Established security systems, such as intrusion detection systems, cannot detect many attack strategies, especially when they are novel or use seemingly legitimate paths. This leaves the network operator partially blind. During a Rhebo Industrie 4.0 stability and security audit in the Operational Technology (OT) network of a beverage bottler, we were able to observe a multi-stage attack.
Network is scanned

While the plant was in operation, a host that was actively scanning the network appeared in the Rhebo Industrial Protector message window. The host probed which ports were open and which services were running on which system. Both are typical reconnaissance steps in preparation for an attack.
ARP-Spoofing
Subsequently, a technique called ARP spoofing was detected. The Address Resolution Protocol (ARP) maps logical addresses (IP) to hardware addresses (Ethernet MAC). It is stateless and unauthenticated, so any host on the segment can claim to own a given IP address. The attacker sent ARP packets every second to periodically announce to the network that traffic intended for a specific log server should be delivered to the attacker's hardware address. This allowed the attacker to intercept the traffic that the poisoned devices sent to the log server.

IP address of the log server changed

Industrial Protector then reported that the log server's IP address had been bound to a new hardware address. At this point we were already tracking and analyzing the events in detail.
The raw data, which is recorded in PCAP format for every message for forensic purposes, showed that the log data was indeed now being sent to the attacker's address. Among other things, this probably gave the attacker the user name used to administer a firewall.
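The two signals described in this and the previous section, an IP address suddenly bound to a new hardware address and one host re-announcing that binding at a fixed interval, can be reconstructed from a stream of ARP replies. The following detector is an added example and not Rhebo's code or Industrial Protector's logic; all addresses, timestamps and the reply records are constructed, and the optional trusted address table is an assumption about how a real deployment would be seeded.

```python
"""ARP-spoofing detector run over constructed ARP replies.

Added example, not Rhebo's code. It reproduces the two observations from the
audit: an IP address (the log server's) suddenly bound to a new hardware
address, and one host re-announcing that binding at a fixed interval.
All addresses and timestamps below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float         # capture time in seconds
    sender_ip: str    # IP address the sender claims to own
    sender_mac: str   # hardware address it wants that IP mapped to


# Constructed sample: the real log server (10.0.0.20, MAC ...:20) answers at
# t=0 and t=2; from t=10 an attacker (MAC de:ad:...:ee) claims the same IP
# once per second.
SAMPLE = [
    ArpReply(0.0, "10.0.0.20", "00:11:22:33:44:20"),
    ArpReply(1.0, "10.0.0.30", "00:11:22:33:44:30"),
    ArpReply(2.0, "10.0.0.20", "00:11:22:33:44:20"),
    ArpReply(10.0, "10.0.0.20", "de:ad:be:ef:00:ee"),
    ArpReply(11.0, "10.0.0.20", "de:ad:be:ef:00:ee"),
    ArpReply(12.0, "10.0.0.20", "de:ad:be:ef:00:ee"),
    ArpReply(13.0, "10.0.0.20", "de:ad:be:ef:00:ee"),
    ArpReply(14.0, "10.0.0.20", "de:ad:be:ef:00:ee"),
]


def detect_arp_spoofing(replies, known=None, min_periodic=4, tolerance=0.2):
    """Return a list of alert strings in detection order.

    known: optional trusted IP->MAC table (assumed to come from an asset
           inventory or a learning phase). Without it the first reply seen
           for an IP is trusted, which an attacker who is already spoofing
           when monitoring starts would exploit.
    Check 1 (REBIND): an IP that was bound to a different MAC before.
    Check 2 (PERIODIC): the same (IP, MAC) claim repeated at least
           min_periodic times with near-constant spacing, i.e. a beacon
           rather than a genuine request/reply exchange.
    """
    ip_to_mac = dict(known or {})
    claims = defaultdict(list)
    alerts = []
    for r in replies:
        prev = ip_to_mac.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            alerts.append(f"t={r.ts:.0f}s REBIND {r.sender_ip}: {prev} -> {r.sender_mac}")
        ip_to_mac[r.sender_ip] = r.sender_mac
        claims[(r.sender_ip, r.sender_mac)].append(r.ts)
    for (ip, mac), ts in claims.items():
        if len(ts) < min_periodic:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps):
            alerts.append(f"PERIODIC {ip} claimed by {mac} every {mean:.1f}s ({len(ts)} times)")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE):
        print(alert)
```

The REBIND check alone would also fire on legitimate events such as a replaced network card or a failover address moving between hosts, so the periodic beacon is the stronger indicator; in the audit it was the combination of both, plus the PCAP showing log data arriving at the new address, that confirmed the attack.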
Brute-force attack and SQL injection
The intruder then tried to log in to the firewall's web interface by brute force. The forensic analysis showed that a whole series of default passwords was tried, each at a fixed time interval and probably automated, but without success.
A further attempt was then made to gain access to the firewall by injecting database commands through the web interface, a so-called SQL injection. This method was also unsuccessful.
Security hole in firewall exploited
Finally, a vulnerability in the firewall's web interface was exploited that allowed the attacker to execute arbitrary code on the system. A so-called reverse shell was opened: the firewall itself initiates a connection to the attacker's system, and the attacker then issues system commands through that connection. In this case the connection used TCP port 1337, a port popular with attackers. Because this communication was unknown within the network's behavior, Industrial Protector identified and reported it as an anomaly.
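Both the port scan at the beginning of the incident and the reverse shell on TCP port 1337 are connections that never occur in normal plant traffic. The following added example, which is not Rhebo's code or Industrial Protector's logic, shows the baseline approach behind such alerts: record the set of connections seen during a learning phase, then report every flow that is not covered by it, and separately flag any source that contacts an unusually large number of targets. Every address and flow below is constructed; 10.0.0.1 as the firewall and 10.0.0.66 as the attacker's host are assumptions.

```python
"""Baseline-based detection of unknown connections and port scans.

Added example, not Rhebo's code. It models the approach behind the two
alerts described on this page: a host probing many ports (the scan at the
start) and a connection that is not part of normal network behaviour (the
reverse shell on TCP 1337). All addresses and flows are constructed;
10.0.0.1 as the firewall and 10.0.0.66 as the attacker host are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

    def key(self):
        return (self.src, self.dst, self.proto, self.dport)


def learn_baseline(flows):
    """Whitelist of every distinct connection seen during the learning phase."""
    return {f.key() for f in flows}


def detect_unknown(baseline, flows):
    """Flows whose connection tuple never occurred in the baseline
    (deduplicated, in order of first appearance).

    Direction is part of the key: a connection the firewall *initiates*
    (the reverse shell) is unknown even if traffic towards the firewall
    from the same host were normal.
    """
    unknown, seen = [], set()
    for f in flows:
        if f.key() not in baseline and f.key() not in seen:
            seen.add(f.key())
            unknown.append(f)
    return unknown


def detect_scan(flows, threshold=10):
    """Sources that contacted more than `threshold` distinct (dst, proto, port) targets."""
    targets = defaultdict(set)
    for f in flows:
        targets[f.src].add((f.dst, f.proto, f.dport))
    return sorted(src for src, t in targets.items() if len(t) > threshold)


# Constructed learning-phase traffic: two PLCs sending syslog to the log
# server, an engineering station using the firewall web UI and Modbus/TCP.
LEARNING = [
    Flow("10.0.0.11", "10.0.0.20", "udp", 514),
    Flow("10.0.0.12", "10.0.0.20", "udp", 514),
    Flow("10.0.0.40", "10.0.0.1", "tcp", 443),
    Flow("10.0.0.40", "10.0.0.11", "tcp", 502),
]

SCAN_PORTS = [21, 22, 23, 25, 80, 102, 443, 502, 1433, 3389, 8080, 44818]

# Constructed operational traffic: the normal flows, the attacker's port scan
# of the log server, and the reverse shell from the firewall to the attacker
# (seen twice, reported once).
OPERATION = (
    LEARNING
    + [Flow("10.0.0.66", "10.0.0.20", "tcp", p) for p in SCAN_PORTS]
    + [Flow("10.0.0.1", "10.0.0.66", "tcp", 1337)] * 2
)


if __name__ == "__main__":
    baseline = learn_baseline(LEARNING)
    print("scanners:", detect_scan(OPERATION))
    for f in detect_unknown(baseline, OPERATION):
        print("unknown:", f)
```

The baseline only works if the learning phase itself was clean, which is why the audit pairs it with the other checks: a scan that was already running while the baseline was learned would simply become "normal".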
WHOAMI: ROOT
The commands the attacker entered in the reverse shell were recorded as well. The attacker first briefly checked whether they had administrator rights, i.e. whether commands were being executed in the context of the "root" user. Immediately afterwards, a firewall rule was added that allowed all traffic and thus bypassed all other rules. From this point on the firewall was ineffective.
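An allow-all rule placed in front of the existing rules is exactly the kind of change that network-level monitoring cannot see but a ruleset integrity check can. The page does not name the firewall product, so the following added example (not Rhebo's code) assumes an iptables-style rule dump of the kind written by iptables-save; both rulesets are constructed. It flags any ACCEPT rule that carries no match condition, lists the rules it shadows, and compares a fingerprint of the dump against a known-good baseline.

```python
"""Firewall ruleset integrity check, added example (not Rhebo's code).

The page does not say which firewall was used; this assumes an
iptables-style rule dump (as produced by `iptables-save`). Both dumps below
are constructed. Two checks are shown: a fingerprint comparison against a
known-good baseline, and a structural check for an ACCEPT rule without any
match condition, which accepts every packet reaching its chain and makes
every later rule in that chain dead.
"""
import hashlib
import shlex

BASELINE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.0.40/32 -p tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -d 10.0.0.20/32 -p udp --dport 514 -j ACCEPT
COMMIT
"""

# Constructed "after" dump: unconditional ACCEPTs inserted at the top of the
# INPUT and FORWARD chains, modelling the allow-all rule from the incident.
TAMPERED = BASELINE.replace(
    "-A INPUT -m conntrack",
    "-A INPUT -j ACCEPT\n-A FORWARD -j ACCEPT\n-A INPUT -m conntrack",
    1,
)


def fingerprint(dump):
    """SHA-256 of the dump with the counters in the chain headers stripped."""
    lines = [line.split(" [")[0] if line.startswith(":") else line
             for line in dump.splitlines()]
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


def blanket_accepts(dump):
    """(chain, rule) for every ACCEPT rule that has no match option at all."""
    found = []
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)
        chain, rest = tokens[1], tokens[2:]
        if "-j" not in rest:
            continue
        j = rest.index("-j")
        target = rest[j + 1] if j + 1 < len(rest) else None
        matches = rest[:j] + rest[j + 2:]
        if target == "ACCEPT" and not matches:
            found.append((chain, line))
    return found


def shadowed_rules(dump):
    """Rules that can never match because a blanket ACCEPT precedes them in their chain."""
    blanket_lines = {line for _, line in blanket_accepts(dump)}
    open_chains, shadowed = set(), []
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue
        chain = shlex.split(line)[1]
        if chain in open_chains:
            shadowed.append(line)
        elif line in blanket_lines:
            open_chains.add(chain)
    return shadowed


if __name__ == "__main__":
    print("changed:", fingerprint(BASELINE) != fingerprint(TAMPERED))
    for chain, rule in blanket_accepts(TAMPERED):
        print(f"blanket ACCEPT in {chain}: {rule}")
    for rule in shadowed_rules(TAMPERED):
        print("dead rule:", rule)
```

The fingerprint check is the simplest and catches any edit, but only if the dump is collected over a path the attacker does not control; the structural check is useful even without a baseline and also catches an allow-all rule that an administrator added by mistake.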

System Shutdown and Re-Setup
In this case, the real-time reporting of the events allowed the attacker to be stopped before any damage was done. The device through which the attacker had gained access to the network was taken offline and the firewall was reconfigured. As it turned out, the affected machine was running an outdated version of Windows and had direct access to the Internet.
Without Rhebo Industrial Protector, the attack would not have been noticed. Even with an intrusion detection system, the firewall reconfiguration would not have been detected. With a tampered firewall, the attacker could have accessed sensitive systems and data unnoticed.
Rhebo Industrial Protector provides comprehensive visibility of all operations and devices on the network. A first step towards comprehensive cybersecurity is a Rhebo Industrie 4.0 stability and security audit.