By Any Means Necessary: Unconventional Attack Vector Targets State and Local Governments
Human curiosity is both natural and infinitely exploitable, which is why red teams and penetration testers lean on it for social engineering attacks. This was clearly evidenced by a study that reported that 48% of people who find a random flash drive will plug it into their computer and run files from it (N=297). This poor security practice is reinforced by companies like General Motors using snail mail to send Jeep owners a USB flash drive in order to patch a security vulnerability that allowed attackers to remotely take control of their vehicles.
Security blogger Brian Krebs is reporting that several state and local governments are being targeted with an unconventional spear phishing campaign involving Compact Discs (CDs) snail mailed from China. While snail mail as an attack vector is uncommon compared to e-mail, drive-by downloads, or malvertising, it is sometimes the unexpected method that achieves the desired result. Krebs reports that agencies including State Archives, State Historical Societies, and a State Department of Cultural Affairs have received these CDs in the mail accompanied by a letter in poorly written English with random Chinese characters interlaced.
If a curious recipient is inclined to insert the CD into a computer (provided they can still find a computer with a CD-ROM drive), they would be presented with Microsoft Word documents containing malicious embedded Visual Basic macros. The files likely include additional social engineering tactics to entice the user into enabling macros and embedded content, since the malicious code cannot run until the user does so.
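Because the attack depends on a macro-bearing Word document reaching a user who then enables content, a mailroom or help desk that receives unsolicited media can triage the files before anyone opens them. The following added example (not code from Krebs' report or from any affected agency) flags Office documents that carry a VBA project: OOXML files are zip archives whose macro code lives in a vbaProject.bin part, and legacy OLE2 .doc files store the project under directory entries named _VBA_PROJECT and Macros. The legacy check is a byte-string heuristic, not a full OLE parser, and the sample documents are constructed in-memory for demonstration.

```python
import io
import zipfile

# Legacy Office files (.doc/.xls) are OLE2 compound files starting with this magic header.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Directory entry names present in a legacy document that holds a VBA project.
OLE_VBA_STORAGES = ("_VBA_PROJECT", "Macros")


def has_vba_macros(data: bytes) -> bool:
    """Return True if the Office document bytes appear to carry an embedded VBA project."""
    if data.startswith(b"PK\x03\x04"):
        # OOXML (.docm/.docx/.xlsm): any part named vbaProject.bin means macros are present.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE_MAGIC):
        # OLE2 directory entry names are stored as UTF-16LE; heuristic scan for VBA storages.
        return any(name.encode("utf-16-le") in data for name in OLE_VBA_STORAGES)
    return False


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style zip for testing; this is not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # stand-in for compiled VBA
    return buf.getvalue()


def triage(files: dict) -> dict:
    """Map file name -> verdict for a batch of documents copied off unsolicited media."""
    return {name: ("MACRO" if has_vba_macros(blob) else "clean") for name, blob in files.items()}


if __name__ == "__main__":
    # Constructed samples: one macro-enabled OOXML, one plain OOXML, one legacy OLE2 stub.
    samples = {
        "grant_application.docm": build_sample_docx(True),
        "cover_letter.docx": build_sample_docx(False),
        "archive_index.doc": OLE_MAGIC + b"\x00" * 64 + "_VBA_PROJECT".encode("utf-16-le"),
    }
    for name, verdict in triage(samples).items():
        print(f"{name}: {verdict}")
```

Documents flagged MACRO belong in a sandbox or a tool such as oletools' olevba, not on a user's desktop; a clean verdict from this heuristic is not proof of safety.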
The targeting in this attack is also interesting: the attackers are going after ancillary state and local agencies that are likely not as well trained as employees who work closer to the core of their respective governments, and that likely lack the same preventative security controls. However, these targeted agencies may have access to larger government systems, which may be the ultimate target. As cities grow more reliant on networked and interconnected systems, they also expose themselves to a greater attack surface and increase the potential impact of a successful attack. The city of Atlanta famously went offline due to an outbreak of the SamSam malware strain. Baltimore’s 911 Emergency Response System went offline for several hours as the result of a cyberattack. The San Francisco Transit Authority was unable to collect any fares for more than two days because its systems were encrypted. State and local governments often function similarly to non-profit organizations, which means budgets are tight and expenditures on cybersecurity are heavily scrutinized. This often leads to these municipalities purchasing security solutions that are only “good enough”.
What if this attacker had used a USB flash drive? What if the attackers had taken the time to write a well-crafted letter with a reasonable explanation of why the recipient should insert the flash drive into a computer and run it (e.g. written on forged letterhead from the Department of Homeland Security, stating that this is a required security update)? In this instance, the attackers did none of these things and seemed unsophisticated, but try to imagine what a motivated state-sponsored actor could do.
While simple, this snail mail attack method hopes to exploit the human curiosity of its recipient. Humans are the weakest link in the security chain, and appropriate security controls are needed to both prevent and mitigate any possible exposure. For example, Google Inc. has effectively eliminated the effectiveness of all employee phishing attacks by implementing hardware two-factor authentication. This is yet another example that a good defense strategy is to always use defense in depth: no single security control will eliminate all risk. At the time of this article, there have been no documented examples of anyone who received these CDs actually inserting one into a computer and running one of the infected documents.