ICS VILLAGE - Analyzing VPNFilter

Video thumbnail (Frame 0) Video thumbnail (Frame 1189) Video thumbnail (Frame 2225) Video thumbnail (Frame 3377) Video thumbnail (Frame 5325) Video thumbnail (Frame 6823) Video thumbnail (Frame 9535) Video thumbnail (Frame 13555) Video thumbnail (Frame 15681) Video thumbnail (Frame 19502) Video thumbnail (Frame 21270) Video thumbnail (Frame 24145) Video thumbnail (Frame 27057) Video thumbnail (Frame 28603) Video thumbnail (Frame 29672) Video thumbnail (Frame 30549) Video thumbnail (Frame 31519) Video thumbnail (Frame 32569) Video thumbnail (Frame 33991) Video thumbnail (Frame 35198) Video thumbnail (Frame 36093) Video thumbnail (Frame 37457) Video thumbnail (Frame 38377) Video thumbnail (Frame 39479) Video thumbnail (Frame 48655)
Video in TIB AV-Portal: ICS VILLAGE - Analyzing VPNFilter

Formal Metadata

ICS VILLAGE - Analyzing VPNFilter
A Technical Analysis Of The Packet Sniffer and Modbus VPNFilter Module
Alternative Title
Analyzing VPNFilter's Modbus Module
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Malware Group action Connectivity (graph theory) Multiplication sign Projective plane Set (mathematics) Mathematical analysis Module (mathematics) Förderverein International Co-Operative Studies Term (mathematics)
Presentation of a group Malware Multiplication sign Module (mathematics) Attribute grammar
Weight Multiplication sign 1 (number) Mereology Number Product (business) Architecture Estimator Malware Operating system Endliche Modelltheorie Router (computing) Position operator Computer architecture Operations research Enterprise architecture Multiplication Link (knot theory) Tesselation Cross-platform Gradient Sampling (statistics) Data storage device Flow separation Software System programming Computing platform Wireless LAN
Area Time zone Real number Multiplication sign Connectivity (graph theory) Workstation <Musikinstrument> Motion capture Mathematical analysis Interactive television Virtual machine Computer network Price index Integrated development environment Software Internetworking Bus (computing) Configuration space Diagram Right angle Diagram Position operator Computer worm Spacetime
Game controller Functional (mathematics) Group action State of matter Multiplication sign Login Usability Peripheral Gastropod shell Information security Firmware Position operator Control system Physical system Vulnerability (computing) User interface Touchscreen Validity (statistics) Mathematical analysis Interactive television Usability Volume (thermodynamics) Bit Limit (category theory) Exploit (computer security) Data management Integrated development environment Software Configuration space Information security Volume
Implementation Server (computing) Functional (mathematics) Multiplication sign Connectivity (graph theory) Set (mathematics) Mereology Food energy IP address Permutation Medical imaging Latent heat Malware Programmschleife Independent set (graph theory) Network socket Encryption Gastropod shell Cuboid Software framework Booting Plug-in (computing) Task (computing) Domain name Installation art Mathematical analysis Exploit (computer security) Connected space Process (computing) Network socket Information retrieval Module (mathematics) Library (computing) Asynchronous Transfer Mode
Point (geometry) Slide rule Trail Game controller Tape drive Flash memory 1 (number) Event horizon Medical imaging Network socket Diagram Router (computing) Extension (kinesiology) Information security Booting Perimeter Metropolitan area network Plug-in (computing) Plug-in (computing) Sine Motion capture Price index Exploit (computer security) Digital photography Process (computing) Angle Software Blog Module (mathematics) Daylight saving time
Cybersex Point (geometry) Operations research Dependent and independent variables Multiplication sign Cybersex Exploit (computer security) Computer network Incidence algebra Graph coloring Flow separation Attribute grammar Digital image correlation Software Auditory masking Internetworking Operator (mathematics) Computer network System programming Module (mathematics) Module (mathematics) Musical ensemble Router (computing) Computing platform
Area Link (knot theory) Information Link (knot theory) 1 (number) Login Connected space Data management Malware Module (mathematics) Office suite Module (mathematics) Router (computing)
Architecture Functional (mathematics) Sample (statistics) Read-only memory Code Real number Multiplication sign Projective plane Sampling (statistics) Module (mathematics) Bit Row (database)
Sample (statistics) Case modding Sampling (statistics) Computer network Directory service Parameter (computer programming) Login IP address Condition number 2 (number)
Parsing Loop (music) Parsing Sample (statistics) Metadata Computer network Loop (music)
Game controller Code Equals sign Sampling (statistics) Parameter (computer programming) Login Open set Programmschleife Loop (music) Sample (statistics) Logic Bus (computing) Encryption Condition number Data logger Encryption Communications protocol Communications protocol Loop (music) Address space
Computer file Multiplication sign Source code Login Parameter (computer programming) Repetition Line (geometry) Binary file Uniform resource locator Sample (statistics) Blog Core dump Data logger Arrow of time Reading (process)
Source code Sampling (statistics) IP address Loop (music) Sample (statistics) Term (mathematics) Bus (computing) Authorization Office suite Authorization Musical ensemble Router (computing) Position operator Router (computing)
Sample (statistics) Length String (computer science) Order (biology) Source code Sampling (statistics) IP address Flow separation Neuroinformatik
Loop (music) Sample (statistics) Code Block (periodic table) String (computer science) String (computer science) Password Order (biology) Combinational logic Authorization Right angle Parameter (computer programming)
