This article is about Buying and Selling SCADA Zero-Days.
Introduction to Buying and Selling SCADA Zero-Days:
How much is zero-day for an industrial control system? Where can they be bought and who are the main buyers of these commodities?
I can tell you that there is no definitive answer to the above questions, but first let’s try to understand the current scenario and why zero-day exploits are considered a rare commodity in the underground.
In August 2015, ICS-CERT published six recommendations to warn organizations about the presence of Zero-Day Flaws in SCADA systems. Security researcher at Elastica, Aditya K. Sood, revealed several vulnerabilities affecting human-machine interface (HMI) SCADA systems during Def Con 2015.
The flaws discovered by Sood are very common in such systems. These include remote and local file injection vulnerabilities, insecure authentication mechanisms, hard-coded credentials, weak encryption, weak password hashing, cross-site request forgery (CSRF). Experts emphasized that most of the flaws it discovered relate to HMI modules developed by various manufacturers, including Moxa, Prisma, KACO, Rockwell Automation, Schneider Electric and Siemens.
ICSCERT immediately issued a vulnerability alert because the affected products are widely adopted in many industries and a cyber attack could cause serious damage.
ICS-CERT also provided recommendations on how to prevent unauthorized access to SCADA systems. For example, he recommended using a VPN to secure remote connections to control systems.
Unfortunately, many SCADA and ICS systems used in various critical infrastructures were designed to operate in isolated networks with no regard for security, but current industrial scenarios require a new approach.
A report recently released by Dell, The Dell Annual Threat Report, revealed a respectable 100% increase in 2014 in the number of attacks on Supervisory Control and Data Acquisition (SCADA) systems.
The report highlighted another worrying aspect related to SCADA security. Most incidents that occur in SCADA systems go unreported. This means that information related to attacks is not shared for the benefit of attackers. Experts confirmed that in most cases the threat actors were politically motivated APT groups.
“Attacks against SCADA systems are on the rise and tend to be political in nature as they target operational capabilities in power plants, factories and refineries,” the researchers explained. “We have seen a worldwide increase in SCADA attacks from 91,676 in January 2012 to 163,228 in January 2013 and 675,186 in January 2014.”
The countries with the most attacks are Finland, the United Kingdom and the United States, where online SCADA systems are widespread.
“In 2014, Dell experienced 202,322 SCADA attacks in Finland, 69,656 in the UK and 51,258 in the US,” the report continues.
Most attacks used buffer overflow vulnerabilities in SCADA systems (25%), missing input validation (9%) and Information Exposure (9%) are among the main causes of attacks.
Security experts speculate that the number of attacks will continue to increase in the coming years.
“This lack of information sharing, combined with the vulnerability of industrial machines due to their advanced age, means that we can likely expect to see more SCADA attacks in the coming months and years.” the report states.
ICS-CERT responded to 245 incidents in fiscal year 2014. More than half of the incidents reported by asset owners and industry partners involved sophisticated APTs. That attackers used a wide variety of methods to attempt to compromise the infrastructure of control systems, including:
- Malicious code designed to compromise air-gapped networks
- Spear phishing attacks
- Attacks on the watering hole
- SQL injection attacks
The main problem for experts who have analyzed attacks against critical infrastructure is the difficulty of attributing them to threat actors. In many cases, these attacks are under the radar during the year due to the high level of sophistication of tactics, techniques and procedures (TTP).
In 38 percent of reported incidents, victims were unable to identify the threat actors or the attack vector exploited by the hackers.
“There are many more incidents going unreported in critical infrastructure,” says the ICS-CERT MONITOR report. “Forensic evidence did not point to the method used for the breach due to the lack of detection and monitoring capabilities in the compromised network.”
The data presented showed that the number of attacks on SCADA and ICS systems is increasing, and the main threat to these systems appears to be groups of nation states.
In short, we have a scenario characterized by an increasing number of cyber-attacks against SCADA systems, which in many cases are vulnerable due to a lack of security by design. The attackers are primarily state-sponsored hackers, which means they are usually well-funded.
These elements lead me to believe that this category of threat actors is very interested in obtaining a zero-day exploit specifically designed to hit SCADA and ICS systems.
Zero day prices
Zero-day knowledge is a critical factor for a cyber attack. Exploiting previously unknown vulnerabilities is the prerogative of well-funded hacking groups such as nation-state actors.
Zero-day exploits are rare commodities in the underground economy. In the growing market for zero-day exploits, intelligence agencies are the main buyers. This market is very fertile. A growing number of companies are selling zero-day exploits to governments. In 2013, it was estimated that this market was able to offer 85 exploits per day, which is an impressive number.
