This advisory was written by Travis Holland and Eric Dodge of the Kudelski Security Threat Detection & Research Team
Summary
Incontroller/Pipedream is a collection of sophisticated tools thought to be created by group dubbed “Chernovite” by Dragos. Chernovite is assessed to be a a state-sponsored adversary, with the intention for use in future operations. The primary focus for this toolkit is for use in the electric and natural gas verticals; however, it is not limited to solely those. At this time, the CFC has no intelligence that Pipedream has been successfully deployed in the wild at this time. This has provided researchers time to evaluate the tools proactively. This is a suite of utilities designed to allow for access to and manipulation of Schneider Electric and Omron PLCs, as well as Open Platform Communications (OPC) Unified Architecture OPC-UA servers. Dragos, an ICS focused cyber security company, has broken Incontroller/Pipedream into five categories: Evilscholar, Badomen, Mousehole, Dusttunnel and Lazycargo.
- Evilscholar: Provides the capabilities to discover, access and manipulate Schneider Electric PLCs.
- Badomen: Provides the capability to scan, identify and access Omron software and PLCs.
- Mousehole: The tool is designed around interacting and accessing OPC Unified Architecture (UA) servers which allow for enumerating nodeids and brute forcing credentials.
- Dusttunnel: Remote operation implant to establish persistence and command and control.
- Lazycargo: Interface that drops and exploits a known vulnerable ASRock driver to elevate credentials.
When properly used these tools allow for an attacked to scan for devices, brute force passwords, close connections, and even crash the targeted device. PLC implants are utilized to execute untrusted code from the PLCs, these implants could be on an impacted PLC for long durations, requiring firmware forensic analysis to reveal its presence.
The CFC has worked with its ICS-aware Network intrusion Detection System (IDS) partner, Claroty, who has written and published detection signature for PipeDream. All clients of the CFC’s MDR for O.T have had these signatures updated for their Claroty deployments.
Affected Systems
This impacts the following systems typically located in electrical substations and communicating through IEC-104 protocol:
- Systems vulnerable to CVE-2020-15368; ASRock driver exploit
- Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to):
- TM251, TM241, M258, M238, LMC058, and LMC078
- OMRON Sysmac NJ and NX PLCs, including (but may not be limited to):
- NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT
- OPC Unified Architecture (OPC UA) Servers
Technical Details
Incontroller/Pipedream is a sophisticated and modular set of tools that an attacker can leverage once they have established access within an environment. The foothold is established by any vector available to the attacker and is followed up with utilization of the ASRock driver exploit (CVE-2020-15368) to further escalate their privileges, and to move through the environment. The ASRock exploit is rather trivial, and only requires administrative access to further escalate privileges and execute arbitrary code with kernel privileges.
The modular architecture and automation of the tool allows for easy addition of more components as needed (such the ASRock exploit) could easily be swapped in favor of another exploit or tool. Depending on the PLC type there are different actions and objectives that the threat actor would look to achieve.
Capabilities of the tooling per impacted vendor
Schneider Electric Devices:
- Rapidly scan and identify all Schneider PLC’s on other network via UDP multicast over port 27127
- Brute force Schneider PLC passwords via CODESYS over port 1740
- Conduct denial-of-service attacks to prevent network communication to the PLC
- Drop connections, forcing re-authentication to the PLC to gather credentials
- Crash the PLC, for a power cycle and configuration recovery
- Pushing custom Modbus commands/packets
- Retrieving file/directory listings
- Deleting files
- Adding a route if the device gateway IP exists on a different interface
- Connecting to specific devices
Omron devices:
- Scanning for Omron via FINS protocol over port 9600
- Parsing out HTTP response from Omron devices
- Retrieving MAC addresses of devices
- Polling for what devices are connected to the PLC
- Backup and restoration of arbitrary files to or from the PLC
- Loading custom agents on the PLCs to allow for additional capabilities
- Wiping the device’s memory and resetting it
- Activating the Telnet daemon
- Connecting to the device via the Telnet daemon and uploading or executing payloads and commands
- Perform a network capture
- Killing processes on the device
- Transferring files to the device
- Connecting and communicating with attached servo drives
OPC UA:
- Identify OPC UA servers
- Connect to OPC UA servers via default or compromised credentials
- Reading/Writing tag values for data on OPC UA servers
- Brute forcing credentials
- Outputting log files
Currently Known Indicators of Compromise (IOCs)
- RwDrv.sys (RWEverything)
- AsrDrv104.sys (AsrPolychromeRGB)
- AsrDrv103.sys (AsrPolychromeRGB)
- ProcessHacker.exe
Solution/Mitigation
There is currently no evidence of Incontroller/PipeDream being deployed for disruptive or destructive effects. It is known to utilize standard ICS protocols and actions to live off the land natively. Proper monitoring of any suspicious use of the ASRock driver can help mitigate a portion of the toolset seen within Incontroller/PipeDream. It is important to note that utilization of the AsRock Driver exploit requires the attacker to already have administrator level privileges on the host, however, future exploits may have different requirements.
The Cyber Fusion Center recommends the following for mitigation, discovery, and recovery:
- Appropriate network segmentation, and strong perimeter controls
- Leverage Secure Remote Access with Multi Factor Authentication and monitored sessions
- Jump Servers monitored with Endpoint Detection and Response (EDR) technologies
- Active endpoint monitoring on HMIs, Engineering Workstations, and Historians
- Strong password policies and management
- Patch management
- Only allow connection to ICS/SCADA infrastructure through certain engineer workstations
- Disable the Schneider NetManage discovery service
- Monitoring for new outbound connections from PLC’s
Additionally dedicated ICS monitoring can aid in quickly identifying things outside the baseline that could be indicative of movement and attacks within the ICS infrastructure. Examination of non-baseline activity, and restricting access to the following destination ports:
- TCP 502; Modbus
- UDP 27127; primarily used for discovery scanning
- UDP 1740-1743, TCP 1105, and TCP 117470; CODESYS
- TCP/UDP 9600; default communication port for Omron
What the Cyber Fusion Center is doing
While there are currently no known active deployments of this tooling, the Cyber Fusion Center’s O.T Intrusion Detection System (IDS) partner, Claroty, has developed and published network signatures designed to detect the potential presence of this tooling. All clients of the CFC’s MDR For O.T service have had these new detection signatures deployed on their behalf.
Kudelski Security Research 