Hacking a network, using an ‘invisibility cloak’ – Is it that simple?


Security experts describe a real attack case in which the attackers used a small, unidentified hardware device to hack into the target network.

Is it possible to hack into a network using a sort of invisibility cloak?

The short answer is yes. We reached this conclusion after analyzing an incident uncovered by an audit at a Tier-1 bank.

The audit revealed some irregularities, and it became evident that an external party had continuous access to the internal and secured parts of the network. The bank's computing assets, such as the servers, the desktop workstations and management's laptops, were investigated for malware with remote-access capabilities, and nothing was found. The investigation then focused on deep monitoring of inbound and outbound communications from the network, in the hope of finding an indication of what was occurring.

Again, no evidence of the remote access was found. The Cybersecurity Investigations Practice of a leading global consulting firm was approached for assistance. The team found that a genuine bank laptop had been cloned in its entirety and was connecting to the network infrastructure over an out-of-band channel, in parallel with the existing, legitimate laptop.

The clone's certificate, network access profile and envelope were all authentic and valid, so none of the existing security and monitoring tools recognized it as a rogue device. The attackers were operating a “ghost” malicious device in the shadow of the legitimate one.

Further investigation found a small, unidentified hardware device installed in one of the distribution cabinets. It was giving the perpetrator remote access while the existing security measures remained completely oblivious. No one knew what the device was, what it was doing, who had brought it in, or when.

The invisibility cloak

The attackers used a legitimate off-the-shelf network router sold by a third party. Among its other modes of operation, the device supports a virtual cable mode in which two devices are paired and installed at different locations, yet behave as if they were connected by a standard passive LAN cable. The pair reroutes and tunnels the communication through a simple switchboard application, allowing traffic to be intercepted and data packets to be injected and streamed back into the network, as well as more complex man-in-the-middle (MITM) attacks.

On the monitored LAN these devices present no IP or MAC address of their own, so Intrusion Detection Systems (IDS), Network Access Control (NAC) and network monitoring tools cannot see them; hence the “invisibility cloak”. The entire manipulation takes place at the Physical Layer (Layer 1) and the Data-Link Layer (Layer 2): every frame the pair forwards still carries the legitimate endpoint's addresses, so all higher-layer communication is treated as authentic and safe.
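The devices themselves may be invisible, but the ghost laptop behind them is a second operating system sharing one MAC/IP identity, and two TCP/IP stacks rarely look identical on the wire. As an added example (not part of the original article, and not the consulting team's method), the following Python script takes a capture from a mirror (SPAN) of the access port, reduced to one record per packet, and flags any identity that shows two independent TCP timestamp clocks or two different IP TTLs. The packet records, the assumed clock rate and the clustering threshold are constructed for the demonstration.

```python
"""Spot a 'ghost' host sharing a legitimate endpoint's MAC/IP identity.

Added example, not taken from the article or the incident it describes.
Input is assumed to be a mirror-port capture reduced to one record per
upstream packet; SAMPLE_PACKETS below is constructed.
"""
from collections import defaultdict
from typing import NamedTuple, Optional

TICK_HZ = 1000                  # assumed TCP timestamp clock rate (Linux default)
CLOCK_GAP_TICKS = 5 * TICK_HZ   # offsets more than 5 s apart = separate clocks


class Pkt(NamedTuple):
    t: float                # capture time in seconds
    mac: str                # source MAC as seen on the access port
    ip: str                 # source IP
    dst: str                # destination IP (Linux randomises TS offsets per peer)
    ttl: int                # IP TTL on arrival
    tsval: Optional[int]    # TCP timestamp value, None if the option is absent


def ts_offset(capture_time: float, tsval: int, hz: int = TICK_HZ) -> int:
    """Timestamp clock minus capture clock, in ticks; near-constant for one host."""
    return tsval - round(capture_time * hz)


def cluster_offsets(offsets, gap: int = CLOCK_GAP_TICKS):
    """1-D clustering: sort, then split wherever neighbours are more than gap apart."""
    clusters = []
    for o in sorted(offsets):
        if clusters and o - clusters[-1][-1] <= gap:
            clusters[-1].append(o)
        else:
            clusters.append([o])
    return clusters


def analyse(packets):
    """Return identities (mac, ip, dst) whose traffic betrays more than one physical host."""
    by_ident = defaultdict(list)
    for p in packets:
        by_ident[(p.mac, p.ip, p.dst)].append(p)
    findings = {}
    for ident, pkts in by_ident.items():
        clocks = cluster_offsets(ts_offset(p.t, p.tsval) for p in pkts if p.tsval is not None)
        ttls = sorted({p.ttl for p in pkts})
        if len(clocks) > 1 or len(ttls) > 1:
            findings[ident] = {"ts_clocks": len(clocks), "ttls": ttls, "packets": len(pkts)}
    return findings


# Constructed sample: the legitimate laptop (TTL 128, one clock), a ghost host
# using the same MAC/IP (TTL 64, a different clock), a clean host, and a host
# that sends no TCP timestamps at all.
SAMPLE_PACKETS = [
    Pkt(100.0,  "00:11:22:33:44:55", "10.0.5.23", "10.0.1.10", 128, 2_100_000),
    Pkt(100.5,  "00:11:22:33:44:55", "10.0.5.23", "10.0.1.10", 128, 2_100_503),
    Pkt(100.75, "00:11:22:33:44:55", "10.0.5.23", "10.0.1.10",  64, 7_400_752),  # ghost
    Pkt(101.25, "00:11:22:33:44:55", "10.0.5.23", "10.0.1.10", 128, 2_101_249),
    Pkt(102.5,  "00:11:22:33:44:55", "10.0.5.23", "10.0.1.10",  64, 7_402_498),  # ghost
    Pkt(103.0,  "00:11:22:33:44:55", "10.0.5.23", "10.0.1.10", 128, 2_103_001),
    Pkt(100.25, "00:aa:bb:cc:dd:ee", "10.0.5.40", "10.0.1.10",  64,   650_253),
    Pkt(101.0,  "00:aa:bb:cc:dd:ee", "10.0.5.40", "10.0.1.10",  64,   651_001),
    Pkt(102.25, "00:aa:bb:cc:dd:ee", "10.0.5.40", "10.0.1.10",  64,   652_249),
    Pkt(100.6,  "00:de:ad:be:ef:01", "10.0.5.77", "10.0.1.10", 128, None),
    Pkt(101.9,  "00:de:ad:be:ef:01", "10.0.5.77", "10.0.1.10", 128, None),
]

if __name__ == "__main__":
    for ident, info in analyse(SAMPLE_PACKETS).items():
        print("possible ghost host behind", ident, info)
```

Two caveats when running this on real captures. Since Linux 4.10 the kernel randomises the TCP timestamp offset per destination, which is why the grouping key includes the destination: compare flows to the same peer (a file server or domain controller that both the laptop and its clone talk to), not across peers. Hosts that do not send TCP timestamps (Windows has historically left them off by default) fall back to the TTL check alone, which only helps if the clone runs a different stack; a clone built from the same image still starts its own timestamp clock at its own boot, so the clock check survives that case.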

Attack tool used

In this specific incident, the tool used was the PocketPort2 mobile router from Proxicast, with characteristics similar to the devices described in Kaspersky's DarkVishnya report on bank attacks in Eastern Europe. The device pair was configured to run in virtual cable mode and to use a private switchboard server, so that nothing could be traced back to the attacker's origin.

In principle, any hardware platform with an operating system and a set of drivers that support promiscuous mode and the direct transmission of data packets (raw sockets) can be adapted to act as a rogue device. Stolen data can then be exfiltrated through local storage or an out-of-band communication channel (preferably wireless) without being detected by current network security tools such as IDS and NAC.

What can one do? Expand your Rogue Device Mitigation coverage by implementing cyber-physical measures alongside “traditional” cyber security solutions.
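One cyber-physical signal worth collecting is the one the device cannot avoid leaving: inserting it inline means the cable was unplugged and re-patched through it, and the access switch logs the resulting link down and link up on that port. As an added example (not part of the original article), this Python script, assumed to run over Cisco IOS-style %LINK-3-UPDOWN syslog lines forwarded from the switches to a collector, pairs each link-down with the following link-up on the same port and reports the cycles that began outside business hours. The log lines, the year and the business-hours window are constructed assumptions.

```python
"""Find link down/up cycles on switch ports that occurred outside business hours.

Added example, not from the article.  Assumes Cisco IOS-style %LINK-3-UPDOWN
syslog messages forwarded to a collector; SAMPLE_LOG is constructed.
"""
import re
from datetime import datetime

# Collector format assumed here: "<syslog timestamp> <switch> <IOS message>"
LINK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%LINK-3-UPDOWN: Interface (?P<iface>\S+), changed state to (?P<state>up|down)$"
)


def parse_link_events(text: str, year: int):
    """Return (timestamp, switch, interface, state) for each %LINK-3-UPDOWN line.

    Syslog timestamps carry no year, so the caller supplies it (assumed constant).
    LINEPROTO and other messages are ignored."""
    events = []
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["iface"], m["state"]))
    return events


def pair_flaps(events):
    """Pair each 'down' with the next 'up' on the same switch port, in time order."""
    pending = {}
    flaps = []
    for ts, host, iface, state in sorted(events):
        key = (host, iface)
        if state == "down":
            pending[key] = ts
        elif key in pending:
            down = pending.pop(key)
            flaps.append({"switch": host, "iface": iface, "down": down, "up": ts,
                          "gap_s": int((ts - down).total_seconds())})
    return flaps


def suspicious_flaps(text: str, year: int, business_hours=(7, 19)):
    """Flaps whose 'down' fell outside business_hours: nobody should be re-patching then."""
    start, end = business_hours
    return [f for f in pair_flaps(parse_link_events(text, year))
            if not start <= f["down"].hour < end]


# Constructed sample: a daytime reseat on Gi1/0/5, a laptop unplugged overnight
# on Gi1/0/9, and a 47-second cycle on Gi1/0/17 at 02:31.
SAMPLE_LOG = """\
Mar 12 09:14:02 sw-floor3 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to down
Mar 12 09:14:02 sw-floor3 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/5, changed state to down
Mar 12 09:14:06 sw-floor3 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up
Mar 12 18:05:41 sw-floor3 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/9, changed state to down
Mar 13 02:31:09 sw-floor3 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/17, changed state to down
Mar 13 02:31:56 sw-floor3 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/17, changed state to up
Mar 13 08:02:13 sw-floor3 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/9, changed state to up
"""

if __name__ == "__main__":
    for f in suspicious_flaps(SAMPLE_LOG, year=2024):
        print(f"{f['switch']} {f['iface']}: down {f['down']} -> up {f['up']} ({f['gap_s']} s)")
```

Treat the output as a lead for a cabinet inspection and a cross-check against change tickets, not as proof on its own. Useful extensions are to widen the out-of-hours test to weekends, to treat any flap on uplink or infrastructure ports as reportable regardless of time, and to compare the port's negotiated speed and duplex before and after the cycle. A device installed before switch logging was centralised leaves nothing here to find, which is why the physical inspection of cabinets remains necessary.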

