Hackers Physically Connecting Malicious Devices to Networks

Imagine that you are trying to find the source of an attack. What would you be looking for? You’d obviously try to find a malicious email, with a malware-laden attachment or link, or a hacked server that caused the issue. Then, you’d definitely be finding the infected machine. But sometimes, it’s a totally different scenario. You know there is an infection. The malicious activity keeps on occurring. But still, you can’t find an infected computer. All of them are clean!

Well, this happens when hackers physically connect to networks of corporate organizations through their own equipment and leave them connected, to do the mischief.

Security researchers at Kaspersky Lab recently investigated such a situation and they did find attackers being connected to the corporate network through their own equipment. This kind of attack has been dubbed DarkVishnya.

A Kaspersky blog post, dated December 6, 2018, states that a DarkVishnya attack, “…begins with a criminal bringing a device to a victim’s office and connecting it to the corporate network.” The blog post further says, “Through that device, they can remotely explore company’s IT infrastructure, intercept passwords, read information from public folders, and much more.”

In a Securelist post, Sergey Golovanov, Principal Security Researcher, Global Research & Analysis Team at Kaspersky Lab, explains how the attacks happen. He writes, “In 2017-2018, Kaspersky Lab specialists were invited to research a series of cybertheft incidents. Each attack had a common springboard: an unknown device directly connected to the company’s local network. In some cases, it was the central office, in others a regional office, sometimes located in another country. At least eight banks in Eastern Europe were the targets of the attacks (collectively nicknamed DarkVishnya), which caused damage estimated in the tens of millions of dollars.”

The device that a hacker uses to connect to a corporate network could be a netbook or inexpensive laptop, a Raspberry Pi computer or a Bash Bunny (a special USB tool used for attacks).

Kaspersky researchers found that such attacks are executed in three stages.

In the first stage, a cybercriminal would enter the targeted organization’s premises pretending to be a job seeker, courier etc and connect a device to the local network, for example, to a system in one of the meeting rooms, blending the device into the surroundings in such a way that suspicion is not aroused.

In the second stage, hackers would remotely connect to the device and scan the local network, aiming to gain access to public shared folders, web servers and other open resources. They would harvest information about the networks and those workstations/servers that are used for making payments. They try to brute force or sniff login data for such machines and do what’s needed to bypass firewall protection. The Securelist post says, “To overcome the firewall restrictions, they planted shellcodes with local TCP servers. If the firewall blocked access from one segment of the network to another, but allowed a reverse connection, the attackers used a different payload to build tunnels.”

In the third stage, the cybercriminals would install remote access software and retain access.

“Next, malicious services created using msfvenom were started on the compromised computer. Because the hackers used fileless attacks and PowerShell, they were able to avoid whitelisting technologies and domain policies. If they encountered a whitelisting that could not be bypassed, or PowerShell was blocked on the target computer, the cybercriminals used impacket, and winexesvc.exe or psexec.exe to run executable files remotely,” writes Sergey Golovanov.

Such an attack can be executed even in companies where security is taken very seriously. As already mentioned, a person can sneak in pretending to be a job seeker, a guy from a courier company or someone related to a client or partner.

To prevent such attacks from happening, companies should restrict access to networks from those places that are accessible by outsiders, Kaspersky researchers say that unused Ethernet outlets in public areas should be disconnected or isolated on a separate network segment. They also recommend that Ethernet sockets should be situated in view of security cameras. Using a security solution with reliable device control technologies and using security solutions to monitor the network for suspicious activities is recommended.