SOURCE: Noticias de seguridad informática http://noticiasseguridad.com/importantes/como-un-hacker-puede-hackear-en-las-redes-aisladas-de-reactores-nucleares/
TAGS: Ghost malware, Nuclear reactor hack, USB malware
** This article is for educational purposes **
Critical infrastructure such as oil rigs and nuclear reactors has a sophisticated level of security against cyber attacks, but hackers try to stay one step ahead of security professionals. Critical infrastructure networks are isolated, so reaching them from the outside world is very difficult. For that reason hackers have developed malware such as Stuxnet and Flame, which spreads through USB devices, because much of the information on those networks is exchanged through USB memory devices.
USB drives are reusable storage devices that attach memory to a computer's USB port; they are commonly known as flash drives or memory sticks. A USB drive can be erased any number of times and reused for different purposes.
USB drives are so common these days that hackers have begun writing malware specifically for USB memory. With this malware they are able to compromise isolated networks and nuclear power plants. In this article we discuss USB-related malware with the help of security solutions experts.
USB DISK DESIGN
A USB flash drive is a data storage device that includes flash memory with an integrated Universal Serial Bus (USB) interface. It consists of a small printed circuit board carrying the circuit elements and a USB connector, electrically insulated and protected inside a plastic, metal or rubber case. Most flash drives use a standard Type-A USB connector that plugs into a port on a computer, but units with other interfaces exist. USB flash drives draw their power from the computer through the USB connection.
[Image: USB-DESIGN]
The parts of a flash drive shown above:
- Standard-A USB connector - provides the physical interface to the host computer.
- USB mass storage controller - a small microcontroller with a small amount of on-chip ROM and RAM.
- NAND flash memory chip(s) - store the data (NAND flash is typically also used in digital cameras).
- Crystal oscillator - produces the device's main 12 MHz clock signal and controls the device's data output through a phase-locked loop.
- Cover - typically made of plastic or metal, protects the electronics against mechanical stress and even short circuits.
- Jumpers and test pins - used for testing during manufacture or for loading firmware into the microcontroller.
- LEDs - indicate data transfers.
- Write-protect switch - enables or disables writing data to the memory.
- Unpopulated space - provides room for a second memory chip, which lets the manufacturer use a single printed circuit board for more than one storage size.
- Some drives offer expandable storage through an internal memory card slot, like a memory card reader.
Most flash drives come preformatted with the FAT32 or exFAT file system. Sectors are 512 bytes long, for compatibility with hard drives, and the first sector can contain a master boot record (MBR) and partition table.
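To make that sector layout concrete, here is an added example (not code from the original article) that parses the partition table of a 512-byte MBR and reports each partition's file system type and size. The drive image is constructed inside the code, with a single FAT32 partition on a 4 GB device; the type byte table lists standard MBR partition type codes, and the unallocated-sector count is what a forensic examiner would glance at before trusting a drive's stated layout.

```python
import struct

SECTOR_SIZE = 512                 # the 512-byte sectors the article mentions
MBR_SIGNATURE = 0xAA55            # bytes 55 AA at offset 510, read little-endian
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries follow the boot code
ENTRY_SIZE = 16

# Standard MBR partition type codes relevant to removable media
PARTITION_TYPES = {
    0x01: "FAT12",
    0x04: "FAT16 (<32 MB)",
    0x06: "FAT16",
    0x07: "exFAT/NTFS",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0E: "FAT16 (LBA)",
}


def parse_mbr(sector: bytes, total_sectors: int) -> dict:
    """Parse one MBR sector; total_sectors is the capacity the drive reports."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    (signature,) = struct.unpack_from("<H", sector, 510)
    result = {
        "valid_signature": signature == MBR_SIGNATURE,
        "partitions": [],
        "warnings": [],
    }
    covered = 0
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + index * ENTRY_SIZE
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype == 0x00:
            continue                      # empty entry
        if lba_start + count > total_sectors:
            result["warnings"].append(
                f"partition {index} extends past the reported end of the device")
        result["partitions"].append({
            "index": index,
            "bootable": bool(status & 0x80),
            "type": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02X})"),
            "lba_start": lba_start,
            "sectors": count,
            "size_bytes": count * SECTOR_SIZE,
        })
        covered += count
    # Sectors not claimed by any partition: the alignment gap before the first
    # partition, plus any space a forensic examiner would want to look at.
    result["unallocated_sectors"] = total_sectors - covered
    return result


def build_sample_mbr(lba_start=2048, sectors=8386560, ptype=0x0C) -> bytes:
    """Constructed first sector: one FAT32 (LBA) partition, as a 4 GB drive would ship."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFFSET, 0x00, ptype, lba_start, sectors)
    struct.pack_into("<H", sector, 510, MBR_SIGNATURE)
    return bytes(sector)


# 4 GB drive = 8388608 sectors; the sample partition starts at sector 2048 and fills the rest.
SAMPLE_TOTAL_SECTORS = 4 * 1024 ** 3 // SECTOR_SIZE

if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr(), SAMPLE_TOTAL_SECTORS)
    print("signature ok:", info["valid_signature"])
    for part in info["partitions"]:
        print(f"partition {part['index']}: {part['type']}, "
              f"{part['size_bytes'] / 1024 ** 3:.2f} GiB starting at LBA {part['lba_start']}")
    print("unallocated sectors:", info["unallocated_sectors"], "warnings:", info["warnings"])
```

On a real drive the first sector would be read from the block device instead of built in memory; the parser itself does not change. Note that a partition table can only be checked against the capacity the controller reports, which is exactly the figure a reprogrammed controller can misstate.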
USB malware
There are two types of USB malware: the first is firmware malware living in the USB drive's controller, and the second is normal computer malware that only runs from USB drives, called Ghost malware. We cover each of them in detail, and how hackers use them to get into isolated critical infrastructure networks such as electric power plants and nuclear reactors.
1. Malware based on USB microcontroller firmware
Hackers create this malware by reprogramming the firmware of the USB drive's mass storage controller. The malware lives in the firmware, which is injected into the microcontroller and not into the flash memory (where we keep our files).
Mike Stevens, a computer security training expert, explains that once malware has been injected into the firmware of the USB drive it can do the following:
- The malicious microcontroller firmware can emulate a keyboard and issue commands on behalf of the logged-in user, for example giving the hacker root access and infecting other devices on the network.
- The USB drive can act as a network card and change the computer's DNS settings to redirect traffic.
The trust that operating systems such as Windows, Mac and Linux place in Human Interface Devices (HID) such as keyboards, and in network cards, is the reason this attack works: the malware's activity looks as if the logged-in user performed it. The operating system recognises the USB firmware malware as an HID, and the malware script runs and gives the hacker root control. Antivirus cannot detect this type of threat, because from its point of view a logged-in user has simply granted access to another trusted person.
There are 3 different types of attack based on the firmware of the USB mass storage controller.
1.1 BADUSB
As the computer security training expert explained above, the attacker takes a normal USB drive, which contains a small microcontroller, injects malware into its firmware and takes root control of the computer with the help of this malware. This type of USB device is called BADUSB.
Types of BADUSB attack
- Pretending to be a 4 GB drive while actually having 32 GB, where the remaining space is used to copy data and later upload it to a remote server. When the drive is formatted, only the 4 GB are erased.
- Pretending to be a keyboard or mouse.
- Pretending to be a network card.
- Pretending to be a phone or tablet.
- Pretending to be a webcam.
- Pretending to be a bank authentication token.
- Pretending to be a printer or scanner.
- Pretending to be the Type-C power-and-data connector of the new MacBook and Chromebook Pixel. Despite its versatility, Type-C is still based on the USB standard, which leaves it vulnerable to a firmware attack; the attack would therefore arrive through the power cable.
CREATING BADUSB
STEP 1. Check the details of the microcontroller
First check the details of the controller and its firmware. Software such as ChipGenius, CheckUDisk, UsbIDCheck or USBDeview can determine this; these are open source programs that are readily available. They report the chip vendor, part number, product vendor, product model, VID and PID.
[Image: Chip-Genius]
STEP 2. Restore the original firmware and check the firmware (Optional Step)
You can also use this step to repair your USB drive if for some reason it is dead. Visit a website such as flashboot.ru and look up the restore program.
[Image: FlashBoot]
[Image: FlashBoot-software-details]
[Image: FlashBoot-flashing]
Use the VID and PID found in the previous step to locate the program that restores the firmware. Download the MP (mass production) tool, such as the UT16 tool for USBest controllers, according to the PID and VID, and then update the driver. According to the security solutions experts, this restores your USB drive to a completely new state.
[Image: MPTool]
STEP 3. Preparing to inject the firmware with malware
We cover the procedure for Toshiba USB drives that have a Phison controller. The necessary tools are available on GitHub.
- You need Windows with .NET 4.0 installed, and Visual Studio 2012.
- Install the SDCC (Small Device C Compiler) suite in C:\Program Files\SDCC (for building the firmware and patches) and restart the computer after installing these.
- Double-click DriveCom.sln; it opens in Visual Studio. Build the project. DriveCom.exe will then be in the Tools folder.
- Do the same with EmbedPayload.sln and the injector project.
- Run DriveCom as below to get information about the drive:
DriveCom.exe /drive=E /action=GetInfo
where E is the drive letter. This should tell you the type of controller you have (such as PS2251-03 (2303)) and the unique ID of your flash chip.
[Image: Phison-Firmware]
STEP 4. Before flashing the firmware
For flashing you need a burner image. Burner images are usually named using the following convention:
BNxxVyyyz.BIN
where xx is the controller version (for example 03 for PS2251-03 (2303)), yyy is the version number (irrelevant), and z indicates the page size.
z may be:
2km - indicates that this is for NAND chips with 2K pages.
4km - indicates that this is for NAND chips with 4K pages.
M - indicates that this is for NAND chips with 8K pages.
You can download burner images from Internet websites such as usbdev.ru.
[Image: usbdev]
To build the custom firmware, open a command prompt in the "firmware" folder and run build.bat. You can try FW03FF01V10353M.BIN, version 1.03.53.
The resulting file will be firmware\bin\FW.BIN, which can then be flashed onto your USB drive.
It also produces firmware\bin\bn.bin, which is the equivalent burner code image.
STEP 5. Download the firmware
Once you have the image, put the drive into boot mode:
DriveCom.exe /drive=E /action=SetBootMode
where E is the drive letter. You can then transfer the burner image and run it with:
DriveCom.exe /drive=E /action=SendExecutable /burner=[burner]
where E is the drive letter and [burner] is the name of the burner image file.
You can download (dump) the drive's current firmware to a file by running:
DriveCom.exe /drive=E /action=DumpFirmware /firmware=[firmware]
where E is the drive letter and [firmware] is the name of the destination file.
STEP 6. Inject the malware into the firmware
Here you need a payload. In the IICS ethical hacking training, the instructor teaches how to create a payload and inject code; alternatively, you can take a script from the USB Rubber Ducky GitHub page and use Duckencoder to turn your script into an inject.bin file.
[Image: Rubber-ducky-scripts]
You can inject the payload into the firmware by running:
EmbedPayload.exe inject.bin FW.BIN
where inject.bin is your compiled Rubber Ducky script and FW.BIN is the custom firmware image.
STEP 7. Flashing the firmware onto the USB drive's controller
Once you have the burner image and the firmware, run:
DriveCom.exe /drive=[letter] /action=SendFirmware /burner=[burner] /firmware=[firmware]
where [letter] is the drive letter, [burner] is the name of the burner image, and [firmware] is the name of the firmware image.
The steps above are the method for creating a BADUSB, and this USB device can be used for ethical hacking and penetration testing. You can also create BADSD SD cards, usable in phones and tablets. The following video shows security solutions researchers demonstrating how to modify the firmware of an SD card and inject malware into it.
Video: https://www.youtube.com/embed/r3GDPwIuRKI
1.2 USB Rubber Ducky - UKI (USB Key Injector)
Instead of creating your own USB firmware you can also buy ready-made devices such as the USB Rubber Ducky or a UKI (USB Key Injector). You can learn more about the USB Key Injector and the USB Rubber Ducky in the International Institute of Cyber Security's computer security training.
[Image: USB-key-injector]
1.3 Teensy microcontroller board
Using a Teensy microcontroller board with various software to mimic HID devices is the more traditional method. You can learn more about Teensy in the ethical hacking training.
[Image: Teensy-USB]
2. GHOST USB Malware
This is like normal malware, but it only runs on USB devices; once inside a computer it performs no activity. Criminals use this method to reach isolated networks that are not accessible through the Internet. The most recently discovered malware of this type was FLAME. In the case of Flame, the malware created a folder that a Windows PC could not see, hiding the malware and the stolen user documents, security solutions experts say. This opened up the possibility of people unknowingly carrying Flame from PC to PC. Ghost USB malware is effective in isolated networks, where a lot of confidential information resides, because portable storage devices are typically used to transfer data between the computers of such networks.
Flame can spread to other systems via a local area network (LAN) or through a USB drive. It can record audio, screen contents, keyboard activity and network traffic. The program also records Skype conversations and can turn infected computers into Bluetooth transmitters, attempting to download information from nearby Bluetooth-enabled devices. This data, together with locally stored documents, is sent to one of several command-and-control servers belonging to the hackers, and the malware can then receive new instructions from those servers.
[Image: flame-USB-malware]
Prevention measures
How to protect against BADUSB and USB Rubber Ducky type devices
According to Taylor Reed, a nuclear plant security solutions expert at iicybersecurity, you can take the following steps.
- Connect only USB devices from vendors you know and trust. For critical infrastructure such as power plants and oil platforms, use devices whose firmware is signed and secured by the vendor, so that if someone tries to tamper with the firmware the device will not function.
- Keep your anti-malware program updated. It will not scan the firmware, but it should detect the BadUSB trying to install or run malware.
- Implement security solutions in advance that monitor the use of devices connected to your computers, so that any additional USB keyboard is locked.
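As an added illustration of the last two points, and of the HID trust problem described in section 1 (this is example code written for this page, not code from the article or from any vendor it mentions), the following Python sketch evaluates simulated USB enumeration events against a default-deny policy: a device must be on a vendor/product allowlist, a storage device that also presents a keyboard or network interface is refused, and any keyboard beyond the first is locked out. The VID/PID values and the allowlist are constructed placeholders, and the event fields stand in for the attributes a host reads from the device's descriptors (idVendor, idProduct, bInterfaceClass, bInterfaceProtocol).

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# USB interface class codes (USB-IF defined values)
CLASS_CDC_COMM = 0x02       # communications class, used by USB network adapters
CLASS_HID = 0x03            # human interface devices: keyboards, mice
CLASS_MASS_STORAGE = 0x08   # flash drives
CLASS_VIDEO = 0x0E          # webcams

# HID boot interface protocol values (bInterfaceProtocol)
HID_PROTOCOL_KEYBOARD = 1
HID_PROTOCOL_MOUSE = 2


@dataclass
class UsbDevice:
    """One enumeration event, carrying the descriptor fields a host policy inspects."""
    vid: int
    pid: int
    interface_classes: List[int]        # one bInterfaceClass per interface
    hid_protocol: int = 0               # bInterfaceProtocol of the HID interface, 0 if none
    label: str = ""


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


class UsbPolicy:
    """Default-deny USB policy for a workstation on an isolated network."""

    def __init__(self, allowlist: Set[Tuple[int, int]]):
        self.allowlist = set(allowlist)
        self.keyboards_attached = 0

    def evaluate(self, dev: UsbDevice) -> Decision:
        reasons = []
        classes = set(dev.interface_classes)
        is_keyboard = CLASS_HID in classes and dev.hid_protocol == HID_PROTOCOL_KEYBOARD

        # 1. Only vetted vendor/model pairs are allowed at all.
        if (dev.vid, dev.pid) not in self.allowlist:
            reasons.append(f"{dev.vid:04x}:{dev.pid:04x} is not on the allowlist")

        # 2. A flash drive has no business presenting a keyboard or a network card:
        #    that combination is what reprogrammed controller firmware produces.
        if CLASS_MASS_STORAGE in classes and classes & {CLASS_HID, CLASS_CDC_COMM}:
            reasons.append("storage device also presents a keyboard/network interface")

        # 3. One keyboard is enough; any additional keyboard is locked out.
        if is_keyboard and self.keyboards_attached >= 1:
            reasons.append("additional keyboard while one is already attached")

        decision = Decision(allow=not reasons, reasons=reasons)
        if decision.allow and is_keyboard:
            self.keyboards_attached += 1
        return decision


# Constructed allowlist: placeholder vendor/product IDs, not real vendors.
ALLOWLIST = {(0x1234, 0x0001), (0x1234, 0x0002), (0x5678, 0x0100)}

# Constructed enumeration sequence on one workstation.
EVENTS = [
    UsbDevice(0x1234, 0x0001, [CLASS_HID], HID_PROTOCOL_KEYBOARD, "issued keyboard"),
    UsbDevice(0x1234, 0x0002, [CLASS_MASS_STORAGE], 0, "vetted flash drive"),
    UsbDevice(0x1234, 0x0002, [CLASS_MASS_STORAGE, CLASS_HID], HID_PROTOCOL_KEYBOARD,
              "flash drive that also types"),
    UsbDevice(0x5678, 0x0100, [CLASS_HID], HID_PROTOCOL_KEYBOARD, "second keyboard"),
    UsbDevice(0x9999, 0x0001, [CLASS_MASS_STORAGE, CLASS_CDC_COMM], 0,
              "unknown drive with network interface"),
]


def run_policy(events=EVENTS, allowlist=ALLOWLIST) -> List[Decision]:
    """Apply the policy to a sequence of events in order; keyboard count carries over."""
    policy = UsbPolicy(allowlist)
    return [policy.evaluate(dev) for dev in events]


if __name__ == "__main__":
    for dev, decision in zip(EVENTS, run_policy()):
        verdict = "ALLOW" if decision.allow else "BLOCK"
        print(f"{verdict:5} {dev.label}: {'; '.join(decision.reasons) or 'ok'}")
```

Of the three checks, the allowlist is the weakest on its own, because the firmware decides what idVendor and idProduct the drive reports; the composite-interface and extra-keyboard checks catch the behaviour the article describes regardless of the identity the device claims. On a real host the same logic would be fed by the USB subsystem's device-attach events rather than by the constructed list.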
How to protect against GHOST USB malware
- Keep your anti-malware program updated.
- Use the Ghost USB honeypot. Ghost is a honeypot for detecting malware that spreads through USB devices.
- Currently the honeypot is compatible with Windows XP and Windows 7. It works as follows: Ghost first emulates a USB flash drive. If the malware identifies it as a USB flash drive, it is tricked into infecting it. Ghost then looks for applications writing to the emulated drive, which is an indication of malware. You can learn more about the Ghost USB honeypot in the ethical hacking training.
[Image: Ghost-honeypot]
USB malware is very dangerous, and immediate measures should be implemented to secure the infrastructure with the help of computer security experts.
Source:
https://webimprints.wordpress.com/2015/07/29/how-can-hacker-hack-into-nuclear-reactors-isolated-networks/