Award-winning security research team unveils unique OPC UA Exploit Framework and NAS vulnerabilities at biggest hacking conferences of the year
NEW YORK – July 26, 2023 – Claroty, the cyber-physical systems protection company, today announced that Team82, its award-winning research team, will descend on Las Vegas next month for talks at Black Hat USA and DEF CON, two of the biggest cybersecurity conferences of the year. Team82’s Sharon Brizinov, director of vulnerability research, and Noam Moshe, vulnerability researcher, will present two sessions at each show.
The sessions include:
Exploiting OPC-UA in Every Possible Way: Practical Attacks Against Modern OPC-UA Architectures
Black Hat USA: Wednesday, August 9, 3:20-4:00 pm PST
DEF CON: Saturday, August 12, 2:30-3:15 pm PST
For the past two years, Team82 has been researching dozens of OPC-UA protocol stack implementations being used in millions of industrial products. Moshe and Brizinov focused on two main attack vectors: attacking OPC-UA servers and protocol gateways, and attacking OPC-UA clients. The research yielded unique attack techniques that targeted specific OPC-UA protocol implementation pitfalls that enabled Team82 to create a wide range of vulns ranging from denial of service to remote code execution. For example, researchers explored OPC-UA features such as method call processing, chunking mechanisms, certification handling, complex variant structures, monitored items, race-conditions, and many more. For each part of the specification, researchers tried to understand its caveats and exploit them to achieve RCE, information leakage, or denial of service attacks. In this talk, Moshe and Brizinov will share the journey and methods, and release an open-source framework with all of the techniques and vulnerabilities to exploit modern OPC-UA protocol stacks.
A Pain in the NAS: Exploiting Cloud Connectivity to PWN Your NAS
Black Hat USA: Wednesday, August 9, 10:20-11:00 am PST
DEF CON: Friday, August 11, 12:30-1:15 pm PST
At Pwn2Own Toronto 2022, Team82 chained multiple bugs to exploit both Synology and Western Digital NAS devices by abusing vulnerabilities in the device, cloud and the mutual trust between them. After reviewing the pairing mechanism of NAS devices with Western Digital (WD) and Synology cloud platforms, surprisingly, researchers discovered that devices authenticate to the cloud using a hardware identifier which is later used by users to remotely access their devices. Using this, Team82 was able to impersonate any given NAS device and perform phishing attacks that yielded admin rights on any targeted WD or Synology device. Moshe and Brizinov will explain the pairing process of WD and Synology NAS. They will elaborate on the overall architecture of the cloud offering and focus on the vulnerabilities found, including ways to enumerate and impersonate all edge devices using certificate transparency log (CTL), and steal cloud proxy auth tokens. This enabled researchers to download every file saved on the NAS devices, alter or encrypt them, and bypass NAT/Firewall protection to achieve full remote code execution on all cloud-connected NAS (and to gain $$$ from Pwn2Own).
Additionally, David Guffrey, principal biomed customer success manager at Claroty and former medical device cybersecurity program manager for Mass General Brigham, will keynote at the DEF CON BioHacking Village, along with Thermo Fisher senior strategist Nina Alli and CareFirst BlueCross BlueShield CISO Rob Suárez, in a session titled, “Securing the Whole System: Corpal to Corporate.” The keynote will take place on Friday, August 11 at 10:00 am PST.
Visit Claroty’s booth #1960 at Black Hat and learn more about where you can find Claroty in Las Vegas next month here.
About Claroty
Claroty empowers organizations to secure cyber-physical systems across industrial, healthcare, and commercial environments: the Extended Internet of Things (XIoT). The company’s unified platform integrates with customers’ existing infrastructure to provide a full range of controls for visibility, risk and vulnerability management, threat detection, and secure remote access. Backed by the world’s largest investment firms and industrial automation vendors, Claroty is deployed by hundreds of organizations at thousands of sites globally. The company is headquartered in New York City and has a presence in Europe, Asia-Pacific, and Latin America. To learn more, visit claroty.com.
