208
submitted 3 days ago by misk@sopuli.xyz to c/technology@lemmy.world
top 48 comments
sorted by: hot top controversial new old
[-] wyrmroot@programming.dev 9 points 2 days ago

So far, we haven’t been able to trace back to the initial compromise vector in the campaigns seen in our telemetry.

They hypothesize that attaching a compromised USB drive to an air gapped system is to blame. That seems to be a well known vector at this point. Does it matter much what tool is used to copy data once it’s in?

[-] JordanZ@lemmy.world 1 points 1 day ago

People literally just drop usb drives in the parking lot of places they want to compromise hoping some idiot will plug it into a machine inside. So they might want to check their security tapes of the parking lot.

I’ve sent a usb drive through the washing machine a couple times. Still works fine. So can’t imagine rain bothers them too much.

[-] linearchaos@lemmy.world 1 points 13 hours ago

There are USB cables that do this now. Air capped machines need to be better about sanitizing USB.

[-] lud@lemm.ee 2 points 22 hours ago

People literally just drop usb drives in the parking lot of places they want to compromise hoping some idiot will plug it into a machine inside.

You say that like it's some common occurrence. Is it? As far as I know the CIA, FBI, or NSA (Can't remember) did a test where they did that in their own parking lot and lots of people fell for it. But is there any evidence of it being done maliciously?

[-] ATDA@lemmy.world 2 points 20 hours ago

Even if it isn't an intentional attack you don't want people bringing God knows what on USB sticks that may or may not just be infected from the users own home PC. USB storage devices are lovely targets.

But yeah the South Korean military got infected by a soldier plugging in a planted USB stick.

I think the narrative of a targeted attack is easier to sell though. Make it us vs them and people grasp the concept a little better. This is very common in information security training in a lot of fields in my experience.

[-] capital@lemmy.world 6 points 2 days ago

The basic flow of the attack is, first, infecting an Internet-connected device through a means ESET and Kaspersky have been unable to determine. Next, the infected computer infects any external drives that get inserted. When the infected drive is plugged into an air-gapped system, it collects and stores data of interest. Last, when the drive is inserted into the Internet-connected device, the data is transferred to an attacker-controlled server.

Guys, storage devices move data from one machine to another. /pikachuface

[-] echodot@feddit.uk 29 points 3 days ago* (last edited 3 days ago)

Air gap systems prevent viruses, in the same way that living in a clean room prevents biological infections.

But if a disease gets into your clean room you'll still get sick, should not be a surprise to anyone.

Really though, an air cap system should either disable USB ports or employees should have enough brain cells to not plug in random devices. It's all up to physical security to prevent a bad actor gaining excess to the facility.

[-] InverseParallax@lemmy.world 4 points 2 days ago

God, flashbacks to having to copy files to and from 3.5 floppies to get them on secure nodes on the military comm system I was fixing.

[-] echodot@feddit.uk 5 points 2 days ago

When I first started we had a system to get documents onto a secure network and it was the most batshit insane system ever invented by anyone.

You would print the document off, take a photograph of it with the world's oldest digital camera, It took 3 and 1/4 in floppy disks, then transfer that floppy disk onto a secure network. Run an OCR program on the system to get the text back into a searchable format.

I have absolutely no idea why this was the method, but every time I questioned it I just got told that's the way it is.

[-] kureta@lemmy.ml 22 points 3 days ago

We had air gapped systems (we didn't have internet) in the 90s and they still got viruses(from floppy disks). I don't understand what is new?

[-] ikidd@lemmy.world 22 points 2 days ago

Hell, there was a time dropping USB sticks in a parking lot would get systems like this infected. That might be how Stuxnet got into the Iranian centrifuges.

[-] Maggoty@lemmy.world 12 points 2 days ago

Was a time?

It's absolutely still a thing. Just label it "VP Qrtly".

[-] lando55@lemmy.world 4 points 2 days ago

"Vascular... penus... quart of lye? I gotta see what's on this"

[-] conciselyverbose@sh.itjust.works 59 points 3 days ago

Did people think that not connecting to a network was a magic technique that prevented infections from being spread on USB drives if you move them back and forth?