When working with SCADA, the problem appears even more dangerous. The risk that threat actors could obtain a zero-day exploit on the black market is concrete.
Governments consider the use of cyber weapons to be a coadjutant to conventional weapons. zero-day exploits are the main components for the design of hacking tools that belong to their cyber arsenal.
Critical infrastructures are strategic targets in the context of information warfare. It is normal to expect that intelligence agencies are very interested in developing and purchasing zero-day exploits specifically designed to target SCADA and ICS systems. The hacker community shares the view that knowledge of security flaws in certain industrial control systems (SCADA and ICS) widely used in critical infrastructure (ie nuclear power plants, power grids) is theoretically of no value to a persistent attacker such as a government.
Under specific conditions, these exploits could be used to cause serious damage with serious effects on the population.
How much would the government be willing to pay for hacking tools that could hit critical infrastructure? Is it possible to find this specific kind of exploits underground?
Journalist Thomas Fox-Brewster of Forbes recently published an interesting article that explored this argument. Fox-Brewster, with the support of Yuri Gurkin, CEO of the Russian company Gleg, was looking for a SCADA/ICS zero-days vendor.
Gleg has several “exploit packs” in its product portfolio for Canvas, an automated exploitation system and reliable exploit development framework for penetration testers. One of the “exploit packs” offered by the company, SCADA+, includes all of the company’s publicly available SCADA vulnerabilities and zero-days.
Gleg is constantly updating packages; Gurkin explained that each month his company includes one or two exclusive zero days in exploit packs. Clearly, packages like SCADA+ could be powerful tools in an attacker’s arsenal.
How much does SCADA+ cost?
Incredibly, the company offers it for $8,100 per year, with a Canvas license costing over $3,000 for up to 10 users. The SCADA+ package includes applications for industrial control systems from major manufacturers such as Siemens, Panasonic and D-link.
Who are the buyers?
Although government agencies are the most important players in the zero-day market, Gurkin explained that his company sells exploit packs mainly to private companies, obviously for testing purposes.
Gurkin explained that he simply wanted to “illustrate” the vulnerabilities and their risks. “We don’t do any research to control SCADA systems, we just write vulnerability exploits for the Canvas framework.”
Wait a minute! This last statement seems to be a contradiction, however, it is contrary to the idea of many black hat hackers who do dirty and secret business with governments around the world.
The cost of a zero-day depends on a number of factors, including the offensive capability of the cyber weapon that triggers the vulnerability and the nature of the potential target.
Imagine software that could take down a power grid, a threat actor could cause billions of dollars in damage to a country, or could paralyze its operations. Do you mean the government would only pay $8000 for that kind of “weapon”?
“Much larger companies than Gleg use SCADA, but in a more stealthy way. Speaking to various former employees at US government contractors and digital warfare experts, the likes of Snowden’s old employer Booz Allen Hamilton, Northrup Grumman, Raytheon, Lockheed Martin and BAE have SCADA capabilities. Unsurprisingly, they have an overview of exactly what they can do and to whom they provide.” Forbes reports.
Cybersecurity expert Drew Porter, with deep experience in critical infrastructure protection, confirmed that in the past he “worked at a place that developed tools and exploits and then sold that weaponized to selective US government clients.
“We never talked about the tools when we were making them with anyone but our clients.” Porter confirmed that an essential element of successfully selling a zero-day exploit is secrecy.
“A lot of DoD contractors do that. Some are just better at it than others,” Porter explained.
The sale of zero-day packages for testing purposes will allow manufacturers to quickly fix flaws, so that the disadvantage of an updated system will not be more effective,
“But if you sell an exploit pack to the public, the vendor will buy it and patch all their systems after reversing your zero-day.” Porter explained.
“I could be wrong and maybe they are selling SCADA zero days to the public for $8,000. Then again, it could have been marketing who added ‘zero days for SCADA’… because they knew it would attract more attention.”
The fact that a growing number of companies are focusing their efforts on finding zero-day flaws in industrial systems leads to the assumption that the demand for this kind of service is growing rapidly, but at the same time these companies are not supposed to offer their packages publicly as a commercially available product.
Forbes mentions several companies currently working on zero-day research for SCADA systems, including ReVuln, Exodus Intelligence and Hacking Team.
Despite companies like Gleg offering low cost SCADA exploits, that doesn’t mean this rare commodity is cheap. This zero-day selling strategy doesn’t seem to make sense for the zero-day market, at least for a number of professionals I reached out to for comment.
