USB devices the common denominator in all attacks on air-gapped systems

Cyberattacks on air gapped systems, including the sophisticated and dangerous 2010 Stuxnet attack that crippled a uranium enrichment facility, all have one thing in common: a USB stick.

A new ESET study of 17 malware frameworks that threat actors have used over the past decade to target air-gapped systems showed every one of them used a USB drive to introduce malware into the environment and extract data from there. The security vendor found that the best defense for organizations against attacks on air-gapped systems is to restrict USB use as much as possible and to monitor them closely in situations where the devices need to be used.

“Defending air-gapped networks against cyberattacks is a very complex topic that involves several disciplines,” says Alexis Dorais-Joncas, security intelligence team lead at ESET. “That being said, there is value in understanding how known [malware] frameworks operate in air-gapped environments and deriving ways to detect and block common malicious activities.”

Organizations often protect their most critical business and operations systems by physically separating them — or air-gapping them — from other connected networks. The goal is to ensure that an attacker who might have gained access to the enterprise network has no way of reaching these systems through lateral movement, privilege escalation, and other methods.

Even so, there have been numerous instances over the past several years where threat actors managed to bridge the air gap and access mission-critical systems and infrastructure. The Stuxnet attack on Iran — believed to have been led by US and Israeli cybersecurity teams — remains one of the most notable examples. In that campaign, operatives managed to insert a USB device containing the Stuxnet worm into a target Windows system, where it exploited a vulnerability (CVE-2010-2568) that triggered a chain of events that eventually resulted in numerous centrifuges at Iran’s Natanz uranium enrichment facility being destroyed.

Other frameworks that have been developed and used in attacks on air-gapped systems over the years include South Korean hacking group DarkHotel’s Ramsay, China-based Mustang Panda’s PlugX, the likely NSA-affiliated Equation Group’s Fanny, and China-based Goblin Panda’s USBCulprit. ESET analyzed these malware frameworks, and others that have not be specifically attributed to any group such as ProjectSauron and agent.btz. The security vendor’s researchers focused specifically on facets such as malware execution mechanisms, malware functionalities within air-gapped networks for persistence, reconnaissance, and other activities and on communication and exfiltration channels.

Big Similarities
The exercise revealed some showed major similarities among all of them — including malware frameworks from as long 15 years ago. In addition to USBs being a common thread, every malware toolkit for air-gapped networks also was the handiwork of an advanced persistent threat group. All frameworks were designed to conduct espionage and to specifically target Windows devices. More than 75% of them used malicious LNK or autorun files on USB drives to initially compromise an air-gapped system or move laterally on an air-gapped network.

“The main takeaway is that the one and only point of entry ever observed into air-gapped networks is via USB drives. That’s where organizations should focus their efforts,” says Dorais-Joncas. “[Organizations] should also realize that many of the 17 frameworks took advantage of one-day vulnerabilities, which are security flaws for which a patch existed at the time of exploitation,” he says. This means keeping air-gapped systems up to date with the latest security fixes is important and would force the attacker to either develop or acquire suitable zero-day exploits or to use less efficient techniques, he says.

ESET found that while frameworks for attacking air-gapped networks share many similarities, the way the attacks themselves are carried out tend to fall into one of two categories: connected frameworks and offline frameworks.

To read the complete article, visit Dark Reading.