Server (computing) Multiplication sign Sampling (statistics) Password Login Repetition Login Binary file IP address Vector potential Latent heat Uniform resource locator Sample (statistics) Blog Loop (music) Sanitary sewer
Filter <Stochastik> Slide rule Group action Code Multiplication sign Source code Drop (liquid) Parameter (computer programming) IP address Field (computer science) Latent heat Mathematics String (computer science) Gastropod shell Bus (computing) Information Förderverein International Co-Operative Studies Endliche Modelltheorie Router (computing) Computer architecture Authentication Area Information Mapping Sampling (statistics) Code Instance (computer science) Type theory Radical (chemistry) Proof theory Latent heat Sample (statistics) Integrated development environment Personal digital assistant Module (mathematics) Configuration space Right angle Wireless LAN Router (computing)
Axiom of choice Demon State of matter Range (statistics) Combinational logic Parameter (computer programming) Open set Semantics (computer science) IP address Data management Network socket Bus (computing) Negative number Cuboid Module (mathematics) God Scripting language Link (knot theory) Binary code Electronic mailing list Sampling (statistics) Connected space Type theory Data management Order (biology) Module (mathematics) Right angle Remote procedure call Quicksort Asynchronous Transfer Mode Game controller Functional (mathematics) Control flow Raw image format Theory Gastropod shell Authorization Metropolitan area network Plug-in (computing) Total S.A. Vector potential Doubling the cube Blog Password Office suite Free module Musical ensemble Game theory Family
this talk is about VPN filter and the malware campaign and because this is the ICS village we're gonna focus about at the talk on ice yes specific component of this which had some Modbus capability and trying to give everybody better understand exactly what that was so this
is I'm Patrick DeSantis this is Carlos
pacho we are two of many researchers at Cisco tell us that spent a long time working on this project many months many hours lots of really smart people doing really cool stuff with this we're two small pieces of a much larger group that probably did a lot cooler stuff than we did but you get to talk to us instead so this is boundries I'm gonna set for the
talk I will talk about VPN filter and its technical capabilities we'll talk about the targets and specifically we'll spend a lot of time talking with the Modbus module I will not talk about attribution the US government took care of that I will not talk about any of our partners err or victims associated with this campaign so no it's a VPN filter as
a multi year state-sponsored very sophisticated malware campaign targeting primarily edge devices in the small office/home office realm it's been going
on since at least 2016 2016 was the oldest sample that we are aware of so it's been going since before that and at the time we went public in May we estimated there were about half a million infected devices globally you know that number can go up and down depending on how active the actor is so this is a nice conservative estimate at least half a million which is still a significant amount and it's interesting because this cross-platform this is malware that runs on multiple operating systems and even multiple architectures so we've got you know samples to run on MIPS very nm is mips lecturer x86 tile more and then within the specific architectures that are the binders that were compiled were specific for the devices that were going
to run on and there were a lot of devices so we're aware of over seventy five distinct device models from several vendors that have capabilities compiled specifically for those devices which is some pretty serious effort on the part of the actor to go through and put that much work into it especially when a lot of these are you know sub 50 soho devices other ones are like the micro tech or a product I'm not sure how the correct pronunciation is those are a rackmount like enterprise grade network appliances most of the rest are Soho devices some are basic like home wireless routers and then you have stuff that we saw was mostly pretty sure was just network attached storage devices so during the time that we were working on this a vast majority of the activity was targeting micro typing QNAP devices but that was just during the time we were looking at it if we had looked six months before there may have been more or less activity and you know for looking six months from now it may vary also so but at the time we looked mostly mikrotik mostly QNAP and lots of devices so we needed to get into a position where we could bait the actor into
delivering some of there you know some of those custom payloads for those other devices to us without tipping off our hand that we were actually working on learning more about it and so we were kind of stuck in a position where we wanted to set up like a honeypot have to start for leverage honey pots but your traditional high pots are often limited in their capabilities we couldn't give any indication that we were in a you know a night bus so virtualized or emulated environment was a no-go so often your honey pod configurations don't capture full network traffic we need a full peak end we couldn't deal or we couldn't handle just metadata about the traffic we needed to be able to look at everything that the device has received and pull files out of them because if the actor bricked the device we lose off the artifacts so we needed all network traffic so we had a stand up our own our own honeypot infrastructure and we did
