Lessons from a Simulated Breach on Critical Infrastructure: Part Two
By: David Lorti
Justin Turner contributed to this article.
Have you missed something? Be sure to read Part One for the critical background to this story!
At 7:30 a.m., the Red Team came out of the gate. This is where the story became really interesting.
The Red Team immediately scanned the external network. From the Red Team's perspective, the Blue Team knew that the first thing the Red Team would do was perform a scan.
The Red Team's scan identified several web servers, one of which was running an unpatched Apache version. Exploiting known vulnerabilities, the Red Team gained administrative access to the server and extracted a table of password hashes. Using widely available cracking tools, Red Team members cracked the passwords quickly. With these passwords in hand, they made several attempts to "test" the credentials on other servers they had found. Success! One of the passwords allowed the Red Team to log in using SSH to a server within the DMZ. "At this point, we were an authentic user logged into the corporate network," Justin said. "What a great way to have a look around and not fire off too many alarms."
The Red Team used a combination of Nmap, Nessus and web fuzzing techniques to enumerate the target external networks. Nessus can perform a full port scan to identify platform characteristics and the known vulnerabilities that apply to the scanned platform.
At this point, the Red Team was acting as an authenticated user in the corporate network and started performing additional reconnaissance to map out the internal infrastructure. During this stage, the Red Team found a couple of anomalies. First, they found a server with two NICs - one connected to the corporate network and another connected to an unknown network. "This piqued our interest at the time," Justin said. "We marked it as important, but didn't immediately work on reconnaissance there. We were actively working on persistence and further exploitation in other areas at the time and left this to idle for a while."
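The credential "testing" described above, with cracked passwords tried over SSH against other servers, is the lateral movement the Blue Team only discovered hours later. The following is an added example, not code from the article or from the exercise: it parses constructed sshd log lines and flags an account whose password logins succeed on several hosts from one source address within a short window. The log lines, hostnames, addresses and thresholds are all made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (syslog format, year assumed to be 2023):
# one cracked account succeeding on several hosts from a single source.
SAMPLE_AUTH_LOG = """\
Mar 14 07:41:02 web01 sshd[2210]: Accepted password for svc_backup from 203.0.113.7 port 51022 ssh2
Mar 14 07:41:30 dmz-jump sshd[1190]: Accepted password for svc_backup from 203.0.113.7 port 51040 ssh2
Mar 14 07:42:11 db02 sshd[3321]: Failed password for svc_backup from 203.0.113.7 port 51051 ssh2
Mar 14 07:43:05 app03 sshd[4410]: Accepted password for svc_backup from 203.0.113.7 port 51077 ssh2
Mar 14 08:15:44 web01 sshd[2288]: Accepted publickey for alice from 10.0.5.21 port 40112 ssh2
Mar 14 09:02:10 app03 sshd[4502]: Accepted password for alice from 10.0.5.21 port 40190 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_sshd(text, year=2023):
    """Parse sshd auth lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        events.append(ev)
    return events

def credential_reuse_alerts(events, window_minutes=10, min_hosts=3):
    """Flag (user, source) pairs whose password logins succeed on at least
    min_hosts distinct hosts within window_minutes of each other."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["result"] == "Accepted" and ev["method"] == "password":
            by_pair[(ev["user"], ev["src"])].append((ev["ts"], ev["host"]))
    alerts = []
    for (user, src), logins in by_pair.items():
        logins.sort()  # oldest first, so each start opens a sliding window
        for i, (start, _) in enumerate(logins):
            hosts = {h for t, h in logins[i:] if (t - start).total_seconds() <= window_minutes * 60}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "src": src, "hosts": sorted(hosts)})
                break  # one alert per (user, source) is enough
    return alerts
```

Key-based logins are deliberately excluded so that a service account using keys across a fleet does not drown out the password-reuse signal.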
Using your own security against you
One of the "other" areas the team was working to exploit was an IP-based security camera surveillance system. Early in their mapping efforts, the Red Team located a webcam that was part of the physical security network. They identified several others across a number of facility rooms. By chance, the Red Team believed they had found a camera located in the control network room.
Thanks to the very nice brand placement by the camera system manufacturer -- which included the model and style of camera being used -- the Red Team simply looked up the default username and password for the camera as configured by the manufacturer and logged in. "The camera was a gold mine," Justin said. "We literally had visibility of the network operator working on the control system, along with his page of notes and network diagram sitting right next to him on the desk. And thanks to high definition, we were able to zoom the camera and clearly read usernames and passwords.
"It took a little bit of studying once we had zeroed in on the network map to discover the real golden nugget," Justin added. "To our surprise, the server we had discovered earlier with the dual NIC configuration was connected to a Programmable Logic Controller (PLC). Needless to say, our attention quickly shifted back to that machine and exploiting the PLC."
Exploiting critical information to attack critical infrastructure
With the information captured, Justin and the Red Team went back to the server with the dual-NIC configuration. Team members tried to see what they could use here. Coincidentally, one Red Team member worked for a major control systems manufacturer. He had a strong hunch about the type of PLC the second NIC was talking to, and he suggested they test a handful of prebuilt exploits.
The team located the exploits and pointed them at the IP address they had.
Thirty seconds later, the Red Team had control of the PLC, which connects to devices that open and close valves on the targeted equipment. "We were politely asked by our host/trainers to not 'Brick' the controller, but allowed to fiddle with it or disrupt it however we wanted," Justin said.
One of the exploits on hand allowed the Red Team to freeze the processor in a stop condition. As a result, the PLC would not respond to any commands and was stuck in its current state. The Red Team effectively killed a critical process controller and crippled the simulated plant process.
A back and forth exchange
At this stage, the Blue Team was monitoring the network and trying to detect any trace of the Red Team. They clearly saw the PLC die and scurried to fix it. They were able to recover it and restart the PLC after about 90 minutes. However, what ensued was a back-and-forth offensive/defensive match.
The Red Team immediately knocked the system offline again. Every time the Blue Team got the system online, the Red Team attacked. This was repeated five or six times before the Blue Team realized how the Red Team had exploited the controller. The Blue Team was finally able to get the firewall updated to block them entirely.
The Blue Team soon noticed the security cameras moving and rotating and realized the Red Team must have gained control of them. They succeeded in stopping the Red Team's access. However, the Red Team had already gotten all the information they needed, including screenshots for future reference.
Now it was approximately 3 p.m. Two hours later, the Blue Team had finally discovered the SSH logins, changed passwords, applied new firewall rules and managed to eliminate the Red Team from the network entirely.
As part of the exercise, the Red Team was given several objectives. One of the tasks was to find one of the facility's "executive laptops" and do with it whatever they wanted.
The Red Team wasted no time and was able to take full advantage of the "lost" laptop to gain further access into the network. Even though the machine used full disk encryption, the account configured on it had a very weak password: a combination of the user's last and first name with a few special characters. Once on the machine, they discovered that it was configured to use OpenVPN and could still reach the corporate network.
"At that point, launching more attacks was fairly trivial because we had yet again found a way to sit on the internal network and move around as an authenticated user," Justin explained. "Another foothold was great, but the day was quickly slipping away and we decided it was time to search and destroy anything we could find."
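The laptop's password was the user's own name dressed up with special characters, which a length rule alone does not catch. Below is an added example, not code from the article or the exercise: a small policy check that normalizes a candidate password and rejects it when little more than the account holder's first and last names remain. The substitution table, the `slack` tolerance and the minimum length are assumptions chosen for the demonstration.

```python
import re

# Small table of the digit/symbol-for-letter swaps that commonly dress up a name
# (assumption: a production policy would use a larger table plus a breach list).
_SUBS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

def _normalize(text):
    """Lowercase, undo simple substitutions, then keep only letters."""
    return re.sub(r"[^a-z]", "", text.lower().translate(_SUBS))

def password_derived_from_name(password, first_name, last_name, slack=2):
    """True when, after normalizing and removing the user's names, at most
    `slack` letters remain: the password is a name wrapped in decoration."""
    core = _normalize(password)
    found = False
    for token in (_normalize(first_name), _normalize(last_name)):
        if len(token) >= 3 and token in core:
            core = core.replace(token, "")
            found = True
    return found and len(core) <= slack

def check_password(password, first_name, last_name, min_length=14):
    """Return the list of reasons a proposed password is rejected (empty if accepted)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if password_derived_from_name(password, first_name, last_name):
        reasons.append("built from the account holder's own name")
    return reasons
```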
The winner is?
The Red Team. The Red Team achieved what it set out to do: gain access to the Control System Network and manipulate critical infrastructure machinery. In addition, the Red Team gained extra points for its exploit of the executive laptop, breaking into the wireless access point, solving the steganography challenge and smearing the simulated chemical company by leaking sensitive inside documents to the public.