
abitrolly t1_j4h796y wrote

I worked at the company that originally discovered it. Siemens SCADA software is run on Windows machines that are not connected to the Internet, and hence never patched. So any kind of malware that uses autorun exploits can get there. Knowing that, it is easy to target the machines. What is not that easy is to develop a fuzzer that, once installed, will properly send disruptive commands, instead of just freezing the PC.

35

charleswj t1_j4ht5go wrote

>not connected to the Internet, and hence never patched

These two things are not mutually exclusive, and it is almost criminal in a nuclear facility.

19

80burritospersecond t1_j4imm1t wrote

It's also kinda poor design to have all your emergency stop smash buttons be nothing but PLC inputs when they should be independently cutting power to the prime movers in whatever system is being controlled.

7

Burdekin_Boy t1_j4jv36w wrote

Yeah, E-stops into PLCs should only really be for signal/logging. Stand-alone safety relays should be in use.

3

TheImmortalIronZak t1_j4jvgft wrote

Absolutely is not. Most intelligence departments, Department of Justice, Homeland etc. all have some departments with air gapped machines for security reasons. They can never be “hacked” or the like due to that. And as for the Iranian government's uranium enrichment center, the air gapped machines control all aspects of the enrichment process, the centrifuges, etc. for the same reason.

0

charleswj t1_j4k0o72 wrote

>Absolutely is not. Most intelligence departments, Department of justice, homeland etc all have some departments with air gapped machines for security reasons.

This is actually not true except in some edge cases. Most of the "air gapped" networks are actually only logically separated. For example DOD's NIPR (often referred to as the "low side") is their version of what most companies have, the network most directly connected to the internet, as well as the DREN (for research and development). No classified data is allowed here.

But they also have other networks, sometimes referred to as the "high side" (i.e. SIPR, JWICS), where classified data (Secret and Top Secret, respectively) can be stored. It's a common misconception that these are air gapped, but they're actually more like a VPN on top of NIPR. Additionally, there are various "gateways" (i.e. DOTS, Cross Domain Enterprise Email Service) to allow limited communication and data transfer between low and high sides.

4

mrflib t1_j4hfb34 wrote

Fuzzer?

7

abitrolly t1_j4hk8md wrote

The program that generates bogus parameters for function calls. In that case values for Siemens controllers to set that will cause chaos in controlled hardware.

17

CupResponsible797 t1_j4hm680 wrote

This is really not a context in which you would normally use the term fuzzer. Stuxnet did not "fuzz" these PLCs, it performed a series of specific steps to identify its targets and cause them to break.

26

faux_glove t1_j4k1nxx wrote

What would a fuzzer do, then?

1

CupResponsible797 t1_j4l9cr6 wrote

A fuzzer is a tool which automatically feeds semi-random data to another program in order to discover anomalous behaviours.

2

hamburglin t1_j4jnrce wrote

Thank you. Not sure what this guy has been smoking but he's got some type of imaginary cyber security world built in his head.

0

muerto1964 t1_j4j1omi wrote

The thing was genius. I think it had a total of 9(?) Zero day exploits! Most malware will only have 1 if they are very very lucky.

3

Why_Did_Bodie_Die t1_j4jpsi7 wrote

I know almost nothing about computers. I remember in the documentary they made this seem pretty significant. Can you tell me a little about what a zero day is and why it is so significant? Are they really hard to do/make/get? Maybe ELI5.

2

tygghb t1_j4k3xcu wrote

Software exploits that are "brand new" (i.e. that the general public did not previously know about). Once an exploit is publicly known about, the companies usually work quickly to patch them. They are therefore rare and highly sought after by bad actors.

The going rate is about $100,000 each on the dark web. When a bad guy writes malware, they typically use one zero-day exploit, maybe even two.... but to have NINE or whatever Stuxnet had, is unheard of and was a tell-tale sign that the software was created by a nation-state since the average bad guy is not going to spend $900,000+ to write their malware.

2

so_futuristic t1_j4jrpzb wrote

Software vulnerabilities that are unknown but to the people exploiting them.

1

muerto1964 t1_j4kufni wrote

A zero day exploit is an attack vector that nobody has ever seen before. No one has seen it and therefore we probably have little defense against it. 1 is rare. 9 in the same piece of malware is unheard of.

1

hamburglin t1_j4jmx0p wrote

... autorun... exploits? (I'm going to pretend that's a term in the cyber security and forensics industry that actually makes sense to continue on here). In any context that has anything to do with being relevant about getting into air gapped networks? You sure you know what you're talking about?

You then reference the use of a fuzzer in a highly targeted attack? Wth? You think they're going in there and potentially bluescreening machines and trying "best guesses" at what they need to do to perform command and control operations? That would have already been known before deploying their malware and tools.

Safe to say even if you worked there then you still don't know what you're talking about.

1

ramriot t1_j4hj9kd wrote

I could be wrong but I'm guessing by the date that the development of the exploit predates the availability of modern fuzzing software.

−4

abitrolly t1_j4hkjjs wrote

Fuzzing is a method of putting unexpected stuff into function parameters. You can write a fuzzer yourself, like `for x in random(): call(x)`.

5
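To make the two definitions in this thread concrete (a tool that "automatically feeds semi-random data to another program in order to discover anomalous behaviours", and the one-liner `for x in random(): call(x)`), here is an added example that is not from any commenter. Everything in it is constructed: a toy length-prefixed record parser with a bounds bug, a hardened version of the same parser, and a minimal fuzzer that feeds random byte strings to the target, separates clean rejections (`ValueError`) from crashes, and shrinks a crashing input to its smallest reproducer. The point it illustrates is the one charleswj makes: the fuzzer's job is to surface the defect so it can be fixed, which is why the hardened parser survives the same run.

```python
import random


def parse_record(data):
    """Toy length-prefixed record parser, constructed for this example.

    Wire format: one length byte, that many payload bytes, one checksum byte.
    Defect: it trusts the length byte and reads the checksum without checking
    that the input is long enough, so a truncated record raises IndexError
    instead of the ValueError the caller expects for malformed input.
    """
    if not data:
        raise ValueError("empty record")
    length = data[0]
    payload = data[1:1 + length]
    checksum = data[1 + length]          # IndexError on truncated input
    if checksum != sum(payload) % 256:
        raise ValueError("bad checksum")
    return length, payload


def parse_record_fixed(data):
    """Same format, with the length validated before any indexing."""
    if len(data) < 2:
        raise ValueError("record too short")
    length = data[0]
    if len(data) < 2 + length:
        raise ValueError("truncated record")
    payload = data[1:1 + length]
    checksum = data[1 + length]
    if checksum != sum(payload) % 256:
        raise ValueError("bad checksum")
    return length, payload


def crash_type(target, data, expected):
    """Return the exception class if target(data) fails in an unexpected way,
    None if it succeeds or rejects the input cleanly."""
    try:
        target(data)
    except expected:
        return None
    except Exception as exc:
        return type(exc)
    return None


def fuzz(target, iterations=1000, seed=0, max_len=8, expected=(ValueError,)):
    """Feed target random byte strings; return (input, exception) for the
    first anomalous failure, or None if none was found."""
    rng = random.Random(seed)  # fixed seed so a finding is reproducible
    for _ in range(iterations):
        data = bytes(rng.randrange(256) for _ in range(rng.randint(0, max_len)))
        try:
            target(data)
        except expected:
            continue                     # clean rejection: not a bug
        except Exception as exc:
            return data, exc             # anomaly: report it
    return None


def minimize(target, data, expected=(ValueError,)):
    """Shrink a crashing input by dropping bytes while the same crash persists,
    so the report shows the smallest reproducer rather than random noise."""
    kind = crash_type(target, data, expected)
    if kind is None:
        return data
    shrinking = True
    while shrinking and len(data) > 1:
        shrinking = False
        for i in range(len(data)):
            candidate = data[:i] + data[i + 1:]
            if crash_type(target, candidate, expected) is kind:
                data, shrinking = candidate, True
                break
    return data


if __name__ == "__main__":
    found = fuzz(parse_record)
    if found:
        data, exc = found
        print("crash:", type(exc).__name__, "on", data.hex())
        print("minimized:", minimize(parse_record, data).hex())
    print("fixed parser:", fuzz(parse_record_fixed, iterations=2000))
```

The buggy parser falls over within the first few inputs, and the minimizer reduces the finding to a single byte, which is exactly the kind of report a developer can act on. Real fuzzers (AFL, libFuzzer and the like) add coverage feedback and smarter mutation on top of this loop, but the shape is the same: random input in, anomalous behaviour out, then triage and fix.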

charleswj t1_j4hsj4b wrote

That's only part of it. Its purpose is to discover vulnerabilities. That's not what was happening there.

5

Optimistic__Elephant t1_j4nvpoj wrote

What does this fuzzing accomplish? Is the idea to find an input that returns an error of some sort?

1

abitrolly t1_j5b6xmw wrote

Find the value that will bypass safety checks and destabilize connected hardware. Just sending random noise might not help, so the fuzzer could try to steadily increase some values or execute other logic that is known to be harmful for typical process control mechanisms. I called it a fuzzer because I assume it doesn't know what the real mechanism on the other end is. If you have the source code and schematic of the plant, you don't need to guess and can directly write targeted destructive code.

2