• Echo Dot@feddit.uk
    27 days ago

    Air gap systems prevent viruses, in the same way that living in a clean room prevents biological infections.

    But if a disease gets into your clean room you’ll still get sick; that should not be a surprise to anyone.

    Really though, an air gap system should either disable USB ports or employees should have enough brain cells to not plug in random devices. It’s all up to physical security to prevent a bad actor gaining access to the facility.

  • conciselyverbose@sh.itjust.works
    27 days ago

    Did people think that not connecting to a network was a magic technique that prevented infections from being spread on USB drives if you move them back and forth?

    • JasonDJ@lemmy.zip
      27 days ago

      It’s weird for the title to focus on the tools, and not the attack itself.

      Two attacks on production air-gapped networks, with different tools, from the same group, is pretty damn impressive. Especially for a group not backed by a nation-state.

      Edit: it sounds like this was a multi-stage attack…compromising a production non-airgapped internal system and using that to create the USB payload and later exfiltration. That’s pretty cool. The mule who brought the infected USB into the air-gapped space was likely none the wiser…the media had been written by them, to their own USB, and probably even hardware encrypted at rest (something like an Apricorn).

    • specialseaweed@sh.itjust.works
      27 days ago

      No but it’s a good start. The problem is that literally everyone would do it, from directors to the lowest paid people on the job. EVERYBODY does it. We detected and blocked, so then they started hardwire connecting to switches that they saw in offices. We had blocked those, so they started trying to connect to industrial switches out in the factories.

      It was maddening.

      • corsicanguppy@lemmy.ca
        26 days ago

        literally

        There are other adverbs.

        everyone would do it, from directors to the lowest paid people on the job

        Ensure the kernel filters out all USB except for the major/minor used by mice and keyboards. This is absolutely standard for secret-squirrel shit. Default to rejected, but allow a few.
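A default-deny USB policy of the kind described above, as an added example rather than anything from the thread: it uses Linux's sysfs interface authorization and allow-lists by USB interface class (HID 03 and hubs 09) instead of by major/minor number, and assumes the standard /sys/bus/usb/devices layout. SYSFS_USB can be pointed at a constructed directory to dry-run it without root.

```shell
#!/bin/sh
# Default-deny USB interface authorisation on Linux (added example, not from the thread).
# Policy: allow HID (class 03, keyboards and mice) and hubs (09); refuse everything
# else, e.g. mass storage (08). Uses the kernel's interface authorisation knobs in
# sysfs; SYSFS_USB is overridable so the functions can be dry-run on a fake tree.
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"

# Decide for one interface class (two hex digits, as in sysfs bInterfaceClass).
usb_class_decision() {
    case "$1" in
        03|09) echo allow ;;   # HID, hub
        *)     echo deny  ;;   # 08 storage, 02 CDC/network, ff vendor-specific, ...
    esac
}

# Make "unauthorised" the default on every root hub so new interfaces start blocked.
usb_set_default_deny() {
    for hub in "$SYSFS_USB"/usb*; do
        if [ -f "$hub/interface_authorized_default" ]; then
            echo 0 > "$hub/interface_authorized_default"
        fi
    done
}

# Walk interface nodes (names like 1-2:1.0) and authorise only allowed classes.
usb_apply_policy() {
    for iface in "$SYSFS_USB"/*:*; do
        [ -f "$iface/bInterfaceClass" ] || continue
        class=$(cat "$iface/bInterfaceClass")
        if [ "$(usb_class_decision "$class")" = allow ]; then
            echo 1 > "$iface/authorized"
        else
            echo 0 > "$iface/authorized"
        fi
    done
}

# udev rules that re-apply the allow-list on hotplug (install under /etc/udev/rules.d/).
usb_udev_rules() {
    cat <<'EOF'
ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_interface", ATTR{bInterfaceClass}=="03", ATTR{authorized}="1"
ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_interface", ATTR{bInterfaceClass}=="09", ATTR{authorized}="1"
EOF
}
```

On a live system run usb_set_default_deny and usb_apply_policy as root, then save the usb_udev_rules output as a .rules file so the policy survives hotplug.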

        • specialseaweed@sh.itjust.works
          26 days ago

          This was a long time ago in a different world. I’m an old man now. My job now is coaching soccer and gardening and baking, but thanks for writing that. Hopefully new admins see it.

          And it was literally.

        • Nighed@feddit.uk
          26 days ago

          There are ‘keyboards’ that when plugged in type Win+R CMD.exe then do whatever you want. (Other terminals are available)

          I guess that stops users from trying in the first place though.

      • RubberDuck@lemmy.world
        27 days ago

        But switches have all ports set to shut and open ports bound to the device connected… or is this not common?

  • wyrmroot@programming.dev
    26 days ago

    So far, we haven’t been able to trace back to the initial compromise vector in the campaigns seen in our telemetry.

    They hypothesize that attaching a compromised USB drive to an air gapped system is to blame. That seems to be a well known vector at this point. Does it matter much what tool is used to copy data once it’s in?

  • kureta@lemmy.ml
    26 days ago

    We had air gapped systems (we didn’t have internet) in the 90s and they still got viruses (from floppy disks). I don’t understand what is new?

  • cmnybo@discuss.tchncs.de
    27 days ago

    It seems like they could be rendered ineffective by simply disabling auto run and forcing removable drives to mount noexec.

    • Majestic@lemmy.ml
      27 days ago

      Well it’s believed it entices users to click the malware to run by disguising itself as the last accessed folder with the same name and folder icon.

      In that case having the option to always show extensions enabled would be helpful for trained users who care to be careful.

      It’s not that interesting sounding given we know the NSA and eyes countries have developed compromised firmware for certain hard drives to enable true spread without interaction or hope of prevention. Whenever I see one of these I wonder if it’ll be a case of compromising the device itself but it’s this old stuff instead which can be defeated with a good security posture.

      • cmnybo@discuss.tchncs.de
        27 days ago

        When the drive is mounted noexec it’s not possible to run any programs on it. You can also mount any user writable directories noexec so they can’t copy the program somewhere else and run it.
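A check for the noexec advice in cmnybo's two comments above (added example, not from the thread): it audits a /proc/self/mounts table and flags removable-media and user-writable mounts that lack noexec, nosuid or nodev. The prefix list and the table it is tested against are assumptions.

```shell
#!/bin/sh
# Audit mount options for removable media and user-writable filesystems (added example,
# not from the thread). MOUNTS defaults to the live table; point it at a constructed
# file to dry-run. Mountpoints with spaces appear escaped (\040) in /proc/self/mounts.
MOUNTS="${MOUNTS:-/proc/self/mounts}"

# Assumed list of places users can write and therefore should not be able to execute.
USER_WRITABLE_PREFIXES="/media /run/media /mnt /home /tmp /var/tmp /dev/shm"

# Does the comma-separated option string (field 4 of the table) contain the option?
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Is the mountpoint one of the prefixes, or nested beneath one?
is_user_writable() {
    for p in $USER_WRITABLE_PREFIXES; do
        case "$1" in
            "$p"|"$p"/*) return 0 ;;
        esac
    done
    return 1
}

# Print one GAP line per user-writable mount missing noexec, nosuid or nodev.
# Returns 0 when every such mount is hardened, 1 when at least one gap was found.
audit_noexec() {
    status=0
    while read -r dev mnt fstype opts _; do
        is_user_writable "$mnt" || continue
        missing=""
        for want in noexec nosuid nodev; do
            has_opt "$opts" "$want" || missing="$missing $want"
        done
        if [ -n "$missing" ]; then
            echo "GAP $mnt ($fstype on $dev) missing:$missing"
            status=1
        fi
    done < "$MOUNTS"
    return $status
}
```

A clean run prints nothing and exits 0, so the function can be dropped into a cron job or a configuration check.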

      • Chronographs@lemmy.zip
        27 days ago

        Hidden file extensions are such a terrible default; it amazes me that Microsoft is still doing that.

        • Prison Mike@links.hackliberty.org
          27 days ago

          macOS does this too shockingly despite using the file extension as a “hint” to the file type. I think it’s unique in that most UNIX/Linux systems use magic number and Windows blindly accepts that the file is of the type that matches the extension.

    • expr@programming.dev
      27 days ago

      Yeah our corporate machines won’t run any external media. I assumed that was standard practice.