技术分享

浅谈一次针对公网PLC恶意操作行为的简单分析

本文由灯塔实验室原创,转载请注明出处

说到本文的起因是源于我们部署在公网的一个针对西门子PLC S7协议(S7-300/S7-400)的仿真程序上(项目地址),收到了来自互联网的恶意修改,写入,删除,停止等控制PLC关键运行状态的协议控制指令。这使我们意识到,这些安全威胁针对真实的PLC也是切实存在的,暴露在公网的PLC会受到针对性的测试,并且这些攻击均可能是通过tor匿名网络进行的。
如下为部分恶意操作行为片段:

2016-02-10 15:24:49 [209.133.66.214] Block info requested DB 1 --> OK
2016-02-10 15:25:00 [209.133.66.214] Block info requested DB 1 --> OK
2016-02-10 15:25:04 [209.133.66.214] Block info requested DB 1 --> OK
2016-02-10 15:25:06 [209.133.66.214] Block info requested DB 3 --> OK
2016-02-10 15:25:32 [209.133.66.214] Block info requested DB 1 --> OK
2016-02-10 15:25:33 [209.133.66.214] Read request, Area : DB1, Start : 0, Size : 462 --> OK
2016-02-10 15:25:34 [209.133.66.214] Read request, Area : DB1, Start : 462, Size : 50 --> OK
2016-02-10 15:25:44 [209.133.66.214] Block info requested DB 1 --> OK
#向DB1数据区写入数据
2016-02-10 15:25:44 [209.133.66.214] Write request, Area : DB1, Start : 0, Size : 452 --> OK
2016-02-10 15:25:45 [209.133.66.214] Write request, Area : DB1, Start : 452, Size : 60 --> OK
2016-02-10 15:25:50 [209.133.66.214] Read SZL request, ID:0x0000 INDEX:0x0000 --> OK
2016-02-10 15:25:54 [209.133.66.214] Read SZL request, ID:0x0000 INDEX:0x0000 --> OK
2016-02-10 15:26:02 [209.133.66.214] Read SZL request, ID:0x0000 INDEX:0x0000 --> OK
2016-02-10 15:26:05 [209.133.66.214] Read SZL request, ID:0x0f00 INDEX:0x0000 --> OK
2016-02-10 15:26:08 [209.133.66.214] Read SZL request, ID:0x0002 INDEX:0x0000 --> OK
2016-02-10 15:26:17 [209.133.66.214] Read SZL request, ID:0x0011 INDEX:0x0000 --> OK
2016-02-10 15:26:21 [209.133.66.214] Read SZL request, ID:0x0011 INDEX:0x0000 --> OK
#向DB1、2、3数据区写入数据
2016-02-22 06:54:19 [93.115.95.202] Write request, Area : DB1, Start : 0, Size : 16 --> OK
2016-02-22 06:54:19 [93.115.95.202] Write request, Area : DB2, Start : 0, Size : 16 --> OK
2016-02-22 06:54:19 [93.115.95.202] Write request, Area : DB3, Start : 0, Size : 16 --> OK
2016-02-22 06:54:38 [93.115.95.202] Read request, Area : DB1, Start : 0, Size : 2 --> OK
2016-02-22 06:54:39 [93.115.95.202] Read request, Area : DB1, Start : 0, Size : 2 --> OK
2016-02-22 06:54:39 [93.115.95.202] Read request, Area : DB1, Start : 0, Size : 2 --> OK
2016-02-22 06:54:39 [93.115.95.202] Read request, Area : DB1, Start : 0, Size : 2 --> OK
2016-02-22 06:54:40 [93.115.95.202] Read request, Area : DB1, Start : 0, Size : 2 --> OK
2016-02-22 06:54:40 [93.115.95.202] Read request, Area : DB1, Start : 0, Size : 2 --> OK
2016-02-22 06:54:40 [93.115.95.202] Read request, Area : DB1, Start : 0, Size : 2 --> OK
##删除CPU程序块
2016-02-22 06:54:43 [93.115.95.202] CPU Control request : Block Insert or Delete --> OK
2016-02-22 06:54:46 [93.115.95.202] Block upload requested --> OK
2016-02-22 06:54:46 [93.115.95.202] Block upload requested --> OK
2016-02-22 06:54:46 [93.115.95.202] Client disconnected by peer
2016-02-22 06:57:55 [37.48.80.101] Read SZL request, ID:0x0232 INDEX:0x0004 --> OK
2016-02-22 06:57:56 [37.48.80.101] Read SZL request, ID:0x0232 INDEX:0x0004 --> OK
2016-02-22 06:57:58 [37.48.80.101] Read SZL request, ID:0x0232 INDEX:0x0004 --> OK
2016-02-22 06:57:59 [37.48.80.101] Read SZL request, ID:0x0232 INDEX:0x0004 --> OK
2016-02-22 06:58:00 [37.48.80.101] Read SZL request, ID:0x0232 INDEX:0x0004 --> OK
2016-02-22 06:58:01 [37.48.80.101] Read SZL request, ID:0x0232 INDEX:0x0004 --> OK
2016-02-22 06:58:03 [37.48.80.101] Read SZL request, ID:0x0424 INDEX:0x0000 --> OK
