code upload
  4. Uploads inject+imain, removes if necessary
• IMPACT: Provides a ‘documented’ procedure for uploading control programs
LIBRARY.zip – The Workhorse
• TsLow.py – Socket layer implementation of the Tristation/TCM protocol
• TsBase.py – Tristation network commands
• TsHi.py – Uses TsBase to provide read/write program functionality
• Ts_cnames.py – Enumeration of Tristation codes
• crc.py – Provides a variety of CRC functions
• sh.py – Data dumping and changing endianness
TsLow.py – Tristation Protocol
• Tristation Protocol defines the packet format to send network commands
• Options include uploading code, reading controller state, etc.
• TCM is the wrapper packet for a TristationProtocol message
• Communications occur over UDP/1502
TsLow.py – TCM & Tristation
• TCM Wrapper: MessageType | LengthOfData | Data | CRC16
• Tristation Message: Dir | Cid | Cmd | MsgCount | Unk | Checksum | LengthOfCmdData | CmdData
TsLow.py – tcm_exec (code screenshot not reproduced); tcm_result() parses the reply
TsLow.py – ts_exec (code screenshot not reproduced) – Whoops!
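As an added illustration (this is not TsLow.py and not Dragos code), the two-layer framing on the slide can be modelled with a few lines of Python: an outer TCM wrapper whose CRC16 protects the whole frame, carrying an inner Tristation message with its own checksum and length. Field order is taken from the slide; field widths, byte order, the inner checksum algorithm and the CRC polynomial are assumptions made here for illustration, since the page does not state them.

```python
"""Model of the TCM wrapper around a Tristation message (added example).

Field ORDER follows the slide. Field WIDTHS, little-endian byte order,
the additive inner checksum and the CRC-16/ARC polynomial are ASSUMED
for illustration; the real parameters used by TsLow.py/crc.py are not
stated on the page.
"""
import struct


def crc16(data: bytes, init: int = 0x0000) -> int:
    """Assumed CRC-16/ARC (reflected polynomial 0xA001, init 0)."""
    crc = init
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc & 0xFFFF


# Assumed: Dir, Cid, Cmd, MsgCount, Unk are 1 byte each;
# Checksum and LengthOfCmdData are 2 bytes each.
TS_HDR = "<BBBBBHH"
TS_HDR_LEN = struct.calcsize(TS_HDR)       # 9
# Assumed: MessageType is 1 byte, LengthOfData 2 bytes; CRC16 trails the data.
TCM_HDR = "<BH"
TCM_HDR_LEN = struct.calcsize(TCM_HDR)     # 3


def ts_checksum(cmd_data: bytes) -> int:
    """Assumed 16-bit additive checksum over CmdData."""
    return sum(cmd_data) & 0xFFFF


def build_ts(direction: int, cid: int, cmd: int, msg_count: int,
             cmd_data: bytes, unk: int = 0) -> bytes:
    """Tristation message: header fields in slide order, then CmdData."""
    hdr = struct.pack(TS_HDR, direction, cid, cmd, msg_count, unk,
                      ts_checksum(cmd_data), len(cmd_data))
    return hdr + cmd_data


def parse_ts(msg: bytes) -> dict:
    """Parse a Tristation message, rejecting bad lengths and checksums."""
    if len(msg) < TS_HDR_LEN:
        raise ValueError("short Tristation message")
    direction, cid, cmd, msg_count, unk, checksum, length = struct.unpack(
        TS_HDR, msg[:TS_HDR_LEN])
    cmd_data = msg[TS_HDR_LEN:TS_HDR_LEN + length]
    if len(cmd_data) != length:
        raise ValueError("LengthOfCmdData runs past end of message")
    if checksum != ts_checksum(cmd_data):
        raise ValueError("Tristation checksum mismatch")
    return {"dir": direction, "cid": cid, "cmd": cmd, "msg_count": msg_count,
            "unk": unk, "cmd_data": cmd_data}


def build_tcm(msg_type: int, data: bytes) -> bytes:
    """TCM wrapper: MessageType, LengthOfData, Data, CRC16 over the rest."""
    body = struct.pack(TCM_HDR, msg_type, len(data)) + data
    return body + struct.pack("<H", crc16(body))


def parse_tcm(frame: bytes) -> tuple:
    """Unwrap a TCM frame; returns (MessageType, Data) or raises ValueError."""
    if len(frame) < TCM_HDR_LEN + 2:
        raise ValueError("short TCM frame")
    msg_type, length = struct.unpack(TCM_HDR, frame[:TCM_HDR_LEN])
    end = TCM_HDR_LEN + length
    body, trailer = frame[:end], frame[end:end + 2]
    if len(body) != end or len(trailer) != 2:
        raise ValueError("LengthOfData runs past end of frame")
    (crc,) = struct.unpack("<H", trailer)
    if crc != crc16(body):
        raise ValueError("TCM CRC mismatch")
    return msg_type, body[TCM_HDR_LEN:]


def ts_round_trip(cmd: int, cmd_data: bytes) -> dict:
    """Wrap a command in TCM and unwrap it again (the tcm_exec/tcm_result pair)."""
    frame = build_tcm(1, build_ts(direction=1, cid=0, cmd=cmd, msg_count=1,
                                  cmd_data=cmd_data))
    _msg_type, inner = parse_tcm(frame)
    return parse_ts(inner)


def tamper_detected(cmd: int, cmd_data: bytes) -> bool:
    """Flip the last byte of the inner message on the wire; the outer CRC rejects it."""
    frame = bytearray(build_tcm(1, build_ts(1, 0, cmd, 1, cmd_data)))
    frame[-3] ^= 0xFF                  # last byte before the 2-byte CRC
    try:
        parse_tcm(bytes(frame))
    except ValueError:
        return True
    return False
```

The two length fields are the places a parser written for the EWS or for a network monitor has to be careful: each one is attacker-controlled, so the code checks it against the bytes actually present before trusting it.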
Attackers are Human Too
• ts_exec returns either a ts_result tuple or a Boolean
  • ts_result == (error_code, reply, cmd)
  • tcm_reconnect() -> Bool
• TsBase.py repeatedly calls the following sequence:
    result = ts_exec(cmd, ex_reply)
    return ts_cut_reply(result)
• First line of the called function can cause a program crash when result is a Boolean rather than a tuple
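The mismatch is easy to reconstruct. The block below is an added example, not TsLow.py or TsBase.py code: a constructed stand-in for the socket layer answers a few commands and then drops the connection, the reconnect is assumed to fail, and the first line of the reply-cutting function unpacks whatever it is handed. The hardened variant shows the check that was missing.

```python
"""Return-type mismatch between ts_exec() and ts_cut_reply() (added example).

The socket stand-in, the always-failing reconnect and the function bodies
are constructed for illustration; only the shapes (tuple vs. bool, unpack on
the first line) come from the slide.
"""


class FakeTcmSocket:
    """Constructed stand-in for the TCM layer: answers N commands, then drops."""

    def __init__(self, answer_n: int):
        self.answer_n = answer_n
        self.sent = 0

    def exchange(self, cmd: int):
        self.sent += 1
        if self.sent > self.answer_n:
            raise OSError("controller stopped answering")
        return (0, b"\x00\x00\x00\x00", cmd)      # ts_result tuple


def tcm_reconnect(sock: FakeTcmSocket) -> bool:
    """Assumed: the reconnect fails, so the Boolean path is taken."""
    return False


def ts_exec_as_written(sock: FakeTcmSocket, cmd: int):
    try:
        return sock.exchange(cmd)            # tuple on the happy path
    except OSError:
        return tcm_reconnect(sock)           # bool on the failure path: the bug


def ts_cut_reply_as_written(result):
    error_code, reply, cmd = result          # first line: TypeError on a bool
    return reply


def ts_cut_reply_hardened(result):
    """Refuse the ambiguous value instead of crashing; caller gets None."""
    if isinstance(result, bool) or not isinstance(result, tuple) or len(result) != 3:
        return None
    error_code, reply, cmd = result
    return reply if error_code == 0 else None


def run_command_sequence(sock: FakeTcmSocket, cmds, cut_reply):
    """Mimics TsBase.py's repeated 'result = ts_exec(cmd); ts_cut_reply(result)'."""
    return [cut_reply(ts_exec_as_written(sock, c)) for c in cmds]


def crashes_as_written(answer_n: int = 2, cmds=(0x10, 0x11, 0x12)) -> bool:
    """True if the original sequence dies with TypeError once the link drops."""
    try:
        run_command_sequence(FakeTcmSocket(answer_n), cmds, ts_cut_reply_as_written)
    except TypeError:
        return True
    return False


def replies_hardened(answer_n: int = 2, cmds=(0x10, 0x11, 0x12)):
    """Same sequence with the hardened cutter: the dropped command yields None."""
    return run_command_sequence(FakeTcmSocket(answer_n), cmds, ts_cut_reply_hardened)
```

For a defender the interesting consequence is the one the slide hints at: a lost connection mid-sequence does not make the tool retry quietly, it makes the process die on the engineering workstation, which is an artifact worth looking for.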
TsLow.py – detect_ip (network scan for Triconex SIS; code screenshot not reproduced)
TsLow.py – Summary/Impact
• Summary
  • Implements both TCM and Tristation protocol messages
  • Includes ability to scan the network for Triconex SIS
• Impact
  • Previously undocumented protocol now easily re-implemented
  • Defenders benefit from the attacker’s investment
TsBase.py – Network Commands
• Series of network commands with similar structure
• “Exploit” interaction
TsBase.py – Impact
• Documents a subset of available Tristation network commands
• Built-in ability to upload/download programs and functions
• “ExecuteExploit” reveals which function the BIN files attempt to hook
TsHi.py – SafeAppendProgramMod
• Fairly involved control flow:
  1. Enumerates functions and programs
  2. Reads the last program in the SIS’s program table
  3. If the program contains the custom TRISIS codesign, it will overwrite that program with the argument
  4. Otherwise, it will allocate a new program, appending the TRISIS codesign
  5. Runs the program and checks state
TsHi.py – Exploit Interaction (code screenshot not reproduced)
TsHi.py – Summary/Impact
• Summary
  • Provides semi-automated function/program upload/download and enumeration
  • Can query SIS state
• Impact
  • Template of ordering and use of the TS protocol for SIS modification – exploit not required!
  • Exploit funcs could be used for detection
IMAIN.BIN + INJECT.BIN
• Schneider Electric provided a deep-dive at S4x18
• Summary
  • inject.bin leverages a 0-day to hook a Tristation command, likely GetMPStatus, with imain.bin
  • imain.bin adds extra functionality to the command allowing R/W/E
  • Removal from the program table does not remove the rootkit – reboot required
TRISIS RAT?
• Current reporting suggests IMAIN is a RAT
• Given that it hooks an OS command, it functions more like a memory-resident rootkit
• RAT connotes more reachability than is present
  • No custom C2, only the TS protocol
  • It’s as accessible as the SIS
  • Trilog.exe doesn’t support remote C2 either
Open Questions
• Does the rootkit bypass the keyswitch setting once installed?
• What is the nature of the exploit?
  • No CVE published
• What crashed the SIS?
• We are currently exploring these issues
TRISIS Mysteries
• TRISIS capability implies expert knowledge of the Triconex SIS
• Implications event was a test: ‘script_test.py’
  • But why test in the target environment, if hardware access was required to develop TRISIS?
  • Why not confirm rootkit presence in the TRILOG checks?
TRISIS Defense
• Unique attack:
  • Tied to a specific Triconex system and configuration
  • 3008 PowerPC-based system
• Malware is not SIS-scalable
• Attack capabilities do not resemble standard Windows malware
TRISIS Detection – AV
• Standard antivirus inadequate
  • Heuristics are focused on Windows malware
  • Behavioral heuristics only applicable at the EWS
  • Signatures are backward-looking
• Typical antivirus is not designed for threats such as TRISIS
TRISIS AV Detection (detection-results screenshot not reproduced)
TRISIS Detection – Anomaly
• Anomaly detection lacks appropriate context
  • Scope of SIS events may be small
  • But the baseline will be narrow
  • Any ‘not normal’ activity will trigger
• Anomalous SIS activity is alarming
  • But a single anomaly data point is insufficient
  • Lack of context and evidence impedes investigation
TRISIS Current Guidance
• Keep the keyswitch in ‘Run’ mode, not ‘Program’ mode (program uploads require the latter)
• Deploy SIS on isolated networks
• Terminals should never be connected to any network other than the dedicated safety network
• Removable media and laptops should be scanned prior to introduction to the safety network
TRISIS Current Guidance
• Unfortunately…
  • Uncertain if the keyswitch can mitigate an existing infection
  • Network isolation may not be possible: proper function likely requires some connectivity
  • Scanning introduced media will use standard AV, not effective against new, ICS-specific threats
Threat Behavior Focused Defense
• Adequate defense against TRISIS-like attacks requires a threat-focused approach
• Identify:
  • Pre-requisites for SIS access and attack
  • Necessary steps to impact the SIS
  • Critical path nodes between IT, ICS, and SIS
Focus on General Behaviors
• TRISIS as observed will never happen again
  • Specific to the target environment
  • Will not scale or port to future attacks
• TRISIS as a potential method can be re-used
  • Focus on general behaviors in the attack
  • Defend against variances and permutations
TRISIS Defense in Depth: Monitor Strategic Nodes
• Initial Intrusion & C2
  • Identify suspect items at the IT-ICS link
  • Minimize IT-ICS communications to known, monitored paths
• ICS Intrusion & Lateral Movement
  • Identify and monitor critical path links to the SIS and other sensitive areas
  • Know existing network communication pathways and identify new, suspicious items
• SIS Activity
  • Limit communication to the SIS to a subset of hardened, generally isolated devices
  • Record and monitor firmware and configuration changes
Search for Suspicious Artifacts
rule compiledPython
{
    meta:
        description = "Identify compiled Python objects - Should be rare to non-existent in ICS environments"
        author = "Dragos Inc."
    strings:
        // $s*: generic Python runtime / py2exe markers
        $s1 = "PyImport_" nocase wide ascii
        $s2 = "PyErr_" nocase wide ascii
        $s3 = ".pyd" nocase wide ascii
        $s4 = "py2exe" nocase wide ascii
        // $a*: names of ICS/remote-access software a py2exe binary may masquerade as
        $a1 = "cyberoam" nocase wide ascii fullword
        $a2 = "plctalk" nocase wide ascii fullword
        $a3 = "greenbow" nocase wide ascii fullword
        $a4 = "mbnet" nocase wide ascii fullword
        $a5 = "mbconnect" nocase wide ascii fullword
        ….
        $a** = "trilog" nocase ascii wide fullword
    condition:
        // MZ header, at least two Python markers and one masquerade name
        uint16(0) == 0x5a4d and 2 of ($s*) and 1 of ($a*)
}
Developing Knowledge from Data
• Any of the previous items in isolation is an anomaly
• But when correlated with other events and knowledge in the environment, it yields a behavior
• Focus on identifying threat behaviors at the earliest possible moment
Enrichment to Identify Behavior
• Identifying a possible firmware binary = data point
• Proper response requires enrichment:
  • Source and path for the binary in the network
  • Communications path to the SIS, SIS controller
  • Nature and means of SIS interaction
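The two slides above (anomaly versus behavior, and the enrichment a response needs) can be shown on a handful of log lines. The block below is an added example, not Dragos tooling: the hosts, IP addresses, file paths and events are constructed, and the environment knowledge (which host is the dedicated EWS allowed to speak TriStation on UDP/1502) is an assumption built into the constants. Each event on its own is either normal or only an anomaly; joined by host and time they become a named behavior with the enrichment fields filled in.

```python
"""Correlating SIS-related data points into a behavior (added example).

All hosts, IPs, paths and events below are constructed; the authorized-client
list and the 15-minute window are assumptions for illustration.
"""
from datetime import datetime, timedelta

SIS_IP = "10.10.3.50"                     # constructed SIS controller address
TRISTATION_PORT = 1502                    # TriStation over UDP, per the slides
AUTHORIZED_TS_CLIENTS = {"10.10.2.15"}    # assumed: only the dedicated EWS
HOST_IP = {"ews01": "10.10.2.15", "it-share01": "10.1.0.20"}


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed, already-normalized event stream (one dict per log line).
EVENTS = [
    {"t": _t("2017-08-04T01:02:00"), "type": "file_transfer", "host": "ews01",
     "src": "it-share01", "path": r"C:\Users\eng\Desktop\trilog.exe"},
    {"t": _t("2017-08-04T01:03:10"), "type": "yara_match", "host": "ews01",
     "rule": "compiledPython", "path": r"C:\Users\eng\Desktop\trilog.exe"},
    {"t": _t("2017-08-04T01:05:30"), "type": "netflow", "src_ip": "10.10.2.15",
     "dst_ip": SIS_IP, "proto": "udp", "dst_port": TRISTATION_PORT},
    {"t": _t("2017-08-04T01:06:05"), "type": "sis_program_table_change",
     "sis_ip": SIS_IP, "detail": "program appended"},
]


def anomalies(events):
    """Stage 1: judge each event in isolation, as anomaly detection would."""
    out = []
    for e in events:
        if e["type"] == "yara_match":
            out.append(("compiled_python_on_host", e))
        elif (e["type"] == "netflow" and e["dst_ip"] == SIS_IP
              and e["dst_port"] == TRISTATION_PORT):
            tag = ("tristation_from_authorized" if e["src_ip"] in AUTHORIZED_TS_CLIENTS
                   else "tristation_from_unknown_source")
            out.append((tag, e))
        elif e["type"] == "sis_program_table_change":
            out.append(("sis_program_change", e))
    return out


def correlate(events, window: timedelta = timedelta(minutes=15)):
    """Stage 2: join anomalies by host/IP and time into an enriched behavior."""
    findings = []
    for name, a in anomalies(events):
        if name != "compiled_python_on_host":
            continue                       # the suspicious binary is the pivot
        host_ip = HOST_IP.get(a["host"])
        # Enrichment: where did the binary come from (source and path)?
        origin = [e for e in events if e["type"] == "file_transfer"
                  and e["host"] == a["host"] and e["path"] == a["path"]
                  and e["t"] <= a["t"]]
        # Enrichment: did that host then speak TriStation to the SIS?
        ts_flows = [e for e in events if e["type"] == "netflow"
                    and e["src_ip"] == host_ip and e["dst_ip"] == SIS_IP
                    and e["dst_port"] == TRISTATION_PORT
                    and a["t"] <= e["t"] <= a["t"] + window]
        if not ts_flows:
            continue                       # artifact alone stays an anomaly
        # Enrichment: was the SIS program table modified after that traffic?
        changes = [e for e in events if e["type"] == "sis_program_table_change"
                   and ts_flows[0]["t"] <= e["t"] <= a["t"] + window]
        findings.append({
            "behavior": ("sis_program_modification_from_suspect_binary" if changes
                         else "tristation_from_suspect_binary"),
            "severity": "critical" if changes else "high",
            "host": a["host"],
            "binary": a["path"],
            "binary_source": origin[0]["src"] if origin else "unknown",
            "sis": SIS_IP,
            "authorized_client": host_ip in AUTHORIZED_TS_CLIENTS,
            "evidence": [a] + origin + ts_flows + changes,
        })
    return findings
```

Note what the authorized-client flag does here: the TriStation traffic comes from the EWS that is supposed to generate it, so a pure network anomaly detector would not fire on that flow, and the program-table change alone looks like routine engineering work. Only the compiled-Python artifact on the same host, a few minutes earlier, turns the three data points into the behavior the slides describe, and the enrichment (source share, path, SIS address) is what the responder needs next.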
Architecting SIS Defense
Defender steps:
1. Identify Required Adversary Behaviors
2. Determine Necessary Visibility to Detect Adversary Actions
3. Align Defense and Monitoring to Requirements
4. Train and Educate Security Personnel on the Threat Environment
5. Emphasize Root Cause Analysis when Systems Fail
Adversary chain: Initial Intrusion → Gain Persistence → Survey Network → Identify Objective → Deliver Effect → Complete Effect
Defense has the Advantage
Questions? jslowik@dragos.com, @jfslowik; jwylie@dragos.com, @mayahustle