SecPro #23: How to Pentest ICS Environments, Cryptojacking
In today’s issue:
- How to Pentest ICS Environments
- What is Cryptojacking?
- Recent Security Issues
- Secret Knowledge: Building Your Security Arsenal
How to Pentest ICS Environments
By Pascal Ackerman
Industrial Control Systems (ICS) are easy targets for attackers. By design, an ICS is meant to be open in nature, easily accessible to the people working with it, and to leave little in the way of barriers for systems to interconnect. This open nature often introduces common weaknesses in the system, such as the following:
- Default or easy-to-guess passwords (if passwords are defined at all)
- Default system configurations that allow us to easily connect to/share/access resources
- User and process privileges that allow too much system access
- Lacking or missing security controls
Additionally, because security was not a design consideration for ICS or its components, security controls such as encryption; authentication, authorization, and accounting (AAA); and logging are typically non-existent out of the box and difficult or impossible to add after the fact.
The typical risk categories found in most ICS environments are:
- Denial of service attacks: By far the biggest risk to the ICS is denial of service (DoS) attacks (uptime and availability are the main focus of an ICS). DoS attacks are based on overloading target resources to the point where legitimate users can no longer interact with the target system.
- Physical security: Physical security remains an often forgotten part of ICS (cyber)security. However, the truth is that if an attacker makes it into the ICS environment, there is no end to the harm they can do.
- Vulnerabilities in outdated OSs, software, PLC/IO/controller firmware, and the applications that run the ICS processes (think HMI/PLC programs).
- Malware: Along the lines of the previous risk category, malware is devastating to the ICS environment. Not only can malware thrive in the ICS’s unpatched network infrastructure, but it will also cause significant damage while running rampant.
- Sniffing: Guessing and cracking of passwords.
- Social engineering.
Pentest ICS Environments: Modeling Pentests around the ICS Kill Chain
ICS environments are ideal targets for attackers with inherent risks associated with the uniqueness of the ICS environment. Because of these unique characteristics and the architecture of ICS environments, serious attackers will follow a unique approach to attack the industrial network (kill chain). Therefore it makes sense to model a pentest around this unique attack approach.
The ICS Cyber Kill Chain
Due to its unique features and deployment, ICS requires considerable knowledge about the target’s industry – the ICS environment – to be able to carry out a successful attack. These unique challenges of an industrial control system require the attacker to avoid interfering with the multitude of sensors and controls and automation devices while performing the attack.
To put these unique challenges into perspective, the SANS Institute published a report that adapts the Cyber Kill Chain to industrial control system environments. This report expands upon the original Intrusion Kill Chain stages. The following diagram shows the first phase of the ICS Kill Chain:
When the attacker has successfully compromised the target, phase 1 of the ICS cyber attack is considered complete. The attack will continue with the second phase. In the second phase, the knowledge that was collected during the first phase of the attack is used to prepare the attack on the ICS environment. You can read the complete SANS report here.
How to Perform an ICS-Centric Pentest
Just like a red team assessment, we need to prepare for the engagement. Details such as scope, timelines, allowed attack methods, and logistics such as target asset information, engagement deliverables, and any restrictions on when the pentest activities can be performed should be discussed, detailed, and written down in a contract to avoid any misconceptions.
Setting up the Test Environment
For this exercise, we will be setting up a test environment that covers all the systems and equipment for the entire ICS environment of (example) Company Z. The only time we will not be using this test environment is when we are performing the first step – attacking the enterprise environment of the engagement. Unless explicitly denied, a comprehensive (ICS) penetration test should reveal any vulnerabilities (and their exploitability) that can be discovered on the public IP subnet of the target.
Let’s start the pentest engagement activities by discussing attacking the enterprise environment.
Pentest Engagement Step 1 – Attacking the Enterprise Environment
The first two steps of the ICS penetration testing exercise are synonymous with the first phase of the ICS Cyber Kill Chain: we want to get into the target’s industrial network.
Shodan Public Subnet Assessment
Performing a Shodan assessment that reveals details for your publicly exposed systems is something that should be performed regularly, to verify that you are not accidentally exposing some internal system to the outside world, with all the consequences of doing so. Follow these steps to perform a Shodan assessment for your (company’s) public IP address range:
1. First, we must find our public IP address range. For this, we must simply visit https://ipinfo.io from a client on the company network:
Disclaimer: Do not perform scanning or pentesting on systems or networks which you don’t own or don’t have legal permissions to do so. Such actions are both intrusive and illegal without proper permission.
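To illustrate the kind of check the Shodan assessment above supports, here is an added example (not from the original article) that triages exposure records for a public range you own. The records are constructed, with field names modelled on Shodan banner fields (`ip_str`, `port`, `transport`, `product`); the port lists and severity labels are assumptions chosen for this sketch.

```python
import ipaddress

# Ports commonly assigned to industrial protocols.
ICS_PORTS = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}
# Remote-access services that should rarely face the internet.
REMOTE_ACCESS_PORTS = {23: "Telnet", 3389: "RDP", 5900: "VNC"}

# Constructed sample records (documentation address ranges, not real hosts).
SAMPLE_BANNERS = [
    {"ip_str": "203.0.113.10", "port": 443, "transport": "tcp", "product": "nginx"},
    {"ip_str": "203.0.113.25", "port": 502, "transport": "tcp", "product": None},
    {"ip_str": "203.0.113.25", "port": 5900, "transport": "tcp", "product": "VNC"},
    {"ip_str": "203.0.113.40", "port": 47808, "transport": "udp", "product": None},
    {"ip_str": "198.51.100.7", "port": 502, "transport": "tcp", "product": None},
]

SEVERITY_ORDER = {"critical": 0, "high": 1}


def assess_exposure(banners, public_range):
    """Return (severity, ip, port, label) findings inside public_range, worst first."""
    net = ipaddress.ip_network(public_range)
    findings = []
    for banner in banners:
        ip = ipaddress.ip_address(banner["ip_str"])
        if ip not in net:
            continue  # outside the range we own, so out of scope
        port = banner["port"]
        if port in ICS_PORTS:
            findings.append(("critical", str(ip), port, ICS_PORTS[port]))
        elif port in REMOTE_ACCESS_PORTS:
            findings.append(("high", str(ip), port, REMOTE_ACCESS_PORTS[port]))
    return sorted(
        findings,
        key=lambda f: (SEVERITY_ORDER[f[0]], ipaddress.ip_address(f[1]), f[2]),
    )


if __name__ == "__main__":
    for sev, ip, port, label in assess_exposure(SAMPLE_BANNERS, "203.0.113.0/24"):
        print(f"{sev:8} {ip}:{port} {label}")
```

Any industrial protocol answering on a public address is worth tracing back to the firewall or NAT rule that exposes it, since these protocols generally lack authentication.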
What is Cryptojacking?
By Austin Miller
- Cryptojacking is sometimes referred to as nuisance malware because it works in the background and has few side effects aside from a slower computer. But this misses the point – an adversary can’t mine for cryptocurrency on your system unless there has already been a security breach.
- Not only does cryptojacking mean that your system and potentially your network has been compromised, but it also means that your devices are probably infected by other forms of malware. This could include a Trojan or RAT, allowing the adversary to control your devices in a botnet.
Although Satoshi Nakamoto wanted cryptocurrencies to change the world, he never could have foreseen the rise of cryptojacking and the criminal uses of crypto in recent years.
Cybercriminals who once relied on ransomware to extort victims are adopting cryptojacking as their modus operandi. Difficult to detect and a cybersecurity nightmare, cryptojacking is carving out a niche in the threat landscape; now, a victim’s data isn’t the only thing worth stealing.
But why have they changed their tactics? First, we need to know what cryptojacking is and how it works.
How Does Cryptojacking Work?
Cryptojacking works by injecting cryptojacking scripts such as PowerShell/CoinMiner onto an unsuspecting victim’s computer to siphon off the computing power and mine cryptocurrency remotely.
These scripts then take up spare resources to mine for cryptocurrency. This leads to high levels of CPU usage and performance issues, two indicators that there is crypto mining malware on your system.
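The CPU indicator described above can be turned into a simple triage check. This added example (not part of the original article) flags processes whose CPU usage stays high across consecutive samples while ignoring short bursts; the process names, sample data, threshold and run length are all constructed assumptions.

```python
from collections import defaultdict

# Constructed samples: (minute, process name, CPU percent), one reading per minute.
SAMPLES = (
    [(m, "svc-helper", 94.0) for m in range(10)]                     # sustained load
    + [(m, "compiler", 96.0 if m < 3 else 8.0) for m in range(10)]  # short burst
    + [(m, "browser", 30.0) for m in range(10)]                     # normal use
)


def sustained_high_cpu(samples, threshold=80.0, min_run=5):
    """Return {process: longest_run} for processes at or above threshold
    for at least min_run consecutive one-minute samples."""
    by_proc = defaultdict(list)
    for minute, name, cpu in samples:
        by_proc[name].append((minute, cpu))

    flagged = {}
    for name, readings in by_proc.items():
        readings.sort()
        longest = run = 0
        prev_minute = None
        for minute, cpu in readings:
            contiguous = prev_minute is not None and minute == prev_minute + 1
            if cpu >= threshold:
                # Extend the run only if the previous minute was also high.
                run = run + 1 if (contiguous and run) else 1
            else:
                run = 0
            longest = max(longest, run)
            prev_minute = minute
        if longest >= min_run:
            flagged[name] = longest
    return flagged


if __name__ == "__main__":
    for name, run in sustained_high_cpu(SAMPLES).items():
        print(f"{name}: at or above threshold for {run} consecutive minutes")
```

Legitimate workloads such as builds, renders and backups also hold the CPU high, so treat a hit as a prompt to check what the process is and where it came from, not as proof of mining.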
How Does Cryptojacking Make Money?
Think of it like the Salami Embezzlement Technique urban legend – hackers access systems and skim off a percentage of computing power, which potentially goes unnoticed by the victim.
But how do these scripts gain access to a system? There are three common ways, each very different in its approach and potential for cryptomining.
Three Ways To Illegally Mine Cryptocurrency
File-based cryptojacking is when cryptojacking malware is downloaded to the computer, generally via a link in an email or as a file that starts an executable.
Email is the most common transmission method; phishing campaigns just need one click to successfully infiltrate a network, so a hacker could spam a malicious link to a selection of employees in a spear-phishing campaign to gain access.
Browser-based cryptojacking uses the web browser as the attack vector, which makes this type of malicious code to mine cryptocurrencies especially difficult to find.
Cloud-based cryptojacking is the most difficult type of attack to mitigate. By accessing a company’s cloud through APIs, adversaries launch a cryptojacking attack that spins up computing resources to allow large-scale cryptomining operations while the malware goes unnoticed.
Because cryptomining needs a lot of computer processing power, cloud resources are quickly expended. This creates a huge bill for the infected company which possibly hasn’t noticed the elusive scripts as they secretly mine in the background.
Why are Cybercriminals Turning to Cryptojacking?
While ransomware was the big money spinner for cybercriminals (including throughout 2021 – a 93% increase over 2020), malicious cryptomining code is becoming more common. Packaging mining malware with other more disruptive threat factors such as ransomware or a worm is also becoming the cybercriminal industry standard.
Although ransomware has proven very successful in extorting money from enterprise-level businesses, illicit cryptomining helps threat actors monetize even the smallest infection.
Unlike intrusive infections such as ransomware or adware, crypto hacking software can go unnoticed by even the most talented security professionals. When systems are compromised, it can be weeks or months until the infamously elusive Bitcoin or Monero mining scripts are found. This is what leads to so many successful cryptomining attacks.
Want to Know More?
Check out further reading resources:
- Defending against cryptojacking with Microsoft Defender for Endpoint and Intel TDT
- A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted Wealth
- Why Cryptomining Malware Is a Harbinger of Future Attacks
Recent Security Issues
- Russia-based hacking group REvil (Ransomware Evil; also known as Sodinokibi) was hacked by the Feds and a multi-country operation and was forced to go offline, according to three US-based cyber security experts. In a cybercrime forum, a gang member, “0_ne day”, mentioned that “REvil’s servers had been hacked by an unnamed party” and said that they had been restored from their backup. The tables have finally turned on the ransomware group!
- YouTube content creators have been targeted by threat actors seeking financial rewards through phishing malware. Google’s Threat Analysis Group (TAG) found that this was executed by hack-for-hire actors. It seemed like they used social engineering techniques by creating a fake landing page and redirecting the users to malicious sites to steal user-specific information based on their preferences. About 1101 domains were associated with this kind of attack, and 15,000 threat actor accounts were created exclusively to deliver phishing emails.
- Acer has been attacked twice within a week. The threat actors, “Desorden”, previously emailed journalists stating that they had captured Acer’s infrastructure and taken hold of 60GB of consumer information. Acer later confirmed that it was an “isolated attack” that affected only after-sales service units across India. Right after Acer’s statement, the Desorden group again reached out to the media with the corrupted personal information of employees belonging to Acer’s Taiwan Services!
Secret Knowledge: Building Your Security Arsenal
Discover useful security resources, cheatsheets, hacks, and open-source CLI/web tools.
- ImpulsiveDLLHijack: It’s a C# based tool that is designed to automate the process of discovering and exploiting DLL Hijacks in target binaries.
- red-team-scripts: This is an exclusive repo collection of Red Team-focused tools, scripts, and notes.
- RedTeam-OffensiveSecurity: Productive set of tools & Interesting hacks for Red Team Ops.
- RedELK: Also known as the Red Team’s SIEM – a tool designed for Red Teams to track and create alarms on Blue Team activities, and it comes with better performance and usability.
- Nikto2 – web server scanner which performs comprehensive tests against web servers for multiple items.
- BillCipher – information gathering tool for a website or IP address.
- LeakLooker – find open databases – powered by Binaryedge.io.
- routersploit – exploitation framework for embedded devices.
- Lockdoor-Framework – This is a Penetration Testing framework with cybersecurity resources.
- Python-Honeypot – OWASP Honeypot, automated deception framework.
- XSScope – XSScope is one of the most powerful and advanced GUI frameworks for modern browser exploitations via XSS.
- kubernetes-external-secrets – It helps in integrating external secret management systems with Kubernetes.
- awslabs/git-secrets – It helps in preventing you from committing secrets and credentials into git repositories.
- bitnami-labs/sealed-secrets – This is a Kubernetes controller and tool for one-way encrypted secrets.
The SecPro is a weekly security newsletter to help you stay sharp and upgrade your skills with trending threat insights, practical tutorials, hands-on labs, and useful resources. Build skills in as little as 10 minutes.