Proactive IT Security
 

Plug mouse into the computer - be compromised

Introduction

This week an intriguing story appeared on several Internet news sites. To mention a few, The Register reported "Hackers pierce network with jerry-rigged mouse", and Forbes' Andy Greenberg used the excellent title "How To Hack A Company With A Trojan Mouse" in his blog item.

The setup

Netraguard is a security company that specializes in anti-hacking services based on realistic reproduction of real-world threats.

In one of the company's assignments the client requested a network penetration attempt with the following restrictions:

  • one single IP address bound to a firewall that offered no services,
  • no use of social attack vectors based on social networks, telephone, or email,
  • no physical access to the campus and surrounding areas.

To accomplish this "mission impossible", Netraguard used what it coined PRION.
Wikipedia describes prion as "an infectious agent composed of protein in a misfolded form".

As its infectious agent Netraguard used a standard computer mouse. This mouse was modified to include

  • a Teensy microcontroller
  • a micro USB hub
  • a mini USB cable
  • a micro flash drive

The microcontroller and the flash drive were programmed so that their payload launched 60 seconds after user activity began. A special software module was written to evade the antimalware product used by the customer.
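What makes such a device dangerous is the topology it presents to the host: the mouse's own USB connector now leads to a hub, behind which the operating system enumerates the original mouse, the Teensy and the flash drive as separate devices. A Teensy is normally used in this role as a USB HID keyboard that types commands once its delay expires; the post does not spell out the Teensy's payload, so treating it as keystroke injection is an assumption here. The following script is an added example, not Netraguard's code or anything from the original write-up: it parses Linux kernel (dmesg) USB enumeration messages, rebuilds the port tree and flags (a) any keyboard-class HID device whose vendor/product ID is not on an allowlist and (b) any hub behind which both a keyboard and a mass-storage device appear. The log lines, the allowlisted VID:PID and the hub, Teensy and flash-drive IDs in the sample are constructed for the example.

```python
import re

# Corporate-standard keyboards (vendor ID, product ID) that are allowed to
# enumerate as a keyboard. The value is an assumption made for this example.
KNOWN_KEYBOARDS = {("04f2", "0116")}

# Constructed dmesg excerpt modelled on the kernel's USB messages. It shows a
# known keyboard on port 1-2 and, on port 1-1.3, a hub that carries the original
# mouse, a Teensy presenting a keyboard interface, and a flash drive. All IDs
# and product strings are made up for the example.
SAMPLE_DMESG = """\
[   12.100] usb 1-2: New USB device found, idVendor=04f2, idProduct=0116, bcdDevice= 1.00
[   12.101] usb 1-2: Product: USB Keyboard
[   12.120] hid-generic 0003:04F2:0116.0001: input,hidraw0: USB HID v1.10 Keyboard [Chicony USB Keyboard] on usb-0000:00:14.0-2/input0
[  118.402] usb 1-1.3: new high-speed USB device number 5 using xhci_hcd
[  118.530] usb 1-1.3: New USB device found, idVendor=05e3, idProduct=0608, bcdDevice=85.36
[  118.531] usb 1-1.3: Product: USB2.0 Hub
[  118.540] hub 1-1.3:1.0: USB hub found
[  119.001] usb 1-1.3.1: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
[  119.002] usb 1-1.3.1: Product: USB Optical Mouse
[  119.010] hid-generic 0003:046D:C077.0003: input,hidraw2: USB HID v1.11 Mouse [USB Optical Mouse] on usb-0000:00:14.0-1.3.1/input0
[  119.400] usb 1-1.3.2: New USB device found, idVendor=16c0, idProduct=0487, bcdDevice= 1.00
[  119.401] usb 1-1.3.2: Product: Teensyduino Keyboard/Mouse/Joystick
[  119.420] hid-generic 0003:16C0:0487.0004: input,hidraw3: USB HID v1.11 Keyboard [Teensyduino Keyboard/Mouse/Joystick] on usb-0000:00:14.0-1.3.2/input0
[  119.800] usb 1-1.3.3: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[  119.801] usb 1-1.3.3: Product: Cruzer Blade
[  119.830] usb-storage 1-1.3.3:1.0: USB Mass Storage device detected
"""

# Device keys are "<bus>-<port path>" exactly as the kernel prints them (e.g. "1-1.3.2").
RE_FOUND = re.compile(r"usb (\d+-[\d.]+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
RE_PRODUCT = re.compile(r"usb (\d+-[\d.]+): Product: (.+)$")
RE_HUB = re.compile(r"hub (\d+-[\d.]+):\d+\.\d+: USB hub found")
RE_STORAGE = re.compile(r"usb-storage (\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")
# hid-generic reports the port path without the bus number ("...-1.3.2/input0").
RE_HID = re.compile(r"USB HID v[\d.]+ (Keyboard|Mouse|Device) \[.*\] on usb-[0-9a-f:.]+-([\d.]+)/input\d+")


def _add_role(devices, key, role):
    if key in devices:
        devices[key]["roles"].add(role)


def parse_dmesg(text):
    """Return {key: {"vid", "pid", "product", "roles"}} from kernel USB log lines."""
    devices = {}
    for line in text.splitlines():
        if m := RE_FOUND.search(line):
            devices[m.group(1)] = {"vid": m.group(2), "pid": m.group(3),
                                   "product": "", "roles": set()}
        elif m := RE_PRODUCT.search(line):
            if m.group(1) in devices:
                devices[m.group(1)]["product"] = m.group(2)
        elif m := RE_HUB.search(line):
            _add_role(devices, m.group(1), "hub")
        elif m := RE_STORAGE.search(line):
            _add_role(devices, m.group(1), "storage")
        elif m := RE_HID.search(line):
            # Map the bus-less HID path back onto the enumerated device.
            hits = [k for k in devices if k.endswith("-" + m.group(2))]
            if len(hits) == 1:
                _add_role(devices, hits[0], m.group(1).lower())
    return devices


def analyse(devices, known_keyboards=KNOWN_KEYBOARDS):
    """Return (kind, port key, "vid:pid") findings for suspicious enumeration patterns."""
    findings = []
    # (a) a keyboard interface from a device that is not a known keyboard
    for key, dev in sorted(devices.items()):
        if "keyboard" in dev["roles"] and (dev["vid"], dev["pid"]) not in known_keyboards:
            findings.append(("unexpected-keyboard", key, f'{dev["vid"]}:{dev["pid"]}'))
    # (b) a hub whose descendants include both a keyboard and mass storage
    for key, dev in sorted(devices.items()):
        if "hub" not in dev["roles"]:
            continue
        behind = set()
        for child, cdev in devices.items():
            if child.startswith(key + "."):
                behind |= cdev["roles"]
        if {"keyboard", "storage"} <= behind:
            findings.append(("keyboard-plus-storage-behind-hub", key, f'{dev["vid"]}:{dev["pid"]}'))
    return findings


if __name__ == "__main__":
    for kind, key, ids in analyse(parse_dmesg(SAMPLE_DMESG)):
        print(f"{kind}: port {key} ({ids})")
```

Feed it the output of `dmesg` or `journalctl -k` on a Linux workstation. Rule (b) also matches a docking station with a keyboard and a stick plugged into it, so treat hits as triage leads rather than verdicts; the sharper control is to enforce the same policy at enumeration time (for example with USBGuard on Linux) so that an unexpected keyboard is never bound to the host at all.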

The next step was to use the Jigsaw contact database to find employee information, select a suitable target employee, and mail the PRION to that person disguised as a marketing gadget.

After three days the penetration attempt could be declared successful.

The complete setup is described in (fun) detail in Netraguard's blog.

USB sticks - obsolete as a penetration device?

For some time USB sticks were a favorite device for targeted attacks; they were, for example, most likely used for the initial infection by the infamous Stuxnet malware. However, the Windows shortcut (.LNK) vulnerability that Stuxnet exploited has been patched, and Microsoft has disabled the AutoRun mechanism for USB storage devices in newer versions and updates of its supported operating systems.

Netraguard comments on using USB sticks in its blog:

Just mail a bunch of sticks to different people within the target company and wait for someone to plug it in; when they do it's game over, they're infected. That trick worked great back in the day but not so much any more. The first issue is that most people are well aware of the USB stick threat due to the many published articles about the subject. The second is that more and more companies are pushing out group policies that disable the autorun feature in Windows systems. Those two things don't eliminate the USB stick threat, but they certainly have a significant impact on its level of success and we wanted something more reliable.

It is obviously true that the probability of success is greater with a targeted attack as sophisticated as Netraguard's. It is also true that the usefulness of USB sticks for targeted attacks has decreased in recent months.

However, earlier this week Bloomberg referred in an article to a test run by the U.S. Department of Homeland Security involving USB sticks.

In this test, computer discs and USB drives were secretly dropped in the parking lots of government buildings and private contractors. Of those who picked them up, 60 percent plugged the devices into office computers. Amazingly, if the drive or CD case carried an official logo, the figure rose to 90 percent.

Dropping USB sticks carrying the target organization's own logo would most likely increase this probability even further.

However, as mentioned above, automatic launching of programs from inserted devices has been considerably reduced in recent months. Does this render such customized USB sticks obsolete as attack devices? In our view, no.

An attacker who targets an organization using USB sticks as the attack vector might instead load the dropped, customized sticks with malicious files. Such files can be given names that tempt employees to open them. Some examples might be

  • Proposal_for_immediate_salary_reduction.pdf
  • Upcoming_organizational_restructure.ppt
  • Summer_party_laughs.swf.

These files would contain known or, ideally for the attacker, unknown exploits for the application that opens them, infecting the machine as soon as a user launches the file.
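Before anyone double-clicks, a found stick can be mounted read-only on an analysis machine and inventoried. The script below is an added example (not part of the original post) of that first triage step: it flags file types that execute or open in historically exploited viewers, document-looking names that end in a second, executable extension, and files whose content does not match what the extension claims (for instance a ".pdf" that begins with the `MZ` header of a Windows executable). The sample stick it builds, including the inert stand-in file contents and the file names borrowed from the list above, is constructed for the example.

```python
import os
import tempfile

# Header bytes a file with this extension should start with.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"       # legacy Office container (.doc/.ppt/.xls)
ZIP_MAGIC = b"PK\x03\x04"                              # OOXML (.docx/.pptx/.xlsx) is a zip
EXPECTED_MAGIC = {
    ".pdf": (b"%PDF-",),
    ".swf": (b"FWS", b"CWS", b"ZWS"),
    ".ppt": (OLE_MAGIC,), ".doc": (OLE_MAGIC,), ".xls": (OLE_MAGIC,),
    ".pptx": (ZIP_MAGIC,), ".docx": (ZIP_MAGIC,), ".xlsx": (ZIP_MAGIC,),
}
# Content that is a program no matter what the name claims.
EXECUTABLE_MAGIC = {b"MZ": "Windows PE executable", b"\x7fELF": "ELF executable"}
# Types that run code, or open in a plugin with a long exploit history, when launched.
RISKY_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js",
             ".jse", ".hta", ".lnk", ".swf", ".jar"}
# Extensions an attacker might use as the "inner" part of a double extension.
DOCUMENT_EXT = {".pdf", ".ppt", ".pptx", ".doc", ".docx", ".xls", ".xlsx",
                ".jpg", ".png", ".txt"}


def classify(path):
    """Return the list of reasons a file should not be opened casually ([] if none)."""
    reasons = []
    parts = os.path.basename(path).lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXT:
        reasons.append(f"double extension: looks like .{parts[-2]} but is {ext}")
    if ext in RISKY_EXT:
        reasons.append(f"risky file type {ext}")
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, desc in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            reasons.append(f"content is a {desc}")
    expected = EXPECTED_MAGIC.get(ext)
    if expected and not any(head.startswith(m) for m in expected):
        reasons.append(f"content does not match {ext} header")
    return reasons


def triage(root):
    """Walk a (read-only mounted) stick; map relative path -> reasons for each flagged file."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            reasons = classify(full)
            if reasons:
                flagged[os.path.relpath(full, root)] = reasons
    return flagged


def build_sample_stick(root):
    """Create constructed files mimicking a dropped stick; contents are inert stand-ins."""
    samples = {
        "Proposal_for_immediate_salary_reduction.pdf": b"MZ\x90\x00" + b"\x00" * 60,  # PE behind a .pdf name
        "Upcoming_organizational_restructure.ppt": OLE_MAGIC + b"\x00" * 56,          # header-consistent OLE file
        "Summer_party_laughs.swf": b"CWS\x0a" + b"\x00" * 60,                         # Flash movie
        "Summer_party_photos.jpg.exe": b"MZ\x90\x00" + b"\x00" * 60,                  # double extension
        "README.txt": b"Company picnic, see you there!\n",
    }
    for fn, data in samples.items():
        with open(os.path.join(root, fn), "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample stick in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_stick(root)
        return triage(root)


if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(rel)
        for r in reasons:
            print("   -", r)
```

A header check only catches crude disguises: the restructuring .ppt above passes because its container header is consistent, and a genuine PDF or PowerPoint file carrying an exploit would pass just the same, which is exactly the case described in the text. Treat a clean triage result as "nothing obviously wrong" and still open such files only in an isolated, fully patched environment, never on a production desktop.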

How to protect yourself and your organization

The examples above show that it is almost impossible to protect an organization completely against a targeted cyberattack. A determined attacker who allocates sufficient resources will, at some point in time, succeed in compromising its computers and network.

This does not mean that protection should be abandoned, of course. However, it might be wise to adopt a mind-set where the focus is both on

  • setting up security mechanisms corresponding to the acceptable level of risk
  • creating action plans for situations where the organization is compromised

The first bullet point covers deployment of security software and a regime of regular security updates. It should also include user education that raises employees' awareness of how targeted attacks against the organization might be carried out.

The second bullet point acknowledges that, at some point in time, a compromise of your organization's information is highly likely. It may come through trojaned devices, application vulnerabilities, mistakes, disgruntled employees (present or former), or any other route.
Rather than relying on protection that presupposes this will not happen, one should assume that it will happen and prepare accordingly.

Technical References for further reading