Gurkin is aware of this apparent contradiction and explained that the low prices for SCADA are mainly related to low-interest bugs in the most popular software, such as Microsoft Internet Explorer or Windows. Attackers have more opportunities to monetize exploits written for popular software than SCADA, such as creating a botnet involved in fraudulent hacking campaigns.
Popular hacker Raoul Chiesa listed the prices of known vulnerabilities and zero-days based on the nature of buyers and affected systems in the following table.
According to the expert, exploiting the zero-day bug affecting the SCADA system could be sold to military groups in the context of information warfare for a price ranging from 400,000 to 1 million. It is interesting to note the significant price difference between zero-days and known vulnerabilities offered by military entities.
Another consideration the table raises is the various price tags for zero-day exploits sold to criminal rings and military entities, prices in these cases can be ten times those paid by scammers on underground forums.
The prices offered by Gurkin are very cheaper respect the above data, the experts justified this difference explaining that find SCADA flaws is too easy due to the lack of security by design of such systems.
“Finding SCADA vulnerabilities is a joke as many of these products were built without any software security in mind – that is why we do not do that.”
I decided to contact an expert that spends almost his time in discovering bugs in any kind of system, including SCADA. I have requested him a comment on the topics “SCADA zero-day” and prices for these exploits.
The experts provided me his opinion, but requested to remain anonymous due his activities.
Me: What do you think about SCADA zero day exploits?
The Expert: It is very difficult to approach the argument because industrial systems are complex system and present a high level of customization in term of hardware, software, configurations and network connectivity.
It is true that there are some small companies or individuals who have PLC systems accessible via the Internet, but this does not mean that they are “critical infrastructure” and most important, it is very hard to estimate the how much damage can be caused by a cyber-attack on these systems. These systems are often controlled also through manual controls, and in most cases, an attacker is not able to make arbitrary changes to configuration settings beyond specific limits.
To evaluate the cost of a zero-day we need to have a clear idea of the specific target of the attack. Evaluations and discussions can be made only about specific targets, not in general about SCADA systems.
Me: What do you think about the post published on Forbes?
The Expert: Perhaps in the Tom’s article they have discussed only attacks in the pile, instead targeted attacks through specifically designed zero-day exploits.
The article describes attacks where threat actors use Shodan as a reconnaissance tool and once discovered a range of specific IPs belonging to potential SCADA targets try to exploit them with various techniques, including commercially available packages.
Me: Which are the main problems for the security of SCADA systems?
The Expert: I think that the major problems are related to the system administration, especially the patch management, and to the design of industrial products. The lack of security by design is a serious problem; it is quite easy to discover hard-coded accounts, debugging functions still active in software and hardware components that could be exploited by hackers to compromise systems in production.
Me: What about prices of exploit packs offered by the Gleg Company?
The Expert: Gleg is free to sell its solution for any price. The final price is a company’s choice. Regarding their zero-day exploit, I cannot judge them, there are dozens of industrial SCADA software and not everyone has the same value of course. Exactly as for non- SCADA target, an exploit could have different values depending on the specific software it affects.
When approaching the price for a zero-day exploits we have to take in mind the type of the target and the nature of the buyers. We must distinguish zero-day attack on generic SCADA systems from targeted zero-day attacks.
Unfortunately, attacks in bulk are very easy to conduct, the attackers just need to locate a target with tools like the Shodan search engine for internet-connected devices and run the exploit. Shodan runs an ICS Radar that scan the Internet for “protocols that provide raw, direct access to industrial control systems”.
This kind of attacks is becoming even more frequent for this reason it is important to carefully consider the security of any industrial system exposed … and never generalize the discussion about hacking them!
SCADA security is a pillar for the protection of critical infrastructure systems. It is important to change the approach to cyber security for so critical components to avoid catastrophic incidents.
Let’s close, once again, with the suggestions provided by Dell experts to protect SCADA systems from attacks:
- Make sure all software and systems are up to date. Too often with industrial companies, systems that are not used every day remain installed and untouched as long as they are not actively causing problems. However, should an employee one day connect that system to the Internet, it could become a threat vector for SCADA attacks.
- Make sure your network only allows connections with approved IPs.
- Follow operational best practices for limiting exposure, such as restricting USB ports if they aren’t necessary and ensuring Bluetooth is disabled.
- In addition, reporting and sharing information about SCADA attacks can help ensure the industrial community as a whole is appropriately aware of emerging threats.