
Buying and Selling SCADA Zero-Days

November 2, 2015, by Pierluigi Paganini

Current scenario

How much is a zero-day for an industrial control system? Where is it possible to buy them and who are the main buyers of these commodities?

I can tell you that there is no single answer to the above questions, but first of all let us try to understand the current scenario and the reason why zero-day exploits are considered precious commodities in the underground.


In August 2015, ICS-CERT published six advisories to warn organizations about the presence of zero-day flaws in SCADA systems. Aditya K. Sood, a security researcher at Elastica, disclosed at the Def Con 2015 conference several vulnerabilities affecting human machine interfaces (HMI) of SCADA systems.

The flaws discovered by Sood are very common in such systems. They include remote and local file inclusion vulnerabilities, insecure authentication mechanisms, hardcoded credentials, weak crypto, weak password hashing, and cross-site request forgery (CSRF). Sood highlighted that most of the flaws he discovered affect HMI modules developed by various manufacturers, including Moxa, Prisma, KACO, Rockwell Automation, Schneider Electric, and Siemens.

ICS-CERT promptly issued alerts for the vulnerabilities because the affected products are widely adopted in many industries and a cyber-attack exploiting them could cause serious damage.

ICS-CERT also provided recommendations to prevent unauthorized access to SCADA systems. For example, it recommended using a VPN to secure remote connections to the control systems.

Unfortunately, many SCADA and ICS systems used in critical infrastructure were designed to operate in isolated networks without security in mind, but today's connected industrial environments demand a new approach.

A report recently published by Dell, the Dell Annual Threat Report, revealed a 100 percent increase compared with 2014 in the number of attacks on supervisory control and data acquisition (SCADA) systems.

The report highlighted another disconcerting aspect of SCADA security: the majority of incidents involving SCADA systems are not reported. This means that information about attacks is not shared, to the attackers' advantage. The experts confirmed that in most cases the threat actors were politically motivated APT groups.

"Attacks against SCADA systems are on the rise, and tend to be political in nature as they target operational capabilities within power plants, factories, and refineries," the researchers explained. "We saw worldwide SCADA attacks increase from 91,676 in January 2012 to 163,228 in January 2013, and 675,186 in January 2014."

The countries with the greatest number of attacks are Finland, the United Kingdom, and the United States, where online SCADA systems are widespread.

"In 2014, Dell saw 202,322 SCADA attacks in Finland, 69,656 in the UK, and 51,258 in the US," continues the report.

Most of the attacks exploited buffer overflow vulnerabilities in SCADA systems (25%); lack of input validation (9%) and information exposure (9%) were the other principal causes of the attacks.

Figure 1 - Key SCADA attack methods (Dell Report 2015)

Security experts expect the number of attacks to continue to increase in the coming years.

"This lack of information sharing combined with the vulnerability of industrial machinery due to its advanced age means that we can likely expect more SCADA attacks to occur in the coming months and years," states the report.

ICS-CERT responded to 245 incidents in Fiscal Year 2014. More than half of the incidents reported by asset owners and industry partners involved sophisticated APT actors. The attackers used a wide range of methods in attempting to compromise control systems infrastructure, including the following:

Figure 2 - Attack methods 2014 attacks (ICS-CERT Report)

The principal problem for the experts who analyzed attacks against critical infrastructure is the difficulty of attributing them to threat actors. In many cases, these attacks stay under the radar for years because of the high level of sophistication of the Tactics, Techniques, and Procedures (TTPs) used.

For 38 percent of the reported incidents, the victims were able to identify neither the threat actors nor the attack vector used by the attackers.

"Many more incidents occur in critical infrastructure that go unreported," states the ICS-CERT Monitor report. It adds that "forensic evidence did not point to a method used for intrusion because of a lack of detection and monitoring capabilities within the compromised network."

The data presented demonstrates that the number of attacks against SCADA and ICS systems is increasing and that nation-state groups appear to be the main threat to these systems.

Summarizing, we have a scenario characterized by an increasing number of cyber attacks against SCADA systems that in many cases are vulnerable because of a lack of security by design. The attackers are mainly state-sponsored hackers, which means they are usually well funded.

These elements lead me to believe that this category of threat actors is very interested in acquiring zero-day exploits specifically designed to hit SCADA and ICS systems.

Zero-day prices

Zero-day knowledge is a crucial factor in a cyber-attack. The exploitation of previously unknown vulnerabilities is a prerogative of well-funded hacking groups such as nation-state actors.

Zero-day exploits are precious commodities in the underground economy. Intelligence agencies are the primary buyers in the growing zero-day exploit market. This market is very prolific: a growing number of companies sell zero-day exploits to governments. In 2013, it was estimated that this market was able to offer 85 exploits per day, an impressive number.

Where SCADA is concerned, the problem is even more dangerous. The risk that threat actors could acquire a zero-day exploit on the black market is concrete.

Governments consider cyber weapons a complement to conventional weapons. Zero-day exploits are the principal components in the design of the hacking tools that make up their cyber arsenal.

Critical infrastructures are strategic targets in the Information Warfare context. It is normal to expect that intelligence agencies are very interested in developing and purchasing zero-day exploits specifically designed to target SCADA and ICS systems. It is a shared opinion within the hacking community that knowledge of security flaws in certain industrial control systems (SCADA and ICS) widely used in critical infrastructure (e.g. nuclear power plants, electric grids) is theoretically priceless for a persistent attacker like a government.

Under specific conditions, these exploits could be used to cause serious damage with severe repercussions for the population.

How much would a government be willing to pay for hacking tools that could hit critical infrastructure? Is it possible to search for this specific kind of exploit in the underground?

The journalist Thomas Fox-Brewster of Forbes recently published an interesting article investigating the topic. Fox-Brewster, with the support of Yuriy Gurkin, CEO of the Russian company Gleg, searched for sellers of SCADA/ICS zero-days.

Gleg's product portfolio includes several "exploit packs" for Canvas, an automated exploitation system and a reliable exploit development framework for penetration testers. One of the exploit packs offered by the company, SCADA+, includes all publicly available SCADA vulnerabilities plus the company's own zero-days.

Gleg continuously updates the packs; Gurkin explained that every month his company adds one or two exclusive zero-days to them. It is clear that packages like SCADA+ could be powerful tools in an attacker's arsenal.

How much is SCADA+?

Unbelievably, the company offers it for $8,100 per year, while a Canvas license costs over $3,000 for up to 10 users. The SCADA+ pack includes exploits for industrial control systems from major manufacturers such as Siemens, Panasonic and D-Link.

Who are the buyers?

Although government agencies are the most important actors in the zero-day market, Gurkin explained that his company sells the exploit packs mainly to private companies, obviously for testing purposes.

Gurkin explained that he simply wants to "illustrate" vulnerabilities and their risk. "We do not conduct any research aiming to control SCADA systems, we just write exploits for vulnerabilities for the Canvas framework."

Wait a moment! This last statement seems contradictory; in any case, it is at odds with the approach of the many black hat hackers who do dirty, clandestine business with governments worldwide.

The price for a zero-day depends on a number of factors, including the offensive capability of the cyber weapon that triggers the vulnerability and the nature of the potential target.

Imagine software that could take down a power grid: a threat actor could cause billions of dollars in damage to a country or paralyze its operations. Would a government really pay only $8,000 for such a "weapon"?

"Far bigger companies than Gleg do SCADA exploitation, but in more clandestine fashion. Speaking with various former employees at US government contractors and digital warfare experts, the likes of Snowden's old employer Booz Allen Hamilton, Northrop Grumman, Raytheon, Lockheed Martin and BAE have SCADA exploitation capabilities. Unsurprisingly, they keep schtum about what exactly they can do and whom they provide to," states Forbes.

The cyber security expert Drew Porter, who has deep experience in critical infrastructure protection, confirmed that in the past he used to "work at a place that would develop tools and exploits then sell what was weaponized to selective US government clients."

"We never talked about the tools when we were making them to anyone besides our clients." Porter confirmed that the essential element of a successful zero-day exploit sale is secrecy.

"Many Department of Defense contracting companies do this. Some are just better at it than others," explained Porter.

Selling zero-day packages for testing purposes allows manufacturers to rapidly fix the flaws, rendering the exploits ineffective against an updated system.

"But if you are selling an exploit pack to the public, a vendor is going to buy it and patch all their systems after they reversed your zero-day," explained Porter.

"I could be wrong, and maybe they are selling SCADA zero days for $8,000 to the public. Then again it could have been marketing who added that 'zero-days for SCADA' … because they knew it would bring more attention to it."

The fact that a growing number of companies are focusing their efforts on the search for zero-day flaws in industrial systems leads one to believe that demand for this kind of service is rapidly increasing; at the same time, these firms do not offer their packages publicly like an off-the-shelf product.

Forbes mentions several companies that currently research zero-days for SCADA systems, including ReVuln, Exodus Intelligence and Hacking Team.

Although companies such as Gleg offer SCADA exploits at low cost, this does not mean that this precious commodity is cheap. This strategy for selling zero-days makes no sense in the zero-day market, at least according to a number of professionals I reached for comment.

Gurkin is aware of this apparent contradiction; he explained that the low prices for SCADA exploits are mainly due to the low interest in them compared with bugs in popular software such as Microsoft Internet Explorer or Windows. Attackers have more opportunities to monetize exploits written for popular software than those for SCADA, for example by building a botnet for fraudulent hacking campaigns.

In the following table, the well-known hacker Raoul Chiesa reports the prices for known vulnerabilities and zero-days according to the nature of the buyers and the affected systems.

According to the expert, an exploit for a zero-day flaw affecting a SCADA system could be sold to military groups in an Information Warfare context for a price ranging from 400K up to 1M. It is interesting to note the significant difference between the prices military entities offer for zero-days and for known vulnerabilities.

Another point the table raises is the different price tags for zero-day exploits sold to criminal rings and to military entities: the prices paid by military buyers can be tenfold those paid by crooks in the underground forums.

Figure 3 - HACKING, CYBERCRIME ED UNDERGROUND ECONOMY (Raoul Chiesa 2014), translated table

The prices offered by Gurkin are far lower than the figures above; the experts justified this difference by explaining that finding SCADA flaws is very easy because such systems lack security by design.

"Finding SCADA vulnerabilities is a joke as many of these products were built without any software security in mind – that is why we do not do that."

I decided to contact an expert who spends most of his time discovering bugs in all kinds of systems, including SCADA. I asked him for a comment on the topics of SCADA zero-days and the prices of these exploits.

The expert gave me his opinion, but asked to remain anonymous because of his activities.

Me: What do you think about SCADA zero day exploits?

The Expert: It is very difficult to approach the argument because industrial systems are complex systems and present a high level of customization in terms of hardware, software, configurations and network connectivity.

It is true that there are some small companies or individuals who have PLC systems accessible via the Internet, but this does not mean that they are "critical infrastructure" and, most important, it is very hard to estimate how much damage can be caused by a cyber-attack on these systems. These systems are often also controlled through manual controls, and in most cases an attacker is not able to make arbitrary changes to configuration settings beyond specific limits.

To evaluate the cost of a zero-day we need to have a clear idea of the specific target of the attack. Evaluations and discussions can be made only about specific targets, not in general about SCADA systems.

Me: What do you think about the post published on Forbes?

The Expert: Perhaps Tom's article discussed only attacks in bulk, rather than targeted attacks through specifically designed zero-day exploits.

The article describes attacks in which threat actors use Shodan as a reconnaissance tool and, once they have discovered a range of specific IPs belonging to potential SCADA targets, try to exploit them with various techniques, including commercially available packages.

Me: What are the main problems for the security of SCADA systems?

The Expert: I think that the major problems are related to the system administration, especially the patch management, and to the design of industrial products. The lack of security by design is a serious problem; it is quite easy to discover hard-coded accounts, debugging functions still active in software and hardware components that could be exploited by hackers to compromise systems in production.

Me: What about prices of exploit packs offered by the Gleg Company?

The Expert: Gleg is free to sell its solution at any price. The final price is the company's choice. Regarding their zero-day exploits, I cannot judge them; there are dozens of industrial SCADA software products and, of course, not all have the same value. Exactly as for non-SCADA targets, an exploit can have different values depending on the specific software it affects.

Conclusions

When considering the price of a zero-day exploit we have to keep in mind the type of target and the nature of the buyers. We must distinguish zero-day attacks on generic SCADA systems from targeted zero-day attacks.

Unfortunately, attacks in bulk are very easy to conduct: the attackers just need to locate a target with tools like the Shodan search engine for internet-connected devices and run the exploit. Shodan runs an ICS Radar that scans the Internet for "protocols that provide raw, direct access to industrial control systems".

Attacks of this kind are becoming ever more frequent; for this reason it is important to carefully consider the security of any exposed industrial system … and never to generalize the discussion about hacking them!

Figure 4 - SHODAN ICS Radar

SCADA security is a pillar of the protection of critical infrastructure systems. It is important to change the approach to cyber security for such critical components in order to avoid catastrophic incidents.

Let's close, once again, with the suggestions provided by Dell's experts to protect SCADA systems from attacks:

  • Make sure all software and systems are up to date. Too often with industrial companies, systems that are not used every day remain installed and untouched as long as they are not actively causing problems. However, should an employee one day connect that system to the Internet, it could become a threat vector for SCADA attacks.
  • Make sure your network only allows connections with approved IPs.
  • Follow operational best practices for limiting exposure, such as restricting USB ports if they aren't necessary and ensuring Bluetooth is disabled.
  • In addition, reporting and sharing information about SCADA attacks can help ensure the industrial community as a whole is appropriately aware of emerging threats.

References

http://www.forbes.com/sites/thomasbrewster/2015/10/21/scada-zero-day-exploit-sales/

http://securityaffairs.co/wordpress/39402/hacking/0-day-scada-systems.html

https://software.dell.com/whitepaper/dell-network-security-threat-report-2014874708

http://securityaffairs.co/wordpress/34936/cyber-crime/ics-cert-monitor-report-apt.html

/zero-day-exploits-in-the-dark/


http://www.theinnovationgroup.it/wp-content/uploads/2014/05/20-Maggio-2014-Raoul-Chiesa-PUBLIC-1.pdf

Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field; he is a Certified Ethical Hacker at EC-Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.