
Vulnerabilities / Threats

10:00 AM
David Pearson

Modern Day Insider Threat: Network Bugs That Are Stealing Your Data

Attacks involving an unmanaged device and no malware expose gaps in cybersecurity that must be addressed.

Anyone who has seen a spy movie or two will recognize the premise behind sweeping for bugs. In the old days, these bugs were listening devices in a room or attached to a telephone handset. They then evolved to hidden cameras.

Recent technology developments mean this level of espionage is no longer something for just the spy movies and intelligence agencies. A $30 Raspberry Pi device could be trivially used for this exact purpose. The idea is simple: Slip into a bank or retail store like an average customer and quickly plug a thumb-sized computer into a power or network jack. Of course, you are even less likely to get caught if you bribe or coax an insider to plant it.

Who Let the Spies In?
Recently, we detected a Raspberry Pi device that suddenly popped up on the network of one of our financial services customers. If that wasn't troubling enough, the device in question was communicating using the remote access tool (RAT) TeamViewer.

As you might have guessed, there is no malware involved in this incident — so, the rest of the customer's extensive security stack couldn't be bothered. This just looked like a random internal device communicating to a number of external destinations with stellar reputations.

So why did this stand out to us? It speaks to the value of threat hunting. To a skilled human, a few things stand out. This was the only device of this type on the network, and it appeared to be communicating via TeamViewer far more than it was doing anything else. Given the stringent regulatory requirements that financial services organizations have to comply with, this device just didn't fit.

In fact, the platform surfaced other information automatically that would be relevant to any investigation. For instance, we noticed that many of the activities were extremely long-lived, which strongly pointed to this being a tunnel.
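The three signals the hunt relied on (a device type seen nowhere else on the network, remote-access traffic dominating the host's activity, and sessions living far longer than an interactive login) can be scored automatically over flow summaries, which is also the kind of new-device monitoring the recommendations below call for. The example is added here and is not code from the article or from Awake's platform; the flow records are constructed, the two Raspberry Pi OUI prefixes are the vendor's registered ones, and the 02:00:AC prefix, the application labels and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed OUI table: B8:27:EB and DC:A6:32 are Raspberry Pi's registered
# prefixes; 02:00:AC is a locally administered placeholder for workstations.
OUI_VENDOR = {"B8:27:EB": "Raspberry Pi", "DC:A6:32": "Raspberry Pi",
              "02:00:AC": "corporate workstation (constructed)"}
REMOTE_ACCESS_APPS = {"teamviewer", "anydesk"}   # assumed app labels
LONG_LIVED_S = 3600   # assumption: an hour-plus session smells like a tunnel
DOMINANCE = 0.5       # assumption: share of a host's flows on a RAT app

# Constructed flow summaries: (source MAC, application label, seconds)
FLOWS = [
    ("02:00:AC:11:11:11", "https", 12), ("02:00:AC:11:11:11", "dns", 1),
    ("02:00:AC:11:11:11", "teamviewer", 300),   # one short support session
    ("02:00:AC:22:22:22", "https", 40), ("02:00:AC:22:22:22", "smb", 90),
    ("B8:27:EB:AA:BB:CC", "teamviewer", 14000), # the unexplained Pi
    ("B8:27:EB:AA:BB:CC", "teamviewer", 9000),
    ("B8:27:EB:AA:BB:CC", "dns", 1),
]

def vendor(mac):
    """Map a MAC to a vendor by its first three octets (the OUI)."""
    return OUI_VENDOR.get(mac.upper()[:8], "unknown")

def hunt(flows, known_macs=frozenset(), min_reasons=3):
    """Return {mac: reasons} for hosts matching at least min_reasons signals."""
    per_host = defaultdict(list)
    for mac, app, seconds in flows:
        per_host[mac].append((app, seconds))
    vendor_count = defaultdict(int)          # how many hosts share a vendor
    for mac in per_host:
        vendor_count[vendor(mac)] += 1
    findings = {}
    for mac, sessions in per_host.items():
        reasons = []
        if mac not in known_macs:
            reasons.append("not in the asset inventory")
        if vendor(mac) != "unknown" and vendor_count[vendor(mac)] == 1:
            reasons.append(f"only {vendor(mac)} device on the network")
        rat = [s for app, s in sessions if app in REMOTE_ACCESS_APPS]
        if len(rat) / len(sessions) >= DOMINANCE:
            reasons.append("remote-access traffic dominates its activity")
        if any(s >= LONG_LIVED_S for s in rat):
            reasons.append("long-lived remote-access session: likely a tunnel")
        if len(reasons) >= min_reasons:
            findings[mac] = reasons
    return findings
```

With the two workstations in the inventory, `hunt(FLOWS, {"02:00:AC:11:11:11", "02:00:AC:22:22:22"})` flags only the Pi, with all four reasons; the workstation's single short TeamViewer support session does not trip the dominance or duration checks.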

What could adversaries do with this type of access? For starters, they could simply monitor internal traffic passively and upload the data. And we all know how squishy the insides of networks can be with data flow. The RAT also gives adversaries an unfettered backdoor into the network from where they can spread laterally deeper and target the crown jewels of the organization in question. This is especially true because tools like TeamViewer find innovative ways to bypass controls, such as firewalls, that are designed to build a strong perimeter around that squishy internal network.

The Investigation Continues
We are in an unprecedented time where organizations are facing monumental challenges, including to their bottom line. This can often trickle down and result in disgruntled employees who want to exact revenge. But it can also open the door to adversaries who will pay employees to steal intellectual property. It gives these adversaries a level of separation and deniability that they planted the bug.

Of course, it could be something less sinister but perhaps equally dangerous: just an employee forced to work from home but looking to access the network remotely. 

The other aspect to consider is that in most offices, and especially in consumer finance institutions and retailers where strangers walking in and out is not uncommon, planting one of these devices does not require James Bond's skills! All in all, this is a classic case of an insider threat, even if the perpetrator is not an insider.

In order to minimize attack scenarios from a disgruntled insider, enterprises should place priority on the following: 

  • Promoting great company culture with emphasis on making all employees feel satisfied with (and accountable for) their company. Happy employees don't turn into insider threats.
  • Security awareness training and cybercrime reporting procedures also help immensely. For instance, a Tesla employee was recently offered $1 million to install malware on the company's network. Not only did the employee not fall for this, but they worked with Tesla and law enforcement to have the perpetrator apprehended.
  • Monitoring for new devices that enter the network, especially those with suspicious or atypical communication patterns. This should be a regular part of the organization's threat-hunting methodology.
  • Physical security (especially when you have a retail or other customer-physical presence), including video recording and security guards, for example.

Regardless of the motive, the fact that this attack involved both an unmanaged device and no malware exposes gaps in cybersecurity visibility that must be addressed. 

David Pearson has been analyzing network traffic for well over a decade, having used Wireshark ever since it was Ethereal. He has spent the majority of his professional career understanding how networks and applications work, currently as Principal Threat Researcher for Awake ...

User Rank: Author
10/27/2020 | 6:57:41 PM
Re: How can a Raspberry Pi plugged into a power outlet give access to an internal network?
I was reading between the lines here that the Raspberry Pi plugged into a power outlet would have Wi-Fi enabled and configured for the target network.

Agreed that in high-traffic areas, disabled USB ports and sweeping for devices that do not belong should be table stakes.
User Rank: Apprentice
10/22/2020 | 7:49:27 PM
How can a Raspberry Pi plugged into a power outlet give access to an internal network?
I am missing the link of understanding on how a Raspberry Pi plugged into a power outlet can give access to an internal network.

Of course, there are many instances where a thumb drive plugged into a spare USB port on a point-of-sale machine or work computer can give network access, but I would hope all financial institutions have disabled USB ports. So unless the company has a powerline Ethernet connection, can someone explain how this would work?

Other points in the article are great, and SecOps should be looking for and validating all new devices on the network on a daily basis.
