Full Transcript


Chapter 2 – Part 2 APT – Nation-States

 Stuxnet, Duqu, and Flame are the three most famous cyber attacks that nations inflicted on other nations.
 We will focus on some of the most interesting capabilities and implications of these worms.

Stuxnet and Operation Olympic Games

 Stuxnet is a Win32 worm that targeted industrial control systems, specifically Siemens systems that are used in nuclear power plants.
 It was the first malware to be discovered in what was believed to be a series of nation-state sponsored cyber-attacks, and one of the few pieces of software that have had a very tangible impact.
 It caused the destruction of physical hardware in the form of uranium-enriching centrifuges.
 Stuxnet was originally discovered around June 2010; however, evidence of infections actually dates back to at least one year earlier, in June 2009.
 Some of the Stuxnet malware components are shown in Figure 2-3, page 38 of the book.

Stuxnet Specifications

 Stuxnet was and is very technically advanced and unique.
 It was fairly large at 500 KB (half a megabyte), with different attacks.
 Stuxnet used four Windows zero-day vulnerabilities.
 None of the exploits took advantage of memory corruption vulnerabilities, which means the exploits were 100 percent reliable and 100 percent effective against vulnerable systems.
 The creators of Stuxnet never had to worry about a target machine crashing or freezing, which made the attacks extremely stealthy and reliable.

The Four Windows Vulnerabilities Exploited

 Zero-Day Exploit 1: A vulnerability in the processing of LNK (shortcut) files that would allow an arbitrary dynamic link library (DLL) to be executed. This DLL would be executed in the security context of the current user and was loaded from an infected USB device.
 Zero-Day Exploit 2: A privilege escalation vulnerability in the task scheduler that only affected Windows Vista. This could allow code to execute as Local System.
 Zero-Day Exploit 3: A privilege escalation vulnerability in keyboard layout files that only affected Windows XP. This could allow code to execute as Local System.
 Zero-Day Exploit 4: A remote exploit that used the print spooler subsystem to send the Stuxnet virus to peers on the network.
 The authors of Stuxnet had a huge stockpile of zero-day exploits to choose from and selected the ones that met their exact requirements.

Facts

 Stuxnet also included rootkits to conceal its existence, which were digitally signed with legitimate certificates.
 The device drivers were signed using legitimate certificates that were stolen from JMicron and Realtek. Both of these companies are located at the Hsinchu Science Park in Taiwan.
 The Stuxnet virus originally reported to two command and control servers, in Malaysia and Denmark.
 The servers would allow the virus to send data back to the authors as well as receive updates and instructions.

Operational Facts

 These global points of interest include:
 Malware authors in the United States and Israel
 Natanz plant in Iran
 Command and control servers in Denmark and Malaysia
 Stolen certificates from Taiwan
 The Stuxnet virus targeted specific Siemens SCADA (Supervisory Control and Data Acquisition) systems. SCADA systems are computer systems that control and monitor industrial equipment such as power management and utility systems. See Figure 2-1, page 40 in the book.
 When Stuxnet infected a system that was using the Step 7 software, it would essentially backdoor this software, which allows the computer to infect the physical PLC hardware with a rootkit.
 The PLC (Programmable Logic Controller) is the hardware that actually controls the industrial systems, in this case controlling the centrifuges.
 The PLC then reports data about the operation of the hardware back to the Step 7 software.
 When the PLC is infected, it essentially "lies" to the Step 7 monitoring software about what the centrifuges are doing.
 It might tell you that you are driving at 35 MPH when in fact you are driving at 100 MPH: very dangerous.
 Reports have shown that Stuxnet might have been responsible for as much as a 30% decrease in operational capacity at Natanz alone, as well as physical destruction of up to 1000 centrifuges.

Conclusion

 The New York Times reported all the details in 2012.
 The operation started under Bush and continued, achieving its target, under Obama.
 According to the NY Times article, the creators were the US and Israel.
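The PLC "lie" to the Step 7 monitoring software described above, as an added toy simulation that is not part of the lecture or of any real Stuxnet code: the compromised controller keeps reporting the nominal speed, and a cross-check against an independent power meter shows how a defender can catch the mismatch. The meter, the cubic speed-to-power model and all sample values are constructed assumptions.

```python
# Added toy simulation (not from the lecture, not real Stuxnet code): a PLC-level
# rootkit replays "normal" telemetry, and an out-of-band channel exposes it.
from dataclasses import dataclass
from typing import List

NOMINAL_RPM = 1000.0   # constructed nominal centrifuge speed
NOMINAL_KW = 2.0       # constructed power draw at nominal speed
TOLERANCE = 0.10       # relative mismatch that triggers an alert


@dataclass
class Reading:
    reported_rpm: float   # what the monitoring software is told by the PLC
    measured_kw: float    # from an independent meter, not routed via the PLC


def plc_report(true_rpm: float, rootkit_active: bool) -> float:
    """A compromised PLC replays the nominal value; a clean PLC reports truth."""
    return NOMINAL_RPM if rootkit_active else true_rpm


def expected_kw(rpm: float) -> float:
    """Constructed physical model: power grows with the cube of speed."""
    return NOMINAL_KW * (rpm / NOMINAL_RPM) ** 3


def is_inconsistent(r: Reading, tol: float = TOLERANCE) -> bool:
    """True when the independent power measurement disagrees with what the
    reported RPM would require, i.e. the two channels tell different stories."""
    expected = expected_kw(r.reported_rpm)
    return abs(r.measured_kw - expected) > tol * expected


def simulate(true_rpms: List[float], rootkit_active: bool) -> List[int]:
    """Feed a series of true speeds through both channels; return flagged indices."""
    alerts = []
    for i, true_rpm in enumerate(true_rpms):
        reading = Reading(reported_rpm=plc_report(true_rpm, rootkit_active),
                          measured_kw=expected_kw(true_rpm))  # physics follows truth
        if is_inconsistent(reading):
            alerts.append(i)
    return alerts


if __name__ == "__main__":
    series = [1000.0, 1000.0, 1400.0, 1400.0, 600.0]   # constructed over/under-speed run
    print("clean PLC alerts:", simulate(series, rootkit_active=False))  # []
    print("rootkit alerts:  ", simulate(series, rootkit_active=True))   # [2, 3, 4]
```

The reported speed alone looks healthy in both runs; only the comparison with a channel the PLC cannot rewrite reveals the over- and under-speed periods.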
