Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/9/2019
10:00 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

From Spyware to Ninja Cable

Attackers don't need sophisticated James Bondian hardware to break into your company. Sometimes a $99 device will do.

Up until just a few years ago, unless you were working as a secret agent, your only chance of seeing spy tools and gadgets was in the movies. These days, it still isn't easy to buy a lipstick pistol or a Bulgarian umbrella, but it has become shockingly easy to legally buy hardware-based cyberattack tools.

Although IT security tools have quickly and significantly improved and threat-hunting teams of the leading enterprises have become more professional, cybercriminals aren't giving up.

Document leaks, such as the NSA ANT catalog and the US Central Intelligence Agency's Vault 7, released a huge hacking tool arsenal including concepts of operation, drawings, source code, etc., and allowed individuals and specialized companies to join the game. Hardware cyberattack tools that were in the hands of only governments and intelligence agencies are now available for purchase as legitimate penetration-testing tools starting at less than $10.

A recent example of a dangerous tool is the USB Ninja cable, which was introduced earlier this year. The Ninja cable looks like any ordinary and innocent smartphone-charging cable, and will charge a smartphone as usual. However, this cable's design and internals are inspired by the leaked NSA Cottonmouth, a USB hardware implant that provides a wireless bridge into a target network as well as the ability to load exploit software onto target PCs. (For information on the original device, see the background story here.) When it was a top-secret weapon in use by the government, the unit price was $20,000. These days, when publicly offered as a pen-testing tool, anyone can buy it for around $99.

Now just imagine a cybercrime organization trying to get into a bank's internal network. Chances of being able to overcome the network security tools such as firewalls, email scanners, etc., are not that high, and every failing attempt will just make the systems and security team more alert. But what if the threat actor could drop some of those cables around the company's HQ lobby? What if a cable is left on the cafeteria table? What if the ATM custodian gets one as a freebie? Probably, this cable will be plugged into a corporate laptop sooner rather than later, just for the sake of charging the phone.

The method of using infected hardware devices as attack vehicles and as invisible doors into sensitive infrastructure is even more attractive because the attacker can jump over air gaps and enter into (or steal information from) parts of the network that are segregated from the Internet or other parts of the enterprise network.

There is a huge gap in the awareness of IT and security teams between software deployment and usage policies and those that relate to hardware devices.

Corporate employees or contractors will never be able to install or use uncontrolled software on an enterprise workstation or laptop. There are not only regulations and processes, but the entire system of authorization levels and user management will block it even if they tried.

On the other hand, in many places, anyone can bring in and connect any uncontrolled gadget or peripheral device directly to the infrastructure. Not only are there no policies in place to define what's allowed and what's forbidden, there isn't even a way for CISOs or risk officers to know and understand the attack surface they're in charge of protecting.

Know the Risk
The good news is that it's possible to address this rapidly growing threat. As always, being aware and understanding the risk is the most important step. This change in mindset is quickly taking hold in the industry —the Center for Internet Security (CIS, a nonprofit with large companies, government agencies, and academic institutions as members) has defined inventory and control of hardware assets as a top priority.

CIS urges organizations to actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access. For more details, check out the tips from CIS.

Related Content:

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Phishers' Latest Tricks for Reeling in New Victims."

Iftah Bratspiess is a cybersecurity leader and entrepreneur with over 25 years of business and technology experience as an engineer, software developer, product line owner, manager, and strategist. Throughout his career, Iftah has successfully navigated multidisciplinary ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11844
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
CVE-2020-6937
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
CVE-2020-7648
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
CVE-2020-7650
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
CVE-2020-7654
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.