Team82
From Exploits to Forensic Evidence: Unraveling the Unitronics Attack
Noam Moshe, Claroty Research, Claroty Team82

$whoami
Noam Moshe: vulnerability researcher, mostly breaking IoT clouds. Master of Pwn, Pwn2Own ICS 2023.
*Special thanks to Claroty Team82 researchers: Sharon Brizinov, Vera Mens, Tomer Goldschmidt

So what's the sitch?
Nov 23: APT targets Unitronics PLCs
- CyberAv3ngers
- PLCs used in water facilities worldwide
Why? Fear and panic. Modern defacing, ICS style: defacing HMI screens.
How? Downloading a new project to the PLC, overriding the current logic.
Was the defacement the only thing the attackers did?

Not the First Time
Feb 22: the same attack on Israeli devices
- 1.5 years prior
- Same PLC lineup
- Attackers were not identified
- Probably the same APT: shared assets
2022 attack on Israeli parcel services

Unitronics Vision 101
- PLC + HMI in one unit; the vendor is an Israeli PLC maker
- Old PLCs: Samba and Vision series
- PCOM protocol (serial, or TCP/20256)
- Almost no security mechanisms: no encryption, "weak" authentication

"Weak" Authentication?
From the CISA advisory, they recommend:
- Change the default password
- Add a PCOM password
However... more like no authentication!
- Prior to v9.9.00: no PCOM authentication at all
- To attack you need: the EWS (VisiLogic) and the PLC's IP
[screenshot dated 4/25/23]

There are no internet-facing PLCs, right? Right?
Hundreds of Exposed Devices
- Using shodan.io: ~900 devices with PCOM exposed to the internet
- Unpatched devices have no authentication!

Real Video of the APT Attack!
[diagram: Attackers -> internet-facing PLCs]

We Were Notified of This Attack
- We began investigating
- There are no forensic tools for such a device!
- Develop new forensic tools
- Extract evidence from affected PLCs
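The two facts above that made the attack possible (PCOM reachable on TCP/20256 without encryption, and no PCOM authentication on firmware before v9.9.00) can be turned into a quick defender-side triage. The following is an added example, not code from the Team82 deck, from Claroty, or from Unitronics: it checks a constructed PLC inventory against constructed firewall log lines and ranks each PLC by whether an external host reached its PCOM port and whether its firmware predates authentication. The log-line format, the inventory, the internal address ranges and the severity scale are all assumptions made for the example.

```python
# Added example (not from the Team82 deck or from Unitronics/Claroty tooling).
# It turns two facts from the slides into a defender's triage check:
#   - PCOM is reachable over TCP/20256 (besides serial), unencrypted;
#   - firmware prior to v9.9.00 performs no PCOM authentication at all.
# The log format, the inventory and the severity scale are assumptions.
import ipaddress
import re

PCOM_TCP_PORT = 20256
PCOM_AUTH_MIN_VERSION = (9, 9, 0)  # first version with PCOM authentication (from the deck)

# Assumption: the site's own address space; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed firewall log line format (constructed for this example).
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)


def parse_version(text):
    """'v9.8.65' -> (9, 8, 65); missing or non-numeric components become 0."""
    nums = []
    for part in text.strip().lstrip("vV").split("."):
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3])


def lacks_pcom_auth(version):
    """True when the firmware predates v9.9.00 and so has no PCOM authentication."""
    return parse_version(version) < PCOM_AUTH_MIN_VERSION


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_exposed_pcom(log_lines):
    """(src, dst) pairs where an external host reached TCP/20256 on an internal PLC."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        if m["proto"].lower() != "tcp" or int(m["dport"]) != PCOM_TCP_PORT:
            continue
        if is_external(m["src"]) and not is_external(m["dst"]):
            hits.append((m["src"], m["dst"]))
    return hits


def triage(inventory, log_lines):
    """Rank PLCs: exposed + unauthenticated firmware is exactly the attackers' precondition."""
    exposed_plcs = {dst for _, dst in find_exposed_pcom(log_lines)}
    report = {}
    for plc_ip, version in inventory.items():
        exposed = plc_ip in exposed_plcs
        no_auth = lacks_pcom_auth(version)
        if exposed and no_auth:
            severity = "critical"  # reachable from the internet, no password at all
        elif exposed:
            severity = "high"      # reachable; only the (weak) PCOM password in the way
        elif no_auth:
            severity = "medium"    # not seen from outside, but anyone on the LAN can push a project
        else:
            severity = "low"
        report[plc_ip] = {"version": version, "exposed": exposed, "no_auth": no_auth, "severity": severity}
    return report


# Constructed sample data (not real devices or real log lines).
SAMPLE_INVENTORY = {"10.0.5.20": "9.8.65", "10.0.5.21": "v9.9.00", "10.0.5.22": "9.8.65"}
SAMPLE_LOGS = [
    "2023-11-25T10:01:02Z fw=edge src=203.0.113.45 dst=10.0.5.20 dport=20256 proto=tcp action=allow",
    "2023-11-25T10:01:05Z fw=edge src=10.0.7.3 dst=10.0.5.20 dport=20256 proto=tcp action=allow",
    "2023-11-25T10:02:11Z fw=edge src=198.51.100.9 dst=10.0.5.21 dport=20256 proto=tcp action=allow",
    "2023-11-25T10:02:30Z fw=edge src=198.51.100.9 dst=10.0.5.22 dport=443 proto=tcp action=allow",
]

if __name__ == "__main__":
    for ip, finding in triage(SAMPLE_INVENTORY, SAMPLE_LOGS).items():
        print(ip, finding)
```

The external/internal split is done against an explicit list of site ranges rather than `ipaddress`'s `is_global`, because the TEST-NET documentation ranges used in the sample (and some real-world carrier ranges) are not classed as global by the standard library, which would silently hide the very connections the check is meant to surface. A "critical" finding here mirrors the deck's point: an internet-reachable PLC on pre-9.9.00 firmware needs nothing but VisiLogic and an IP address to have a new project pushed onto it.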