• conciselyverbose@sh.itjust.works · 45 up, 1 down · 1 month ago

    Did people think that not connecting to a network was a magic technique that prevented infections from being spread on USB drives if you move them back and forth?

    • JasonDJ@lemmy.zip · 37 up · 1 month ago (edited)

      It’s weird for the title to focus on the tools, and not the attack itself.

      Two attacks on production air-gapped networks, with different tools, from the same group, is pretty damn impressive. Especially for a group not backed by a nation-state.

      Edit: it sounds like this was a multi-stage attack…compromising a production non-airgapped internal system and using that to create the USB payload and later exfiltration. That’s pretty cool. The mule who brought the infected USB into the air-gapped space was likely none the wiser…the media had been written by them, to their own USB, and probably even hardware encrypted at rest (something like an Apricorn).

    • specialseaweed@sh.itjust.works · 8 up · 1 month ago

      No but it’s a good start. The problem is that literally everyone would do it, from directors to the lowest paid people on the job. EVERYBODY does it. We detected and blocked, so then they started hardwire connecting to switches that they saw in offices. We had blocked those, so they started trying to connect to industrial switches out in the factories.

      It was maddening.

      • RubberDuck@lemmy.world · 3 up · 1 month ago

        But switches have all ports set to shut and open ports bound to the device connected… or is this not common?

      • corsicanguppy@lemmy.ca · 3 up, 1 down · 1 month ago

        “literally”

        There are other adverbs.

        “everyone would do it, from directors to the lowest paid people on the job”

        Ensure the kernel filters out all USB except for the major/minor used by mice and keyboards. This is absolutely standard for secret-squirrel shit. Default to rejected, but allow a few.

        • specialseaweed@sh.itjust.works · 1 up · 1 month ago (edited)

          This was a long time ago in a different world. I’m an old man now. My job now is coaching soccer and gardening and baking, but thanks for writing that. Hopefully new admins see it.

          And it was literally.
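The “default to rejected, but allow a few” policy suggested above, as an added example that is not from any commenter. It uses the Linux kernel's USB authorization files under sysfs (`authorized_default` per host controller, `authorized` per device) rather than character-device major/minor numbers, and approximates “mice and keyboards” by USB interface class 03 (HID). A composite device that is part HID and part storage is denied as a whole. The `$1` sysfs root is an assumption so the script can be exercised against a constructed tree; hotplug handling via udev is left out.

```shell
#!/bin/sh
# Default-deny USB policy via the Linux kernel's sysfs authorization files.
# "major/minor" in the comment is approximated by USB interface class:
# 03 = HID (keyboards, mice). Everything else, including a composite device
# that is part HID and part storage, is left unauthorized.
# $1 is the sysfs root (default /sys); tests point it at a constructed tree.

# Succeeds only if device dir $1 has interfaces and every one is class 03.
usb_dev_is_hid_only() {
    dev="$1"
    found=0
    for iface in "$dev":*; do            # interface dirs look like 1-1:1.0
        [ -f "$iface/bInterfaceClass" ] || continue
        found=1
        [ "$(cat "$iface/bInterfaceClass")" = "03" ] || return 1
    done
    [ "$found" -eq 1 ]
}

# Applies the policy; prints "allow <dev>" or "deny <dev>" per device.
usb_apply_policy() {
    root="${1:-/sys}"
    # 1. Newly plugged devices on every host controller start unauthorized.
    for hc in "$root"/bus/usb/devices/usb*; do
        [ -f "$hc/authorized_default" ] && echo 0 > "$hc/authorized_default"
    done
    # 2. Re-evaluate devices already present (dirs like 1-1 or 1-1.2).
    for dev in "$root"/bus/usb/devices/[0-9]*-*; do
        case "$dev" in *:*) continue ;; esac   # skip interface dirs
        [ -f "$dev/authorized" ] || continue
        if usb_dev_is_hid_only "$dev"; then
            echo 1 > "$dev/authorized"
            echo "allow $(basename "$dev")"
        else
            echo 0 > "$dev/authorized"
            echo "deny $(basename "$dev")"
        fi
    done
    return 0
}
```

Run as root against the real `/sys` only after confirming the console keyboard is pure HID, since a denied device stays unusable until re-authorized.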

  • cmnybo@discuss.tchncs.de · 45 up, 1 down · 1 month ago

    It seems like they could be rendered ineffective by simply disabling auto run and forcing removable drives to mount noexec.
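A check for the noexec part of that suggestion, as an added example that is not from the commenter: it reads `/proc/mounts` format and reports any mount under a removable-media prefix that lacks noexec (and the usual nosuid/nodev). The default prefixes are an assumption; the sample mount lines in the test are constructed.

```shell
#!/bin/sh
# Audit removable-media mounts for the noexec hardening described above.
# Input is /proc/mounts format:  <source> <mountpoint> <fstype> <options> 0 0
# $1 = mounts file (default /proc/mounts); $2 = space-separated list of
# removable-media mount prefixes (assumed defaults: /media /run/media /mnt).
# Prints "OK <mnt>" or "FAIL <mnt> missing:<opts>" for each removable mount.

audit_removable_mounts() {
    mounts_file="${1:-/proc/mounts}"
    prefixes="${2:-/media /run/media /mnt}"
    while read -r _src mnt _fstype opts _rest; do
        removable=0
        for p in $prefixes; do
            case "$mnt" in "$p"/*) removable=1 ;; esac
        done
        [ "$removable" -eq 1 ] || continue
        missing=""
        for want in noexec nosuid nodev; do
            # options are comma-separated; wrap in commas for exact matching
            case ",$opts," in *,"$want",*) ;; *) missing="$missing,$want" ;; esac
        done
        if [ -n "$missing" ]; then
            echo "FAIL $mnt missing:${missing#,}"
        else
            echo "OK $mnt"
        fi
    done < "$mounts_file"
    return 0
}
```

noexec only blocks direct execution; a file handed to an interpreter still runs, so this is one layer alongside device control.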

  • stealth_cookies@lemmy.ca · 12 up · 1 month ago

    Is this mitigated by blocking mass storage devices on all devices on the air gapped network? Seems like the minimum you would want to do on a network important enough to air gap.

    • HC4L@lemmy.world · 8 up · 1 month ago

      Depends. If you need updates on the software used in the air gapped network you won’t have a lot of options. Burning CDs doesn’t sound so crazy all of a sudden though…

      • KamikazeRusher@lemm.ee · 11 up · 1 month ago

        Having worked in classified areas, both as an admin and an unprivileged user, CDs were normally the method of transferring data up the network. (Transferring down rarely occurred, and even then you’d be limited to plaintext files or printouts.)

        I’ve seen more places use data diodes to perform one- or two-way transfers so that requests can be streamlined and there’s no loose media to worry about tracking. It’s not super fast and higher speeds mean more expensive equipment, but it covers 98% of software update needs, and most non-admin file transfers were under 20MB anyways.

        Anything that did require a USB drive, like special test equipment (STE) or BIOS updates, had to use a FIPS-140-1 approved drive that offered a read-only mode via PIN. This drive could only be written to from a specific workstation that was isolated from the rest of the machines (where data was transferred via CDs of course) and required two persons to perform the job to ensure accountability.

        Not the most time-efficient way of doing things, and not completely bulletproof, but it works well enough to keep things moving forward.

      • stealth_cookies@lemmy.ca · 3 up · 1 month ago

        You can greatly reduce the attack surface by limiting device use to specific users or maybe even specific devices that are controlled.

      • quixotic120@lemmy.world · 3 up, 2 down · 1 month ago

        I mean therein lies the problem. If you remove mass storage devices but allow CDs then that’s just a different attack vector to exploit. You could potentially make it so there is no way to interface with any kind of storage, but then when someone finds a way to break things open with a HID device you now have no practical way to fix the issue (plus working with the machine will be a nightmare).

        • chaospatterns@lemmy.world · 3 up · 1 month ago (edited)

          CDs have an advantage over USB drives in that they can’t actually secretly be USB HID devices like a fake keyboard or mouse that runs a bunch of commands when it plugs in. It’s only a storage device.

          A super secure environment might then lock down all USB devices to ones known by them and then epoxy all ports and devices.

        • catloaf@lemm.ee · 2 up · 1 month ago

          No. This exploit worked because the medium is read-write. Once a disc is finalized, it cannot be written to. You can’t exfiltrate data via the CD.

          I’m sure there’s some modified CD burner out there that can write to a finalized disc, but this would only work where the air-gapped machine supports it, and also even has a drive that can write.

      • BearOfaTime@lemm.ee · 2 up, 1 down · 1 month ago

        Wouldn’t you validate that update on a test machine in an isolated environment…like we’ve done since forever?

        • HC4L@lemmy.world · 2 up · 1 month ago

          That still won’t say anything about the reliability of the medium. The update itself isn’t the problem.

  • Echo Dot@feddit.uk · 9 up · 1 month ago (edited)

    Air-gap systems prevent viruses, in the same way that living in a clean room prevents biological infections.

    But if a disease gets into your clean room you’ll still get sick, which should not be a surprise to anyone.

    Really though, an air-gap system should either disable USB ports or employees should have enough brain cells to not plug in random devices. It’s all up to physical security to prevent a bad actor gaining access to the facility.