
DEF CON 30 - Sharon Brizinov - Evil PLC Attacks - Weaponizing PLCs 

DEFCONConference

These days, Programmable Logic Controllers (PLCs) in an industrial network are a critical attack target, with more exploits being identified every day. But what if the PLC wasn't the prey, but the predator? This presentation demonstrates a novel TTP called the "Evil PLC Attack", where a PLC is weaponized so that when an engineer tries to configure or troubleshoot it, the engineer's machine is compromised.
We will describe how engineers diagnose PLC issues, write code, and transfer bytecode to PLCs for execution in industrial processes across any number of critical sectors, including electric, water and wastewater, heavy industry, and automotive manufacturing. Then we will describe how we conceptualized, developed, and implemented different techniques to weaponize a PLC in order to achieve code execution on an engineer's machine.
The research resulted in working PoCs against products from ICS market leaders, which fixed all the reported vulnerabilities and remediated the attack vector. These vendors include Rockwell Automation, Schneider Electric, GE, B&R, Xinje, OVARRO and more.
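The attack hinges on the engineering workstation trusting whatever it reads back (uploads) from a PLC. As an added example that is not part of the talk or of the Claroty research it summarizes, here is a small workstation-side consistency check in Python: it records the hash of every project the workstation downloads to a PLC and flags any later upload whose hash differs, or that comes from a PLC the workstation never programmed, before the project is opened in the IDE. The event records, field names and sample data are constructed for this example; real engineering tools log transfers differently.

```python
"""
Added example (not from the DEF CON talk or Claroty's research): a workstation-side
consistency check for the trust relationship the Evil PLC attack abuses.

The workstation only trusts what it *downloaded* to a PLC. When it later *uploads*
(reads back) a project, the hash of what came back is compared with the hash of the
last download recorded for that PLC. A mismatch, or an upload from a PLC this
workstation never programmed, is flagged for review before the IDE parses the data.

Event records, field names and sample values are constructed for this example.
"""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class TransferEvent:
    ts: str          # timestamp (constructed)
    plc_id: str      # controller identifier, e.g. IP or serial (constructed)
    direction: str   # "download" = workstation -> PLC, "upload" = PLC -> workstation
    project: bytes   # project bytes as transferred


def digest(data: bytes) -> str:
    """SHA-256 of the transferred project bytes."""
    return hashlib.sha256(data).hexdigest()


def check_uploads(events):
    """Return alert strings for uploads that should be reviewed before opening.

    Events are processed in the given (chronological) order.
    """
    last_download = {}  # plc_id -> sha256 of the last project this workstation pushed
    alerts = []
    for ev in events:
        h = digest(ev.project)
        if ev.direction == "download":
            last_download[ev.plc_id] = h
        elif ev.direction == "upload":
            expected = last_download.get(ev.plc_id)
            if expected is None:
                alerts.append(
                    f"{ev.ts} {ev.plc_id}: upload from a PLC this workstation never "
                    f"programmed (sha256 {h[:12]}...)"
                )
            elif h != expected:
                alerts.append(
                    f"{ev.ts} {ev.plc_id}: uploaded project differs from last download "
                    f"({h[:12]}... != {expected[:12]}...)"
                )
        else:
            raise ValueError(f"unknown transfer direction {ev.direction!r}")
    return alerts


# Constructed sample session: one clean round trip, one project that changed on the
# PLC between download and upload, and one upload from a PLC never seen before.
SAMPLE_EVENTS = [
    TransferEvent("2024-09-01T08:00", "plc-a", "download", b"PROJECT v1 ladder logic"),
    TransferEvent("2024-09-02T09:15", "plc-a", "upload", b"PROJECT v1 ladder logic"),
    TransferEvent("2024-09-03T10:30", "plc-a", "upload", b"PROJECT v1 ladder logic\x00changed"),
    TransferEvent("2024-09-03T11:00", "plc-b", "upload", b"unknown project"),
]

if __name__ == "__main__":
    for alert in check_uploads(SAMPLE_EVENTS):
        print("ALERT", alert)
```

A mismatch is a review trigger rather than a hard block: a second workstation or an online edit can legitimately change what is stored on the controller, so the useful outcome is that an engineer looks at the diff before the engineering software parses an untrusted project.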

Published: 7 Sep 2024

Comments: 28

@willemvdk4886 (1 year ago)
Much, much respect. There is a LOT of work in that 10 seconds he spent on telling us about the protocol reversing. Incredible.
@halo37253 (1 year ago)
Sad to see the two biggest PLC vendors' main product lines missing: Rockwell with Studio 5000 and ControlLogix or CompactLogix, Siemens with TIA Portal and S7-1200 or 1500. They have a cheap modern MicroLogix with CCW, which no one uses. I think the only thing CCW is used for by most engineers is to configure PowerFlex drives if not using drive tools.
@CrIMeFiBeR (1 year ago)
Really interested in Siemens exploitation
@ivanv754 (1 year ago)
Well those are very very expensive and you kind of need a service contract to fully use
@peterevenhuis2663 (1 year ago)
Good that you totally missed Siemens, now I can sleep better
@chebhou (1 year ago)
I was looking for it too 🤣
@Mekkor (1 year ago)
They technically missed Allen-Bradley as well, as they only covered Micro800s with Connected Components Workbench, which is free licensing.
@SALTINBANK (1 year ago)
Great talk from Unit 8200 !)
@johnmhedges (1 year ago)
Most IDEs don't load the source code to the PLC unless the programmer downloads it or enables the feature in the programming environment.
@tommyhuffman7499 (1 year ago)
A more advanced explanation of how PLCs work. Love it!!
@NickMoore (1 year ago)
That was awesome!
@Jeeperanthony (1 year ago)
Really cool! I assume you could put a flag in that would allow authorized personnel (through MAC, IP, etc.) to upload.
@ChristoffelTensors (1 year ago)
Bro is the RTFM gigaCHAD
@lassorb4752 (1 year ago)
What about Siemens?
@cesar.automacao (1 year ago)
Wow :p
@TheEndermanOfEvil (1 year ago)
fuck yeah, that's dope as
@jeremydaniels1973 (1 year ago)
I was excited when I read the title but let down by the execution of this presentation.
@DeShark88 (1 year ago)
What were you let down by? The content of the presentation was excellent in my opinion.
@MrGillb (1 year ago)
I wonder how many people bricked PLCs due to the confusing ass nomenclature
@johnkost2514 (1 year ago)
Just a replay of Stuxnet, and from well, I'll just leave it at that...
@DeShark88 (1 year ago)
It's err... nothing like Stuxnet. What are you on about? It involves PLCs, sure, but the method and outcome is totally different.
@johnkost2514 (1 year ago)
@DeShark88 it's an insertion attack. Stuxnet modified the Step7/WinCC DLL(s). The payloads and focus were on DLL(s).
@DeShark88 (1 year ago)
@johnkost2514 the attack vector was totally different. One was an OS 0-day (Windows Shortcuts) exploited via USB stick, and the other is via a honeypot. Also the target was different. In Stuxnet the target was the PLCs; in this attack the target is those trying to hack PLCs. Sure, the PLC programmer's DLLs were edited in both cases, but I wouldn't call this a simple replay, since it's being done the opposite way around to target the complete opposite target.
@johnkost2514 (1 year ago)
@DeShark88 there were multiple Stuxnet campaigns (versions) and the probability that all were delivered via a USB is suspect. Again, DLL(s) were the focus of the exploit. Anyone who really knows the deeper constructs of ICS security and vulnerability would acknowledge the similarities. Relax your ego. I made an observation, I stated the similarity. Cyber researchers generally have more open minds than you do.
@bahadirm (1 year ago)
Dude, people hacking an exposed PLC found on Shodan with possibly proprietary IDE/development software that they most likely had to pay for are not script kiddies.
@mlu5653 (1 year ago)
You think they paid for it?... xD
@bahadirm (1 year ago)
@mlu5653 depends on the IDE and their implementation of software/dongle licensing.
@prometheuscubesystems4399 (1 year ago)
yeah, he thinks they're paying kkk