[-] JasonDJ@lemmy.zip 42 points 3 days ago* (last edited 3 days ago)

It's weird for the title to focus on the tools, and not the attack itself.

Two attacks on production air-gapped networks, with different tools, from the same group, is pretty damn impressive. Especially for a group not backed by a nation-state.

Edit: it sounds like this was a multi-stage attack...compromising a production non-airgapped internal system and using that to create the USB payload and later exfiltration. That's pretty cool. The mule who brought the infected USB into the air-gapped space was likely none the wiser...the media had been written by them, to their own USB, and probably even hardware encrypted at rest (something like an Apricorn).

[-] lud@lemm.ee 1 points 22 hours ago

it sounds like this was a multi-stage attack...compromising a production non-airgapped internal system and using that to create the USB payload and later exfiltration. That's pretty cool. The mule who brought the infected USB into the air-gapped space was likely none the wiser...the media had been written by them, to their own USB, and probably even hardware encrypted at rest (something like an Apricorn).

Yeah, that's pretty damn impressive.

[-] specialseaweed@sh.itjust.works 11 points 3 days ago

No but it’s a good start. The problem is that literally everyone would do it, from directors to the lowest paid people on the job. EVERYBODY does it. We detected and blocked, so then they started hardwire connecting to switches that they saw in offices. We had blocked those, so they started trying to connect to industrial switches out in the factories.

It was maddening.

[-] Badeendje@lemmy.world 3 points 3 days ago

But switches have all ports set to shut and open ports bound to the device connected.. or is this not common?

[-] specialseaweed@sh.itjust.works 3 points 3 days ago

It depends on the environment for sure. That was standard at the end of my career but definitely not at the beginning.

[-] corsicanguppy@lemmy.ca 1 points 3 days ago

literally

There are other adverbs.

everyone would do it, from directors to the lowest paid people on the job

Ensure the kernel filters out all USB except for the major/minor used by mice and keyboards. This is absolutely standard for secret-squirrel shit. Default to rejected, but allow a few.

[-] Nighed@feddit.uk 2 points 2 days ago

There are 'keyboards' that when plugged in type Win+R CMD.exe then do whatever you want. (Other terminals are available)

I guess that stops users from trying in the first place though.

[-] specialseaweed@sh.itjust.works 2 points 2 days ago* (last edited 2 days ago)

This was a long time ago in a different world. I’m an old man now. My job now is coaching soccer and gardening and baking, but thanks for writing that. Hopefully new admins see it.

And it was literally.

[-] cmnybo@discuss.tchncs.de 59 points 3 days ago

It seems like they could be rendered ineffective by simply disabling auto run and forcing removable drives to mount noexec.

[-] Link@rentadrunk.org 49 points 3 days ago

This should be the default on all PCs.

[-] AbidanYre@lemmy.world 42 points 3 days ago
[-] x00za@lemmy.dbzer0.com 6 points 3 days ago

Maybe the target systems are more than 2 decades old.

[-] AbidanYre@lemmy.world 5 points 2 days ago

To be fair, you could compromise Windows 98 by looking at it funny.

[-] specialseaweed@sh.itjust.works 8 points 3 days ago

You would be shocked at the amount of times employees would bring devices into our air gapped network.

[-] expr@programming.dev 6 points 3 days ago

Yeah our corporate machines won't run any external media. I assumed that was standard practice.

[-] Majestic@lemmy.ml 3 points 3 days ago

Well it’s believed it entices users to click the malware to run by disguising itself as the last accessed folder with the same name and folder icon.

In that case having the option to always show extensions enabled would be helpful for trained users who care to be careful.

It’s not that interesting sounding given we know the NSA and eyes countries have developed compromised firmware for certain hard drives to enable true spread without interaction or hope of prevention. Whenever I see one of these I wonder if it’ll be a case of compromising the device itself but it’s this old stuff instead which can be defeated with a good security posture.