2016-02-22 06:58:03 [37.48.80.101] Read SZL request, ID:0x0424 INDEX:0x0000 --> OK
2016-02-22 06:58:05 [37.48.80.101] Read SZL request, ID:0x0424 INDEX:0x0000 --> OK
2016-02-22 06:58:06 [37.48.80.101] Read SZL request, ID:0x0424 INDEX:0x0000 --> OK
2016-02-22 06:58:07 [37.48.80.101] Read SZL request, ID:0x0424 INDEX:0x0000 --> OK
2016-02-22 06:58:08 [37.48.80.101] Read SZL request, ID:0x0424 INDEX:0x0000 --> OK
##冷启动PLC CPU
2016-02-22 06:58:09 [37.48.80.101] CPU Control request : Warm START --> OK
2016-02-22 06:58:09 [37.48.80.101] Read SZL request, ID:0x0424 INDEX:0x0000 --> OK
2016-02-22 06:58:11 [37.48.80.101] Read SZL request, ID:0x0424 INDEX:0x0000 --> OK
2016-02-22 06:58:11 [37.48.80.101] Read SZL request, ID:0x0424 INDEX:0x0000 --> OK
2016-02-22 06:58:13 [37.48.80.101] Read SZL request, ID:0x0424 INDEX:0x0000 --> OK
2016-02-22 06:58:14 [37.48.80.101] Read SZL request, ID:0x0424 INDEX:0x0000 --> OK
2016-02-22 06:58:15 [37.48.80.101] Read SZL request, ID:0x0424 INDEX:0x0000 --> OK
2016-02-22 06:58:16 [37.48.80.101] Read SZL request, ID:0x0424 INDEX:0x0000 --> OK
2016-02-22 06:58:18 [37.48.80.101] Read SZL request, ID:0x0424 INDEX:0x0000 --> OK
2016-02-22 06:58:18 [37.48.80.101] Read SZL request, ID:0x0424 INDEX:0x0000 --> OK
2016-02-22 06:58:20 [37.48.80.101] Read SZL request, ID:0x0424 INDEX:0x0000 --> OK
2016-02-22 06:58:20 [37.48.80.101] Read SZL request, ID:0x0424 INDEX:0x0000 --> OK
##停止PLC CPU
2016-02-22 06:58:21 [37.48.80.101] CPU Control request : STOP --> OK
2016-02-22 06:58:22 [37.48.80.101] Read SZL request, ID:0x0424 INDEX:0x0000 --> OK
2016-02-22 06:58:23 [37.48.80.101] Read SZL request, ID:0x0424 INDEX:0x0000 --> OK
2016-02-22 06:58:24 [37.48.80.101] Read SZL request, ID:0x0424 INDEX:0x0000 --> OK
2016-02-22 06:58:26 [37.48.80.101] Read SZL request, ID:0x0424 INDEX:0x0000 --> OK
2016-02-22 06:58:26 [37.48.80.101] Read SZL request, ID:0x0424 INDEX:0x0000 --> OK
2016-02-22 07:02:48 [37.48.80.101] System clock read requested
2016-02-22 07:02:49 [37.48.80.101] System clock read requested
2016-02-22 07:02:50 [37.48.80.101] System clock read requested
2016-02-22 07:02:52 [37.48.80.101] System clock read requested
2016-02-22 07:02:52 [37.48.80.101] System clock read requested
2016-02-22 07:02:52 [37.48.80.101] System clock read requested
2016-02-22 07:02:55 [37.48.80.101] System clock read requested
2016-02-22 07:02:55 [37.48.80.101] System clock read requested
2016-02-22 07:02:57 [37.48.80.101] System clock read requested
2016-02-22 07:03:00 [37.48.80.101] System clock read requested
2016-02-22 07:03:01 [37.48.80.101] System clock read requested
##修改PLC系统时间
2016-02-22 07:03:02 [37.48.80.101] System clock write requested
2016-02-22 07:03:03 [37.48.80.101] System clock write requested
2016-02-22 07:03:03 [37.48.80.101] System clock read requested
2016-02-22 07:03:04 [37.48.80.101] System clock read requested
2016-02-22 07:03:05 [37.48.80.101] System clock read requested
2016-02-22 07:03:06 [37.48.80.101] System clock write requested
2016-02-22 07:03:06 [37.48.80.101] System clock write requested
2016-02-22 07:03:06 [37.48.80.101] System clock write requested
2016-02-22 07:03:06 [37.48.80.101] System clock write requested
2016-02-22 07:03:07 [37.48.80.101] System clock read requested
2016-02-22 07:03:08 [37.48.80.101] System clock read requested
2016-02-22 07:03:08 [37.48.80.101] System clock read requested
2016-02-22 07:03:09 [37.48.80.101] System clock read requested