that using real devices so there's full interaction honey pots real devices we bought about 40 of them so in the diagram we've got you know you get your internet and then and this area here is where we break off on to our attack or our target network this is a target zone so these are real devices and they are on the internet using commercial or residential IP space instead of you know Cisco IP that would kind of be a dead giveaway or you know like a virtual machine on AWS so we had real devices and they had to be not obvious that it was Cisco and the switch here these places can talk out and everything can talk in so it's like they're on the internet directly but they can't talk to each other unless it goes out and comes back in so they don't see each other and the switch has a rear port spam port it goes to a network tab one-way network tap let's go so our analysis workstation which was very locked down and is set up to not allow any traffic out so we've got three places to block any outbound traffic from our analysis on here it would not be a good thing if the actor associated with this campaign we're able to go from here to our internal corporate network yeah I wouldn't be here talking about it today if we did I may be out there with you and on my resume so we've spent a lot of time and effort on this component right here we had full network traffic so gigabytes of traffic a day associated with activity on these devices was living here and that's where we did our analysis sustaining up this full interaction
honeyBun environment has some issues some challenges there's a reason why people use the limited interaction hi Potts and it's offers a lot more convenience especially when you're span up the ends you can just replicate them you don't have to actually manage the physical devices we 40 devices 40-ish some of them we've got used so you can't trust them so we had to go through each device validate that it wasn't already owned set it up in a intentionally vulnerable configuration because we wanted them to get owned so we had to put our firmware on there with known vulnerabilities and publicly available exploits we sent him up for configurations there was a large volume of traffic and none of it was legitimate because these devices weren't doing anything but oh that didn't show up on your screen flamingo wants you to join their Wi-Fi Larry so all traffic going to these devices was malicious or even if it was benign it was not legitimate so that there's an old phrase looking for a needle in a stack of needles it applies very you know it's very applicable to this because every bit of traffic was not legitimate and we don't really know what we're looking for so we have to find something bad in gigabytes and gigabytes of bad stuff and then there's the security versus usability and Carlos and I I well we probably had each other in a headlock a few times as I'm advocating for security as I said if the actor made it their way into our network bad stuff but every time I lock something down or advocate for something to be locked down more it's its inconvenience and annoyance for the the researchers that need to be able to interact with the devices and do analysis on the traffic but because of the sophistication of the actor we had to err on the side of security much to my team and other people's well I owe them some beer I guess and the device limitations so you see this is just like in control systems these are often embedded systems the illegitimate management interfaces don't provide a lot of functionality for legitimate users so you can't just drop down in the shell and login this route and do whatever you want in Linux you know you might be in a limited environment or maybe the only administrative control you have is through a web interface so just like an ICS an attacker who owns the device has more control over it than the legit user so we found herself in a position of actually exploiting and owning our own devices just to find out if they had been owned by somebody else which is interesting so that was kind of
how we dealt with you know the risk associated with the interacting with a and having live targets intentionally infected by a state actor now the Mel or itself that we were gonna get with there were several groups that did reversing
and analysis of the actual mailer but I do have to clarify one thing before we go into that and there's since we went public in May there's kind of been I don't know how it started but there was an initial misconception about the relationship between VPN filter and black energy mailer so black energy has a flaw in the implementation of the rc4 encryption algorithm where it fails to properly initialize the S boxes during their permutation stage so it's a very very very specific flaw it's not just like loops we use long library a VPN filter has the exact same flaw and the exact same part of the implementation of the S boxes in the permutation stage of the rc4 encryption algorithm so there's overlap there and it's a very specific overlap VPN filter does not contain a full copy of black energy so it's just the overlap that was the only connection that tell us identified and reported so if you see anything else out there it's just this just rc4 it's a multi-stage
mailer very sophisticated I'm going to probably say that 20 times but you start with initial exploitation and the malware drops persistent loader that's specific for the target device that it drops on the loader and stage one is the only part of the malware that has persistence that can survive a reboot and that depends on the device aside from being persistent stage one's only job is to find the stage two server retrieve and install stage two it has some really interesting ways of finding the stage-two server first is it'll look out and grab some images off Photobucket within the exif data and the images specifically in the latitude and longitude you run it through a decoding routine which we were one of our guys reversed and you can pull out IP addresses out of latitude and longitude it'll then reach out to the IP address and try to get stage 2 if it doesn't work it tries to cut more images if it doesn't work it eventually goes to a hard-coded domain if that doesn't work it does what I think is probably the most interesting part of this stage it opens up a Roth socket and listens for all traffic on all ports and if it receives a TCP syn with a very you know with specific bytes a specific value it'll grab another set of bytes and that's the IP address for the stage-two server so it's basically it looks out tries to get stage to can't get it it looks out another way can't get it falls back into this passive listening mode where the actor can intentionally task it with this but just by using one tcp syn to give it the IP address of the current stage 2 server when it gets stage 2 stage 2 is your your framework it's the workhorse closest equivalent I can give you it's like it's the meterpreter component and that it has some baked in functionality and that also is extensible and you can add other modules so you can execute shell commands it's got some collection capability it's got some exfil capability some of the older stage 2 as we looked at I had a built-in kill capability where it would actually brick the devices talk about that in a second - and then it's extendable through these stage 3 modules and plugins which because it's extensible through modules the functionality is essentially unlimited it's only limited by what the the actor actually develops for it so Carlos is going to talk about one of
those tapes three modules this is a diagram of what I described the process of going from exploitation to stage one to stage 2 to stage 3 I could spend an hour up here talking just about this slide can't do that now I could do that I don't want to do that but everybody that worked on this will be we said through several hours trying to understand this from many angles there's images on the telus blog the initial blog post that described when we went public with VPN filter it's very interesting obviously very sophisticated when the takedown happened there was essentially angle rocket so a person had twice was in fact that if you rebooted it they would try to go to photo bucket this stuff wasn't there anymore it would try to go to do all to know all it couldn't so it's it with the raw socket it so it was still vulnerable but the actor is gonna have to reach out and touch it manually at that point so some
of the stage Street plugins that we've seen these are the modules that come after stage 2 these are the extensions there's a packet sniffer this is the one that Carlos is going to talk about there's one that we refer to as Esler which is interesting because this module allows for modification of traffic as it passes through the compromised device so you've got your perimeter device your your edge router all traffic on port 80 or going to port 80 is getting man in the middle and JavaScript can be injected into the traffic that returns to the devices on the inside of the network so this module allows the actor to compromise devices on the inside the security perimeter without actively scanning and exploiting them it happens invisibly at the router there's a tor module which gives stage two the ability to communicate with command control over tor and then the kill brick from that I mentioned was in stage 2 it event the older stage to us we found had baked in kill the newer ones it was missing and we had a suspicion that okay there's probably a stage 3 that does then later on and we confirmed so this is destroyed we'll go through and clear artifacts like indicators of compromise to try and erase any tracks from its presence and then it will brick the device usually the brick is by overwriting the first I think 5000 was the most points on five thousand bytes of flash so it's essentially wiping out the bootloader and the device is done unless you can reprogram that flash memory which you're not doing on any of these devices and nine point is on the population couldn't even do it if the capability was there so brick device bad said I said very specific very sophisticated so why would
somebody go through trouble of actually building something like this spending several years doing it deploying it globally obviously it probably costs millions of dollars over time and this is a global intelligence infrastructure what we used to refer to as computer network operations are now referred to as cyber operations this gives a massive distributed global network to conduct those cyber operations from and mask attribution so the any attacks or traffic that comes through this network is going to look like it comes from a SOHO device you know somewhere and wherever they choose to make it look like I'm so it makes it difficult to track people or attract the tribute attacks it's also a data collection platform passively what colors have been talked about it's been mentioned some passive collection and active these devices have been used to scan for other things and then sometimes scan for other vulnerable things and then exploit them and add them to the VPN filter network the destructive attack is the thing that we were the most worried about when we had to decide whether or not we were gonna go public or when we would eventually go public but this is trying to drove us to go public when we did the actor had the ability to effectively knock about half a million networks off the internet all at once so now I have a million devices by knocking these routers off you're knocking everything behind the routers off the internet - so take a half a million networks off the internet all at once it's pretty serious stuff and we were pretty worried about that thankfully it never happened also we've got the ability to exploit inside the network if the actor was on the internal network and had been kicked out though they have a point of presence on the edge router and unless the incident response team actually went validated that they were booted off those edge routers they can come right back in and then everything that the botnet can do this can do - so it has a lot of value [Music] so that's kind of the big picture
