Feeds

SCADA honeypots attract swarm of international hackers

'Industrial control systems' faced attacks from US, China...and, er, Laos

The Essential Guide to IT Transformation

Vulnerable internet-facing industrial systems controlling crucial equipment used by power plants, airports, factories and other critical systems are subjected to sustained attacks within hours of appearing online, according to new honeypot-based research by Trend Micro.

The security weaknesses of SCADA (supervisory control and data acquisition) industrial control systems have been a major focus of interest in information security circles for the last three years or so thanks to Stuxnet, Duqu, and other similar noteworthy attacks.

Trend Micro threat researcher and SCADA security expert Kyle Wilhoit set out to look into this phenomenon in greater depth by setting up a internet-facing honeypot and record attempted attacks. The honeypot architecture developed by Wilhoit directly mimics those of real industrial control systems and SCADA devices.

The researcher, who was once the lead incident handler and reverse engineer at a large energy company, focusing on ICS/SCADA security and persistent threats, created a total of three honeypots.

All three were internet-facing and used three different static IP addresses in different subnets scattered across the US. One honeypot featured a programmable logic controller (PLC) system running on a virtual instance of Ubuntu hosted on Amazon EC2, and configured as a web page that mimics that of a water pressure station. Another honeypot featured a web server that mimicked a control interface connected to a PLC production system. The final honeypot was an actual PLC device set up to mimic temperature controller systems in a factory.

All three honeypots included traditional vulnerabilities found across the same or similar systems. Steps were taken to make sure the honeypots were easily discovered. The sites were optimised for searches and published on Google.

The researchers also made sure that that honeypot settings would be seeded on devices that were part of HD Moore’s Shodan Project, which indexes vulnerable routers, printers, servers and internet-accessible industrial control systems. Once a search latches onto a vulnerable embedded device, then Metasploit provides a library of possible attacks, which - as security strategist Josh Corman points out - can be run without any detailed knowledge or skill.

The Trend Micro security researchers excluded simple port scans and focused on recording anything that might pose a threat to internet-facing ICS/SCADA systems. This includes unauthorised access to secure areas of sites, attempted modifications of controllers, or any attack against a protocol specific to SCADA devices, such as Modbus/TCP.

They also logged any targeted attempt to gain access or take out servers running the system. Various tools including popular open-source intrusion detection package Snort, honeyd (modified to mimic common SCADA protocols), tcpdump and analysis of server log files were used to monitor and record the attacks the honeypots attracted.

Less than 24 hours later...

The researchers waited less than a day before the attacks began, as Wilhoit explains in a research paper Who’s Really Attacking Your ICS Equipment? (PDF).

It took only 18 hours to find the first signs of attack on one of the honeypots. While the honeypots ran and continued to collect attack statistics, the findings concerning the deployments proved disturbing. The statistics of this report contain data for 28 days with a total of 39 attacks from 14 different countries. Out of these 39 attacks, 12 were unique and could be classified as “targeted” while 13 were repeated by several of the same actors over a period of several days and could be considered “targeted” and/or “automated.” All of these attacks were prefaced by port scans performed by the same IP address or an IP address in the same netback.

The attacks included attempts to spear-phish a site administrator, bids to exploit fundamental ICS protocols and malware exploitation attempts on the servers running the honeypot environment. Other hacks included bids to change the CPU fan speed on systems supposedly controlling a water pump and attempts to harvest systems information.

Four samples were collected over the four-week testing period, two of which have not been seen in the wild. Trend Micro is currently analysing these pieces of malware to determine their functionality. As well as looking at the type of attack getting thrown against the honeypot system, researchers at Trend Micro also looked at the origin of attempted attacks.

A third of attacks against the industrial control system honeypot (35 per cent) originated in China but one in five (19 per cent) originated in the US. Security researchers also found that a surprisingly high 12 per cent of attacks against a honeypot control system they had established came from the southeast Asian nation of Laos.

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Fiendishly complex password app extension ships for iOS 8
Just slip it in, won't hurt a bit, 1Password makers urge devs
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.