关于这些IP的一些开放式历史威胁情报:
https://exchange.xforce.ibmcloud.com/ip/37.48.80.101
https://exchange.xforce.ibmcloud.com/ip/209.133.66.214
https://exchange.xforce.ibmcloud.com/ip/93.115.95.202

关于影响PLC运行与攻击PLC的手段

即使在如今大多数厂商PLC在远程访问控制、用户认证这类功能上仍还有欠缺。这也便导致了只要可以访问到设备便可以直接操作设备的功能,我曾经在之前的博文中提到过通过对特定协议功能的重放构造(如停机指令,修改数据等功能),而再根据目前的一些设备搜索引擎如Shodan等,通过工程化就不难实现一套自动批量攻击程序。

整网的安全态势?

那么暴露在公网中的PLC是否也存在过类似被恶意操作的情况呢,为此我们在日前通过icsresearch2.plcscan.org的节点对全球TCP/102端口的S7服务进行了深度探测,在发现的800多套S7-300(所有货号为:6ES7-3**-*****-****)/S7-400(所有货号为:6ES7-4**-*****-****)PLC CPU中提取了PLC内部的所有的诊断缓冲区。通过对PLC内部的诊断缓冲区“事件”的分析发现其中有高达80多套PLC中存在“被远程设置CPU到STOP模式的记录”,而该事件出现的原因,一是来自于用户的正常调试,二则极有可能是攻击者的恶意操作所致。

s7cpubuffer

About Z-0ne

Leave a Reply

Your email address will not be published. Required fields are marked *

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据

最新工业控制系统漏洞

ICS-CERT Advisory Feed
Fujifilm FCR Capsula X/Carbon X

This medical advisory includes mitigations for uncontrolled resource consumption and improper access control vulnerabilities reported in Fujifilm’s. . . read more Tue, 23 Apr 2019 12:05:43 EDT

Rockwell Automation MicroLogix 1400 and CompactLogix 5370 Controllers

This advisory includes mitigations for an open redirect vulnerability reported in Rockwell Automation’s MicroLogix 1400 and CompactLogix 5370 contro. . . read more Tue, 23 Apr 2019 12:00:33 EDT

Delta Industrial Automation CNCSoft

This advisory includes mitigations for heap-based buffer overflow, out-of-bounds read, and stack-based buffer overflow vulnerabilities reported in Del. . . read more Tue, 16 Apr 2019 10:10:11 EDT

