Normally, we start investigating a cyberincident by looking for a source of infection. The source is not difficult to find — we look for an e-mail with a malware attachment or a malicious link, or for a hacked server. As a rule, security specialists have a list of equipment, so all you need to do is figure out which machine started the malicious activity. But what if all of your computers are clean — yet malicious activity is still occurring?
Recently, our experts investigated precisely such a situation. What they found: the attackers physically connected their own equipment to the corporate network.
This style of attack, dubbed DarkVishnya, begins with a criminal bringing a device to a victim’s office and connecting it to the corporate network. Through that device, they can remotely explore company’s IT infrastructure, intercept passwords, read information from public folders, and much more.
The technical details of this attack can be found in this Securelist post. In this particular case, malefactors targeted several banks in Eastern Europe. However, the method has potential for use against any big company. The bigger the better; it is much simpler to hide a malicious device in a large office — and especially effective if a company has many offices around the world connected to one network.
Investigating this case, our experts encountered three types of devices. We do not yet know whether all of them were planted by one group, or if there were multiple actors, but all attacks used the same principle. The devices involved were:
- A cheap laptop or netbook. Attackers do not need a flagship model; they can buy a used one, plug in a 3G modem and install a remote-control program. They then simply hide the device to evade notice and connect two cables — one to the network and another to a power supply.
- A Raspberry Pi. A miniature computer that is powered over a USB connection, a Raspberry Pi is inexpensive and inconspicuous — easier to purchase and hide in an office than a laptop. It can be plugged into a computer, where it will be camouflaged between wires, or, for example, in a USB port on a TV in a lobby or waiting area.
- A Bash Bunny. Intended for use as a tool for penetration testing, the Bash Bunny is freely sold on hacker forums. It does not need a dedicated network connection; it works through a computer’s USB port. On the one hand, that makes it easier to hide — it looks like a flash drive. On the other hand, device control technology can react to it immediately, making this option less likely to succeed.
How are they connected?
Even in companies where security issues are taken seriously, planting such a device is not impossible. Couriers, job seekers, and representatives of clients and partners are commonly allowed into offices, so malefactors can try to impersonate any of them.
An additional risk: Ethernet sockets are installed almost everywhere in offices — in corridors, meeting rooms, halls, and so forth. Look around the average business center and you’ll probably find somewhere to hide a small device connected to the network and to a power supply.
What should you do?
This attack has at least one weak spot — an attacker must come to the office and physically attach a device. Therefore, you should start by restricting access to the network from places accessible by outsiders.
- Disconnect unused Ethernet outlets in public areas. If that is not possible, at least isolate them on a separate network segment.
- Situate Ethernet sockets in view of security cameras (that could be a deterrent or will at least be helpful in case you need to investigate an incident).
- Use a security solution with reliable device control technologies (for example, Kaspersky Endpoint Security for Business).
- Consider using a specialized solution for monitoring anomalies and suspicious activity on the network (for example, Kaspersky Anti Targeted Attack Platform).