overview the the for our discussion about what VP BPM filter is distill down into 15 minutes this is the ICS village we want to talk about stuff that ICS people care about Carlos is going to talk about the technical aspects of the VPN filter Modbus module thanks Patrick all right so I'm gonna talk about the VPN filter packet sniffer module the packets per module was
responsible for inspecting packets and logging certain connections specifically the packets per module would log connection information about HTTP and certain Modbus connections the packets per module was targeting the are 600 VPN router which is a 5 port sohe router when we did a quick search on showed and we found around 5,000 these devices online but I think it's safe to assume that there's a lot more than 5,000 devices these online biggest rodent was just showing us ones that were that had the movant enabled and ripple on the area so this is the picture of advice
the teeth link are 600 you can router the malware was specifically targeting this device so the packet sniffer is
compiled for Lex row has anybody here heard of Lex real cool to people all right this project is the first time I've ever worked with or even heard of Lex row it's really similar to MIPS but it's missing some instructions initially when I started working on this I thought the device and sample were MIPS and this was problematic because Patrick I were attempting to get compiled MIPS code running under 600 but we kept getting seg faults eventually one of her co-workers found out his extra and helps out with that and so it was good so
first off I want to give a huge shout-out to the Karl heard he works on her team at Cisco Telus and he was the first one to reverse the packets for module the sample was first uploaded to virustotal in 2016 so this modules been around for quite some time I wonder how long the modules actually been around because 2016 is just the first time it was uploaded to virustotal the module is a Linux elf it's stripped and Static compiled the fact it was stripped in statically compiled they'd reversing a little bit more difficult we had no function names even flipsie functions they were unnamed which was pretty annoying so the sample will
inspect every packet it'll literally do some checks so it'll first check see if the packet is greater than 150 bytes if the packets ipv4 and if the packets TCP if all those conditions are met then the sample will look for Modbus n HTTP so in order for
the packet sniffer mod to run two arguments need to be provided the first argument is the login directory this is where the logs will be stored and the second is an IP address if these two arguments are not provided the sample will just exit but if the two arguments are provided immediately enter the
packets parsing loop so in the park in the packet parsing loop in the beginning we have some IP checks checking for ipv4 TCP and a packet size and if those checks pass then we will start looking for marvelous and if the bloop does not detect Modbus then it will check for HTTP so all network traffic passes
through this loop and the loop is specifically for Modbus HTTP and it will discard anything else so if something doesn't meet the criteria for Modbus R HTTP the pack will be discarded and the loop will be restarted with the next packet
so for each packet loops can check seed packets greater than hundred fifty bytes then loops gonna make sure the packets ipv4 and TCP and finally we start the Modbus and HTTP checks so first off for
those who may not know my bus is a ICS protocol it's commonly used by PLC's runs on port 502 and the protocol is open so you can grab it from my poster berg and it doesn't support encryption
so once the loop has done the initial IP checks the loops gonna check for Modbus it does this by checking to see the packets destination port and seeing if it equals 502 if it does then the next check is if the packets destination address is the same IP as yep you provided by the second argument provided to the binary if both those checks return true then the sample considers this packet a modest packet and login code gets called so the log file is
stored in the location provided by the first argument blog file will be named read lender score percent you that bin what percent you is the time to log files written the only thing that gets logged for the Modbus portion is the source IP source port destination IP and the destination port so this is an
example of what the log file might be named and what it might contain so rep underscore and a time value dump in it would be the name of the file and then what's highlighted in orange is what would actually be inside the file so we have Astrix Modbus Astrix a new line source IP : source port with a little arrow to destination IP gestation port
so I wonder why a sample specifically designed for so a router is looking for my bus I don't know if this router will ever be in a position to look at ICS trafficker Modbus traffic and additionally I wonder what value the the Modbus log provides dealing this in log is a source IP source port destination of the in destination port and the destination IP address and the destination port have to be provided to the binary so the only that you get really is the the source IP address in the source port [Music]
so as loop continues if the loop the terms of the packet is not Modbus then it'll start looking for HTTP authorization so just a quick recap in