WAGO Series 750-88x and 750-87x

This advisory includes mitigations for a use of hard-coded credentials vulnerability reported in WAGO's 750-88x and 750-87x programmable logic co. . . read more Tue, 16 Apr 2019 10:05:55 EDT

PLC Cycle Time Influences

This advisory includes mitigations for an uncontrolled resource consumption vulnerability reported in ABB, Phoenix Contact, Schneider Electric, Siemen. . . read more Tue, 16 Apr 2019 10:00:24 EDT

Siemens SIMOCODE pro V EIP

This advisory includes mitigations for an uncontrolled resource consumption vulnerability reported in Siemens' SIMOCODE pro V EIP low-voltage mot. . . read more Tue, 09 Apr 2019 10:25:33 EDT

Siemens Spectrum Power 4.7

This advisory includes mitigations for a command injection vulnerability reported in Siemens' Spectrum Power 4.7 system.. . . read more Tue, 09 Apr 2019 10:20:24 EDT

Siemens Industrial Products with OPC UA

This advisory includes mitigations for an uncaught exception vulnerability in Siemens' Industrial Products using OPS UA communications protocol.. . . read more Tue, 09 Apr 2019 10:15:11 EDT

Siemens SINEMA Remote Connect

This advisory includes mitigations for incorrect calculation of buffer size, out-of-bounds read, stack-based buffer overflow, and improper handling of. . . read more Tue, 09 Apr 2019 10:10:11 EDT

Siemens RUGGEDCOM ROX II

This advisory includes mitigations for double free, out-of-bounds read, and uncontrolled resource consumption vulnerabilities reported in Siemens'. . . read more Tue, 09 Apr 2019 10:05:16 EDT

Siemens CP, SIAMTIC, SIMOCODE, SINAMICS, SITOP, and TIM

This advisory includes mitigations for an out-of-bounds read vulnerability reported in Siemens' CP, SIAMTIC, SIMOCODE, SINAMICS, SITOP, and TIM p. . . read more Tue, 09 Apr 2019 10:00:56 EDT

Omron CX-Programmer

This advisory includes mitigations for a use after free vulnerability reported in Omron's CX-Programmer PLC software.. . . read more Thu, 04 Apr 2019 10:15:11 EDT

Rockwell Automation Stratix 5400/5410/5700 and ArmorStratix 5700

This advisory includes mitigations for an uncontrolled resource consumption vulnerability reported in Rockwell Automation's Stratix and ArmorStra. . . read more Thu, 04 Apr 2019 10:10:11 EDT

Rockwell Automation Stratix 5400/5410/5700/8000/8300 and ArmorStratix 5700

This advisory includes mitigations for resource management errors and improper input validation vulnerabilities reported in Rockwell Automation's. . . read more Thu, 04 Apr 2019 10:05:19 EDT

Rockwell Automation Stratix 5950

This advisory includes mitigations for an improper input validation vulnerability reported in Rockwell Automation's Stratix 5950 security applian. . . read more Thu, 04 Apr 2019 10:00:23 EDT

Advantech WebAccess/SCADA

This advisory includes mitigations for command injection, stack-based buffer overflow, and improper access control vulnerabilities reported in Advante. . . read more Tue, 02 Apr 2019 10:00:11 EDT

Rockwell Automation PowerFlex 525 AC Drives

This advisory includes mitigations for a resource exhaustion vulnerability reported in Rockwell Automation's PowerFlex 525 AC drive.. . . read more Thu, 28 Mar 2019 10:00:11 EDT

Siemens SCALANCE X

This advisory includes mitigations for an expected behavior violation vulnerability reported in the Siemens SCALANCE X products.. . . read more Tue, 26 Mar 2019 10:15:18 EDT

PHOENIX CONTACT RAD-80211-XD

This advisory includes mitigations for a command injection vulnerability reported in Phoenix Contact's RAD-80211-XD WLAN wireless transceiver.. . . read more Tue, 26 Mar 2019 10:10:11 EDT

ENTTEC Lighting Controllers

This advisory includes mitigations for a missing authentication for critical function vulnerability reported in ENTTEC’s lighting controllers.. . . read more Tue, 26 Mar 2019 10:00:23 EDT