Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/9/2019
10:00 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

From Spyware to Ninja Cable

Attackers don't need sophisticated James Bondian hardware to break into your company. Sometimes a $99 device will do.

Up until just a few years ago, unless you were working as a secret agent, your only chance of seeing spy tools and gadgets was in the movies. These days, it still isn't easy to buy a lipstick pistol or a Bulgarian umbrella, but it has become shockingly easy to legally buy hardware-based cyberattack tools.

Although IT security tools have quickly and significantly improved and threat-hunting teams of the leading enterprises have become more professional, cybercriminals aren't giving up.

Document leaks, such as the NSA ANT catalog and the US Central Intelligence Agency's Vault 7, released a huge hacking tool arsenal including concepts of operation, drawings, source code, etc., and allowed individuals and specialized companies to join the game. Hardware cyberattack tools that were in the hands of only governments and intelligence agencies are now available for purchase as legitimate penetration-testing tools starting at less than $10.

A recent example of a dangerous tool is the USB Ninja cable, which was introduced earlier this year. The Ninja cable looks like any ordinary and innocent smartphone-charging cable, and will charge a smartphone as usual. However, this cable's design and internals are inspired by the leaked NSA Cottonmouth, a USB hardware implant that provides a wireless bridge into a target network as well as the ability to load exploit software onto target PCs. (For information on the original device, see the background story here.) When it was a top-secret weapon in use by the government, the unit price was $20,000. These days, when publicly offered as a pen-testing tool, anyone can buy it for around $99.

Now just imagine a cybercrime organization trying to get into a bank's internal network. Chances of being able to overcome the network security tools such as firewalls, email scanners, etc., are not that high, and every failing attempt will just make the systems and security team more alert. But what if the threat actor could drop some of those cables around the company's HQ lobby? What if a cable is left on the cafeteria table? What if the ATM custodian gets one as a freebie? Probably, this cable will be plugged into a corporate laptop sooner rather than later, just for the sake of charging the phone.

The method of using infected hardware devices as attack vehicles and as invisible doors into sensitive infrastructure is even more attractive because the attacker can jump over air gaps and enter into (or steal information from) parts of the network that are segregated from the Internet or other parts of the enterprise network.

There is a huge gap in the awareness of IT and security teams between software deployment and usage policies and those that relate to hardware devices.

Corporate employees or contractors will never be able to install or use uncontrolled software on an enterprise workstation or laptop. There are not only regulations and processes, but the entire system of authorization levels and user management will block it even if they tried.

On the other hand, in many places, anyone can bring in and connect any uncontrolled gadget or peripheral device directly to the infrastructure. Not only are there no policies in place to define what's allowed and what's forbidden, there isn't even a way for CISOs or risk officers to know and understand the attack surface they're in charge of protecting.

Know the Risk
The good news is that it's possible to address this rapidly growing threat. As always, being aware and understanding the risk is the most important step. This change in mindset is quickly taking hold in the industry —the Center for Internet Security (CIS, a nonprofit with large companies, government agencies, and academic institutions as members) has defined inventory and control of hardware assets as a top priority.

CIS urges organizations to actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access. For more details, check out the tips from CIS.

Related Content:

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Phishers' Latest Tricks for Reeling in New Victims."

Iftah Bratspiess is a cybersecurity leader and entrepreneur with over 25 years of business and technology experience as an engineer, software developer, product line owner, manager, and strategist. Throughout his career, Iftah has successfully navigated multidisciplinary ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8423
PUBLISHED: 2020-04-02
A buffer overflow in the httpd daemon on TP-Link TL-WR841N V10 (firmware version 3.16.9) devices allows an authenticated remote attacker to execute arbitrary code via a GET request to the page for the configuration of the Wi-Fi network.
CVE-2019-14868
PUBLISHED: 2020-04-02
In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those env...
CVE-2019-20635
PUBLISHED: 2020-04-02
codeBeamer before 9.5.0-RC3 does not properly restrict the ability to execute custom Java code and access the Java class loader via computed fields.
CVE-2020-11452
PUBLISHED: 2020-04-02
Microstrategy Web 10.4 includes functionality to allow users to import files or data from external resources such as URLs or databases. By providing an external URL under attacker control, it's possible to send requests to external resources (aka SSRF) or leak files from the local system using the f...
CVE-2020-11453
PUBLISHED: 2020-04-02
Microstrategy Web 10.4 is vulnerable to Server-Side Request Forgery in the Test Web Service functionality exposed through the path /MicroStrategyWS/. The functionality requires no authentication and, while it is not possible to pass parameters in the SSRF request, it is still possible to exploit it ...