order for the HTTP checks to start the packet needs to be tcp/ip v4 greater than a hundred fifty bytes and not Modbus then we have done the HP checks start so the HTTP checks consists of
checking the destination IP address source port length the data and several strings checks the destination IP must be the same as the IP address that was provided to the sample when the sample was initially started so it's looking for a very specific computer s the source port must be greater than 1024 but it can't be eighty eighty or eighty eighty eight the length of the data must also be greater than twenty bytes and then we move on to these strings check
so in order for the packet to be logged the packet must not contain any of the strings in that code block
and additionally the packet must contain the string authorization basic or a username and password combination but it can contain both if it contains both the PAC will be discarded and the loop will restart with the next packet so it's code block on the left I have user names or user parameters and on the right passed parameters so you have to have one from each side in order for the packet to be logged if the HTTP
logon criteria has been met the entire packet is logged to rep underscore percent you that bin we represent you is the time of logging and the log will be stored in the location provided to the the sample when you initially ran it so
it looks like the HTTP checks are looking for potentials to specific website it's highly targeted as the destination IP address is already known and needed for the packets of per sample additionally the sample does not send logs off to remote server but maybe another sample does this I don't know so
in conclusion the sample is targeting specifically the are 600 you can router which is a servo router the sample is looking for a specific IP address and is grabbing Wireless and HTTP information the sample cannot modify traffic without a significant code rewrite but we as patrick said we've observed other samples that are able to modify traffic
so thanks for coming to talk hope you guys enjoyed it what a reinforced the it's very very targeted just that model of device you have to give it the destination IP address it's logging just the source IP in source port of Modbus traffic nothing else and it's got a bunch of filters in place that discard a lot of the HTTP out stuff and it's storing the whole packet but the filters in place will ensure that only a few the back is the contain nation to the authentication stuff actually gets saved so the question is in what environment are you gonna find this router and what ICS device would be on the recent like the target of this where somebody would be on one side of this router there be nice yes to buy some the other and bold Modbus traffic and HTTP traffic are passing to the same device because the IP address is given as a argument when the module is run so that is the the question of the day you know where is this device being used and what ICS device receives Modbus traffic and its authentication over HTTP we'll take questions possible that the attackers had a very specific configuration in mind they were going before somewhere so in this case like this is obviously intended to target either a specific individual or a specific group that does things a certain way this specific module isn't going to work on any of the other like it it won't work as a plug into stage two on a different device it only works on the tp-link our 600 VPN and it only like you have to give it that destination IP before to log anything so when the actor drop this it's obvious that they were looking for certain stuff and only certain stuff because it filters out everything else even things that would be valuable like other HTTP credentials they might be might yeah and whether or not this device should be an ICS department no but whether or not it is what type of I would like to and this you know for you guys if if you can think of any field devices that may be what the actor was looking to receive the information about wanted let me know otherwise doing not to my knowledge it's just that yeah as far as I know and it's that weird like palace instead Electra architecture so as we were writing our own proof of concept code and executed it on the device it was very insightful it's all day long and turns out we needed a custom tool change compiled code for this device so it's not like it's the code may be portable this I've got it compiled specifically for this I don't know of anything and there's strings in the code and the firemen say our 600 BPM you know so even if there was something else that using right arrey arrey it looks at every packet that travels through it and then it goes through the checks that Carlos explained to filter out the stuff that it doesn't want and if it meets all the checks for my bus it just logs stuff that I already knew like it knows the destination IP because it's an argument that was passed to it when that module was executed it doesn't log any of the Modbus data they just the IP address that the traffic came from and the port that it came from and the IP address that was going to which we know and for 502 which we know so the only thing the actor learns the - is source port and source IP and then any HTTP traffic that meets all those filters going to the same ip address as the Modbus is going to it'll log that entire packet yes so in this instance they would imagine they either did it manually especially since it's so targeted or there may have been capability at the sea to note it would connect and hold right no they staged to had the ability to execute shell commands so it'd be just like you're logged in to the terminal you know as Linux true geographic fringe you see in certain countries or in certain areas nothing to spit out at the time but we have the map in slides we can put it up on there and
