Copyright 2018 Accenture Security. All rights reserved.

INDUSTRIAL CONTROL SYSTEM TECHNICAL REPORT
DEALING WITH THE THREATS POSED BY TRITON/TRISIS DESTRUCTIVE MALWARE
THREAT ANALYSIS
TECHNICAL REPORT DESCRIPTION

Upon discovering third-party reports of a new destructive industrial control system (ICS) malware, dubbed TRITON [1] (also known as TRISIS [2] or HatMan [3]), iDefense researchers captured the full scope of related malware modules and thoroughly analyzed their sub-components. Based on iDefense's internal hunting systems and telemetry data, iDefense assesses with high confidence that entities in the Kingdom of Saudi Arabia (KSA) were among the targets of this new malware. The malware was uploaded six times from KSA between late August 2017 and mid-October 2017.

The destructive malware was disguised as TriLogger (a Triconex-brand product), which is software to record, play back, and analyze high-speed operating data from Triconex controllers. These are primarily used in safety instrumented systems (SIS). The destructive malware was created using a deep knowledge of the targeted platforms and was written in the Python scripting language.

iDefense intelligence from Accenture Security underlines the need to implement more robust security measures for ICS and operational technology (OT) systems. Implementing basic code consistency checks and using traditional whitelisting methods have proven to be far less effective against modern threats, like the one analyzed in this threat analysis, than in the past.

[1] Named by FireEye.
[2] Named by Dragos, Inc.
[3] Named by US Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

The information in this Threat Analysis is intended to be consumed by administrators, security analysts and engineers in security operation center (SOC) and incident response (IR) teams. The technical analysis is being provided for general awareness and targets entities developing, using, operating, or managing industrial control systems (ICS) that use Triconex safety controllers such as the TriStation platform. Given the inherent nature of threat intelligence, it is based on information gathered and understood at a specific point in time.
ATTACK TIMELINE

- August 4, 2017: Malware development date, based on the last timestamp of the embedded sub-modules
- August 4 to 29, 2017: Targeted entities in KSA infected by TRITON malware
- August 29, 2017: A user from KSA uploaded the first instance of trilog.exe to public malware repositories
- September 12, 2017: A second user from Dhahran, KSA uploaded an instance of trilog.exe to public malware repositories
- October 19, 2017: The third instance of an infection came from Dhahran, KSA
- October 20, 2017: The fourth instance of an infection came from Dhahran, KSA
- October 22, 2017: The fifth instance of an infection came from Riyadh, KSA
- December 14, 2017: Third-party reports made, based on incident response efforts

ATTRIBUTION

It is evident that the threat actors behind this malware studied the firmware, its underlying software and the TriStation system platform. These threat actors decoded the code consistency checks and adopted a similar algorithm to conduct so-called "signing" of malicious payloads to bypass internal checks within controllers. Additionally, the threat actors knew the systems were using a simple whitelisting process and then used a name that mimics a logging process to bypass this security mechanism as well. The threat actors created modules that handle the controller at both low level and high level. These things indicate that the threat actors have an excellent knowledge of the targeted platform and that it is highly likely the multi-module code has already been tested in a real-life environment. Having access to such an expensive and exclusive platform, a deep knowledge of the underlying firmware and access to undocumented capabilities suggest that the actors behind this malware are nation-state actors or an adversary with similar resources. At this stage in its research, iDefense has not yet identified a definitive nation-state with utmost certainty.
MAIN MODULE DISGUISED AS TRICONEX TRILOGGER

On August 29, 2017, a user from KSA uploaded a malware sample with the following properties to public repositories:

Filename: trilog.exe
MD5: 6c39c3f4a08d3d78f2eb973a94bd7718
SHA-1: dc81f383624955e0c0441734f9f1dabfe03f373c
Size: 21,504 bytes
Time and date stamp: 0x49180192 (11/10/2008 1:40:34 AM), which is the default timestamp of PyScript executables
Compiler/Linker: Microsoft Visual C/C++ (2008) [msvcrt] / Microsoft Linker (9.0) [EXE32, console]
Python script version: Python bytecode 2.7 (62211)

According to published materials, the TriStation platform has a module known as TriLogger that is intended for recording, playing back, and analyzing high-speed operating data from Triconex controllers. The captured malware appears to have disguised itself as a TriLogger module with the intention to bypass whitelisting and process monitoring mechanisms that simply check running process names and allow a predetermined list of software to run.

The malware was developed using Python v2.7 and could be decompiled to source code. The main Python module is named script_test.py. Exhibit 1 shows a snapshot of the decompiled source code.

Exhibit 1: Snapshot of decompiled source code
The malware relies on a set of sub-modules that are stored within an archive named library.zip. The library.zip file has the following properties:

Filename: library.zip
MD5: 0face841f7b2953e7c29c064d6886523
SHA-1: 1dd89871c4f8eca7a42642bf4c5ec2aa7688fd5c
Size: 1,708,616 bytes
Archive creation time: August 4, 2017
File type: Zip Archive (v2.0) [210 files]

The archive creation time shows that the analyzed malware was created on August 4, 2017, which indicates that the actors were capable of deploying the malware to targeted systems in less than a month, as August 29, 2017 was the first instance of a possible anomaly discovery.

The trilog.exe module receives an IP address as its first argument (Exhibit 1, line 27), which is apparently the IP address of a targeted Triconex controller system. trilog.exe crafts a payload using the following files:

Filename: inject.bin
MD5: 0544d425c7555dc4e9d76b571f31f500
SHA-1: f403292f6cb315c84f84f6c51490e2e8cd03c686
Size: 2,104 bytes

Filename: imain.bin
MD5: 437f135ba179959a580412e564d3107f
SHA-1: b47ad4840089247b058121e95732beb82e6311d0
Size: 436 bytes

The trilog.exe module reads these two files as little-endian unsigned integers and constructs the final payload. Exhibit 2 shows the payload construction and injection source code. Exhibit 3 shows a hex-dump of the final payload. The payload consists of controller logic bytecodes and a malicious function to bypass a controller code-checking mechanism (a simple CRC32 check).

Exhibit 2: Code Illustrating Payload Construction and Injection Source Code
Exhibit 3: Hex-dump of Final Payload
The trilog.exe module relies on sub-modules stored in library.zip. The following are the MD5 hashes of the .pyc modules inside the library.zip file (MD5 hash, module name):
A CLOSER LOOK AT SUB-MODULES WITHIN LIBRARY.ZIP

The majority of the sub-modules within library.zip are standard Python libraries; however, the following sub-modules were created by the threat actors behind this malware as part of the destructive TRITON malware:

SUB-MODULE 1

Filename: TsHi.pyc
MD5: 27c69aa39024d21ea109cc9c9d944a04
Size: 10,867 bytes

As its name suggests, the TsHi sub-module is a high-level interface for the TriStation platform. Exhibit 4 shows a snapshot of the decompiled source code of this module. The high-level interface module contains functions for different checksum calculations based on CRC32. Additionally, the TsHi class contains the following self-explanatory functions:

- Functions for reading or writing an arbitrary program to the TriStation platform: ReadFunctionOrProgram, WriteFunctionOrProgram, ReadFunction, ReadProgram, WriteFunction, WriteProgram
- Functions for retrieving and parsing project information: ParseProjectInfo, GetProjectInfo, GetProgramTable
- Counter function: CountFunctions
- Functions for handling and communicating with the Triconex controller: SafeAppendProgramMod, WaitForStart, AppendProgramMin
- Functions to read, write, and execute exploit code: ExplReadRam, ExplReadRamEx, ExplExec, ExplWriteRam, ExplWriteRamEx

This sub-module, created with verbose status codes for each function, allows the threat actors to track the workflow of the load, the execution, or possibly the failure of the exploit code to run. SafeAppendProgramMod is the main function called by the trilog.exe module for putting the controller in idle mode, running the payload presented in Exhibit 4, or cleaning the controller memory by uploading dummy code.

Exhibit 4: Decompiled Source Code of TsHi Sub-module
SUB-MODULE 2

Filename: TsLow.pyc
MD5: f6b3a73c8c87506acda430671360ce15
Size: 9,728 bytes

As its name suggests, the TsLow sub-module is a low-level interface for the TriStation platform. Exhibit 5 shows a snapshot of the decompiled source code of this module.

Exhibit 5: Decompiled Source Code of TsLow Sub-module

The low-level interface module contains an error status for the controller communication status and checksum functions. Additionally, the TsLow class contains the following network communications functions:

General functions:
- __init__ - initializes communication by setting default values
- close - closes all the network connections, including TCM and UDP connections
- detect_ip - detects the controller IP address by sending a precrafted ping message to 255.255.255.255:1502
- connect - connects to the IP address of the controller
- print_last_error - prints status regarding the execution of UDP, TCM, TS, and parse commands

UDP protocol functions:
- udp_close - closes UDP connections
- udp_send - sends UDP packets to keep the connection live
- udp_flush - flushes UDP packets
- udp_recv - receives a dummy UDP packet
- udp_exec - executes UDP communication
- udp_result - returns the status of running UDP protocol functions

TCM protocol functions:
- tcm_ping - sends a ping over TCM
- tcm_connect - connects over TCM
- tcm_disconnect - disconnects the TCM connection
- tcm_reconnect - reestablishes the TCM connection
- tcm_exec - executes TCM communication
- tcm_result - returns the result of running TCM protocol functions

TriStation controller functions:
- ts_update_cnt - counts the number of executed commands
- ts_result - returns the status of running TS commands
- ts_exec - executes a TS command
SUB-MODULE 3

Filename: TS_cnames.pyc
MD5: e98f4f3505f05bf90e17554fbc97bba9
Size: 8,693 bytes

The TS_cnames sub-module contains default definitions for the TS_cst, TS_keystate, TS_progstate, and TS_names variables. Exhibit 6 shows a snapshot of the decompiled source code of this module.

Exhibit 6: Decompiled Source Code of TS_cnames.pyc Module
SUB-MODULE 4

Filename: TsBase.pyc
MD5: 288166952f934146be172f6353e9a1f5
Size: 5,059 bytes

The TsBase sub-module contains functions to transform and translate attack commands into TriStation controller commands. Exhibit 7 shows a snapshot of the decompiled source code of this module.

Exhibit 7: Decompiled Source Code of TsBase.pyc Module

The transform module contains two simple functions for returning data with and without error codes. Additionally, the TsBase class contains the following self-explanatory functions:

- GetCpStatus - returns the CP status response through the execution of ts_exec command 19
- GetModuleVersions - returns the module versions response through the execution of ts_exec command 54
- UploadProgram - uploads a program through the execution of ts_exec command 65
- UploadFunction - uploads a function through the execution of ts_exec command 66
- AllocateProgram - allocates memory in the controller for a program through the execution of ts_exec command 55
- AllocateFunction - allocates memory in the controller for a function through the execution of ts_exec command 56
- RunProgram - executes a program in the controller through the execution of ts_exec command 20
- HaltProgram - terminates a program in the controller through the execution of ts_exec command 21
- StartDownloadChange - formats and pads the data for the controller through the execution of ts_exec command 1
- StartDownloadAll - starts a TS2 program download through the execution of ts_exec command 59
- CancelDownload - cancels the download of a TS2 program through the execution of ts_exec command 12
- EndDownloadChange - terminates a change in the download of a TS2 program through the execution of ts_exec command 11
- EndDownloadAll - terminates all downloads of the TS2 program through the execution of ts_exec command 10
- ExecuteExploit - formats and pads data for the execution of an exploit code through the execution of ts_exec command 29

The TsBase module uses the verbose command and error definitions in the TS_cnames module to properly track command execution and the malware's workflow.
SUB-MODULE 5

Filename: sh.pyc
MD5: 8b675db417cc8b23f4c43f3de5c83438
Size: 1,429 bytes

The sh.pyc sub-module contains two functions: function dump, which is called by trilog.exe and TsLow and is used for dumping a portion of controller memory and saving the data into a file; and function chend, which is called by trilog.exe to change the endian format of inject.bin and imain.bin from little-endian into big-endian. Exhibit 8 shows a snapshot of the decompiled source code of this module.

Exhibit 8: Snapshot of the Decompiled Source Code of sh.pyc Module
SUB-MODULE 6

Filename: crc.pyc
MD5: 4e5797312ed52d9eb80ec19848cadc95
Size: 2,111 bytes

The crc.pyc sub-module contains four functions to calculate CRC32, CRC16, and CRC64 checksums. Exhibit 9 shows a snapshot of the decompiled source code of this module.

Exhibit 9: Snapshot of Decompiled Source Code of crc.pyc Module
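The report's core lesson, stated for the payload in the main-module section and again for this checksum module, is that a keyless "code consistency check" such as CRC32 can be recomputed by anyone who knows the algorithm. The following added example (not code from the report or from the malware) contrasts that check with a keyed HMAC over a constructed controller image; the CRC32 is Python's zlib implementation, and the image bytes and key are constructed placeholders.

```python
"""Why a keyless CRC32 consistency check is not an integrity control.

Added example, not code from the Accenture/iDefense report. The controller
image bytes and the verification key are constructed; zlib's CRC32 stands in
for the controller's check only to show the structural point: a checksum that
needs no secret can be recomputed for any replacement image, a keyed MAC cannot.
"""
import hashlib
import hmac
import zlib

MAC_LEN = 32  # HMAC-SHA256 output size


def crc32_tag(image: bytes) -> bytes:
    """Keyless consistency check: 4-byte little-endian CRC32 of the image."""
    return zlib.crc32(image).to_bytes(4, "little")


def hmac_tag(image: bytes, key: bytes) -> bytes:
    """Keyed check: HMAC-SHA256 over the image; only key holders can produce it."""
    return hmac.new(key, image, hashlib.sha256).digest()


def verify_crc(blob: bytes) -> bool:
    """Accept an image whose trailing 4 bytes equal its own CRC32."""
    image, tag = blob[:-4], blob[-4:]
    return crc32_tag(image) == tag


def verify_hmac(blob: bytes, key: bytes) -> bool:
    """Accept an image whose trailing 32 bytes are a valid HMAC under `key`."""
    image, tag = blob[:-MAC_LEN], blob[-MAC_LEN:]
    return hmac.compare_digest(hmac_tag(image, key), tag)


# Constructed stand-ins for an authorized controller program and a replacement.
ORIGINAL_IMAGE = b"constructed controller logic bytecode, authorized build"
MODIFIED_IMAGE = b"constructed controller logic bytecode, unauthorized change"
KEY = b"constructed-verification-key-held-by-engineering-station"


def scenario() -> dict:
    """Compare what each verifier accepts when the image is replaced by a party
    that knows the algorithms but does not hold the key."""
    crc_blob = ORIGINAL_IMAGE + crc32_tag(ORIGINAL_IMAGE)
    mac_blob = ORIGINAL_IMAGE + hmac_tag(ORIGINAL_IMAGE, KEY)

    # The CRC needs no secret, so it can be recomputed over the new image.
    replaced_crc = MODIFIED_IMAGE + crc32_tag(MODIFIED_IMAGE)
    # Without the key, the best available is to reuse the old tag.
    replaced_mac = MODIFIED_IMAGE + mac_blob[-MAC_LEN:]

    return {
        "crc_accepts_original": verify_crc(crc_blob),
        "crc_accepts_replaced": verify_crc(replaced_crc),
        "hmac_accepts_original": verify_hmac(mac_blob, KEY),
        "hmac_accepts_replaced": verify_hmac(replaced_mac, KEY),
    }


if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name}: {accepted}")
```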
MITIGATION

Based on the attack framework, a similar attack could conceptually be designed against other safety instrumented systems. As such, the recommendations are relevant to many SIS brands and their users. Take practical steps today to protect your organization from TRITON/TRISIS and similar destructive malware attacks. The following key security controls could help mitigate the TRITON threat model:

- Physical controls — SIS controllers, like all other critical hardware components, should be kept in locked spaces, monitored and accessible to only authorized personnel. The physical mode switch on Triconex controllers should be kept in the "Run" position during normal operations, to limit the window of opportunity for a configuration change and to enforce the requirement of physical presence. [4]
- Logical access control — Any form of connectivity to the SIS systems, whether via network interface, USB stick, programming laptop or directly by a user at a graphical interface, should require enforced authorization. Only authorized and properly controlled USB sticks, writable media, and programming laptops should be used for system access. Portable media should be verified each time before being allowed to connect to the SIS.
- Network segmentation — SIS components should reside in an isolated network.
- Configuration and change management — Industrial Control System (ICS) [5] governance roles, processes, and tools should be in place to facilitate the correct and authorized deployment, maintenance and verification of SIS equipment and its configuration. The ability to detect unauthorized configuration changes can reduce the risk of an attack.
- Security monitoring and scanning — It is essential to deploy network security monitoring technology, along with ICS vendor certified scanning technology, where possible. The proper implementation of security monitoring in ICS environments should address the following questions:
  - Is ICS network traffic being monitored for unexpected communication flows and other anomalous activity?
  - Can new devices connecting to the network be detected and trigger a notification?
  - Are all methods of mobile data exchange with the safety network, such as CDs and USB drives, scanned before use in SIS operator stations or any node connected to the network?
  - Have other secure file transfer methods been considered?

[4] Leaving the controller's mode switch in "Program" or "Remote" allows reprogramming activity, potentially circumventing an operator's change management process.
[5] A SIS is one type of ICS.
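The monitoring questions above, together with the TsLow description earlier (controller discovery by a broadcast to 255.255.255.255:1502), translate directly into flow-log checks. The following added example is not code from the report: it runs four such checks over constructed flow records, using a constructed SIS subnet (10.10.50.0/24), a constructed approved engineering workstation (10.10.40.10) and a constructed asset inventory.

```python
"""Flow-log checks for the TriStation traffic pattern the report describes.

Added example, not code from the Accenture/iDefense report. The subnet, asset
inventory and flow records below are constructed. The page-derived facts are
the 255.255.255.255:1502 controller discovery broadcast used by TsLow.detect_ip
and the recommendations to watch for unexpected flows and new devices.
"""
import ipaddress
from collections import Counter

TRISTATION_PORT = 1502
BROADCAST = "255.255.255.255"
SIS_SUBNET = ipaddress.ip_network("10.10.50.0/24")                    # constructed
APPROVED_ENGINEERING = {"10.10.40.10"}                                 # constructed
KNOWN_ASSETS = APPROVED_ENGINEERING | {"10.10.50.21", "10.10.50.22"}  # constructed

# Constructed flow records: ts,proto,src_ip,src_port,dst_ip,dst_port
SAMPLE_FLOWS = """\
2017-08-05T02:10:01Z,UDP,10.10.40.10,51000,10.10.50.21,1502
2017-08-05T02:10:05Z,UDP,10.10.40.77,49152,255.255.255.255,1502
2017-08-05T02:10:09Z,UDP,10.10.40.77,49153,10.10.50.21,1502
2017-08-05T02:11:00Z,TCP,10.10.40.10,52001,10.10.50.22,502
2017-08-05T02:12:30Z,TCP,10.10.50.99,41000,10.10.40.10,445
"""


def parse_flows(text: str) -> list:
    """Parse the CSV-style flow records into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, sport, dst, dport = line.split(",")
        flows.append({"ts": ts, "proto": proto, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport)})
    return flows


def in_sis(addr: str) -> bool:
    """True when `addr` is a unicast address inside the SIS subnet."""
    return addr != BROADCAST and ipaddress.ip_address(addr) in SIS_SUBNET


def analyze(flows: list) -> list:
    """Return (timestamp, finding, host) tuples for the four conditions below."""
    findings = []
    reported_new = set()
    for f in flows:
        src, dst = f["src"], f["dst"]
        # 1. Controller discovery broadcast to UDP/1502 (the TsLow.detect_ip pattern).
        if f["proto"] == "UDP" and dst == BROADCAST and f["dport"] == TRISTATION_PORT:
            findings.append((f["ts"], "tristation_discovery_broadcast", src))
        # 2. TriStation traffic into the SIS subnet from a host that is not an
        #    approved engineering workstation.
        if f["dport"] == TRISTATION_PORT and in_sis(dst) and src not in APPROVED_ENGINEERING:
            findings.append((f["ts"], "unapproved_tristation_client", src))
        # 3. SIS hosts are not expected to initiate connections out of their segment.
        if in_sis(src) and not in_sis(dst):
            findings.append((f["ts"], "sis_host_outbound", src))
        # 4. A device absent from the inventory, reported once per host.
        for host in (src, dst):
            if host != BROADCAST and host not in KNOWN_ASSETS and host not in reported_new:
                reported_new.add(host)
                findings.append((f["ts"], "new_device", host))
    return findings


def summarize(findings: list) -> Counter:
    """Count findings by kind, for a quick triage view."""
    return Counter(kind for _, kind, _ in findings)


if __name__ == "__main__":
    for finding in analyze(parse_flows(SAMPLE_FLOWS)):
        print(*finding)
```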
In addition to the security controls listed above, iDefense recommends:

- Applying an enhanced whitelisting policy by implementing secondary checks for running processes in addition to a simple name check. For example, a custom hashing algorithm for detecting authorized processes could be implemented as a kernel module for systems with direct access to controllers.
- Investing in and implementing parallel monitoring systems. Such systems should be independent of the main monitoring systems and used for alerting purposes only.
- Conducting routine checks of computer systems with direct access to controllers. It is of paramount importance that such systems are only used for data monitoring and controller handling. iDefense recommends refraining from using these systems for other tasks such as document compilation, accounting, or similar office tasks.
- Applying firmware or software upgrades as soon as possible after a vendor releases them.

Schneider Electric released an Important Security Notification with specific mitigation steps regarding its Triconex safety controllers. Schneider Electric recommends regular checks for updates to the security notification, including any specific technical configuration requirements. [6] Given this possibility, ABB also released a Cyber Security Notification on December 22nd, 2017 with similar mitigation steps for its safety controllers. [7]

iDefense will reach out to the affected vendor with specific recommended countermeasures regarding the affected controller. iDefense will also update this technical analysis after it has captured similar malware samples.
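The first recommendation above addresses the disguise described for trilog.exe: a process allowlist that matches only on name accepts any program copied to disk under an approved name. The following added example (not code from the report) contrasts that name-only check with the recommended secondary hash check over a constructed process table; SHA-256 in user space stands in for whatever hashing the proposed kernel module would use, and the executable bytes and allowlist are constructed.

```python
"""Process allowlisting: name-only check versus name-plus-image-hash check.

Added example, not code from the Accenture/iDefense report. Executable image
bytes, the allowlist and the process table are constructed; SHA-256 stands in
for the custom hashing the report suggests implementing as a kernel module.
"""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed on-disk images. GENUINE stands for the vendor's TriLogger build;
# IMPOSTER for an unrelated program saved under the same file name, which is
# the disguise the report describes for trilog.exe.
GENUINE_TRILOG = b"\x4d\x5a constructed: genuine TriLogger build"
IMPOSTER_TRILOG = b"\x4d\x5a constructed: unrelated program named trilog.exe"

# Allowlist: approved process name -> hashes of the approved builds. In a real
# deployment the hashes come from the vendor release or a golden image.
ALLOWLIST = {
    "trilog.exe": {sha256_hex(GENUINE_TRILOG)},
    "tristation.exe": {sha256_hex(b"\x4d\x5a constructed: TriStation build")},
}


@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    name: str
    image: bytes  # bytes of the executable image backing the process


def name_only_allowed(proc: ProcessRecord) -> bool:
    """The weak control the report describes: an approved name is enough."""
    return proc.name.lower() in ALLOWLIST


def name_and_hash_allowed(proc: ProcessRecord) -> bool:
    """Secondary check: approved name AND the image hash of an approved build."""
    approved = ALLOWLIST.get(proc.name.lower())
    return approved is not None and sha256_hex(proc.image) in approved


def audit(procs: list) -> list:
    """One verdict per process. 'masquerade' is the case the name-only check
    misses: an approved name backed by an unapproved image."""
    verdicts = []
    for p in procs:
        if name_and_hash_allowed(p):
            verdict = "allowed"
        elif name_only_allowed(p):
            verdict = "masquerade"
        else:
            verdict = "unknown_process"
        verdicts.append((p.pid, p.name, verdict))
    return verdicts


# Constructed process table: the genuine tool, the impostor, and a stray program.
SAMPLE_PROCESSES = [
    ProcessRecord(1201, "trilog.exe", GENUINE_TRILOG),
    ProcessRecord(1333, "trilog.exe", IMPOSTER_TRILOG),
    ProcessRecord(1400, "notepad.exe", b"\x4d\x5a constructed: office tool"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_PROCESSES):
        print(*row)
```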
TECHNICAL REFERENCES

Cyber Advisory: INDUSTRIAL CONTROL SYSTEM ATTACK SUMMARY — DEALING WITH THE THREATS POSED BY TRITON/TRISIS DESTRUCTIVE MALWARE, Accenture, 2018.
Important Security Notification: Malware Discovered Affecting Triconex Safety Controllers V1.1, Schneider Electric, 2017.
Cyber Security Notification — TRITON/TRISIS malware, ABB, 2017.

[6] https://www.schneider-electric.com/en/download/document/SEVD-2017-347-01/
[7] http://search-ext.abb.com/library/Download.aspx?DocumentID=9AKK107045A7931&LanguageCode=en&DocumentPartId=&Action=Launch
CONTACT US

For additional mitigation steps and more detailed information, please reach out to your Accenture contact. Where support is needed, Accenture Security can provide resources designed to mitigate risks and remediate gaps in ICS security programs.

Luis Luque, luis.luque@accenture.com
Jim Guinn, james.s.guinn.ii@accenture.com
Josh Ray, joshua.a.ray@accenture.com

ABOUT ACCENTURE

Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions — underpinned by the world's largest delivery network — Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With approximately 425,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at www.accenture.com

ABOUT ACCENTURE SECURITY

Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture protects organizations' valuable assets, end-to-end. With services that include strategy and risk management, cyber defense, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit the Accenture Security blog.

LEGAL NOTICE & DISCLAIMER

2018 Accenture. All rights reserved. Accenture, the Accenture logo, iDefense and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from iDefense. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this alert is based on information gathered and understood at the time of its creation. It is subject to change.

ACCENTURE PROVIDES THE INFORMATION ON AN "AS-IS" BASIS WITHOUT REPRESENTATION OR WARRANTY AND ACCEPTS NO LIABILITY FOR ANY ACTION OR FAILURE TO ACT TAKEN IN RESPONSE TO THE INFORMATION CONTAINED OR REFERENCED IN THIS REPORT.