DarkVishnya: Hollywood-style Tactics Yield Millions in Stolen Funds
In Christopher Nolan’s masterpiece conclusion to the Dark Knight Batman trilogy, the antagonist attempts to sabotage the finances of his nemesis, billionaire Bruce Wayne (Batman), by purchasing numerous put options with short expirations. He accomplishes this by breaking into the fictitious Gotham Stock Exchange and plugging a laptop into a physical terminal inside the exchange. (They eventually go mobile with some type of cellular connection.) Aside from this being not only far-fetched but also a terrible plan for bankrupting someone, it does demonstrate a very real attack vector that many organizations fail to protect against. Physical security is another layer in the defense in depth model, and it is often overlooked because it is by nature difficult to enforce. While most stock exchanges around the world would not fare well against an attack by several well-trained and well-armed mercenaries, the attack on Gotham’s Stock Exchange could have been mitigated with a few simple security practices.
Several Eastern European banks reported attacks against their network infrastructure to local data forensic companies. When the forensic teams arrived, they did not find backdoors in the software being used, exploit kits cleverly installed on users’ workstations, or evidence of phishing attacks. Instead, they found laptops, Raspberry Pis, and Bash Bunny USB devices plugged into the network. A laptop or Raspberry Pi containing a 3G/LTE modem can be remotely accessed and controlled from anywhere in the world. When such a device is plugged into an ethernet port and a power supply, an attacker gains local access to the network without having to stay near the device, which is the main limitation of a rogue access point attack. Once an attacker has access to the local network, they can sniff traffic looking for passwords sent in the clear or protected with weak hashing or encryption, scan for other machines on the network to attack with brute-force, weak, or default credentials, and gain access to unprotected shared folders. Losses to the affected banks are estimated to be in the tens of millions of dollars.
Even in organizations that take security issues seriously, physical security against these types of attacks is difficult because organizations need to allow contractors, vendors, job applicants, and even disgruntled employees access to areas where production network traffic is flowing. I have personally seen IP telephones in a public waiting area with multiple exposed ethernet ports. One organization I visited required recording the serial number of a laptop prior to bringing it into a secure area, and they would check to make sure the laptop exited the secure area and that its serial number matched the one on record. This was a great security practice, but it significantly slowed down the check-in process, as my team was standing around for quite a while while they checked everyone’s laptop, twice. (It did not help that Apple prints its serial numbers in microscopic print on the bottom of the machine and uses grey text on the metallic background.) When visiting that same organization just over a year later, they had done away with this practice as it was too time-prohibitive; another illustration of balancing security with convenience.
A much simpler way to prevent a Gotham Stock Exchange-type attack is to implement basic port security. Port security ensures that a device plugged into a given ethernet port must present a MAC address from a pool of known addresses in order to receive service. If I unplugged the IP phone in the waiting area and plugged in my laptop, port security would prevent the previously unknown MAC address of my laptop from connecting to the corporate network. This method is not perfect, since I can simply read the MAC address off of the IP phone and spoof that MAC onto my laptop, but it will stop most drive-by rogue device installations and add an additional layer of complexity for any potential attacker. Similarly, Gotham’s Stock Exchange would likely know the MAC addresses of all its trading terminals, and these are unlikely to change, so it could have implemented strict port security. When Bane’s thugs broke in, they were under time pressure to launch the malicious trades, and forcing them to read and spoof a MAC address could have delayed them enough for the trades not to execute. This is all based on a hypothetical situation from a movie with a far-fetched plot, but the lessons still apply to real world scenarios.
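To make the decision logic concrete, here is a small model of an access port with sticky MAC learning and a violation action, written as an added example for this post rather than taken from any switch vendor's code. The waiting-room phone MAC, the rogue device MAC, the one-address limit and the two violation modes ("shutdown", which err-disables the port, and "restrict", which drops and counts) are all constructed for the example; real switches expose the same knobs under vendor-specific command names.

```python
"""Toy model of switch port security (added example, not from the post).

Each access port keeps a small allow-list of source MAC addresses. With
sticky learning, the first `max_macs` source MACs seen are learned
automatically; any further MAC is a violation. The violation action is
either "shutdown" (the port is err-disabled until an operator or a recovery
timer re-enables it) or "restrict" (offending frames are dropped and counted
while the port stays up). All MAC addresses below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    max_macs: int = 1
    sticky: bool = True
    mode: str = "shutdown"          # "shutdown" or "restrict"
    allowed: set = field(default_factory=set)
    violations: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def admit(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        mac = src_mac.lower()
        if self.err_disabled:
            self.log.append(f"drop {mac}: port err-disabled")
            return False
        if mac in self.allowed:
            return True
        if self.sticky and len(self.allowed) < self.max_macs:
            # First device(s) seen on the port are learned as the sticky set.
            self.allowed.add(mac)
            self.log.append(f"learn {mac}")
            return True
        self.violations += 1
        if self.mode == "shutdown":
            self.err_disabled = True
            self.log.append(f"VIOLATION {mac}: port shut down")
        else:
            self.log.append(f"VIOLATION {mac}: frame dropped, port stays up")
        return False

    def recover(self) -> None:
        """Operator action or errdisable auto-recovery timer re-enables the port."""
        self.err_disabled = False


PHONE_MAC = "00:1a:2b:3c:4d:5e"   # constructed: the waiting-room IP phone
ROGUE_MAC = "b8:27:eb:11:22:33"   # constructed: a drop-in single-board computer


def waiting_room_scenario():
    """Walk through the scenario in the post on a one-MAC sticky port."""
    port = PortSecurity(max_macs=1, sticky=True, mode="shutdown")
    results = {}
    results["phone"] = port.admit(PHONE_MAC)        # learned as the sticky MAC
    results["rogue"] = port.admit(ROGUE_MAC)        # unknown MAC: violation, port shut
    results["phone_after"] = port.admit(PHONE_MAC)  # the phone itself is now cut off too
    port.recover()
    # The limitation the post describes: a device presenting the phone's MAC
    # is indistinguishable from the phone at this layer, so it is admitted.
    results["same_mac_after_recovery"] = port.admit(PHONE_MAC)
    results["violations"] = port.violations
    return results, port.log


if __name__ == "__main__":
    outcome, events = waiting_room_scenario()
    print(outcome)
    print("\n".join(events))
```

The `phone_after` result is the operational cost worth noticing: in "shutdown" mode the violation takes the legitimate phone offline until the port is recovered, which is why many shops pair it with an err-disable recovery timer or use "restrict" on ports where availability matters more than a hard stop.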
I have demonstrated that port security is not foolproof and that there are known attacks against it, but it is a great security measure to add to a defense in depth strategy. Preventing a determined attacker from gaining rogue access to the network will require moving up the OSI stack. Using a transparent outbound proxy will protect machines on the network from further attack and exploitation. DarkVishnya and similar rogue access device attacks attempt to spread laterally to other machines on the network using brute-force, weak, and hard-coded credentials. When those systems become compromised, a transparent outbound proxy with IDS and IPS capabilities, SSL inspection, and a next generation firewall will see and block the affected machine attempting to call out to a command and control server, download a malicious payload, or use organization-defined controlled protocols such as SSH. The rogue access device will have its own 3G/LTE connection, but the devices it attempts to infect will necessarily need to access the internet through the organization’s native connection at some point. Proper network hygiene and network segmentation for exposed ethernet ports can control lateral movement within the organization.
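The controls above only help if someone is watching what they log, so here is an added example (not from the post or any product) of three detections run over constructed firewall flow records: a host on the VLAN behind the exposed waiting-area ports talking to anything other than its call manager, one source touching several internal hosts on admin and file-share ports (the lateral brute-force pattern), and an internal host reaching the internet directly instead of through the transparent proxy. The address ranges, the call manager, the proxy address, the port list, the threshold and every log line are constructed assumptions for the example.

```python
"""Detection over constructed firewall flow logs (added example, not from the
post). Three rules that line up with the controls the post describes:
  1. segment_violation: a host in the VLAN behind exposed ports (waiting
     area) talks to anything other than the call manager it needs.
  2. lateral_scan: one source touches several internal hosts on admin or
     file-share ports, the pattern of brute-force or credential spraying.
  3. egress_bypass: an internal host reaches the internet directly instead
     of through the transparent proxy.
All addresses, ports, thresholds and log lines are constructed.
"""
import ipaddress
from collections import defaultdict

# The organization's own internal ranges are listed explicitly rather than
# relying on ipaddress.is_private, which also treats documentation ranges
# such as 203.0.113.0/24 as non-global.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WAITING_AREA = ipaddress.ip_network("10.50.0.0/24")              # VLAN for exposed ports
CALL_MANAGER = ipaddress.ip_address("10.10.5.20")
WAITING_AREA_ALLOW = {(CALL_MANAGER, 5060), (CALL_MANAGER, 69)}  # SIP signalling, TFTP config
PROXY = ipaddress.ip_address("10.10.1.1")                        # transparent outbound proxy
LATERAL_PORTS = {22, 445, 3389}                                  # SSH, SMB, RDP
SCAN_THRESHOLD = 3                                               # distinct targets before alerting

# Constructed sample: one healthy phone, one rogue device in the waiting
# area probing file servers, and one compromised server egressing directly.
SAMPLE_LOG = """\
2019-01-15T09:14:03 src=10.50.0.23 dst=10.10.5.20 dport=5060 proto=udp
2019-01-15T09:14:10 src=10.50.0.23 dst=10.10.5.20 dport=69 proto=udp
2019-01-15T09:20:01 src=10.50.0.77 dst=10.20.3.4 dport=445 proto=tcp
2019-01-15T09:20:02 src=10.50.0.77 dst=10.20.3.5 dport=445 proto=tcp
2019-01-15T09:20:03 src=10.50.0.77 dst=10.20.3.6 dport=22 proto=tcp
2019-01-15T09:21:30 src=10.20.3.4 dst=203.0.113.9 dport=443 proto=tcp
2019-01-15T09:22:00 src=10.10.1.1 dst=203.0.113.9 dport=443 proto=tcp
2019-01-15T09:22:05 src=10.20.3.4 dst=10.20.3.9 dport=445 proto=tcp
"""


def parse(line):
    """Turn one 'timestamp key=value ...' record into typed fields."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return {
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
        "proto": fields["proto"],
    }


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def detect(log_text):
    """Return a list of (rule, source, detail) alerts for the given log text."""
    alerts = []
    lateral_targets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse(line)
        src, dst, dport = f["src"], f["dst"], f["dport"]
        # Rule 1: the exposed-port VLAN may only reach the call manager.
        if src in WAITING_AREA and (dst, dport) not in WAITING_AREA_ALLOW:
            alerts.append(("segment_violation", str(src), f"{dst}:{dport}"))
        # Rule 2: collect distinct internal targets per source on lateral ports.
        if is_internal(src) and is_internal(dst) and dport in LATERAL_PORTS:
            lateral_targets[src].add(dst)
        # Rule 3: only the proxy should talk to the outside world directly.
        if is_internal(src) and not is_internal(dst) and src != PROXY:
            alerts.append(("egress_bypass", str(src), f"{dst}:{dport}"))
    for src, targets in lateral_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            alerts.append(("lateral_scan", str(src),
                           f"{len(targets)} hosts on ports {sorted(LATERAL_PORTS)}"))
    return alerts


if __name__ == "__main__":
    for rule, src, detail in detect(SAMPLE_LOG):
        print(f"{rule:18} {src:12} {detail}")
```

On the sample the rogue device at 10.50.0.77 trips both the segmentation and the lateral rules, while the single share access from 10.20.3.4 to 10.20.3.9 stays below the threshold; only its direct connection to 203.0.113.9 is flagged, which is exactly the "infected host has to use the organization's own connection" observation the post makes.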
The only way to really secure a network is to build a SCIF (Sensitive Compartmented Information Facility). However, the cost and complexity of doing that is prohibitive for most organizations, so compensating controls such as port security, a web proxy, IPS/IDS, SSL inspection, and a next generation firewall will significantly help protect against rogue device attacks.