
A Brief Analysis of Malicious Operations Against Internet-Exposed PLCs

This article is an original work of 灯塔实验室 (Beacon Lab); please credit the source when reposting.

This article was prompted by a simulator for the Siemens S7 protocol (S7-300/S7-400) that we deployed on the public internet (project link). It received protocol control commands from the internet that maliciously modified, wrote, deleted and stopped the PLC, in other words commands that control the PLC's critical operating state. This made us realise that these threats are just as real for actual PLCs: PLCs exposed on the public internet are subjected to targeted probing, and all of these attacks may well have been carried out through the Tor anonymity network.
Below is a partial excerpt of the malicious operations:

Some open historical threat intelligence on these IPs:
https://exchange.xforce.ibmcloud.com/ip/37.48.80.101
https://exchange.xforce.ibmcloud.com/ip/209.133.66.214
https://exchange.xforce.ibmcloud.com/ip/93.115.95.202

On Affecting PLC Operation and the Means of Attacking PLCs

Even today, most vendors' PLCs still lack remote access control and user authentication. As a result, anyone who can reach a device can directly operate its functions. In an earlier post I described replaying and constructing specific protocol functions (such as the stop command or modifying data); combined with device search engines such as Shodan, it is not hard to engineer a program that attacks devices automatically and in bulk.
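As an added illustration (not the lab's honeypot code), the following Python decodes S7comm job PDUs and flags the state-changing functions the honeypot saw (write, PLC control, PLC stop), the kind of check a passive monitor in front of TCP/102 would run; the packet bytes are constructed samples, and the field layout follows the public Wireshark s7comm dissector.

```python
import struct

# S7comm function codes, as named in the public Wireshark s7comm dissector
FUNC = {0x04: "read_var", 0x05: "write_var", 0x1a: "request_download",
        0x1b: "download_block", 0x1c: "download_ended", 0x1d: "start_upload",
        0x1e: "upload", 0x1f: "end_upload", 0x28: "plc_control", 0x29: "plc_stop"}
STATE_CHANGING = {0x05, 0x1a, 0x1b, 0x1c, 0x28, 0x29}   # write, download, control, stop

def parse_s7(pkt: bytes) -> dict:
    """Decode TPKT -> COTP -> S7comm header and parameter block of one PDU."""
    if len(pkt) < 7 or pkt[0] != 0x03 or struct.unpack(">H", pkt[2:4])[0] != len(pkt):
        raise ValueError("not a well-formed TPKT frame")
    if pkt[5] != 0xF0:                      # only COTP Data TPDUs carry S7comm
        return {"rosctr": None}
    off = 5 + pkt[4]                        # pkt[4] = COTP header length after itself
    if pkt[off] != 0x32:
        raise ValueError("missing S7comm protocol id 0x32")
    rosctr = pkt[off + 1]                   # 0x01 Job, 0x02 Ack, 0x03 Ack_Data, 0x07 Userdata
    pdu_ref, plen, dlen = struct.unpack(">HHH", pkt[off + 4:off + 10])
    off += 12 if rosctr == 0x03 else 10     # Ack_Data header carries 2 extra error bytes
    param = pkt[off:off + plen]
    func = param[0]
    info = {"rosctr": rosctr, "pdu_ref": pdu_ref, "data_len": dlen,
            "func": FUNC.get(func, "0x%02x" % func), "state_changing": func in STATE_CHANGING}
    if func in (0x04, 0x05) and rosctr == 0x01:
        info["items"] = param[1]            # number of variable items in the request
    elif func == 0x29:                      # PLC Stop: 5 fixed bytes, name length, service name
        info["service"] = param[7:7 + param[6]].decode("ascii", "replace")
    elif func == 0x28:                      # PLC Control: 7 fixed bytes, block len, block, name
        blen = struct.unpack(">H", param[8:10])[0]
        info["block"] = param[10:10 + blen].decode("ascii", "replace")
        nlen = param[10 + blen]
        info["service"] = param[11 + blen:11 + blen + nlen].decode("ascii", "replace")
    return info

def s7_alerts(packets):
    """One alert per Job PDU that changes PLC state; plain reads are ignored."""
    out = []
    for p in packets:
        i = parse_s7(p)
        if i.get("rosctr") == 0x01 and i["state_changing"]:
            out.append((i["func"], i.get("service", ""), i.get("items", 0)))
    return out

# Constructed sample PDUs (TPKT + COTP DT + S7comm Job); not traffic the lab captured
READ_DB1 = bytes.fromhex("0300001f02f080320100000002000e00000401120a10020004000184000000")
WRITE_DB1 = bytes.fromhex("0300002702f080320100000003000e00080501120a1002000400018400000000040020deadbeef")
START_PLC = bytes.fromhex("0300002502f0803201000000010014000028000000000000fd000009505f50524f4752414d")
STOP_PLC = bytes.fromhex("0300002102f0803201000000000010000029000000000009505f50524f4752414d")
SAMPLES = [READ_DB1, WRITE_DB1, START_PLC, STOP_PLC]
```

Running `s7_alerts(SAMPLES)` yields one alert each for the write, the PLC control (P_PROGRAM) and the PLC stop, while the read of DB1 is ignored.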

The Security Posture of the Whole Internet?

So have PLCs exposed on the public internet also been subjected to similar malicious operations? To find out, we recently used the icsresearch2.plcscan.org node to perform a deep probe of S7 services on TCP port 102 worldwide. From the more than 800 S7-300 (all order numbers 6ES7-3**-*****-****) and S7-400 (all order numbers 6ES7-4**-*****-****) PLC CPUs discovered, we extracted the complete internal diagnostic buffer of each PLC. Analysis of the "events" in these diagnostic buffers revealed that more than 80 of the PLCs contained records of "the CPU being remotely set to STOP mode". Such an event has two possible causes: normal commissioning by the user, or, quite plausibly, malicious operation by an attacker.

[Figure: s7cpubuffer]

