Exercise 4

This is the report for the fourth series of exercises for my penetration testing course, taught by Tero Karvinen
http://terokarvinen.com/2018/penetration-testing-course-autumn-2018
The fourth assignment consists of three parts, as follows:

H4

3) Stuxnet. Read an article on Stuxnet, example Symantec or Langer. 1) How did Stuxnet hack to the computers? A general answer (what attack, on what operationg system, in which component) is enough, since the attacks are already old. 2) How did the command and control work (C2)? 3) How did Stuxnet bridge the air gap?

Assignments 1 and 2 can be found in this link (password protected, in finnish)

3)

1. Stuxnet was designed to infect only windows computer, it was compatible only with the following versions:

– Win2K
– WinXP
– Windows 2003
– Vista
– Windows Server 2008
– Windows 7
– Windows Server 2008 R2

It had a digital certificate to make it seem it comes from a reliable company, this way it tries to evade automated-detection systems and not be marked as malware.

It used zero-day vulnerabilities to get access to the target computer or by physical infection, in this case an usb stick. After the successful infection, it would try to elevate it’s privilege rights to administaror, using the same zero-day vulnerabilities it was equiped with. The computers that were targeted, ran the Siemens Step 7 engineering software, which were in contact with the target components, the Siemens Centrifuge Drive System(CDS), or the Cascade Protection System (CPS) depending on the method of harming the centrifuges. The earlier attack routine in Stuxnet was to target the CPS, the aim was to damage the centrifuge by causing centrifuge overpressure. The latter attack method was to cause centrifuge malfunction by altering the centrifuge rotation speed, that the CDS controls. The attack is intended to be gradual in both cases, not affecting all of the centrifuges in the uranium enrichment plant at once. This way it could stay more hidden and cause more damage.

2. Stuxnet was inteded to run autonomously in a network or computer with no outside access and has a limited command and control. If Stuxnet is able to get internet access, it sends some basic info of the compromised computer via http. It seems that Stuxnet could be able to have backdoor fuctionality to the infected computer, so it could download and execute arbitrary code, but no evidence supports that this has been used.

What it can do with the outside connection is update itself, it also uses a peer-to-peer updating mechanism that is able to pass the update to other infected computers that are not able to connect to the internet.

3. Stuxnet was designed to spread in a local network (LAN), or by a direct computer infection, in this case an infected portable engineering system (laptop) or a ubs stick. something that could come into direct contact with the target system or the same network that is was in.

It seems that the possible problem of an air gap between systems had been taken into account in the design, since the intelligence of the target site was well established.

How this was done, was through private contractors working on the site. Specifically contractors working within the same systems that were connected to the Siemens industrial control system . For some reason security had not considered the possibility of a threat of this magnitude from an inside employee.

References:

http://terokarvinen.com/2018/penetration-testing-course-autumn-2018

https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf

https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf