Monday, September 1, 2014
STUXNET: ANATOMY OF A CYBER WEAPON
This is the first of a focused, two-part discussion of the threats and challenges involved in cyber security. The exploration of cyber threats and challenges is conducted using the Stuxnet attack as a lens. The following post picks up with an allegorical analysis of the cyber threat posed by nation-state attacks as well as ideas about how information systems can be built so that they are less tempting targets.
Stuxnet is widely described as the first cyber weapon. In fact, Stuxnet was the culmination of an orchestrated campaign that employed an array of cyber weapons to achieve destructive effects against a specific industrial target. This piece explores Stuxnet’s technology, its behavior and how it was used to execute a cyber-campaign against the Iranian uranium enrichment program. This discussion will continue in a subsequent post describing an orthogonal view on the art and practice of security – one that proposes addressing security as a design-time concern with runtime impacts.
Stuxnet, discovered in June 2010, is a computer worm that was designed to attack industrial programmable logic controllers (PLCs). PLCs automate electromechanical processes such as those used to control machinery on factory assembly lines, amusement park rides, or, in Stuxnet’s case, centrifuges for separating nuclear material. Stuxnet’s impact was significant; forensic analyses conclude that it may have damaged or destroyed as many as 1,000 centrifuges at the Iranian nuclear enrichment facility located in Natanz. Moreover, Stuxnet was not successfully contained; it has been “in the wild” and has appeared in several other countries, most notably Russia.
There are many aspects of the Stuxnet story, including who developed and deployed it and why. While recent events seem to have definitively solved the attribution puzzle, Stuxnet’s operation and technology remain both clever and fascinating.
A Stuxnet attack begins with a USB flash drive infected with the worm. Why a flash drive? Because the targeted networks are not usually connected to the internet. These networks have an “air gap” physically separating them from the internet for security purposes. That being said, USB drives don’t insert themselves into computers. The essential transmission mechanism for the virus is, therefore, biological: a user.
I’m tempted to use the word “clueless” to describe such a user, but that wouldn’t be fair. Most of us carbon-based, hominid, bipedal Terran life forms are inherently entropic – we’re hard-wired to seek the greatest return for the least amount of effort. In the case of a shiny new flash drive that’s just fallen into one’s lap, the first thing we’re inclined to do is to shove it into the nearest USB port to see what it contains. And if that port just happens to be on your work computer, on an air-gapped network... well, you get the picture.
It’s now that Stuxnet goes to work, bypassing both the operating system’s (OS) inherent security measures and any anti-virus software that may be present. Upon interrogation by the OS, it presents itself as a legitimate auto-run file. Legitimacy, in the digital world, is conferred by means of a digital certificate. A digital certificate (or identity certificate) is an electronic cryptographic document used to prove identity or legitimacy. The certificate includes information about a public cryptographic key, information about its owner's identity, and the digital signature of an entity that has verified that the certificate's contents are correct. If the signature is valid, and the person or system examining the certificate trusts the signer, then it is assumed that the public cryptographic key, or software signed with that key, is safe for use.
Stuxnet proffers a stolen digital certificate to prove its trustworthiness. Now vetted, the worm begins its own interrogation of the host system: Stuxnet confirms that the OS is a compatible version of Microsoft Windows and, if an anti-virus program is present, whether it is one that Stuxnet’s designers had previously compromised. Upon receiving positive confirmation, Stuxnet downloads itself into the target computer.
It drops two files into the computer’s memory. One of the files requests a download of the main Stuxnet archive file, while the other sets about camouflaging Stuxnet’s presence using a number of techniques, including modifying file creation and modification times to blend in with the surrounding system files and altering the Windows registry to ensure that the required Stuxnet files run on startup. Once the archived file is downloaded, the Stuxnet worm unwraps itself to its full, executable form.
Meanwhile, the original Stuxnet infection is still on the USB flash drive. After successfully infecting three separate computers, it commits “security suicide.” That is, like a secret agent taking cyanide to ensure that she can’t be tortured to reveal her secrets, Stuxnet deletes itself from the flash drive to frustrate the efforts of malware analysts.
Internally to the target computer, Stuxnet has been busy. It uses its rootkit to modify, and become part of, the OS. Stuxnet is now indistinguishable from Windows; it’s become part of the computer’s DNA. It’s now that Stuxnet becomes a detective, exploring the computer and looking for certain files. Specifically, Stuxnet is looking for industrial control system (ICS) software created by Siemens called Simatic PCS7 or Step 7 running on a Siemens Simatic Field PG notebook (a Windows-based system dedicated for ICS use).
The problem facing Stuxnet at this point is that a computer can contain millions, if not tens of millions, of files, and finding the right Step 7 file is a bit like looking for a needle in a haystack. In order to systematize the search, Stuxnet needs to find a way to travel around the file system as it conducts its stealthy reconnaissance. It does this by attaching itself to a very specific kind of process: one that is trusted at the highest levels by the OS and that looks at every single file on the computer. Something like...
...the scan process used by anti-virus software. (In the attack on the facility in Natanz, Stuxnet compromised and used the scan processes from leading anti-virus programs; it’s worth noting that all of the companies whose products were compromised have long since remedied the vulnerabilities that Stuxnet exploited.) Along the way, Stuxnet compromises every comparable process it comes across, pervading the computer’s memory and exploiting every resource available to execute the search.
All the while, Stuxnet is constantly executing housekeeping functions. When two Stuxnet worms meet, they compare version numbers, and the earlier version deletes itself from the system. Stuxnet also continuously evaluates its system permissions and access level. If it finds that it does not have sufficient privileges, it uses a previously unknown system vulnerability (such a thing is called a “Zero-Day,” and will be discussed below) to grant itself the highest administrative privileges and rights. If a local area network (LAN) connection is available, Stuxnet will communicate with Stuxnet worms on other computers and exchange updates – ensuring that the entire Stuxnet cohort running within the LAN is the most virulent and capable version. If an Internet connection is found, Stuxnet reaches back to its command and control (C2) servers and uploads information about the infected computers, including their internet protocol (IP) addresses, OS types and whether or not Step 7 software has been found.
As noted earlier, Stuxnet relied on four Zero-Day vulnerabilities to conduct its attacks. Zero-Days are of particular interest to hacker communities: since they’re unknown, they are by definition almost impossible to defend against. Stuxnet’s four Zero-Days included:
- The Microsoft Windows shortcut automatic file execution vulnerability which allowed the worm to spread through removable flash drives;
- A print spooler remote code execution vulnerability; and
- TWO different privilege escalation vulnerabilities.
Once Stuxnet finds Step 7 software, it patiently waits and listens until a connection to a PLC is made. When Stuxnet detects the connection, it penetrates the PLC and begins to wreak all sorts of havoc. The code controlling frequency converters is modified and Stuxnet takes control of the converter drives. What’s of great interest is Stuxnet’s method of camouflaging its control.
Remember the scene in Mission Impossible, Ocean’s 11 and just about every other heist movie where the spies and/or thieves insert a video clip into the surveillance system? They’re busy emptying the vault, but the hapless guard monitoring the video feed only sees undisturbed safe contents. Stuxnet turned this little bit of fiction into reality. Reporting signals sent by the PLC that indicate abnormal behavior are intercepted by Stuxnet, and in their place signals indicating nominal, normal behavior are sent to the monitoring software on the control computer.
Stuxnet is now in the position to effect a physical attack against the gas centrifuges. To understand the attack it’s important to understand that centrifuges work by spinning at very high speeds and that maintaining these speeds within tolerance is critical to their safe operation. Typically, gas centrifuges used to enrich uranium operate at between 807 Hz and 1,210 Hz, with 1,064 Hz as a generally accepted standard.
Stuxnet used the infected PLCs to cause the centrifuge rotors to spin at 1,410 Hz for short periods of time over a 27-day period. At the end of the period, Stuxnet would cause the rotor speed to drop to 2 Hz for fifty minutes at a time. Then the cycle repeated. The result was that over time the centrifuge rotors became unbalanced, the motors wore out and, in the worst cases, the centrifuges failed violently.
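As an added example that is not part of the original post, here is the kind of out-of-band plausibility monitor that would expose both behaviors just described: telemetry that merely replays recorded "nominal" readings, and rotor speeds outside the 807–1,210 Hz envelope. It assumes an independent tachometer feed exists alongside the PLC-reported values; the sample readings and thresholds are constructed.

```python
"""Out-of-band plausibility monitor for centrifuge drive telemetry (constructed example)."""
from statistics import pvariance

OPERATING_BAND = (807.0, 1210.0)  # Hz, the band the post gives for enrichment centrifuges

def envelope_alerts(measured, band=OPERATING_BAND):
    """Indices where an independent tachometer reading leaves the operating band."""
    lo, hi = band
    return [i for i, f in enumerate(measured) if not lo <= f <= hi]

def replay_alerts(reported, window=8, min_var=0.05):
    """Flag PLC-reported windows that exactly repeat an earlier window (a replay of
    recorded 'nominal' data) or that are flatter than real sensor noise allows."""
    alerts, seen = [], {}
    for start in range(0, len(reported) - window + 1, window):
        chunk = tuple(round(x, 3) for x in reported[start:start + window])
        if chunk in seen:
            alerts.append((start, "replay of window at %d" % seen[chunk]))
        elif pvariance(chunk) < min_var:
            alerts.append((start, "variance too low"))
        else:
            seen[chunk] = start
    return alerts

def divergence_alerts(reported, measured, tol_hz=25.0):
    """Indices where the PLC-reported value disagrees with the independent reading."""
    return [i for i, (r, m) in enumerate(zip(reported, measured)) if abs(r - m) > tol_hz]

def run_checks(reported, measured):
    """Combine the three checks into one report for an operator or SIEM."""
    return {
        "out_of_band": envelope_alerts(measured),
        "replayed": replay_alerts(reported),
        "diverging": divergence_alerts(reported, measured),
    }

# Constructed sample: eight readings around the 1,064 Hz nominal, then the two
# attack phases the post describes (overspeed to ~1,410 Hz, crawl to ~2 Hz).
NORMAL = [1064.2, 1063.7, 1064.9, 1063.1, 1064.4, 1065.0, 1063.5, 1064.1]
OVERSPEED = [1409.6, 1410.3, 1410.0, 1409.8, 1410.5, 1409.9, 1410.2, 1410.1]
CRAWL = [2.1, 1.9, 2.0, 2.2, 1.8, 2.0, 2.1, 1.9]
MEASURED = NORMAL + OVERSPEED + CRAWL      # what an independent tachometer sees
REPORTED = NORMAL + NORMAL + NORMAL        # what the compromised PLC reports back

if __name__ == "__main__":
    for name, hits in run_checks(REPORTED, MEASURED).items():
        print(name, hits)
```

The replay check only catches exact repeats and flat signals; a real deployment would compare against the physics of the drive (acceleration limits, power draw) rather than trust any single reported channel.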
Stuxnet destroyed as much as twenty percent of the Iranian uranium enrichment capacity. There are two really fascinating lessons that can be learned from the Stuxnet story. The first is that cyber-attacks can and will have effects in the kinetic and/or physical realm. Power grids, water purification facilities and other utilities are prime targets for such attacks. The second is that within the current design and implementation paradigms by which software is created and deployed, if a bad actor with the resources of a nation-state wants to ruin your cyber-day, your day is pretty much going to be ruined.
But that assumes that we maintain the current paradigm of software development and deployment. In my next post I’ll discuss ways to break the current paradigm and the implications for agile, resilient systems that can go into harm’s way, sustain a cyber-hit and continue to perform their missions.