
ClearEnergy | UMASploit v1.0.1


Introduction

On April 4, 2017, researchers at CRITIFENCE® Critical Infrastructure and SCADA/ICS Cyber Threats Research Group demonstrated a new proof-of-concept ransomware attack that aims to erase (clear) the ladder logic diagram in Programmable Logic Controllers (PLCs).

UMASploit is the library behind the ClearEnergy proof-of-concept ransomware attack that CRITIFENCE researchers used in their research.

The current version of UMASploit includes the following classes and will be updated soon: UMAS Login Key Generator (ULKG) and Modbus Remote Command Tool (MRCT).

NOTE: The full source of ClearEnergy is currently under restrictions and cannot be released.

The vulnerabilities behind the ransomware, a.k.a. ClearEnergy, affect a massive range of PLC models from the world's largest manufacturers of SCADA and Industrial Control Systems. This includes Schneider Electric Unity series PLCs and Unity OS from version 2.6 and later; PLC models of other leading vendors, including GE and Allen-Bradley (MicroLogix family), were also found to be vulnerable to the ransomware attack.

ClearEnergy, which is based on vulnerabilities CVE-2017-6032 (SVE-82003203) and CVE-2017-6034 (SVE-82003204) that have been discovered by CRITIFENCE security researchers, disclosed profound security flaws in the UMAS protocol of the vendor Schneider Electric.

The UMAS protocol seems to suffer from critical vulnerabilities in the form of bad design of the protocol session key, which results in authentication bypass. UMAS is a kernel-level protocol and an administrative control layer used in Unity series PLCs and Unity OS from 2.6. It relies on the Modicon Modbus protocol, a common protocol in critical infrastructure, SCADA and industrial control systems, and is used to access both unallocated and allocated memory from PLC to SCADA system.
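Because UMAS rides on Modbus, its administrative traffic can be identified on the wire. The following is an added example for defenders, not part of UMASploit or CRITIFENCE's code: it parses Modbus/TCP frames and flags those carrying Modbus function code 0x5A (90), the function code UMAS uses, when the sender is not on an allowlist. The IP addresses, the allowlist and the sample frames are constructed for illustration.

```python
import struct

UMAS_FUNCTION_CODE = 0x5A  # Modbus function code 90, which carries UMAS
# Assumption: only these engineering workstations may send UMAS (constructed).
ALLOWED_UMAS_SOURCES = {"10.0.5.10"}

def build_frame(tid, unit, function, data=b""):
    """Build a Modbus/TCP frame (used only to construct the sample input)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_mbap(frame):
    """Parse one Modbus/TCP frame; return None if it is malformed."""
    if len(frame) < 8:  # 7-byte MBAP header plus the function code
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id is 0 for Modbus; length counts the unit id plus the PDU.
    if proto != 0 or length < 2 or len(frame) < 6 + length:
        return None
    pdu = frame[7:6 + length]
    return {"tid": tid, "unit": unit, "function": pdu[0], "data": pdu[1:]}

def flag_umas(records):
    """Return (source, transaction id, payload length) for each UMAS request
    sent by a host that is not on the allowlist."""
    alerts = []
    for src, frame in records:
        msg = parse_mbap(frame)
        if msg is None:
            continue  # truncated or non-Modbus data: nothing to classify
        if msg["function"] == UMAS_FUNCTION_CODE and src not in ALLOWED_UMAS_SOURCES:
            alerts.append((src, msg["tid"], len(msg["data"])))
    return alerts

# Constructed sample traffic towards a PLC on TCP/502. The UMAS payload bytes
# are opaque placeholders, not real UMAS commands.
SAMPLE_RECORDS = [
    ("10.0.5.20", build_frame(1, 1, 0x03, b"\x00\x00\x00\x02")),  # HMI register read
    ("10.0.5.10", build_frame(2, 1, UMAS_FUNCTION_CODE, b"\xaa\xbb")),  # allowed host
    ("10.0.9.77", build_frame(3, 1, UMAS_FUNCTION_CODE, b"\xaa\xbb")),  # unknown host
    ("10.0.9.77", build_frame(4, 1, UMAS_FUNCTION_CODE, b"\xaa\xbb")[:-1]),  # truncated
]

if __name__ == "__main__":
    for src, tid, size in flag_umas(SAMPLE_RECORDS):
        print(f"ALERT UMAS request from {src} (transaction {tid}, {size} payload bytes)")
```

In a real deployment the records would come from a network tap or packet capture in front of the PLC, and the allowlist would hold the engineering workstations that legitimately program it.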

UMASploit was developed for research purposes only; it is strongly recommended that you do not use this tool for illegal purposes.

UMAS Login Key Generator (ULKG)

Overview

UMAS Login Key Generator (ULKG) is part of the ClearEnergy - UMASploit package. ULKG sends a login request to a target PLC that is vulnerable to the ClearEnergy vulnerabilities in order to get a UMAS Session Key (Identifier). You can use this session key later with Modbus Remote Command Tool (MRCT) in order to send remote administrative commands to the vulnerable PLC.

How to Use

Example:

ULKG.py

Run the tool to fetch a UMAS Session Key (Identifier)

Modbus Remote Command Tool (MRCT)

Overview

Modbus Remote Command Tool (MRCT) is part of the ClearEnergy - UMASploit package. MRCT sends remote administrative commands to a target PLC that is vulnerable to the ClearEnergy vulnerabilities.

NOTE: You will need to specify the session key manually.

How to Use

Modify the 'key' part in the code to include the one you fetched with ULKG. Select the commands you want to send (in the 'packets' array) to the target PLC and run the tool.

Example:

MRCT.py

WARNING

ClearEnergy - UMASploit is a set of tools that allows testing whether a target PLC on a SCADA network is vulnerable to the ClearEnergy vulnerabilities. Irresponsible use of ClearEnergy - UMASploit can cause damage to Critical Infrastructure, SCADA, Industrial Control Systems and other field hardware. CRITIFENCE will not be responsible for any damage caused by using this source code.

Change log

April 4, 2017 - UMASploit v1.0.1 Beta

Screenshots


ClearEnergy | UMASploit - UMAS Login Key Generator (ULKG) v1.0.1 Beta


ClearEnergy | UMASploit - Modbus Remote Command Tool (MRCT) v1.0.1 Beta

Authors

CrabonFiber51, BlackPian0

License

GNU GPL v3

References

Vulnerabilities

CVE-2017-6032 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-6032

CVE-2017-6034 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-6034

SVE-82003203 http://www.critifence.com/sve/sve.php?id=82003203

SVE-82003204 http://www.critifence.com/sve/sve.php?id=82003204

Advisories

Schneider Electric - SEVD-2017-065-01 http://www.schneider-electric.com/en/download/document/SEVD-2017-065-01/

ICS-CERT, Department of Homeland Security (DHS) - ICSA-17-101-01 https://ics-cert.us-cert.gov/advisories/ICSA-17-101-01

News

SecurityAffairs - http://securityaffairs.co/wordpress/57731/malware/clearenergy-ransomware-scada.html

0xICF - https://0xicf.wordpress.com/2017/04/09/clearenergy-ransomware-can-destroy-process-automation-logics-in-critical-infrastructure-scada-and-industrial-control-systems/

VirusGuides - http://virusguides.com/clearenergy-ransomware-targets-critical-infrastructure-scada-industrial-control-systems/

CRITIFENCE - http://critifence.com/blog/clear_energy/