if you can zoom into it yeah most of the u.s. so almost 900 the u.s. 600 russia brazil this is just specifically the tp-link our 600 een with remote management enable gasps oil gas yes sir a piece into the brick bumps to go follow the breadcrumbs you apiece yes sir they usually take over the whole box yeah so anybody that knows what that does if negatives can own any device that is in that passive raw socket mode so you just have to send a syn that has the right magic bytes and then it's going to pull out an IP address and it's going to reach out and you're going to deliver stage two to it but if you know so yeah you could for this module because it's set up to just log data about what goes through it would be it would need to be seriously modified to intersect so instead of just looking at the packet and allowing them to go through I just have to stop it change it pass it through this module doesn't have any capability to do that but that other module does so they definitely have the ability to modify traffic this module does not but is still possible has there been any sort of effort to go out like have you seen this proudly to like potential investor visas or is it kind of passive collection like maybe I'm here asking you guys it's it's intriguing because it's only targeted but because of the the wide range of vendors and devices that were also known to be used this type of activity could be used on any of those other choices that you said to a pilot for the device and push it out it depends on which stage it's in and what twice it is and yeah there's a whole bunch of weird ways to figure it out if B if it's in that raw socket mode there if you can detect it never expose few weeks ago and stuff like it hub where it'll send the syn packet and it'll reach out to an IP that the script is also I think some of reckoning Quran semantics you know the tool that would let you know that I think it'd be a stay tuned I said I love family did you define that disconnection I think it's just the module did my damnedest it's a kid to get live devices they had live devices established and actually the command control they just never had that modular stuff so one of the interesting things about the stage free modules they you know the device has to be tested to pull them down there's no like list of modules in states to that it knows you had to know the daemon of module the device has to be told reach out and get this module and then it will reach out to command control to request the module retrieve it and execute it so yeah I'd like to do oh say oh my god I got I just requested all the modules from man control I got all but without knowing the names of them they could have had and just we never saw it they were selective about what they deployed and where they afforded it's not another game we got a Firestone 2016 this module that yes this specific binary is elf executable so Linux executable and they uploaded that right I would love to know I would have loaded even there said so in order to get off of the device you've got it on the device some of the older tp-link our 610 actually a backdoor what shell it was known so somebody could use that and saw that they were infected pulled it off and I furthered it the actor may have uploaded it if some people would trade craft it's a little you know everybody's been known to make mistakes so maybe today other than that it would have had either been pulled out of never traffic and upload and pull off the device and upload it or upload it by the actor [Music] now I would love to hear like ideas and scenarios for and this is just one of countless modules so we know how many we've seen but theoretically it's something the actor they just write it into file and push it out their plugins so there's one thing I don't know if you've mentioned it or not but yours yeah so there is it it's in their own possible that the actor put that in there to kind of distracting thank you well the woman for my bucks you know it's right were they really looking at my bus or they want us to think about if you guys know the sample so well I mean if you're if you have a paid account where's total um access to all that stuff so anybody in this room good so tell us is working with several partners external to tell us and it's one of those things that I'm fighting back again so but the tell us the blog post that initially disclosed this will tell you as much as we're comfortable releases but we worked with people outside of tell us so if you have any coke they're generally the VP and function of that I don't remember not pretty sure was just use nobody again yeah it was busybox night open SSL Open VPN or the pretty sure I can double check but but if anybody's any other questions or follow-ups you just hit me or Carlos up here or afterwards the motorist basically ready so if you specify you can specify any IP addresses the destination IP address and then at the traffic passes through it'll log the actual credentials going to that item and then it's that what you're saying you found we think there's a couple yeah so like it can take three parameters or arguments but it only takes two so what's the 30-day off by one what was the other so if it will accept it along the traffic it said if it has HTTP basic authorization or either a name and password combination but if both are present it ignores it so I mean there were a few things where my theory was that they were eliminating as much noise as possible because if you start log and everything that matches they should be basic off and everything that matches Modbus device is going to fill up and you're gonna have a break so they wanted to filter out everything except what they were specifically looking at that's just my theory yeah and yeah I think there's a couple coding mistakes all right thank you [Applause]