TRISIS - sans.org

Transcript of TRISIS - sans.org

Page 1:

Safeguarding Civilization

Page 2:

TRISIS

Joe Slowik & Jimmy Wylie; Adversary Hunters, Dragos Inc.

The First Safety Instrumented System Malware

Page 3:

Introduction

• Joe Slowik, Threat Intelligence & Hunter
• Current: Dragos Adversary Hunter
• Previous:
  • Los Alamos National Lab: IR Lead
  • US Navy: Information Warfare Officer
  • University of Chicago: Philosophy Drop-Out

Page 4:

Introduction

• Jimmy Wylie, Reverse Engineer
• Current: Dragos Adversary Hunter
• Previous:
  • Focal Point Academy: MA Course Dev, Instructor, Researcher
  • Fortego, LLC: Malware Analyst/Reverse Engineer, Developer
  • University of New Orleans: B.S. & M.S. Computer Science

Page 5:

Agenda

• Background
• Event
• Malware
• Response

Page 6:

Background: By the numbers

5 ICS Tailored Malware:
• Stuxnet
• Havex
• Blackenergy2
• CRASHOVERRIDE
• TRISIS

3 Designed to Disrupt Industrial Processes:
• Stuxnet
• CRASHOVERRIDE
• TRISIS

1 SIS Focused:
• TRISIS is tailored to impacting Triconex SIS exclusively

BACKGROUND EVENT MALWARE RESPONSE

Page 7:

SIS Background


• Failsafe for the industrial process
• Should be independent of industrial process
• Not arbitrary:
  • Hazard / Operability Studies
  • Process Hazard Analysis
  • FMEA

Page 8:

Timeline


Nov 17

• Dragos finds TRISIS and begins high-level analysis

Late-November

• Dragos confirms the malicious nature of TRISIS with an understanding that it has been used at at least one victim site

• Dragos coordinates with DOE and DHS to confirm there are no considerable sensitivities given the focus of the malware and that notifications would not ruin ongoing investigations

• FireEye learns that Dragos has copies of the malware; coordination is done through interested parties to ensure sensitivities are respected

December 6

• The initial advisory is sent to Dragos ICS WorldView customers

December 8

• The in-depth Technical Report was completed and sent to Dragos ICS WorldView Customers

December 10

• Dragos prepares a public report to have available for whenever the information is leaked to the public or in case someone else publishes; focus is on nuance and defense

December 12

• FireEye publishes report on TRISIS (TRITON); Dragos follows up with its own publication

Page 9:

TRISIS Event

Page 10:

TRISIS Event

• Unspecified gas facility in Saudi Arabia attacked, August 2017
• Infection resulted in system shut-down during intrusion
  • Not assessed as shut-down due to attack
• Attack focused on Schneider Electric Triconex system, 3008 PowerPC processor version

Page 11:

TRISIS Attack Path

• SIS-connected workstation compromised
• Malicious compiled Python moved to workstation with payloads
• EXE handles connectivity to and interaction with SIS

Page 12:

Potential TRISIS Attack Scenario

1. Establish Access on SIS-Connecting System
2. Transfer TRISIS Package to System
3. Use TRISIS Base EXE to Upload TristationProgram
4. TristationProgram Compromises SIS
5. Leverage Access for ICS Disruption via SIS

Page 13:

TRISIS Attack Observed

1. Establish Access on SIS-Connecting System
2. Transfer TRISIS Package to System
3. Use TRISIS Base EXE to Upload TristationProgram
4. TristationProgram Compromises SIS
5. Leverage Access for ICS Disruption via SIS

Something Breaks Here!

Page 14:

What TRISIS Means

• Deliberate targeting of SIS accepts risk:
  • Physical damage
  • Potential injury or loss of life
• New norm established in ICS targeting and operations

Page 15:

TRISIS Components

Engineering Workstation: LIBRARY.ZIP + TRILOG.EXE

SIS: INJECT.BIN, IMAIN.BIN

Page 16:

TRILOG.EXE + Library.zip

• Py2Exe executable masquerading as legitimate software
• Library.zip contains external Python library dependencies
  • Artifact of the Py2Exe process
  • Contains attacker-written libraries along with standard libraries

Page 17:

TRILOG.EXE Initialization

Page 18:

TRILOG.EXE – Test + Upload

Page 19:

TRILOG.EXE – Cleanup

Page 20:

TRILOG.EXE – Summary/Impact

• Summary
  1. Connects to Triconex using IP argument
  2. Concatenates inject.bin to imain.bin
  3. Tests for code upload
  4. Uploads inject+imain, removes if necessary
• IMPACT: Provides a ‘documented’ procedure for uploading control programs

Page 21:

LIBRARY.zip – The Workhorse

• TsLow.py – Socket layer implementation of Tristation/TCM Protocol
• TsBase.py – Tristation Network Commands
• TsHi.py – Uses TsBase to provide Read/Write program functionality

Page 22:

LIBRARY.zip – The Workhorse

• Ts_cnames.py – Enumeration of Tristation Code
• crc.py – Provides a variety of CRC functions
• sh.py – Data dumping and changing endianness

Page 23:

TsLow.py – Tristation Protocol

• Tristation Protocol defines the packet format to send network commands

• Options include uploading code, reading controller state, etc.

• TCM is the wrapper packet for a TristationProtocol message

• Communications occur over UDP/1502

Page 24:

TsLow.py – TCM & Tristation

TCM Wrapper: MessageType | LengthOfData | Data | CRC16

Tristation Message (carried in the TCM Data field): Dir | Cid | Cmd | MsgCount | Unk | Checksum | LengthOfCmdData | CmdData
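As an added illustration (not code from the slides, from TsLow.py, or from Dragos), a Python dissector skeleton for the two-layer framing above, of the kind a passive monitor on UDP/1502 would use before trusting a frame. The slides give only the field names: the field widths, byte order, CRC-16 variant and what the inner Checksum covers are all assumptions chosen for this example, and the build_* helpers exist only to construct sample input.

```python
import struct

# Assumed layout for the example (the slides name the fields but give no widths):
#   TCM wrapper:        MessageType u8 | LengthOfData u16 | Data | CRC16 u16
#   Tristation message: Dir u8 | Cid u8 | Cmd u8 | MsgCount u8 | Unk u16 |
#                       Checksum u16 | LengthOfCmdData u16 | CmdData
# All multi-byte fields little-endian (assumption).
TCM_HDR = struct.Struct("<BH")
TS_HDR = struct.Struct("<BBBBHHH")


def crc16(data: bytes) -> int:
    """CRC-16, polynomial 0x1021, init 0xFFFF (assumed variant for the example)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def sum16(data: bytes) -> int:
    """16-bit additive checksum; assumed to cover CmdData only."""
    return sum(data) & 0xFFFF


def build_ts(direction, cid, cmd, msg_count, cmd_data: bytes, unk=0) -> bytes:
    """Construct a Tristation message (used only to make sample input)."""
    return TS_HDR.pack(direction, cid, cmd, msg_count, unk,
                       sum16(cmd_data), len(cmd_data)) + cmd_data


def build_tcm(msg_type: int, ts_message: bytes) -> bytes:
    """Wrap a Tristation message in a TCM frame with trailing CRC16."""
    body = TCM_HDR.pack(msg_type, len(ts_message)) + ts_message
    return body + struct.pack("<H", crc16(body))


def parse_tcm(frame: bytes) -> dict:
    """Outer layer: check declared length against the datagram, then the CRC16."""
    if len(frame) < TCM_HDR.size + 2:
        raise ValueError("TCM frame shorter than header + CRC16")
    msg_type, length = TCM_HDR.unpack_from(frame, 0)
    end = TCM_HDR.size + length
    if len(frame) != end + 2:
        raise ValueError("LengthOfData does not match frame size")
    (crc,) = struct.unpack_from("<H", frame, end)
    if crc != crc16(frame[:end]):
        raise ValueError("CRC16 mismatch")
    return {"message_type": msg_type, "data": frame[TCM_HDR.size:end]}


def parse_ts(data: bytes) -> dict:
    """Inner layer: check LengthOfCmdData and the Checksum before trusting CmdData."""
    if len(data) < TS_HDR.size:
        raise ValueError("Tristation message shorter than header")
    direction, cid, cmd, count, unk, checksum, cmd_len = TS_HDR.unpack_from(data, 0)
    cmd_data = data[TS_HDR.size:]
    if len(cmd_data) != cmd_len:
        raise ValueError("LengthOfCmdData mismatch")
    if checksum != sum16(cmd_data):
        raise ValueError("Tristation checksum mismatch")
    return {"dir": direction, "cid": cid, "cmd": cmd, "msg_count": count,
            "unk": unk, "cmd_data": cmd_data}


def parse_frame(frame: bytes) -> dict:
    """Outer then inner; a frame that passes both is well-formed TCM + Tristation."""
    outer = parse_tcm(frame)
    return {"message_type": outer["message_type"], **parse_ts(outer["data"])}
```

A monitor would typically treat any UDP/1502 datagram that fails either layer as malformed and log it alongside the source host, since the legitimate engineering software should only ever emit well-formed frames.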

Page 25:

TsLow.py – tcm_exec

tcm_result() parses the reply

Page 26:

TsLow.py – ts_exec

Whoops!

Page 27:

Attackers are Human Too

• ts_exec returns either a ts_result tuple or a Boolean
  • ts_result == (error_code, reply, cmd)
  • tcm_reconnect() -> Bool
• TsBase.py repeatedly calls the following sequence:

    result = ts_exec(cmd, ex_reply)
    return ts_cut_reply(result)

Page 28:

Attackers are Human Too


First line of function can cause a program crash
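An added stand-in (not the recovered TsLow.py/TsBase.py source) that shows why the calling sequence above can crash: ts_exec hands the caller either the (error_code, reply, cmd) tuple or the Boolean from tcm_reconnect(), and ts_cut_reply unpacks that value on its first line. The stubs' behaviour and the sample reply bytes are assumptions for illustration.

```python
"""Stand-in for the ts_exec -> ts_cut_reply hand-off described on the slides.
Stub behaviour is assumed for the example; this is not TRISIS source."""


def tcm_reconnect_stub(link_restored: bool) -> bool:
    # Slides: tcm_reconnect() -> Bool. Assumed: True when the link came back.
    return link_restored


def ts_exec_stub(cmd, ex_reply, link_up: bool, link_restored: bool = False):
    # Success path, shape taken from the slides: ts_result == (error_code, reply, cmd).
    if link_up:
        return (0, b"\x00\x01\x02", cmd)
    # Failure path: the Boolean from tcm_reconnect() becomes ts_exec's return
    # value, so the caller receives a bool instead of a tuple. ex_reply is
    # unused here and only kept to match the call shape shown on the slide.
    return tcm_reconnect_stub(link_restored)


def ts_cut_reply(result):
    # First line of the function: unpacking a bool raises TypeError. This is the
    # crash point the slides refer to; nothing above this line checks the type.
    error_code, reply, cmd = result
    if error_code != 0:
        return None
    return reply


def run_command(cmd, link_up: bool, link_restored: bool = False):
    """Mirror the TsBase.py sequence: result = ts_exec(...); return ts_cut_reply(result).

    The TypeError is caught here only so the outcome can be inspected. In the tool
    itself it would be unhandled and end the process on the engineering workstation,
    which is an observable an analyst can look for.
    """
    try:
        result = ts_exec_stub(cmd, True, link_up, link_restored)
        return ("ok", ts_cut_reply(result))
    except TypeError as exc:
        return ("crash", str(exc))
```

Note that a successful reconnect does not help: True is still a bool, not a 3-tuple, so both branches of the failure path crash the caller.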

Page 29:

TsLow.py – detect_ip

Page 30:

TsLow.py – Summary/Impact

• Summary
  • Implements both TCM and Tristation protocol messages
  • Includes ability to scan network for Triconex SIS
• Impact
  • Previously undocumented protocol now easily re-implemented
  • Defenders benefit from attacker’s investment

Page 31:

TsBase.py – Network Commands

• Series of network commands with similar structure
• “Exploit” Interaction

Page 32:

TsBase.py – Impact

• Documents subset of available Tristation network commands
• Built-in ability to upload/download programs and functions
• “ExecuteExploit” reveals which function the BIN files attempt to hook

Page 33:

TsHi.py – SafeAppendProgramMod

• Fairly involved control flow:
  1. Enumerates Functions and Programs
  2. Reads last program in SIS’s program table
  3. If program contains custom TRISIS codesign, it will overwrite that program with argument
  4. Otherwise, it will allocate a new program appending the TRISIS codesign
  5. Runs program and checks state

Page 34:

TsHi.py – Exploit Interaction

Page 35:

TsHi.py – Summary/Impact

• Summary
  • Provides semi-automated function/program upload/download and enumeration
  • Can query SIS state
• Impact
  • Template of ordering and use of TS protocol for SIS modification – Exploit not required!
  • Exploit Funcs could be used for detection

Page 36:

IMAIN.BIN + INJECT.BIN

• Schneider Electric provided a deep-dive at S4x18
• Summary
  • inject.bin leverages 0-day to hook a Tristation Command, likely GetMPStatus, with imain.bin
  • imain.bin adds extra functionality to command allowing R/W/E
  • Removal from program table does not remove rootkit - reboot required

Page 37:

TRISIS RAT?

• Current reporting suggests IMAIN is a RAT
• Given that it hooks an OS command, it functions more like a memory resident rootkit
• RAT connotes more reachability than is present
  • No custom C2, only TS protocol
  • It’s as accessible as the SIS
• Trilog.exe doesn’t support remote C2 either

Page 38:

Open Questions

• Does the rootkit bypass the keyswitch setting once installed?
• What is the nature of the exploit?
  • No CVE published
• What crashed the SIS?
• We are currently exploring these issues

Page 39:

TRISIS Mysteries

• TRISIS capability implies expert knowledge of the Triconex SIS
• Implications event was a test: ‘script_test.py’
  • But why test in target environment – if hardware access required to develop TRISIS?
  • Why not confirm rootkit presence in TRILOG checks?

Page 40:

TRISIS Defense

• Unique attack:
  • Tied to specific Triconex System and configuration
  • 3008 PowerPC-based system
• Malware is not SIS scalable
• Attack capabilities do not resemble standard Windows malware

Page 41:

TRISIS Detection - AV

• Standard antivirus inadequate
  • Heuristics are focused on Windows malware
  • Behavioral heuristics only applicable at EWS
  • Signatures are backward-looking
• Typical antivirus is not designed for threats such as TRISIS

Page 42:

TRISIS AV Detection

Page 43:

TRISIS Detection - Anomaly

• Anomaly detection lacks appropriate context
  • Scope of SIS events may be small
  • But baseline will be narrow
  • Any ‘not normal’ activity will trigger
• Anomalous SIS activity is alarming
  • But single anomaly data point insufficient
  • Lack of context and evidence impedes investigation

Page 44:

TRISIS Current Guidance

• Keep keyswitch in ‘Program’ mode
• Deploy SIS on isolated networks
• Terminals should never be connected to any network other than dedicated safety network
• Removable media and laptops should be scanned prior to introducing to safety network

Page 45:

TRISIS Current Guidance

• Unfortunately…
  • Uncertain if keyswitch can mitigate existing infection
  • Network isolation may not be possible
  • Proper function likely requires some connectivity
  • Scanning introduced media will use standard AV – not effective against new, ICS-specific threats

Page 46:

Threat Behavior Focused Defense

• Adequate defense against TRISIS-like attacks requires a threat-focused approach
• Identify:
  • Pre-requisites for SIS access and attack
  • Necessary steps to impact SIS
  • Critical path nodes between IT, ICS, and SIS

Page 47:

Focus on General Behaviors

• TRISIS as observed will never happen again
  • Specific to the target environment
  • Will not scale or port to future attacks
• TRISIS as a potential method can be re-used
  • Focus on general behaviors in attack
  • Defend against variances and permutations

Page 48:

TRISIS Defense in Depth


Initial Intrusion & C2

• Identify suspect items at IT-ICS link

• Minimize IT-ICS communications to known, monitored paths

ICS Intrusion & Lateral Movement

• Identify and monitor critical path links to SIS, other sensitive areas

• Know existing network communication pathways and identify new, suspicious items

SIS Activity

• Limit communication to SIS to subset of hardened, generally isolated devices

• Record and monitor firmware and configuration changes

Page 49:

Monitor Strategic Nodes

Page 50:

Search for Suspicious Artifacts


rule compiledPython {
    meta:
        description = "Identify compiled Python objects - Should be rare to non-existent in ICS environments"
        author = "Dragos Inc."
    strings:
        $s1 = "PyImport_" nocase wide ascii
        $s2 = "PyErr_" nocase wide ascii
        $s3 = ".pyd" nocase wide ascii
        $s4 = "py2exe" nocase wide ascii
        $a1 = "cyberoam" nocase wide ascii fullword
        $a2 = "plctalk" nocase wide ascii fullword
        $a3 = "greenbow" nocase wide ascii fullword
        $a4 = "mbnet" nocase wide ascii fullword
        $a5 = "mbconnect" nocase wide ascii fullword
        ….
        $a** = "trilog" nocase ascii wide fullword
    condition:
        uint16(0) == 0x5a4d and 2 of ($s*) and 1 of ($a*)
}

Page 51:

Developing Knowledge from Data


• Any of the previous items in isolation is an anomaly

• But when correlated with other events and knowledge in the environment, yields a behavior

• Focus on identifying threat behaviors at earliest possible moment
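An added example (not Dragos tooling) that applies the defense-in-depth layers from the earlier slide and the correlation point above to constructed flow records: it flags new communication paths, flags Tristation traffic (UDP/1502) to an SIS from a host outside the hardened allowlist, and promotes a host that shows both into a behaviour rather than two isolated anomalies. The host addresses, record format and baseline are constructed for the example; only UDP/1502 and the layer model come from the slides.

```python
"""Added example: score constructed flow records against a known-pathways baseline
and an SIS allowlist, then correlate per source host. Hosts, subnets and the record
format are constructed; only UDP/1502 (Tristation over TCM) comes from the slides."""
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

TRISTATION_PORT = 1502                                  # from the slides: UDP/1502
SIS_HOSTS = {"10.20.30.5", "10.20.30.6"}                # constructed: Triconex SIS
SIS_ALLOWED_SOURCES = {"10.20.30.10"}                   # constructed: hardened EWS
KNOWN_PATHS = {                                         # constructed baseline of
    ("10.20.30.10", "10.20.30.5"),                      # src -> dst pairs seen in
    ("10.20.30.10", "10.20.30.6"),                      # normal operation
    ("10.10.1.50", "10.20.30.10"),                      # historian -> EWS
}


def parse_flow(line: str) -> Flow:
    """Constructed record format: '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def evaluate(flow: Flow) -> list:
    """Each finding is an anomaly on its own; returns (kind, src, dst) tuples."""
    findings = []
    # ICS intrusion / lateral movement layer: a pair never seen during baselining.
    if (flow.src, flow.dst) not in KNOWN_PATHS:
        findings.append(("new-path", flow.src, flow.dst))
    # SIS activity layer: Tristation port to an SIS from outside the allowlist.
    if flow.dst in SIS_HOSTS and flow.proto == "udp" and flow.dport == TRISTATION_PORT:
        if flow.src not in SIS_ALLOWED_SOURCES:
            findings.append(("ts-unapproved-source", flow.src, flow.dst))
    return findings


def analyse(lines) -> dict:
    """Group findings by kind, e.g. analyse(...)['new-path'] -> list of (src, dst)."""
    by_kind = defaultdict(list)
    for line in lines:
        for kind, src, dst in evaluate(parse_flow(line)):
            by_kind[kind].append((src, dst))
    return dict(by_kind)


def correlate(by_kind: dict) -> set:
    """Turn isolated anomalies into a behaviour: a host that opened a new path to a
    non-SIS ICS node AND spoke Tristation to an SIS without approval."""
    lateral = {src for src, dst in by_kind.get("new-path", []) if dst not in SIS_HOSTS}
    ts_sources = {src for src, _ in by_kind.get("ts-unapproved-source", [])}
    return lateral & ts_sources


# Constructed sample records (not captured traffic).
SAMPLE_FLOWS = [
    "10.20.30.10 10.20.30.5 udp 1502",   # EWS -> SIS on a baselined path: expected
    "10.10.1.50 10.20.30.10 tcp 445",    # historian -> EWS: baselined
    "10.10.1.77 10.20.30.10 tcp 3389",   # IT host -> EWS: new path
    "10.10.1.77 10.20.30.6 udp 1502",    # same IT host -> SIS on the Tristation port
]
```

Run over SAMPLE_FLOWS, the two anomalies raised by 10.10.1.77 on their own are just data points; correlate() is what turns them into the "reach the EWS, then talk to the SIS" chain the slides describe.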

Page 52:

Enrichment to Identify Behavior


• Identifying possible firmware binary = data point

• Proper response requires enrichment:
  • Source and path for binary in network
  • Communications path to SIS, SIS controller
  • Nature and means of SIS interaction

Page 53:

Architecting SIS Defense

1. Identify Required Adversary Behaviors
2. Determine Necessary Visibility to Detect Adversary Actions
3. Align Defense and Monitoring to Requirements
4. Train and Educate Security Personnel on Threat Environment
5. Emphasize Root Cause Analysis when Systems Fail

Page 54:

1. Initial Intrusion
2. Gain Persistence
3. Survey Network
4. Identify Objective
5. Deliver Effect
6. Complete Effect

Defense has the Advantage