SCADA honeypots attract swarm of international hackers

'Industrial control systems' faced attacks from US, China...and, er, Laos

Vulnerable internet-facing industrial systems controlling crucial equipment used by power plants, airports, factories and other critical systems are subjected to sustained attacks within hours of appearing online, according to new honeypot-based research by Trend Micro.

The security weaknesses of SCADA (supervisory control and data acquisition) industrial control systems have been a major focus of interest in information security circles for the last three years or so thanks to Stuxnet, Duqu, and other similar noteworthy attacks.

Trend Micro threat researcher and SCADA security expert Kyle Wilhoit set out to look into this phenomenon in greater depth by setting up internet-facing honeypots and recording attempted attacks. The honeypot architecture developed by Wilhoit directly mimics that of real industrial control systems and SCADA devices.

The researcher, who was once the lead incident handler and reverse engineer at a large energy company, focusing on ICS/SCADA security and persistent threats, created a total of three honeypots.

All three were internet-facing and used three different static IP addresses in different subnets scattered across the US. One honeypot featured a programmable logic controller (PLC) system running on a virtual instance of Ubuntu hosted on Amazon EC2, with a web page configured to mimic that of a water pressure station. Another honeypot featured a web server that mimicked a control interface connected to a PLC production system. The final honeypot was an actual PLC device set up to mimic temperature controller systems in a factory.

All three honeypots included traditional vulnerabilities found across the same or similar systems. Steps were taken to make sure the honeypots were easily discovered. The sites were optimised for searches and published on Google.

The researchers also made sure that the honeypot settings would be seeded on devices that were part of HD Moore’s Shodan Project, which indexes vulnerable routers, printers, servers and internet-accessible industrial control systems. Once a search latches onto a vulnerable embedded device, Metasploit provides a library of possible attacks, which - as security strategist Josh Corman points out - can be run without any detailed knowledge or skill.

The Trend Micro security researchers excluded simple port scans and focused on recording anything that might pose a threat to internet-facing ICS/SCADA systems. This includes unauthorised access to secure areas of sites, attempted modifications of controllers, or any attack against a protocol specific to SCADA devices, such as Modbus/TCP.

They also logged any targeted attempt to gain access or take out servers running the system. Various tools including popular open-source intrusion detection package Snort, honeyd (modified to mimic common SCADA protocols), tcpdump and analysis of server log files were used to monitor and record the attacks the honeypots attracted.
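The monitoring described above turned on separating noise (port scans) from events that matter to an ICS operator, chiefly attempts to modify a controller over a SCADA protocol such as Modbus/TCP. The following added example, which is not Trend Micro's code nor the modified honeyd the article mentions, shows the core of such a check: it parses Modbus/TCP frames (MBAP header plus PDU), classifies them by function code, and raises an alert only for write functions and malformed frames. The frames and the source addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Minimal Modbus/TCP monitor (added example): parse captured frames and flag
attempted controller modifications, i.e. write function codes, so that a
honeypot operator can count them separately from reads and port scans."""
import struct
from dataclasses import dataclass

MBAP_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)

# Public Modbus function codes. Reads only observe state; writes change it.
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusFrame:
    src: str
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes  # PDU payload after the function code


class ModbusParseError(ValueError):
    pass


def parse_frame(src: str, raw: bytes) -> ModbusFrame:
    """Validate the MBAP header and split off the PDU."""
    if len(raw) < MBAP_LEN + 1:
        raise ModbusParseError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", raw[:MBAP_LEN])
    if pid != 0:
        raise ModbusParseError(f"protocol id {pid} is not Modbus (0)")
    # The length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(raw) - 6:
        raise ModbusParseError(f"declared length {length} != actual {len(raw) - 6}")
    return ModbusFrame(src, tid, uid, raw[MBAP_LEN], raw[MBAP_LEN + 1:])


def classify(frame: ModbusFrame) -> str:
    if frame.function_code in WRITE_CODES:
        return "write"
    if frame.function_code in READ_CODES:
        return "read"
    return "other"


def describe_write(frame: ModbusFrame) -> str:
    """Decode the target address (and value for single writes) for the alert text."""
    fc, d = frame.function_code, frame.data
    if fc in (5, 6) and len(d) >= 4:
        addr, val = struct.unpack(">HH", d[:4])
        return f"{WRITE_CODES[fc]} addr={addr} value=0x{val:04x}"
    if fc in (15, 16) and len(d) >= 5:
        addr, qty, _nbytes = struct.unpack(">HHB", d[:5])
        return f"{WRITE_CODES[fc]} addr={addr} qty={qty}"
    return WRITE_CODES.get(fc, f"fc={fc}")


def monitor(captures) -> list:
    """captures: iterable of (src_ip, raw_bytes). Returns one alert string per
    write attempt or malformed frame; reads produce no alert."""
    alerts = []
    for src, raw in captures:
        try:
            frame = parse_frame(src, raw)
        except ModbusParseError as exc:
            alerts.append(f"MALFORMED from {src}: {exc}")
            continue
        if classify(frame) == "write":
            alerts.append(f"WRITE from {src} unit={frame.unit_id}: {describe_write(frame)}")
    return alerts


# Constructed sample captures (not real traffic): a read, a single-register
# write, a truncated frame, and a multi-register write.
SAMPLE_CAPTURES = [
    ("203.0.113.5", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    ("198.51.100.7", bytes.fromhex("0002 0000 0006 01 06 0010 0bb8")),
    ("198.51.100.7", bytes.fromhex("0003 0000")),
    ("192.0.2.9", bytes.fromhex("0003 0000 000b 01 10 0000 0002 04 0001 0002")),
]

if __name__ == "__main__":
    for line in monitor(SAMPLE_CAPTURES):
        print(line)
```

Only function codes 5, 6, 15 and 16 count as modification attempts here; the same classification can be extended to vendor-specific codes if the device under observation uses them. In a real deployment the frames would come from a packet capture rather than an inline list.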

Less than 24 hours later...

The researchers waited less than a day before the attacks began, as Wilhoit explains in the research paper Who’s Really Attacking Your ICS Equipment? (PDF):

It took only 18 hours to find the first signs of attack on one of the honeypots. While the honeypots ran and continued to collect attack statistics, the findings concerning the deployments proved disturbing. The statistics of this report contain data for 28 days with a total of 39 attacks from 14 different countries. Out of these 39 attacks, 12 were unique and could be classified as “targeted” while 13 were repeated by several of the same actors over a period of several days and could be considered “targeted” and/or “automated.” All of these attacks were prefaced by port scans performed by the same IP address or an IP address in the same netblock.

The attacks included attempts to spear-phish a site administrator, bids to exploit fundamental ICS protocols and malware exploitation attempts on the servers running the honeypot environment. Other hacks included bids to change the CPU fan speed on systems supposedly controlling a water pump and attempts to harvest systems information.

Four samples were collected over the four-week testing period, two of which have not been seen in the wild. Trend Micro is currently analysing these pieces of malware to determine their functionality. As well as looking at the type of attack getting thrown against the honeypot system, researchers at Trend Micro also looked at the origin of attempted attacks.

A third of attacks against the industrial control system honeypot (35 per cent) originated in China but one in five (19 per cent) originated in the US. Security researchers also found that a surprisingly high 12 per cent of attacks against a honeypot control system they had established came from the southeast Asian nation of Laos.