[-] Chronographs@lemmy.zip 19 points 3 days ago

Hidden file extensions is such a terrible default it amazes me that Microsoft is still doing that

[-] undefined@links.hackliberty.org 2 points 3 days ago

macOS does this too shockingly despite using the file extension as a “hint” to the file type. I think it’s unique in that most UNIX/Linux systems use magic number and Windows blindly accepts that the file is of the type that matches the extension.

[-] cmnybo@discuss.tchncs.de 3 points 3 days ago

When the drive is mounted noexec it's not possible to run any programs on it. You can also mount any user writable directories noexec so they can't copy the program somewhere else and run it.

[-] stealth_cookies@lemmy.ca 13 points 3 days ago

Is this mitigated by blocking mass storage devices on all devices on the air gapped network? Seems like the minimum you would want to do on a network important enough to air gap.

[-] HC4L@lemmy.world 9 points 3 days ago

Depends. If you need updates on the software used in the air gapped network you won't have lot of options. Burning cd's doesn't sound so crazy all of a sudden though...

[-] KamikazeRusher@lemm.ee 14 points 3 days ago

Having worked in classified areas, both as an admin and an unprivileged user, CDs were normally the method of transferring data up the network. (Transferring down rarely occurred, and even then you’d be limited to plaintext files or printouts.)

I’ve seen more places use data diodes to perform one- or two-way transfers so that requests can be streamlined and there’s no loose media to worry about tracking. It’s not super fast and higher speeds mean more expensive equipment, but it covers 98% of software update needs, and most non-admin file transfers were under 20MB anyways.

Anything that did require a USB drive, like special test equipment (STE) or BIOS updates, had to use a FIPS-140-1 approved drive that offered a ready-only mode via PIN. This drive could only be written to from a specific workstation that was isolated from the rest of the machines (where data was transferred via CDs of course) and required two persons to perform the job to ensure accountability.

Not the most time-efficient way of doing things, and not completely bulletproof, but it works well enough to keep things moving forward.

[-] stealth_cookies@lemmy.ca 3 points 3 days ago

You can greatly reduce the attack surface by limiting device use to specific users or maybe even specific devices that are controlled.

[-] quixotic120@lemmy.world 1 points 3 days ago

I mean therein lies the problem. If you remove mass storage devices but allow cds then that’s just a different attack vector to exploit. You could potentially make it so there is no way to interface with any kind of storage but then when someone finds a way to break things open with a hid device you now have no practical way to fix the issue (plus working with the machine will be a nightmare)

[-] chaospatterns@lemmy.world 3 points 3 days ago* (last edited 3 days ago)

CDs have an advantage over USB drives in that they can't actually secretly be USB HID devices like a fake keyboard or mouse that runs a bunch of commands when it plugs in. It's only a storage device.

A super secure environment might then lock down all USB devices to ones known by them and then epoxy all ports and devices.

[-] catloaf@lemm.ee 2 points 3 days ago

No. This exploit worked because the medium is read-write. Once a disc is finalized, it cannot be written to. You can't exfiltrate data via the CD.

I'm sure there's some modified CD burner out there that can write to a finalized disc, but this would only work where the air-gapped machine supports it, and also even has a drive that can write.

[-] quixotic120@lemmy.world 1 points 3 days ago

Unless it’s a rewritable cd, or the cd is the first step in a chain of exploits that allows write access on the usb ports used for peripherals so that an inside person could get away with a usb key or modified keyboard, or something else we can’t conceptualize but some group of well funded state actors can

[-] BearOfaTime@lemm.ee 1 points 3 days ago

Wouldn't you validate that update on a test machine in an isolated environment....like we've done since forever?

[-] HC4L@lemmy.world 2 points 3 days ago

That still won't say anything about the reliability of the medium. The update itself isn't the problem.

[-] homesweethomeMrL@lemmy.world 7 points 3 days ago

Compromised air-gapped systems with http server and GoogleDrive?

Saywhat?

this post was submitted on 09 Oct 2024
208 points (97.3% liked)

Technology

58633 readers
4314 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS