DEF CON 30 - Sharon Brizinov - Evil PLC Attacks - Weaponizing PLCs

  • Published on 12 Oct 2024
  • These days, Programmable Logic Controllers (PLC) in an industrial network are a critical attack target, with more exploits being identified every day. But what if the PLC wasn’t the prey, but the predator? This presentation demonstrates a novel TTP called the "Evil PLC Attack", where a PLC is weaponized in a way that when an engineer is trying to configure or troubleshoot it, the engineer’s machine gets compromised.
    We will describe how engineers diagnose PLC issues, write code, and transfer bytecode to PLCs for execution with industrial processes in any number of critical sectors, including electric, water and wastewater, heavy industry, and automotive manufacturing. Then we will describe how we conceptualized, developed, and implemented different techniques to weaponize a PLC in order to achieve code execution on an engineer’s machine.
    The research resulted in working PoCs against ICS market leaders, which fixed all the reported vulnerabilities and remediated the attack vector. These vendors include Rockwell Automation, Schneider Electric, GE, B&R, Xinje, OVARRO and more.
  • Science & Technology

Comments • 29

  • @willemvdk4886 1 year ago +13

    Much, much respect. There is a LOT of work in that 10 seconds he spent on telling us about the protocol reversing. Incredible.

  • @arbibenmaatoug5566 20 days ago

    Very impressive, big applause, respect. Can't find words to congratulate you, bro. Nice feeling after all: our adrenaline, our joy.

  • @halo37253 1 year ago +24

    Sad to see the two biggest PLC vendors' main product lines missing:
    Rockwell with Studio 5000 and ControlLogix or CompactLogix,
    Siemens with TIA Portal and S7-1200 or 1500.
    They have a cheap modern Micro800 with CCW, which no one uses. I think the only thing CCW is used for by most engineers is to configure PowerFlex drives if not using drive tools.

    • @CrIMeFiBeR 1 year ago +1

      Really interested in Siemens exploitation.

    • @ivanv754 1 year ago

      Well, those are very, very expensive, and you kind of need a service contract to fully use them.

  • @peterevenhuis2663 1 year ago +21

    Good that you totally missed Siemens; now I can sleep better.

    • @chebhou 1 year ago +2

      I was looking for it too 🤣

    • @Mekkor 1 year ago +1

      They technically missed Allen-Bradley as well, as they only covered Micro800s with Connected Components Workbench, which is free licensing.

  • @johnmhedges 1 year ago +3

    Most IDEs don't load the source code to the PLC unless the programmer downloads it or enables the feature in the programming environment.

  • @SALTINBANK 1 year ago +2

    Great talk from Unit 8200! :)

  • @tommyhuffman7499 1 year ago

    A more advanced explanation of how PLCs work. Love it!!

  • @Jeeperanthony 1 year ago

    Really cool! I assume you could put a flag in that would allow authorized personnel (through MAC, IP, etc) to upload.

  • @NickMoore 1 year ago

    That was awesome!

  • @ChristoffelTensors 1 year ago

    Bro is the RTFM gigaCHAD

  • @lassorb4752 1 year ago

    What about Siemens?

  • @MrGillb 1 year ago

    I wonder how many people bricked PLCs due to the confusing-ass nomenclature.

  • @johnkost2514 1 year ago +3

    Just a replay of Stuxnet, and from, well, I'll just leave it at that.

    • @DeShark88 1 year ago +3

      It's, err, nothing like Stuxnet. What are you on about? It involves PLCs, sure, but the method and outcome are totally different.

    • @johnkost2514 1 year ago

      @@DeShark88 It's an insertion attack. Stuxnet modified the Step7/WinCC DLL(s). The payloads and focus were on DLL(s).

    • @DeShark88 1 year ago +4

      @@johnkost2514 The attack vector was totally different. One was an OS 0-day (Windows shortcuts) exploited via USB stick, and the other is via a honeypot. Also, the target was different. In Stuxnet the target was the PLCs; in this attack the target is those trying to hack PLCs. Sure, the PLC programmer's DLLs were edited in both cases, but I wouldn't call this a simple replay, since it's being done the opposite way around to target the complete opposite target.

    • @johnkost2514 1 year ago +2

      @@DeShark88 There were multiple Stuxnet campaigns (versions), and the probability that all were delivered via a USB is suspect. Again, DLL(s) were the focus of the exploit. Anyone who really knows the deeper constructs of ICS security and vulnerability would acknowledge the similarities. Relax your ego. I made an observation; I stated the similarity. Cyber researchers generally have more open minds than you do.

  • @cesar.automacao 1 year ago

    Wow :p

  • @TheEndermanOfEvil 1 year ago

    Fuck yeah, that's dope as.

  • @bahadirm 1 year ago +5

    Dude, people hacking an exposed PLC found on Shodan with possibly proprietary IDE/development software that they most likely had to pay for are not script kiddies.

    • @mlu5653 1 year ago +5

      You think they paid for it?... xD

    • @bahadirm 1 year ago +1

      @@mlu5653 Depends on the IDE and their implementation of software/dongle licensing.

    • @prometheuscubesystems4399 1 year ago +1

      Yeah, he thinks they're paying, kkk.

  • @jeremydaniels1973 1 year ago +1

    I was excited when I read the title but let down by the execution of this presentation.

    • @DeShark88 1 year ago +5

      What were you let down by? The content of the presentation was excellent in my opinion.