Read more: Boosty | Sponsr | TG
Abstract – This document presents a comprehensive analysis of the
Fuxnet malware, attributed to the Blackjack hacking group, which
has reportedly targeted infrastructure. The analysis delves into
various aspects of the malware, including its technical specifications,
impact on systems, defense mechanisms, propagation methods,
targets, and the motivations behind its deployment. By examining
these facets, the document aims to provide a detailed overview of
Fuxnet's capabilities and its implications for cybersecurity.
The document offers a qualitative summary of the Fuxnet malware,
based on the information publicly shared by the attackers and
analyzed by cybersecurity experts. This analysis is invaluable for
security professionals, IT specialists, and stakeholders in various
industries, as it not only sheds light on the technical intricacies of a
sophisticated cyber threat but also emphasizes the importance of
robust cybersecurity measures in safeguarding critical
infrastructure against emerging threats. Through this detailed
examination, the document contributes to the broader understanding
of cyber warfare tactics and enhances the preparedness of
organizations to defend against similar attacks in the future.
I. INTRODUCTION
The Blackjack hacking group, purportedly linked to
Ukrainian intelligence services, has claimed responsibility for a
cyberattack that allegedly compromised emergency detection
and response capabilities in Moscow and its surrounding areas.
This group has been associated with previous cyberattacks
targeting internet providers and military infrastructure. Their
most recent claim involves an attack on Moscollector, a
company responsible for constructing and monitoring
underground water, sewage, and communications infrastructure.
The group has disseminated detailed information about this
attack on the website ruexfil.com, including the use of Fuxnet
malware to disrupt the Moscollector network operations center.
They have published screenshots of monitoring systems,
servers, and databases that they assert have been erased and
rendered inoperative, as well as password dumps.
Regarding the infection methods, the Fuxnet malware
appears to have been designed to target sensor-gateways and
potentially disable them, as well as to fuzz sensors, which could
lead to their malfunction or destruction.
The destruction of these gateways and the fuzzing of sensors
could have serious implications for the monitoring and control
of various systems, potentially leading to a loss of operational
visibility and control for the affected infrastructure.
The key takeaways from the analysis of the Fuxnet malware,
including the findings of Team82 and Claroty, are as follows:
• Unverified Claims: Team82 and Claroty have not been
able to confirm the claims made by the Blackjack group
regarding the impact of their cyberattack on the
government's emergency response capabilities or the
extent of the damage caused by the Fuxnet malware.
• Discrepancy in Reported Impact: The Blackjack
group initially claimed to have targeted 2,659 sensor-
gateways, with about 1,700 being successfully attacked.
However, Team82's analysis of the data leaked by
Blackjack suggests that only a little more than 500
sensor gateways were actually impacted by the malware.
The claim of having destroyed 87,000 sensors was also
clarified by Blackjack, stating that they disabled the
sensors by destroying the gateways and using M-Bus
fuzzing, rather than physically destroying the sensors.
• M-Bus Fuzzing: The Blackjack group utilized a
dedicated M-Bus fuzzer within the Fuxnet malware's
code to fuzz the sensors. This technique was aimed at
disabling the sensors, but the exact number of sensors
that were "fried" or permanently damaged as a result of
this fuzzing is unknown due to the network being taken
down and access to the sensor-gateways being disabled.
• Lack of Direct Evidence: Direct evidence to confirm
the extent of the damage or the impact on emergency
detection and response capabilities is lacking (including
for the targeted Moscollector).
• Clarification from Blackjack: Following the
publication of Team82's initial analysis, the Blackjack
group reached out to provide updates and clarifications,
particularly challenging the contention that only around
500 sensor-gateways had been impacted. They
emphasized that the JSON files made public were only
a sample of the full extent of their activity.
II. AFFECTED INDUSTRIES AND POTENTIAL
CONSEQUENCES
A. Affected Industries:
• Utility Services: The primary target of the Fuxnet
malware was the utility sector, specifically the sensor
gateways that manage water and sewage systems. This
could have implications for the delivery and monitoring
of these essential services.
• Emergency Services: The group claimed to have
gained access to the 112 emergency service number, which
could impact the ability to respond to emergencies
effectively.
• Transportation: The group also claimed to have
bricked sensors and controllers in critical infrastructure,
including airports and subways, which could disrupt
transportation services and safety.
• Energy: Gas pipelines were mentioned as another
target, indicating a potential risk to energy distribution
and monitoring systems.
B. Potential Consequences:
• Disruption of Services: The destruction or malfunction
of sensor gateways could lead to a disruption of the
monitoring and control systems for utilities, potentially
causing service outages or failures.
• Compromised Safety: In transportation and energy
sectors, the loss of sensor functionality could pose safety
risks, as these sensors are often critical for detecting
hazardous conditions.
• Economic Impact: The potential downtime and repair
costs associated with replacing or reflashing damaged
sensor gateways could have significant economic
repercussions for the affected industries.
• Emergency Response Delays: If the claims about
accessing the 112 emergency service number are
accurate, this could lead to delays in emergency
response, affecting public safety.
• Data Exfiltration: Although not explicitly mentioned in
the context of Fuxnet, the malware's ability to
compromise network systems could potentially lead to
data breaches and the exfiltration of sensitive
information.
• Loss of Public Confidence: Cyberattacks on critical
infrastructure can lead to a loss of public confidence in
the affected services and the entities responsible for their
security.
III. MOSCOLLECTOR ATTACK
The attack, whose initial compromise began in June 2023,
was methodically orchestrated to undermine the industrial
sensors and monitoring infrastructure. Recently, the group made
public their activities and the stolen information on the ruexfil
website, detailing the extent and impact of their cyber offensive.
The compromise of this system could potentially disrupt
emergency response capabilities, affecting the safety and
security of the populace.
A. Bricking of Critical Infrastructure Sensors and Controllers
The group alleges to have hacked and bricked sensors and
controllers within critical infrastructure sectors, including
airports, subways, and gas pipelines. This action, if true, could
have disabled essential monitoring and control systems, leading
to significant disruptions in public services and safety.
B. Network Appliance Disruption
The group asserts that they have disabled network appliances
such as routers and firewalls. This would have a cascading effect
on the network's integrity, potentially isolating various segments
and hindering communication across the infrastructure.
C. Deletion of Servers and Databases
The attackers claim to have deleted servers, workstations,
and databases, wiping out approximately 30 TB of data,
including backup drives. This kind of data destruction could lead
to a loss of historical data, disrupt ongoing operations, and
complicate recovery efforts.
D. Invalidation of Moscollector Office Building Access
All keycards to the office building have reportedly been
invalidated. This action could prevent employees from accessing
their workplace, further hindering any attempts to assess the
damage or initiate recovery protocols.
E. Password Dumping
The dumping of passwords from multiple internal services
has also been claimed. This could allow unauthorized access to
various systems and data, exacerbating the breach's impact and
potentially leading to further exploitation.
IV. EQUIPMENT TARGETED BY THE ATTACK
The attack's focus was on the communication gateways that
serve as critical nodes in the data transmission from the sensors
to the global monitoring systems. These sensors are integral to
various environmental monitoring systems, including those used
in fire alarms, gas monitoring, and lighting controls.
The sensors are designed to collect physical data such as
temperature and transmit this information through a serial or bus
connection, specifically an RS485/Meter-Bus, to a gateway.
These gateways act as transmission units, enabling the telemetry
data to be sent over the internet to a centralized monitoring
system, which provides operators with visibility and control
over the systems.
The RS485 communication standard, as mentioned in the
attack details, is a widely adopted protocol for industrial control
systems due to its reliability and capability for long-distance
communication. It allows for multiple devices to communicate
over a single bus system, which is essential for the centralized
monitoring of various sensors and controllers.
The Meter-Bus (M-Bus) is another communication protocol
used for the collection and transmission of consumption data,
typically for utilities like electricity, gas, water, or heat. When
combined with RS485, it forms a robust network for industrial
sensors to communicate and relay information to central
systems.
By compromising the gateways, the attackers could
potentially disrupt the telemetry and control of the sensors,
leading to a loss of operational visibility and potentially causing
chaos in the systems that rely on this data.
A. Leaked Information
The information from the JSON files was corroborated by
two YouTube videos released by the attackers, showing the
deployment of the Fuxnet malware. The devices listed in the
videos matched the gateways from the JSON file, confirming
that the TMSB/MPSB gateways were the primary targets of the
Fuxnet malware.
The JSON data included device types and names, IP
addresses, communication ports, and location data. The types of
devices listed in the JSON file were:
• MPSB (sensor gateway): 424 Devices
• TMSB (sensor gateway+modem): 93 Devices
• IBZ (3g router): 93 Devices
• Windows 10 (workstation): 9 Devices
• Windows 7 (workstation): 1 Device
• Windows XP (workstation): 1 Device
This list indicates that the attack was focused on the sensor
gateways rather than the end sensors themselves. The gateways
serve as the communication hubs for potentially numerous
sensors connected via a serial bus such as RS485/Meter-Bus.
The leaked data from the attackers, including screenshots
and JSON exports, revealed two specific types of gateways
compromised during the attack:
• MPSB Gateway: This gateway is engineered for
information exchange with external devices through
multiple interfaces. It supports Ethernet and serial
communication protocols, including CAN, RS-232, and
RS-485. The MPSB gateway is a crucial component for
integrating various sensor inputs into a cohesive
monitoring system.
• TMSB Gateway: Similar in function to the MPSB, the
TMSB gateway includes a built-in 3/4G modem, which
allows it to transmit data directly over the internet to a
remote system without the need for additional routing
equipment.
The cyberattack targeted a critical part of the sensor
ecosystem: the orchestrator/gateway devices, specifically the
MPSB and TMSB gateways. These devices are essential for
reading and controlling basic input/output sensors and
transmitting the data to a global monitoring system for
centralized oversight.
The attack exploited the communication pathways between
the sensors and the global monitoring system. The typical data
transmission scenarios targeted were:
• For MPSB Gateway: Sensor → M-Bus/RS485 → MPSB +
IoT router → Internet → Monitoring system. In this
scenario, the sensor data is transmitted via M-Bus/RS485
to the MPSB gateway, which then passes the data through
an IoT router to the internet, and finally to the
monitoring system.
• For TMSB Gateway: Sensor → M-Bus/RS485 → TMSB
(3G/4G modem) → Internet → Monitoring system. Here,
the sensor data is sent via M-Bus/RS485 directly to the
TMSB gateway, which uses its built-in modem to transmit
the data over the internet to the monitoring system.
B. Security Lapses and Attack Methodology
The attackers exploited a significant security lapse: the use
of default credentials (Username: sbk, Password: temppwd) to
access the gateways via SSH. This vulnerability provided an
easy entry point for the attackers to compromise the devices.
The attackers also leaked diagrams and screenshots from the
sensor management UI, showcasing the network topology.
In addition to the TMSB module with built-in 3/4G
capabilities, the attackers mentioned the use of iRZ RL22w
routers. These routers, which use OpenWRT, were likely
employed as internet-gateway devices to connect the sensors to
the internet via 3G.
The attackers reportedly used the SSH service to connect to
these IoT devices and tunnel to internal devices, likely after
obtaining root passwords. Shodan and Censys searches revealed
that thousands of iRZ routers are exposed on the internet, with
around 4,100 devices directly exposing their services and about
500 enabling Telnet.
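The security lapse described above (a shared default SSH account on the gateways, reachable from the internet) is the kind of thing a defender can watch for in the gateways' own authentication logs. The following detection logic is an added example, not code from the page, Team82 or the attackers: it parses OpenSSH "Accepted ..." lines and flags logins that use the default account named in the leaked material, that use password rather than key authentication, or that arrive from outside an assumed management network (10.10.0.0/16 here; the sample log lines and the 203.0.113.0/24 source address are constructed for the example).

```python
import ipaddress
import re
from dataclasses import dataclass

# Default gateway account named in the leaked material (the page gives sbk / temppwd).
DEFAULT_ACCOUNTS = {"sbk"}
# Assumed management network for this example; any other source is unexpected.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# OpenSSH success line: "Accepted <method> for <user> from <ip> port <port> ssh2"
LOGIN_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


@dataclass
class Finding:
    host: str
    user: str
    method: str
    source: str
    reasons: tuple


def parse_login(line):
    """Return the fields of a successful-login line, or None for any other line."""
    m = LOGIN_RE.search(line)
    return m.groupdict() if m else None


def assess(host, line):
    """Turn one log line into a Finding if it matches any risk indicator."""
    ev = parse_login(line)
    if ev is None:
        return None
    reasons = []
    if ev["user"] in DEFAULT_ACCOUNTS:
        reasons.append("default-account")
    if ev["method"] == "password":
        reasons.append("password-auth")
    src = ipaddress.ip_address(ev["ip"])
    if not any(src in net for net in MANAGEMENT_NETS):
        reasons.append("non-management-source")
    if not reasons:
        return None
    return Finding(host, ev["user"], ev["method"], ev["ip"], tuple(reasons))


def scan(log_text):
    """Scan syslog-style lines whose first token is the gateway hostname."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host = line.split()[0]
        finding = assess(host, line)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log: one clean key-based login, one default-account password
# login from the internet, one failed attempt, one default-account login from inside.
SAMPLE_LOG = """\
gw-mpsb-0142 sshd[812]: Accepted publickey for ops from 10.10.4.20 port 50110 ssh2
gw-mpsb-0142 sshd[815]: Accepted password for sbk from 203.0.113.77 port 41022 ssh2
gw-tmsb-0031 sshd[402]: Failed password for sbk from 203.0.113.77 port 41030 ssh2
gw-tmsb-0031 sshd[404]: Accepted password for sbk from 10.10.4.20 port 41044 ssh2
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host}: {f.user} via {f.method} from {f.source} -> {', '.join(f.reasons)}")
```

The second sample line trips all three indicators and the fourth trips two; the failed attempt is ignored here because the point is successful use of the default account. The same three indicators double as the remediation list: retire the shared account, disable password authentication on the gateways, and restrict SSH to the management network.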
C. Sensor Management and Commissioning Software:
The software suite is a critical tool used by engineers to
manage and configure sensors within an industrial or
infrastructure setting. This software connects to devices using a
proprietary protocol that runs over TCP port 4321. The interface
allows engineers to access and modify the settings of sensors,
including their input/output configurations, nodes, and readings.
This capability is essential for the proper setup and maintenance
of sensor networks, ensuring they operate efficiently and
accurately within their designated environments.
Features of software:
• Device Connection: Utilizes a proprietary protocol over
TCP/4321 to establish a secure connection with sensors.
• Configuration Capabilities: Enables the configuration
of sensor settings, including adjustments to their
operational parameters and the management of data they
collect.
• User Interface: The interface provides a straightforward
and intuitive means for engineers to interact with
connected sensors, facilitating ease of use and efficiency
in sensor management tasks.
D. Technical Impact
The sensor monitoring system is another significant
component of the infrastructure targeted in the attack. This system is
designed to aggregate and display telemetry and status reports
from a network of sensors. It plays a vital role in operational
oversight by allowing system operators to receive real-time
alerts, log data, and manage sensors remotely.
According to the claims made by the group, they successfully
compromised this monitoring system. By doing so, they gained
access to a comprehensive list of managed sensors and were able
to correlate these sensors geographically on a map. This breach
not only exposed sensitive operational data but also potentially
allowed the attackers to manipulate sensor outputs and disrupt
normal operations. In terms of visualization and control:
• Geolocation Features: The monitoring system includes
geolocation markings, which help in visualizing the
physical locations of sensors across the network. This
feature is particularly useful for large-scale operations
where sensors are dispersed over extensive areas.
• Facility-Specific Monitoring: Screenshots from the
system show that it is capable of focusing on specific
facilities, such as hospitals, indicating its use in critical
infrastructure settings where precise monitoring is
necessary for safety and operational integrity.
V. ANALYZING THE FUXNET MALWARE
The malware was designed to target sensor gateways, which
are crucial components in the infrastructure of monitoring and
control systems. The logical processes identified in the behavior
of the Fuxnet malware include several steps aimed at causing
irreversible damage to the targeted devices.
• The Fuxnet malware was specifically designed to target
and destroy sensor gateways, not the end-sensors.
• The malware's actions included locking devices,
destroying filesystems, NAND chips, and UBI volumes,
and flooding communication channels.
• The attack was likely facilitated by exploiting default
credentials and vulnerabilities in remote-access
protocols.
• Despite claims of compromising 87,000 devices, the
actual impact appears to be limited to the sensor
gateways, with the end-sensors likely remaining intact.
A. Deployment Script
The attack began with the creation of a deployment script.
The attackers compiled a comprehensive list of the IP addresses
of the sensor gateways they intended to target, along with
detailed descriptions of each sensor's physical location. The
malware was then distributed to each target, likely using remote-
access protocols such as SSH or the proprietary SBK sensor
protocol over TCP port 4321.
B. Locking Up Devices and Destroying the Filesystem
Upon execution on the target device, the Fuxnet malware
initiated a process to lock out the device. It remounted the
filesystem with write access and proceeded to delete critical files
and directories. It also shut down remote access services,
including SSH, HTTP, telnet, and SNMP, effectively preventing
any remote restoration efforts. Additionally, the malware
deleted the device's routing table, crippling its communication
capabilities.
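Because the lock-out step shuts down every remote management service at once, the observable symptom on the operator side is a large number of gateways going dark within the same sweep. The fleet monitor below is an added example, not code from the page or from the affected operator: it probes the management ports the page names (SSH, Telnet, HTTP and the proprietary port 4321), compares two sweeps, and raises a mass-lockout flag when the count of newly unreachable gateways crosses a threshold. The inventory records are constructed, with fields modelled on the leaked JSON (name, type, IP), the addresses come from the 192.0.2.0/24 documentation range, and the live probe is swapped for a stub so the demonstration runs offline.

```python
import socket

# Management services the page says the malware shut down; 4321 is the SBK sensor port.
MGMT_PORTS = {"ssh": 22, "telnet": 23, "http": 80, "sbk": 4321}

# Constructed inventory modelled on the leaked JSON fields (documentation-range IPs).
INVENTORY = [
    {"name": "MPSB-0001", "type": "MPSB", "ip": "192.0.2.11"},
    {"name": "MPSB-0002", "type": "MPSB", "ip": "192.0.2.12"},
    {"name": "TMSB-0001", "type": "TMSB", "ip": "192.0.2.13"},
]


def tcp_open(ip, port, timeout=1.0):
    """Live probe: True if a TCP connection to ip:port succeeds within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_fleet(inventory, probe=tcp_open):
    """Map each gateway name to the set of management services that answered."""
    return {
        dev["name"]: {svc for svc, port in MGMT_PORTS.items() if probe(dev["ip"], port)}
        for dev in inventory
    }


def newly_dark(previous, current):
    """Gateways that had at least one management service before and none now."""
    return sorted(
        name for name, before in previous.items() if before and not current.get(name)
    )


def assess_sweep(previous, current, threshold):
    """Compare two sweeps; flag a mass lock-out when many gateways went dark together."""
    dark = newly_dark(previous, current)
    return {"newly_dark": dark, "mass_lockout": len(dark) >= threshold}


def make_stub_probe(reachable):
    """Offline stand-in for tcp_open: reachable is a set of (ip, port) pairs."""
    return lambda ip, port: (ip, port) in reachable


def demo():
    """Simulate a healthy sweep followed by one where two gateways lost all services."""
    healthy = {(d["ip"], p) for d in INVENTORY for p in (22, 80)}
    before = probe_fleet(INVENTORY, make_stub_probe(healthy))
    after = probe_fleet(INVENTORY, make_stub_probe({("192.0.2.13", 22)}))
    return assess_sweep(before, after, threshold=2)


if __name__ == "__main__":
    print(demo())
```

A single gateway losing SSH is routine maintenance noise; two or more losing every service between consecutive sweeps is the signature worth paging on, and the threshold is the one knob an operator tunes to the size of the fleet.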
C. Destroying NAND Chips
The malware's next step was to physically destroy the
NAND memory chips within the devices. It performed a bit-flip
operation on sections of the SSD NAND chip, repeatedly writing
and rewriting memory until the chip was corrupted. NAND
memory has a limited number of write cycles, and the malware
exploited this limitation to cause the chips to malfunction and
become inoperable.
D. Destroying UBI Volume
To prevent the sensor from rebooting, the malware rewrote
the UBI volume. It used the IOCTL interface UBI_IOCVOLUP
to mislead the kernel into expecting a certain number of bytes to
be written, but then wrote fewer bytes, causing the device to
hang indefinitely. The malware then overwrote the UBI volume
with junk data, destabilizing the filesystem.
E. Denial-Of-Service on Monitoring
The final step in the malware's process was to disrupt the
communication between the sensor gateways and the sensors
themselves. The malware flooded the RS485/Meter-Bus serial
channels with random data, overwhelming the bus and the
sensors. This action prevented the sensors and gateways from
transmitting and receiving data, rendering the data acquisition
process useless.
F. The M-Bus Fuzzing Strategy
This strategy involved the constant sending of M-Bus frames
over the serial channel, likely RS485, aiming to overwhelm and
potentially damage the sensors connected to this network. The
attack involved two main tactics: flooding the M-Bus channel
with an excessive number of frames and employing fuzzing
techniques to potentially exploit vulnerabilities within the
sensors.
G. M-Bus Flooding
The attackers aimed to disable sensor communication by
overwhelming the M-Bus channel with a high volume of frames.
This tactic was likely intended to either directly damage the
sensors through overload or to create conditions conducive to
exploiting vulnerabilities. The fuzzing approach was more
nuanced and targeted. The group implemented two fuzzing
strategies within their malware:
• Random Fuzzing: This method involved generating
random bytes and sending them over the M-Bus,
appending a simple M-Bus CRC to ensure the frames
were not dropped by the sensors. The goal was to cover
the entire range of possible M-Bus payloads, valid or
not, in hopes of triggering sensor malfunctions or
vulnerabilities.
• Structured Fuzzing: This approach attempted to
generate valid M-Bus frames, only randomizing specific
fields within the protocol. By adhering more closely to
the M-Bus structure, the malware increased the
likelihood of the sensor treating the packet as valid and
parsing it fully, thereby increasing the chances of
triggering a vulnerability.
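Both the serial-bus architecture described in section IV and the flooding and fuzzing tactics described above can be monitored from the bus side. The parser and capture analyzer below are an added example, not code from the page or from Team82: they implement the M-Bus frame formats of EN 13757-2 (short frame `10h C A CS 16h`, long frame `68h L L 68h C A CI data CS 16h`, single-byte ACK `E5h`, where the checksum the page calls a "simple M-Bus CRC" is the arithmetic sum of the C..data bytes modulo 256), count bytes that do not form a valid frame, and flag a capture as a flood when the frame rate exceeds a threshold or as malformed traffic when the junk or bad-checksum ratio does. The sample capture, the rate threshold of 50 frames per second and the ratio thresholds are constructed assumptions for the example.

```python
from collections import Counter

FRAME_START_SHORT = 0x10
FRAME_START_LONG = 0x68
FRAME_STOP = 0x16
FRAME_ACK = 0xE5


def build_short_frame(c, a):
    """Short frame per EN 13757-2: 10h C A CS 16h, CS = (C + A) mod 256."""
    return bytes([FRAME_START_SHORT, c, a, (c + a) & 0xFF, FRAME_STOP])


def build_long_frame(c, a, ci, data):
    """Long frame: 68h L L 68h C A CI data CS 16h; L and CS both cover C..data."""
    user = bytes([c, a, ci]) + bytes(data)
    header = bytes([FRAME_START_LONG, len(user), len(user), FRAME_START_LONG])
    return header + user + bytes([sum(user) & 0xFF, FRAME_STOP])


def parse_frames(stream):
    """Walk a raw bus capture.

    Returns (frames, junk): frames is a list of (status, offset, frame_bytes) with status
    "ok", "ack" or "bad_checksum"; junk counts bytes that did not start a structurally
    valid frame and were skipped one at a time to resynchronise.
    """
    frames, junk, i, n = [], 0, 0, len(stream)
    while i < n:
        b = stream[i]
        if b == FRAME_ACK:
            frames.append(("ack", i, stream[i:i + 1]))
            i += 1
        elif b == FRAME_START_SHORT and i + 5 <= n and stream[i + 4] == FRAME_STOP:
            c, a, cs = stream[i + 1], stream[i + 2], stream[i + 3]
            status = "ok" if (c + a) & 0xFF == cs else "bad_checksum"
            frames.append((status, i, stream[i:i + 5]))
            i += 5
        elif (b == FRAME_START_LONG and i + 4 <= n
              and stream[i + 3] == FRAME_START_LONG
              and stream[i + 1] == stream[i + 2] and stream[i + 1] >= 3
              and i + 4 + stream[i + 1] + 2 <= n
              and stream[i + 4 + stream[i + 1] + 1] == FRAME_STOP):
            length = stream[i + 1]
            user = stream[i + 4:i + 4 + length]
            cs = stream[i + 4 + length]
            status = "ok" if sum(user) & 0xFF == cs else "bad_checksum"
            frames.append((status, i, stream[i:i + 4 + length + 2]))
            i += 4 + length + 2
        else:
            junk += 1
            i += 1
    return frames, junk


def analyze_capture(stream, duration_s, max_fps=50.0, max_junk_ratio=0.05, max_bad_ratio=0.1):
    """Summarise a capture window and flag flood-like rates or malformed traffic."""
    frames, junk = parse_frames(stream)
    counts = Counter(status for status, _, _ in frames)
    fps = len(frames) / duration_s if duration_s > 0 else 0.0
    junk_ratio = junk / len(stream) if stream else 0.0
    bad_ratio = counts["bad_checksum"] / len(frames) if frames else 0.0
    flags = []
    if fps > max_fps:
        flags.append("flood")
    if junk_ratio > max_junk_ratio or bad_ratio > max_bad_ratio:
        flags.append("malformed-traffic")
    return {"frames": len(frames), "counts": dict(counts), "junk_bytes": junk,
            "frames_per_second": fps, "flags": flags}


# Constructed capture: a valid SND_NKE, its ACK, four bytes of garbage, a valid
# SND_UD long frame, and a short frame whose checksum field is wrong.
SAMPLE_CAPTURE = (
    build_short_frame(0x40, 0x01)
    + bytes([FRAME_ACK])
    + b"\x00\xff\x13\x37"
    + build_long_frame(0x53, 0x01, 0x51, [0x01, 0x7A])
    + bytes([0x10, 0x40, 0x02, 0x00, 0x16])
)

if __name__ == "__main__":
    print(analyze_capture(SAMPLE_CAPTURE, duration_s=2.0))
    print(analyze_capture(SAMPLE_CAPTURE, duration_s=0.02))
```

Feeding the same bytes in as a two-second window yields only the malformed-traffic flag; compressing them into twenty milliseconds adds the flood flag. Random fuzzing shows up mostly as junk bytes and checksum failures, while structured fuzzing produces well-formed frames and is only visible through the rate, which is why the analyzer reports both.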
Bias in AI. Because Even Robots Can Be Sexist [EN].pdf
 
Overkill Security. Digest. 2024-06 .pdf
Overkill Security. Digest. 2024-06  .pdfOverkill Security. Digest. 2024-06  .pdf
Overkill Security. Digest. 2024-06 .pdf
 
MediHunt [EN] .pdf
MediHunt [EN]                       .pdfMediHunt [EN]                       .pdf
MediHunt [EN] .pdf
 
Detection of Energy Consumption Cyber Attacks on Smart Devices [EN].pdf
Detection of Energy Consumption Cyber Attacks on Smart Devices [EN].pdfDetection of Energy Consumption Cyber Attacks on Smart Devices [EN].pdf
Detection of Energy Consumption Cyber Attacks on Smart Devices [EN].pdf
 
NSA's panic. SOHO [EN] .pdf
NSA's panic. SOHO [EN]               .pdfNSA's panic. SOHO [EN]               .pdf
NSA's panic. SOHO [EN] .pdf
 
NSA's panic. Ubiquiti [EN] .pdf
NSA's panic. Ubiquiti [EN]          .pdfNSA's panic. Ubiquiti [EN]          .pdf
NSA's panic. Ubiquiti [EN] .pdf
 
NSA's panic. AdaptTactics [EN] .pdf
NSA's panic. AdaptTactics [EN]      .pdfNSA's panic. AdaptTactics [EN]      .pdf
NSA's panic. AdaptTactics [EN] .pdf
 
AntiPhishStack [EN].pdf
AntiPhishStack                    [EN].pdfAntiPhishStack                    [EN].pdf
AntiPhishStack [EN].pdf
 
Overkill Security. Digest. 2024-05. Level#Pro.pdf
Overkill Security. Digest. 2024-05. Level#Pro.pdfOverkill Security. Digest. 2024-05. Level#Pro.pdf
Overkill Security. Digest. 2024-05. Level#Pro.pdf
 
NSA's panic. JetBrains [EN].pdf
NSA's panic.          JetBrains [EN].pdfNSA's panic.          JetBrains [EN].pdf
NSA's panic. JetBrains [EN].pdf
 
Living Off the Land (LOTL) intrusions [EN].pdf
Living Off the Land (LOTL) intrusions [EN].pdfLiving Off the Land (LOTL) intrusions [EN].pdf
Living Off the Land (LOTL) intrusions [EN].pdf
 
Ivanti Secure Access VPN (Pulse Secure VPN) [EN].pdf
Ivanti Secure Access VPN (Pulse Secure VPN) [EN].pdfIvanti Secure Access VPN (Pulse Secure VPN) [EN].pdf
Ivanti Secure Access VPN (Pulse Secure VPN) [EN].pdf
 
Atlassian Confluence CVE-2023-22518 [EN].pdf
Atlassian Confluence CVE-2023-22518 [EN].pdfAtlassian Confluence CVE-2023-22518 [EN].pdf
Atlassian Confluence CVE-2023-22518 [EN].pdf
 
The BianLian Android Ransomware [EN].pdf
The BianLian Android Ransomware [EN].pdfThe BianLian Android Ransomware [EN].pdf
The BianLian Android Ransomware [EN].pdf
 
the hacktivist group Anonymous Sudan [en].pdf
the hacktivist group Anonymous Sudan [en].pdfthe hacktivist group Anonymous Sudan [en].pdf
the hacktivist group Anonymous Sudan [en].pdf
 
ALPHV site taken down [EN].pdf
ALPHV site taken down           [EN].pdfALPHV site taken down           [EN].pdf
ALPHV site taken down [EN].pdf
 
Ransomware Mallox [EN].pdf
Ransomware         Mallox       [EN].pdfRansomware         Mallox       [EN].pdf
Ransomware Mallox [EN].pdf
 
Cyber Toufan Al-Aqsa Signature-IT Attack [EN].pdf
Cyber Toufan Al-Aqsa Signature-IT Attack [EN].pdfCyber Toufan Al-Aqsa Signature-IT Attack [EN].pdf
Cyber Toufan Al-Aqsa Signature-IT Attack [EN].pdf
 
Microsoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdfMicrosoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdf
 

Recently uploaded

Chapter 6 - Test Tools Considerations V4.0
Chapter 6 - Test Tools Considerations V4.0Chapter 6 - Test Tools Considerations V4.0
Chapter 6 - Test Tools Considerations V4.0
Neeraj Kumar Singh
 
Call Girls Firozabad ☎️ +91-7426014248 😍 Firozabad Call Girl Beauty Girls Fir...
Call Girls Firozabad ☎️ +91-7426014248 😍 Firozabad Call Girl Beauty Girls Fir...Call Girls Firozabad ☎️ +91-7426014248 😍 Firozabad Call Girl Beauty Girls Fir...
Call Girls Firozabad ☎️ +91-7426014248 😍 Firozabad Call Girl Beauty Girls Fir...
jiaulalam7655
 
Lessons Of Binary Analysis - Christien Rioux
Lessons Of Binary Analysis - Christien RiouxLessons Of Binary Analysis - Christien Rioux
Lessons Of Binary Analysis - Christien Rioux
crioux1
 
Guidelines for Effective Data Visualization
Guidelines for Effective Data VisualizationGuidelines for Effective Data Visualization
Guidelines for Effective Data Visualization
UmmeSalmaM1
 
Metadata Lakes for Next-Gen AI/ML - Datastrato
Metadata Lakes for Next-Gen AI/ML - DatastratoMetadata Lakes for Next-Gen AI/ML - Datastrato
Metadata Lakes for Next-Gen AI/ML - Datastrato
Zilliz
 
Chapter 3 - Static Testing (Review) V4.0
Chapter 3 - Static Testing (Review) V4.0Chapter 3 - Static Testing (Review) V4.0
Chapter 3 - Static Testing (Review) V4.0
Neeraj Kumar Singh
 
Introduction to ThousandEyes AMER Webinar
Introduction  to ThousandEyes AMER WebinarIntroduction  to ThousandEyes AMER Webinar
Introduction to ThousandEyes AMER Webinar
ThousandEyes
 
this resume for sadika shaikh bca student
this resume for sadika shaikh bca studentthis resume for sadika shaikh bca student
this resume for sadika shaikh bca student
SadikaShaikh7
 
An Introduction to All Data Enterprise Integration
An Introduction to All Data Enterprise IntegrationAn Introduction to All Data Enterprise Integration
An Introduction to All Data Enterprise Integration
Safe Software
 
Chapter 5 - Managing Test Activities V4.0
Chapter 5 - Managing Test Activities V4.0Chapter 5 - Managing Test Activities V4.0
Chapter 5 - Managing Test Activities V4.0
Neeraj Kumar Singh
 
STKI Israeli Market Study 2024 final v1
STKI Israeli Market Study 2024 final  v1STKI Israeli Market Study 2024 final  v1
STKI Israeli Market Study 2024 final v1
Dr. Jimmy Schwarzkopf
 
TrustArc Webinar - Your Guide for Smooth Cross-Border Data Transfers and Glob...
TrustArc Webinar - Your Guide for Smooth Cross-Border Data Transfers and Glob...TrustArc Webinar - Your Guide for Smooth Cross-Border Data Transfers and Glob...
TrustArc Webinar - Your Guide for Smooth Cross-Border Data Transfers and Glob...
TrustArc
 
The "Zen" of Python Exemplars - OTel Community Day
The "Zen" of Python Exemplars - OTel Community DayThe "Zen" of Python Exemplars - OTel Community Day
The "Zen" of Python Exemplars - OTel Community Day
Paige Cruz
 
Product Listing Optimization Presentation - Gay De La Cruz.pdf
Product Listing Optimization Presentation - Gay De La Cruz.pdfProduct Listing Optimization Presentation - Gay De La Cruz.pdf
Product Listing Optimization Presentation - Gay De La Cruz.pdf
gaydlc2513
 
Brightwell ILC Futures workshop David Sinclair presentation
Brightwell ILC Futures workshop David Sinclair presentationBrightwell ILC Futures workshop David Sinclair presentation
Brightwell ILC Futures workshop David Sinclair presentation
ILC- UK
 
APJC Introduction to ThousandEyes Webinar
APJC Introduction to ThousandEyes WebinarAPJC Introduction to ThousandEyes Webinar
APJC Introduction to ThousandEyes Webinar
ThousandEyes
 
New ThousandEyes Product Features and Release Highlights: June 2024
New ThousandEyes Product Features and Release Highlights: June 2024New ThousandEyes Product Features and Release Highlights: June 2024
New ThousandEyes Product Features and Release Highlights: June 2024
ThousandEyes
 
Building a Semantic Layer of your Data Platform
Building a Semantic Layer of your Data PlatformBuilding a Semantic Layer of your Data Platform
Building a Semantic Layer of your Data Platform
Enterprise Knowledge
 
Chapter 2 - Testing Throughout SDLC V4.0
Chapter 2 - Testing Throughout SDLC V4.0Chapter 2 - Testing Throughout SDLC V4.0
Chapter 2 - Testing Throughout SDLC V4.0
Neeraj Kumar Singh
 
Multimodal Retrieval Augmented Generation (RAG) with Milvus
Multimodal Retrieval Augmented Generation (RAG) with MilvusMultimodal Retrieval Augmented Generation (RAG) with Milvus
Multimodal Retrieval Augmented Generation (RAG) with Milvus
Zilliz
 

Recently uploaded (20)

Chapter 6 - Test Tools Considerations V4.0
Chapter 6 - Test Tools Considerations V4.0Chapter 6 - Test Tools Considerations V4.0
Chapter 6 - Test Tools Considerations V4.0
 
Call Girls Firozabad ☎️ +91-7426014248 😍 Firozabad Call Girl Beauty Girls Fir...
Call Girls Firozabad ☎️ +91-7426014248 😍 Firozabad Call Girl Beauty Girls Fir...Call Girls Firozabad ☎️ +91-7426014248 😍 Firozabad Call Girl Beauty Girls Fir...
Call Girls Firozabad ☎️ +91-7426014248 😍 Firozabad Call Girl Beauty Girls Fir...
 
Lessons Of Binary Analysis - Christien Rioux
Lessons Of Binary Analysis - Christien RiouxLessons Of Binary Analysis - Christien Rioux
Lessons Of Binary Analysis - Christien Rioux
 
Guidelines for Effective Data Visualization
Guidelines for Effective Data VisualizationGuidelines for Effective Data Visualization
Guidelines for Effective Data Visualization
 
Metadata Lakes for Next-Gen AI/ML - Datastrato
Metadata Lakes for Next-Gen AI/ML - DatastratoMetadata Lakes for Next-Gen AI/ML - Datastrato
Metadata Lakes for Next-Gen AI/ML - Datastrato
 
Chapter 3 - Static Testing (Review) V4.0
Chapter 3 - Static Testing (Review) V4.0Chapter 3 - Static Testing (Review) V4.0
Chapter 3 - Static Testing (Review) V4.0
 
Introduction to ThousandEyes AMER Webinar
Introduction  to ThousandEyes AMER WebinarIntroduction  to ThousandEyes AMER Webinar
Introduction to ThousandEyes AMER Webinar
 
this resume for sadika shaikh bca student
this resume for sadika shaikh bca studentthis resume for sadika shaikh bca student
this resume for sadika shaikh bca student
 
An Introduction to All Data Enterprise Integration
An Introduction to All Data Enterprise IntegrationAn Introduction to All Data Enterprise Integration
An Introduction to All Data Enterprise Integration
 
Chapter 5 - Managing Test Activities V4.0
Chapter 5 - Managing Test Activities V4.0Chapter 5 - Managing Test Activities V4.0
Chapter 5 - Managing Test Activities V4.0
 
STKI Israeli Market Study 2024 final v1
STKI Israeli Market Study 2024 final  v1STKI Israeli Market Study 2024 final  v1
STKI Israeli Market Study 2024 final v1
 
TrustArc Webinar - Your Guide for Smooth Cross-Border Data Transfers and Glob...
TrustArc Webinar - Your Guide for Smooth Cross-Border Data Transfers and Glob...TrustArc Webinar - Your Guide for Smooth Cross-Border Data Transfers and Glob...
TrustArc Webinar - Your Guide for Smooth Cross-Border Data Transfers and Glob...
 
The "Zen" of Python Exemplars - OTel Community Day
The "Zen" of Python Exemplars - OTel Community DayThe "Zen" of Python Exemplars - OTel Community Day
The "Zen" of Python Exemplars - OTel Community Day
 
Product Listing Optimization Presentation - Gay De La Cruz.pdf
Product Listing Optimization Presentation - Gay De La Cruz.pdfProduct Listing Optimization Presentation - Gay De La Cruz.pdf
Product Listing Optimization Presentation - Gay De La Cruz.pdf
 
Brightwell ILC Futures workshop David Sinclair presentation
Brightwell ILC Futures workshop David Sinclair presentationBrightwell ILC Futures workshop David Sinclair presentation
Brightwell ILC Futures workshop David Sinclair presentation
 
APJC Introduction to ThousandEyes Webinar
APJC Introduction to ThousandEyes WebinarAPJC Introduction to ThousandEyes Webinar
APJC Introduction to ThousandEyes Webinar
 
New ThousandEyes Product Features and Release Highlights: June 2024
New ThousandEyes Product Features and Release Highlights: June 2024New ThousandEyes Product Features and Release Highlights: June 2024
New ThousandEyes Product Features and Release Highlights: June 2024
 
Building a Semantic Layer of your Data Platform
Building a Semantic Layer of your Data PlatformBuilding a Semantic Layer of your Data Platform
Building a Semantic Layer of your Data Platform
 
Chapter 2 - Testing Throughout SDLC V4.0
Chapter 2 - Testing Throughout SDLC V4.0Chapter 2 - Testing Throughout SDLC V4.0
Chapter 2 - Testing Throughout SDLC V4.0
 
Multimodal Retrieval Augmented Generation (RAG) with Milvus
Multimodal Retrieval Augmented Generation (RAG) with MilvusMultimodal Retrieval Augmented Generation (RAG) with Milvus
Multimodal Retrieval Augmented Generation (RAG) with Milvus
 

Fuxnet [EN] .pdf

They have published screenshots of monitoring systems, servers, and databases they assert have been erased and made inoperative, as well as password dumps. Regarding the infection method, the Fuxnet malware appears to have been designed to target sensor gateways and potentially disable them, as well as to fuzz the sensors, which could lead to their malfunction or destruction. The destruction of these gateways and the fuzzing of the sensors could have serious implications for the monitoring and control of various systems, potentially leading to a loss of operational visibility and control for the affected infrastructure.

The key takeaways from the analysis of the Fuxnet malware, including the results of Team82 and Claroty, are as follows:

• Unverified Claims: Team82 and Claroty have not been able to confirm the claims made by the Blackjack group regarding the impact of their cyberattack on the government's emergency response capabilities or the extent of the damage caused by the Fuxnet malware.
• Discrepancy in Reported Impact: The Blackjack group initially claimed to have targeted 2,659 sensor gateways, with about 1,700 being successfully attacked. However, Team82's analysis of the data leaked by Blackjack suggests that only a little more than 500 sensor gateways were actually impacted by the malware. The claim of having destroyed 87,000 sensors was also clarified by Blackjack, who stated that they disabled the sensors by destroying the gateways and using M-Bus fuzzing, rather than physically destroying the sensors.
• M-Bus Fuzzing: The Blackjack group used a dedicated M-Bus fuzzer within the Fuxnet malware's code to fuzz the sensors. This technique was aimed at disabling the sensors, but the exact number of sensors that were "fried" or permanently damaged as a result is unknown, because the network was taken down and access to the sensor gateways was disabled.
• Lack of Direct Evidence: There is no direct evidence confirming the extent of the damage or the impact on emergency detection and response capabilities, including at the targeted Moscollector.
• Clarification from Blackjack: Following the publication of Team82's initial analysis, the Blackjack group reached out to provide updates and clarifications, particularly challenging the contention that only around 500 sensor gateways had been impacted. They emphasized that the JSON files made public were only a sample of the full extent of their activity.

II. AFFECTED INDUSTRIES AND POTENTIAL CONSEQUENCES

A. Affected Industries
• Utility Services: The primary target of the Fuxnet malware was the utility sector, specifically the sensor gateways that manage water and sewage systems. This could have implications for the delivery and monitoring of these essential services.
• Emergency Services: The group claimed to have gained access to the 112 emergency service number, which could impact the ability to respond to emergencies effectively.
• Transportation: The group also claimed to have bricked sensors and controllers in critical infrastructure, including airports and subways, which could disrupt transportation services and safety.
• Energy: Gas pipelines were mentioned as another target, indicating a potential risk to energy distribution and monitoring systems.

B. Potential Consequences
• Disruption of Services: The destruction or malfunction of sensor gateways could lead to a disruption of the monitoring and control systems for utilities, potentially causing service outages or failures.
• Compromised Safety: In the transportation and energy sectors, the loss of sensor functionality could pose safety risks, as these sensors are often critical for detecting hazardous conditions.
• Economic Impact: The potential downtime and repair costs associated with replacing or reflashing damaged sensor gateways could have significant economic repercussions for the affected industries.
• Emergency Response Delays: If the claims about accessing the 112 emergency service number are accurate, this could lead to delays in emergency response, affecting public safety.
• Data Exfiltration: Although not explicitly mentioned in the context of Fuxnet, the malware's ability to compromise network systems could potentially lead to data breaches and the exfiltration of sensitive information.
• Loss of Public Confidence: Cyberattacks on critical infrastructure can lead to a loss of public confidence in the affected services and the entities responsible for their security.

III. MOSCOLLECTOR ATTACK
The attack, whose initial compromise began in June 2023, was methodically orchestrated to undermine the industrial sensors and monitoring infrastructure. Recently, the group made public their activities and the stolen information on the ruexfil website, detailing the extent and impact of their cyber offensive. The compromise of this system could potentially disrupt emergency response capabilities, affecting the safety and security of the populace.

A. Bricking of Critical Infrastructure Sensors and Controllers
The group alleges to have hacked and bricked sensors and controllers within critical infrastructure sectors, including airports, subways, and gas pipelines. This action, if true, could have disabled essential monitoring and control systems, leading to significant disruptions in public services and safety.

B. Network Appliance Disruption
The group asserts that they have disabled network appliances such as routers and firewalls. This would have a cascading effect on the network's integrity, potentially isolating various segments and hindering communication across the infrastructure.

C. Deletion of Servers and Databases
The attackers claim to have deleted servers, workstations, and databases, wiping out approximately 30 TB of data, including backup drives. This kind of data destruction could lead to a loss of historical data, disrupt ongoing operations, and complicate recovery efforts.

D. Invalidation of Moscollector Office Building Access
All keycards to the office building have reportedly been invalidated. This action could prevent employees from accessing their workplace, further hindering any attempts to assess the damage or initiate recovery protocols.

E. Password Dumping
The dumping of passwords from multiple internal services has also been claimed. This could allow unauthorized access to various systems and data, exacerbating the breach's impact and potentially leading to further exploitation.

IV. ATTACK'S EQUIPMENT
The attack's focus was on the communication gateways that serve as critical nodes in the data transmission from the sensors to the global monitoring systems. These sensors are integral to various environmental monitoring systems, including those used in fire alarms, gas monitoring, and lighting controls.

The sensors are designed to collect physical data such as temperature and transmit this information through a serial or bus connection, specifically RS485/Meter-Bus, to a gateway. These gateways act as transmission units, enabling the telemetry data to be sent over the internet to a centralized monitoring system, which provides operators with visibility and control over the systems.

The RS485 communication standard, as mentioned in the attack details, is a widely adopted protocol for industrial control systems due to its reliability and capability for long-distance communication. It allows multiple devices to communicate over a single bus, which is essential for the centralized monitoring of various sensors and controllers. The Meter-Bus (M-Bus) is another communication protocol used for the collection and transmission of consumption data, typically for utilities like electricity, gas, water, or heat. When combined with RS485, it forms a robust network for industrial sensors to communicate and relay information to central systems. By compromising the gateways, the attackers could potentially disrupt the telemetry and control of the sensors, leading to a loss of operational visibility and potentially causing chaos in the systems that rely on this data.

A. Leaked Information
The information from the JSON files was corroborated by two YouTube videos released by the attackers, showing the deployment of the Fuxnet malware. The devices listed in the videos matched the gateways from the JSON file, confirming that the TMSB/MPSB gateways were the primary targets of the Fuxnet malware. The JSON data included device types and names, IP addresses, communication ports, and location data. The types of devices listed in the JSON file were:

• MPSB (sensor gateway): 424 devices
• TMSB (sensor gateway + modem): 93 devices
• IBZ (3G router): 93 devices
• Windows 10 (workstation): 9 devices
• Windows 7 (workstation): 1 device
• Windows XP (workstation): 1 device

This list indicates that the attack was focused on the sensor gateways rather than the end sensors themselves. The gateways serve as the communication hubs for potentially numerous sensors connected via a serial bus such as RS485/Meter-Bus. The leaked data from the attackers, including screenshots and JSON exports, revealed two specific types of gateways compromised during the attack:

• MPSB Gateway: This gateway is engineered for information exchange with external devices through multiple interfaces. It supports Ethernet and serial communication protocols, including CAN, RS-232, and RS-485. The MPSB gateway is a crucial component for integrating various sensor inputs into a cohesive monitoring system.
• TMSB Gateway: Similar in function to the MPSB, the TMSB gateway includes a built-in 3G/4G modem, which allows it to transmit data directly over the internet to a remote system without the need for additional routing equipment.

The cyberattack targeted a critical part of the sensor ecosystem: the orchestrator/gateway devices, specifically the MPSB and TMSB gateways. These devices are essential for reading and controlling basic input/output sensors and transmitting the data to a global monitoring system for centralized oversight. The attack exploited the communication pathways between the sensors and the global monitoring system. The typical data transmission scenarios targeted were:

• For the MPSB gateway: Sensor → (M-Bus/RS485) → MPSB + IoT router → (Internet) → Monitoring system. In this scenario, the sensor data is transmitted via M-Bus/RS485 to the MPSB gateway, which then passes the data through an IoT router to the internet, and finally to the monitoring system.
• For the TMSB gateway: Sensor → (M-Bus/RS485) → TMSB (3G/4G modem) → (Internet) → Monitoring system. Here, the sensor data is sent via M-Bus/RS485 directly to the TMSB gateway, which uses its built-in modem to transmit the data over the internet to the monitoring system.

B. Security Lapses and Attack Methodology
The attackers exploited a significant security lapse: the use of default credentials (Username: sbk, Password: temppwd) to access the gateways via SSH. This weakness provided an easy entry point for the attackers to compromise the devices. The attackers also leaked diagrams and screenshots from the sensor management UI, showcasing the network topology.

In addition to the TMSB module with built-in 3G/4G capabilities, the attackers mentioned the use of iRZ RL22w routers. These routers, which run OpenWRT, were likely employed as internet-gateway devices to connect the sensors to the internet via 3G. The attackers reportedly used the SSH service to connect to these IoT devices and tunnel to internal devices, likely after obtaining root passwords. Shodan and Censys searches revealed that thousands of iRZ routers are exposed on the internet, with around 4,100 devices directly exposing their services and about 500 enabling Telnet.

C. Sensor Management and Commissioning Software
The software suite is a critical tool used by engineers to manage and configure sensors within an industrial or infrastructure setting. This software connects to devices using a proprietary protocol that runs over TCP port 4321. The interface allows engineers to access and modify the settings of sensors, including their input/output configurations, nodes, and readings. This capability is essential for the proper setup and maintenance of sensor networks, ensuring they operate efficiently and accurately within their designated environments. Features of the software:

• Device Connection: Uses a proprietary protocol over TCP/4321 to establish a secure connection with sensors.
• Configuration Capabilities: Enables the configuration of sensor settings, including adjustments to their operational parameters and the management of the data they collect.
• User Interface: The interface provides a straightforward and intuitive means for engineers to interact with connected sensors, facilitating ease of use and efficiency in sensor management tasks.

D. Technical Impact
The sensor monitoring system is another significant component of the infrastructure targeted in the attack. This system is designed to aggregate and display telemetry and status reports from a network of sensors. It plays a vital role in operational oversight by allowing system operators to receive real-time alerts, log data, and manage sensors remotely. According to the claims made by the group, they successfully compromised this monitoring system. By doing so, they gained access to a comprehensive list of managed sensors and were able to correlate these sensors geographically on a map. This breach not only exposed sensitive operational data but also potentially allowed the attackers to manipulate sensor outputs and disrupt normal operations. In terms of visualization and control:

• Geolocation Features: The monitoring system includes geolocation markings, which help in visualizing the physical locations of sensors across the network. This feature is particularly useful for large-scale operations where sensors are dispersed over extensive areas.
• Facility-Specific Monitoring: Screenshots from the system show that it is capable of focusing on specific facilities, such as hospitals, indicating its use in critical infrastructure settings where precise monitoring is necessary for safety and operational integrity.

V. ANALYZING THE FUXNET MALWARE
The malware was designed to target sensor gateways, which are crucial components in the infrastructure of monitoring and control systems. The logical processes identified in the behavior of the Fuxnet malware include several steps aimed at causing irreversible damage to the targeted devices.

• The Fuxnet malware was specifically designed to target and destroy sensor gateways, not the end sensors.
• The malware's actions included locking devices, destroying filesystems, NAND chips, and UBI volumes, and flooding communication channels.
• The attack was likely facilitated by exploiting default credentials and weaknesses in remote-access protocols.
• Despite claims of compromising 87,000 devices, the actual impact appears to be limited to the sensor gateways, with the end sensors likely remaining intact.

A. Deployment Script
The attack began with the creation of a deployment script. The attackers compiled a comprehensive list of the IP addresses of the sensor gateways they intended to target, along with detailed descriptions of each sensor's physical location. The malware was then distributed to each target, likely using remote-access protocols such as SSH or the proprietary SBK sensor protocol over TCP port 4321.

B. Locking Up Devices and Destroying the Filesystem
Upon execution on the target device, the Fuxnet malware initiated a process to lock out the device. It remounted the filesystem with write access and proceeded to delete critical files and directories. It also shut down remote access services, including SSH, HTTP, Telnet, and SNMP, effectively preventing any remote restoration efforts. Additionally, the malware deleted the device's routing table, crippling its communication capabilities.

C. Destroying NAND Chips
The malware's next step was to physically destroy the NAND memory chips within the devices. It performed a bit-flip operation on sections of the SSD NAND chip, repeatedly writing and rewriting memory until the chip was corrupted. NAND memory has a limited number of write cycles, and the malware exploited this limitation to cause the chips to malfunction and become inoperable.

D. Destroying UBI Volume
To prevent the sensor gateway from rebooting, the malware rewrote the UBI volume. It used the IOCTL interface UBI_IOCVOLUP to mislead the kernel into expecting a certain number of bytes to be written, but then wrote fewer bytes, causing the device to hang indefinitely. The malware then overwrote the UBI volume with junk data, destabilizing the filesystem.

E. Denial-of-Service on Monitoring
The final step in the malware's process was to disrupt the communication between the sensor gateways and the sensors themselves. The malware flooded the RS485/Meter-Bus serial channels with random data, overwhelming the bus and the sensors. This action prevented the sensors and gateways from transmitting and receiving data, rendering the data acquisition process useless.

F. The M-Bus Fuzzing Strategy
This strategy involved the constant sending of M-Bus frames over the serial channel, likely RS485, aiming to overwhelm and potentially damage the sensors connected to this network. The attack involved two main tactics: flooding the M-Bus channel with an excessive number of frames and employing fuzzing techniques to potentially exploit vulnerabilities within the sensors.

G. M-Bus Flooding
The attackers aimed to disable sensor communication by overwhelming the M-Bus channel with a high volume of frames. This tactic was likely intended either to directly damage the sensors through overload or to create conditions conducive to exploiting vulnerabilities. The fuzzing approach was more nuanced and targeted. The group implemented two fuzzing strategies within their malware:

• Random Fuzzing: This method involved generating random bytes and sending them over the M-Bus, appending a simple M-Bus checksum so that the frames were not dropped by the sensors. The goal was to cover the entire range of possible M-Bus payloads, valid or not, in the hope of triggering sensor malfunctions or vulnerabilities.
• Structured Fuzzing: This approach attempted to generate valid M-Bus frames, randomizing only specific fields within the protocol. By adhering more closely to the M-Bus structure, the malware increased the likelihood of the sensor treating the packet as valid and parsing it fully, thereby increasing the chances of triggering a vulnerability.
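Both fuzzing strategies above rely on the sensor accepting any frame whose checksum is right. As an added example (not code from the report, from Team82, or from the attackers), here is a defender-side M-Bus frame validator and flood monitor in Python of the kind a gateway or a passive bus tap could run: a strict structural and checksum parse, a semantic policy layer that the checksum alone cannot provide, and a sliding-window rate check for the flooding case. The frame layout and checksum rule are the real EN 13757-2 ones; the allowed control-field set, the data-length limit and the sample frames are assumptions constructed for this example.

```python
"""Defensive M-Bus long-frame validation and flood detection (added example)."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Optional

# EN 13757-2 link-layer constants (real values).
START_LONG, STOP = 0x68, 0x16
# Control fields a master normally sends (SND_NKE, SND_UD, REQ_UD1, REQ_UD2 in
# both FCB states) plus the meter's RSP_UD variants. Anything else is treated
# as suspect. This whitelist is an assumed site policy, not part of the standard.
ALLOWED_CONTROL = {0x40, 0x53, 0x73, 0x5A, 0x7A, 0x5B, 0x7B, 0x08, 0x18, 0x28, 0x38}
MAX_DATA_LEN = 64  # assumed site limit on the user-data field of one frame


@dataclass
class MBusFrame:
    control: int
    address: int
    control_info: int
    data: bytes


def checksum(payload: bytes) -> int:
    """M-Bus checksum: arithmetic sum of the C, A, CI and data bytes, mod 256."""
    return sum(payload) & 0xFF


def build_long_frame(control: int, address: int, ci: int, data: bytes) -> bytes:
    """Assemble a well-formed long frame: 68 L L 68 C A CI data CS 16."""
    payload = bytes([control, address, ci]) + data
    header = bytes([START_LONG, len(payload), len(payload), START_LONG])
    return header + payload + bytes([checksum(payload), STOP])


def parse_long_frame(raw: bytes) -> Optional[MBusFrame]:
    """Strict structural parse; returns None on any deviation from the layout.

    Rejecting early means the receiver never half-parses a frame that was
    built to look superficially right.
    """
    if len(raw) < 9 or raw[0] != START_LONG or raw[3] != START_LONG:
        return None
    length = raw[1]
    # L is sent twice and must cover C, A, CI and the data field exactly.
    if raw[2] != length or length < 3 or len(raw) != length + 6:
        return None
    if raw[-1] != STOP:
        return None
    payload = raw[4:4 + length]
    if checksum(payload) != raw[4 + length]:
        return None
    return MBusFrame(payload[0], payload[1], payload[2], bytes(payload[3:]))


def violates_policy(frame: MBusFrame) -> Optional[str]:
    """Semantic checks the checksum cannot provide; returns a reason or None."""
    if frame.control not in ALLOWED_CONTROL:
        return "unexpected control field 0x%02X" % frame.control
    if len(frame.data) > MAX_DATA_LEN:
        return "data field of %d bytes exceeds site limit" % len(frame.data)
    return None


class BusMonitor:
    """Passive monitor for one RS485/M-Bus segment.

    Classifies each observed frame and reports "flood" once the frame count in
    a sliding window exceeds what the polling schedule should ever produce.
    """

    def __init__(self, max_frames_per_window: int, window_seconds: float):
        self.max_frames = max_frames_per_window
        self.window = window_seconds
        self.times: Deque[float] = deque()

    def observe(self, raw: bytes, now: float) -> str:
        # Rate check first: a flood of perfectly valid frames is still a flood.
        self.times.append(now)
        while self.times and now - self.times[0] > self.window:
            self.times.popleft()
        if len(self.times) > self.max_frames:
            return "flood"
        frame = parse_long_frame(raw)
        if frame is None:
            return "malformed"
        if violates_policy(frame) is not None:
            return "policy"
        return "ok"


# Constructed sample frames (not captured traffic).
GOOD_FRAME = build_long_frame(0x53, 0x05, 0x51, bytes([0x00, 0x01, 0x00]))
# Random-fuzz style: garbage control field, but the checksum is correct.
RANDOM_FUZZ_FRAME = build_long_frame(0xC7, 0x05, 0x51, bytes([0x9F, 0x12]))
# Structured-fuzz style: valid C/A/CI, oversized pseudo-random data field.
STRUCTURED_FUZZ_FRAME = build_long_frame(0x53, 0x05, 0x51, bytes(range(80)))
TRUNCATED_FRAME = GOOD_FRAME[:-1]
```

The checksum alone accepts both fuzz-style samples; only the policy layer and the rate window separate them from legitimate polling traffic.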