Dark Reading is part of the Informa Tech Division of Informa PLC



10/21/2020 10:00 AM
David Pearson
Commentary

Modern Day Insider Threat: Network Bugs That Are Stealing Your Data

Attacks involving an unmanaged device and no malware expose gaps in cybersecurity that must be addressed.

Anyone who has seen a spy movie or two will recognize the premise behind sweeping for bugs. In the old days, these bugs were listening devices in a room or attached to a telephone handset. They then evolved to hidden cameras.


Recent technology developments mean this level of espionage is no longer something for just the spy movies and intelligence agencies. A $30 Raspberry Pi device could be trivially used for this exact purpose. The idea is simple: Slip into a bank or retail store like an average customer and quickly plug a thumb-sized computer into a power or network jack. Of course, you are even less likely to get caught if you bribe or coax an insider to plant it.

Who Let the Spies In?
Recently, we detected a Raspberry Pi device that suddenly popped up on the network of one of our financial services customers. If that wasn't troubling enough, the device in question was communicating using the remote access tool (RAT) TeamViewer.

As you might have guessed, there was no malware involved in this incident, so the rest of the customer's extensive security stack had nothing to alert on. This just looked like a random internal device communicating with a number of external destinations with stellar reputations.

Why did this stand out to us? It speaks to the value of threat hunting. To a skilled human, a few things stand out: this was the only device of this type on the network, and it appeared to be communicating via TeamViewer far more than it was doing anything else. Given the stringent regulatory requirements that financial services organizations have to comply with, this device just didn't fit.

In fact, the platform automatically surfaced other information that would be relevant to any investigation. For instance, many of the activities were extremely long-lived, which strongly pointed to this being a tunnel.

What could adversaries do with this type of access? For starters, they could simply monitor internal traffic passively and upload the data. And we all know how squishy the insides of networks can be with data flow. The RAT also gives adversaries an unfettered backdoor into the network from where they can spread laterally deeper and target the crown jewels of the organization in question. This is especially true because tools like TeamViewer find innovative ways to bypass controls, such as firewalls, that are designed to build a strong perimeter around that squishy internal network.

The Investigation Continues
We are in an unprecedented time where organizations are facing monumental challenges, including to their bottom line. This can often trickle down and result in disgruntled employees who want to exact revenge. But it can also open the door to adversaries who will pay employees to steal intellectual property. It gives these adversaries a level of separation and deniability that they planted the bug.

Of course, it could be something less sinister but perhaps equally dangerous: just an employee forced to work from home but looking to access the network remotely. 

The other aspect to consider: in most offices, and especially in consumer finance institutions and retailers where strangers walking in and out is not uncommon, planting one of these devices does not require James Bond's skills! All in all, this is a classic case of an insider threat, even if the perpetrator is not an insider.

To minimize attack scenarios from a disgruntled insider, enterprises should place priority on the following:

  • Promoting great company culture with emphasis on making all employees feel satisfied with (and accountable for) their company. Happy employees don't turn into insider threats.
  • Security awareness training and cybercrime reporting procedures also help immensely. For instance, a Tesla employee was recently offered $1 million to install malware on the company's network. Not only did the insider not fall into this trap but, in fact, worked with Tesla and law enforcement to have the perpetrator apprehended.
  • Monitoring for new devices that enter the network, especially those with suspicious or atypical communication patterns. This should be a regular part of the organization's threat-hunting methodology.
  • Physical security (especially when you have a retail or other customer-physical presence), including video recording and security guards, for example.
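The hunting signals the article describes (the only device of its hardware type on the network, traffic dominated by one remote-access service, and extremely long-lived sessions pointing to a tunnel) are easy to script as a first pass over connection logs, which is what the monitoring bullet above asks for. The following is an added example, not code from the article or from Awake; it runs those heuristics over a few constructed Zeek-style connection records embedded in the script. The Raspberry Pi OUIs and TeamViewer's primary TCP port 5938 are real registered values; the record layout, the thresholds and the sample addresses are assumptions chosen for the demonstration.

```python
"""Hunt for unmanaged devices with tunnel-like remote-access traffic.

Added example, not from the original article or any vendor product. It
applies three heuristics from the article to whitespace-separated
connection records: a host that is the only device of its hardware type
(by MAC OUI), whose flows are dominated by one remote-access service,
and whose sessions are unusually long-lived.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# OUIs registered to the Raspberry Pi Foundation / Raspberry Pi Trading.
RPI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

# TeamViewer's primary TCP port; it falls back to 443 and 80 when blocked.
TEAMVIEWER_PORT = 5938

LONG_LIVED_SECONDS = 6 * 3600   # assumed threshold: sessions this long look like tunnels
DOMINANCE_RATIO = 0.8           # assumed threshold: share of a host's flows to one service

# Constructed sample data (not real traffic): two VMware workstations doing
# normal SMB/HTTPS, and one Raspberry Pi holding multi-hour TeamViewer sessions.
# Columns: ts src_ip src_mac dst_ip dst_port duration_seconds
SAMPLE_CONN_LOG = """
#ts src_ip src_mac dst_ip dst_port duration
1603270800 10.10.4.21 00:50:56:a1:01:01 10.10.1.5 445 12.4
1603270805 10.10.4.22 00:50:56:a1:01:02 10.10.1.5 445 8.1
1603270810 10.10.4.21 00:50:56:a1:01:01 203.0.113.10 443 31.0
1603270820 10.10.4.22 00:50:56:a1:01:02 203.0.113.10 443 22.5
1603270830 10.10.4.77 b8:27:eb:3f:9c:1a 198.51.100.20 5938 28800.0
1603270831 10.10.4.77 b8:27:eb:3f:9c:1a 198.51.100.21 5938 25200.0
1603270832 10.10.4.77 b8:27:eb:3f:9c:1a 198.51.100.22 5938 26100.0
1603270833 10.10.4.77 b8:27:eb:3f:9c:1a 10.10.1.9 53 0.2
1603270840 10.10.4.77 b8:27:eb:3f:9c:1a 198.51.100.23 5938 30000.0
"""


@dataclass
class Conn:
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_port: int
    duration: float  # seconds


def oui(mac):
    """First three octets of a MAC address, normalised to lower case."""
    return mac.lower()[:8]


def parse_conn_log(text):
    """Parse whitespace-separated records; '#' lines are headers/comments."""
    conns = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _ts, sip, smac, dip, dport, dur = line.split()
        conns.append(Conn(sip, smac, dip, int(dport), float(dur)))
    return conns


def hunt(conns):
    """Return {src_ip: [reasons]} for hosts where at least two heuristics fire."""
    by_host = defaultdict(list)
    oui_hosts = defaultdict(set)  # OUI -> set of hosts sharing it
    for c in conns:
        by_host[c.src_ip].append(c)
        oui_hosts[oui(c.src_mac)].add(c.src_ip)

    findings = {}
    for host, flows in by_host.items():
        reasons = []
        host_oui = oui(flows[0].src_mac)
        if host_oui in RPI_OUIS:
            reasons.append("single-board computer OUI (Raspberry Pi)")
        if len(oui_hosts[host_oui]) == 1:
            reasons.append("only device with this OUI on the network")
        ports = Counter(c.dst_port for c in flows)
        tv_share = ports[TEAMVIEWER_PORT] / len(flows)
        if tv_share >= DOMINANCE_RATIO:
            reasons.append(f"{tv_share:.0%} of flows to TeamViewer port {TEAMVIEWER_PORT}")
        long_lived = [c for c in flows if c.duration >= LONG_LIVED_SECONDS]
        if long_lived:
            hours = LONG_LIVED_SECONDS / 3600
            reasons.append(f"{len(long_lived)} session(s) over {hours:.0f}h (tunnel-like)")
        # A single signal is noisy on its own; require two before raising a lead.
        if len(reasons) >= 2:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in hunt(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

The two-signal rule is the important design choice: a unique OUI or a long VPN session is unremarkable on its own, but a device that is the only one of its kind and spends nearly all of its time in multi-hour sessions to one remote-access service is exactly the shape of the incident described above, and it is visible without any malware signature.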

Regardless of the motive, the fact that this attack involved both an unmanaged device and no malware exposes gaps in cybersecurity visibility that must be addressed. 

David Pearson has been analyzing network traffic for well over a decade, having used Wireshark ever since it was Ethereal. He has spent the majority of his professional career understanding how networks and applications work, currently as Principal Threat Researcher for Awake ...
Comments
RayE986, User Rank: Author, 10/27/2020 | 6:57:41 PM
Re: How can a Raspberry PI plugged in to a power outlet, give access to an internal network?
I was reading between the lines here that the Raspberry Pi plugged into a power outlet would have Wi-Fi enabled and configured for the target network.

Agreed that in high-traffic areas, disabled USB ports and sweeping for devices that do not belong should be table stakes.
royt777, User Rank: Apprentice, 10/22/2020 | 7:49:27 PM
How can a Raspberry PI plugged in to a power outlet, give access to an internal network?
I am missing the link of understanding on how a Raspberry Pi plugged into a power outlet can give access to an internal network.

Of course, there are many instances where a thumb drive plugged into a spare USB port on a point-of-sale machine or work computer can give network access, but I would hope all financial institutions have disabled USB ports. So unless the company has a powerline Ethernet connection, can someone explain how this would work?

Other points in the article are great, and SecOps should be looking for and validating all new devices on the network on a daily basis.

 