Friday, September 15, 2017

Dragonfly 2.0: Testing the Watering Hole risk


Three years after Dragonfly 1.0, we are now facing Dragonfly 2.0. In both campaigns, watering hole attacks are one of the attack vectors described in the reports, so protecting the websites that ICS engineers visit to get the resources they need for their daily work should be a priority. ICS vendors and asset owners should have learned from that, and since I am very keen on testing things, I decided to check.
I designed a simple test to check the security posture of 13 big ICS vendors with regard to the communication security (the SSL/TLS configuration) of their support websites, which is where firmware upgrades are usually distributed nowadays.

The major ICS vendors I tested were:

  • Siemens
  • Schneider Electric
  • Honeywell
  • Rockwell Automation
  • Yokogawa
  • Moxa
  • OSIsoft
  • Phoenix Contact
  • Advantech
  • SEL
  • ABB
  • CODESYS
  • MatrikonOPC

To run these checks I used a simple but powerful tool called testssl.sh (which, by the way, I recommend). Among other things, this tool tests for the following SSL/TLS vulnerabilities:

  • Heartbleed (CVE-2014-0160)
  • CCS (CVE-2014-0224)
  • Secure Renegotiation (CVE-2009-3555)
  • Secure Client-Initiated Renegotiation
  • CRIME, TLS (CVE-2012-4929)
  • BREACH (CVE-2013-3587)
  • POODLE, SSL (CVE-2014-3566)
  • TLS_FALLBACK_SCSV (RFC 7507), i.e. missing downgrade protection
  • FREAK (CVE-2015-0204)
  • DROWN (CVE-2016-0800, CVE-2016-0703)
  • LOGJAM (CVE-2015-4000)
  • BEAST (CVE-2011-3389)
  • RC4 (CVE-2013-2566, CVE-2015-2808)

When you run the tool against an SSL/TLS-protected website, each check comes back as "Vulnerable", "Probably" or "Not Vulnerable", which I map to the values 2, 1 and 0. The more vulnerabilities the tool finds on a vendor's support site, the higher the risk I associate with that vendor.

These are the results for vulnerabilities:


The first finding is that Advantech does not even have an SSL/TLS-protected support web page (at the time of testing), so I assign it the maximum risk value.

The second finding is that the big ICS vendors were very similar in vulnerabilities, apart from ABB, which scores much better with only a single "Probably" result. Honeywell, on the other hand, shows the most potential problems to fix.

With these values in mind, I added another criterion to build a heat map (I love heat maps).
It seems logical that this kind of risk is directly proportional to how much the support site is used, so I looked up the Alexa rank of each ICS support page. These are the values I found that day:


The lower the rank, the more visits the site gets.

Normalizing both values to a 1 to 5 scale, I got the following heat map:
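The scoring scheme (2/1/0 per check) and the heat map normalization described above, as an added example that is not part of the original post and not code from testssl.sh. It assumes the scans were saved with `testssl.sh --vulnerable --jsonfile <vendor>.json <host>`, that the file is a flat list of objects with `id`, `severity` and `finding` keys, and that the check ids and the severity-to-points mapping are as given in the code (both are assumptions, not taken from the post). The three vendor sites, their scan results and their Alexa ranks are constructed sample data.

```python
"""Score testssl.sh vulnerability findings and build the post's heat map value.

Added example, not code from the original post or from testssl.sh. Assumes
each vendor's support site was scanned with

    testssl.sh --vulnerable --jsonfile <vendor>.json <host>

and that the JSON file is a flat list of objects carrying "id", "severity"
and "finding" keys. The check ids and the severity-to-points mapping are
assumptions; the data in SAMPLE_SCANS is constructed for the example.
"""
import json

# testssl.sh check ids for the vulnerabilities listed in the post (assumed ids).
VULN_IDS = [
    "heartbleed", "CCS", "secure_renego", "sec_client_renego", "CRIME_TLS",
    "BREACH", "POODLE_SSL", "fallback_SCSV", "FREAK", "DROWN", "LOGJAM",
    "BEAST", "RC4",
]

# The post's scheme: Vulnerable = 2, Probably = 1, Not vulnerable = 0,
# applied here to testssl.sh severity labels (this mapping is an assumption).
SEVERITY_POINTS = {
    "CRITICAL": 2, "HIGH": 2,
    "MEDIUM": 1, "LOW": 1, "WARN": 1,
    "OK": 0, "INFO": 0,
}

# A support site with no HTTPS at all gets the maximum possible score.
NO_TLS_SCORE = 2 * len(VULN_IDS)


def load_findings(json_text):
    """Parse a --jsonfile output and keep only the vulnerability checks."""
    return [f for f in json.loads(json_text) if f.get("id") in VULN_IDS]


def score_findings(findings):
    """Sum the 2/1/0 points over the vulnerability checks of one host."""
    return sum(SEVERITY_POINTS.get(str(f.get("severity", "")).upper(), 0)
               for f in findings)


def score_vendor(findings):
    """None means the support site offered no TLS endpoint at all."""
    if findings is None:
        return NO_TLS_SCORE
    return score_findings(findings)


def normalize(values, lo=1.0, hi=5.0):
    """Min-max scale a list onto [lo, hi]; a constant list maps to lo."""
    vmin, vmax = min(values), max(values)
    if vmax == vmin:
        return [lo for _ in values]
    return [lo + (v - vmin) * (hi - lo) / (vmax - vmin) for v in values]


def heat_map(vendors):
    """vendors: {name: (findings or None, alexa_rank)} -> {name: row}.

    The Alexa rank is negated before scaling because a lower rank means more
    traffic, i.e. more engineers exposed to a watering hole on that site.
    The heat value is the product of the two 1..5 levels (range 1..25).
    """
    names = list(vendors)
    vuln_levels = normalize([score_vendor(vendors[n][0]) for n in names])
    exposure_levels = normalize([-vendors[n][1] for n in names])
    rows = {}
    for name, v, e in zip(names, vuln_levels, exposure_levels):
        rows[name] = {
            "vuln_score": score_vendor(vendors[name][0]),
            "vuln_level": round(v, 1),
            "exposure_level": round(e, 1),
            "heat": round(v * e, 1),
        }
    return rows


# Constructed sample: three fictitious vendor support sites (not real scans).
SAMPLE_SCANS = {
    "vendor-a.example": (load_findings(json.dumps([
        {"id": "heartbleed", "severity": "OK", "finding": "not vulnerable"},
        {"id": "BREACH", "severity": "MEDIUM", "finding": "potentially NOT ok, uses gzip"},
        {"id": "BEAST", "severity": "LOW", "finding": "VULNERABLE -- but also supports higher protocols"},
        {"id": "RC4", "severity": "HIGH", "finding": "VULNERABLE, Detected ciphers: RC4-SHA"},
        {"id": "POODLE_SSL", "severity": "OK", "finding": "not vulnerable"},
        {"id": "service", "severity": "INFO", "finding": "HTTP"},  # not a vuln check, ignored
    ])), 50000),
    "vendor-b.example": (load_findings(json.dumps([
        {"id": "heartbleed", "severity": "OK", "finding": "not vulnerable"},
        {"id": "BEAST", "severity": "LOW", "finding": "VULNERABLE -- but also supports higher protocols"},
    ])), 200000),
    "vendor-c.example": (None, 120000),  # plain-HTTP support site, like the Advantech case
}

if __name__ == "__main__":
    ranked = sorted(heat_map(SAMPLE_SCANS).items(), key=lambda kv: -kv[1]["heat"])
    for name, row in ranked:
        print(f"{name:20s} {row}")
```

Run it with no arguments to print the rows sorted by heat; replace `SAMPLE_SCANS` with the real `--jsonfile` outputs and the Alexa ranks you looked up. Because the heat value multiplies the two levels, a plain-HTTP support site on a well-ranked domain lands at the top, which is exactly the Advantech situation described above.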



Seems like someone has some homework to do...

Stay tuned for the next revision.