
Noam Moshe_From Exploits to Forensic Evidence: Unraveling the Unitronics Attack.pdf

Uploader: 张** ID: 175455 2024-09-13 89 pages 6.70MB

Team82
From Exploits to Forensic Evidence: Unraveling the Unitronics Attack
Noam Moshe, Claroty Research, Claroty Team82

$whoami
Noam Moshe
Vulnerability researcher, mostly breaking IoT clouds.
Master of Pwn, Pwn2Own ICS 2023.
*Special thanks to Claroty Team82 researchers: Sharon Brizinov, Vera Mens, Tomer Goldschmidt

So what's the sitch?
Nov 23: APT targets Unitronics PLCs
CyberAv3ngers
Used in water facilities worldwide
Why? Fear and panic
Modern defacing, ICS style: defacing HMI screens
How? Downloading a new project, overriding the current logic
Was the defacement the only thing the attackers did?

Not the first time
Feb 22: same attack on Israeli devices, 1.5 years prior
Same PLC lineup
Attackers were not identified
Probably the same APT: shared assets
2022 attack on Israeli parcel services

Unitronics Vision 101 PLC+HMI
Vendor is an Israeli PLC maker
Old PLCs: Samba and Vision series
PCOM protocol (serial or TCP/20256)
Almost no security mechanisms: no encryption, "weak" authentication

"Weak" authentication?
From the CISA advisory, they recommend:
Change the default password
Add a PCOM password

However, more like no authentication!
Prior to v9.9.00: no PCOM authentication
To attack you need: EWS (VisiLogic), IP
4/25/23

There are no internet-facing PLCs, right? Right?
Hundreds of exposed devices
Using shodan.io: 900 devices, PCOM exposed
Unpatched devices have no authentication!

Real video of the APT attack!
[diagram: Attackers, Internet-facing PLCs]

We were notified of this attack
We began investigating
There are no forensic tools for such devices!
Develop new forensic tools
Extract evidence from affected PLCs

This document presents research on digital forensics for an industrial control system PLC (programmable logic controller). The authors' team developed a tool that reads the PLC's memory over a serial or TCP/IP connection. They found a method of reading protected memory regions by forging the password, and used it to obtain the attackers' project file. They also found a signed log containing a record of project operations, which provides important information for forensic analysis. Key points: 1) the PLC's memory can be read through a specific protocol; 2) memory protection can be bypassed by forging the password; 3) the project file and the signed log contain important forensic evidence; 4) the tool can read and parse this data to support the investigation.