Anyone who has seen a spy movie or two will recognize the premise behind sweeping for bugs. In the old days, these bugs were listening devices in a room or attached to a telephone handset. They then evolved to hidden cameras.
Recent technology developments mean this level of espionage is no longer something for just the spy movies and intelligence agencies. A $30 Raspberry Pi device could be trivially used for this exact purpose. The idea is simple: Slip into a bank or retail store like an average customer and quickly plug a thumb-sized computer into a power or network jack. Of course, you are even less likely to get caught if you bribe or coax an insider to plant it.
Who Let the Spies In?
Recently, we detected a Raspberry Pi device that suddenly popped up on the network of one of our financial services customers. If that wasn't troubling enough, the device in question was communicating using the remote access tool (RAT) TeamViewer.
As you might have guessed, there is no malware involved in this incident — so, the rest of the customer's extensive security stack couldn't be bothered. This just looked like a random internal device communicating to a number of external destinations with stellar reputations.
How and why did we think this was interesting? It speaks to the value of threat hunting. To a skilled human, a few things stand out. This was the only device of this type on the network, and it appeared to be communicating via TeamViewer far more than it was doing anything else. Given the stringent regulatory requirements that financial services organizations have to comply with, this device just didn't fit.
In fact, the platform surfaced other information automatically that would be relevant to any investigation. For instance, we noticed that many of the activities were extremely long-lived, which strongly pointed to this being a tunnel.
What could adversaries do with this type of access? For starters, they could simply monitor internal traffic passively and upload the data. And we all know how squishy the insides of networks can be with data flow. The RAT also gives adversaries an unfettered backdoor into the network from where they can spread laterally deeper and target the crown jewels of the organization in question. This is especially true because tools like TeamViewer find innovative ways to bypass controls, such as firewalls, that are designed to build a strong perimeter around that squishy internal network.
The Investigation Continues
We are in an unprecedented time where organizations are facing monumental challenges, including to their bottom line. This can often trickle down and result in disgruntled employees who want to exact revenge. But it can also open the door to adversaries who will pay employees to steal intellectual property. It gives these adversaries a level of separation and deniability that they planted the bug.
Of course, it could be something less sinister but perhaps equally dangerous: just an employee forced to work from home but looking to access the network remotely.
The other aspect to consider in most offices, and especially in consumer finance institutions and retailers, where strangers walking in and out is not uncommon, planting one of these devices does not require James Bond's skills! All in all, this is a classic case of an insider threat, even if the perpetrator is not an insider.
In order to minimize attack scenarios from a disgruntled insider, enterprises should place priority on the following:
- Promoting great company culture with emphasis on making all employees feel satisfied with (and accountable for) their company. Happy employees don't turn into insider threats.
- Security awareness training and cybercrime reporting procedures also help immensely. For instance, a Tesla employee was recently offered $1 million to install malware on the company's network. Not only did the insider not fall into this trap but, in fact, worked with Tesla and law enforcement to have the perpetrator apprehended.
- Monitoring for new devices that enter the network, especially those with suspicious or atypical communication patterns. This should be a regular part of the organization's threat-hunting methodology
- Physical security (especially when you have a retail or other customer-physical presence), including video recording and security guards, for example.
Regardless of the motive, the fact that this attack involved both an unmanaged device and no malware exposes gaps in cybersecurity visibility that must be addressed.