[HN Gopher] Jumping the Air Gap: 15 Years of Nation-State Effort...
       ___________________________________________________________________
        
       Jumping the Air Gap: 15 Years of Nation-State Effort [pdf]
        
       Author : shishy
       Score  : 26 points
       Date   : 2021-12-10 20:37 UTC (2 hours ago)
        
 (HTM) web link (www.welivesecurity.com)
 (TXT) w3m dump (www.welivesecurity.com)
        
       | jonathankoren wrote:
       | >Over 75% of all the frameworks used malicious LNK or autorun
       | files on USB drives to either perform the initial air-gapped
       | system compromise or to move laterally within the air-gapped
       | network.
       | 
       | I don't get why autorun was created. It's an obvious security
       | issue.
        
       | sounds wrote:
       | The executive summary is worth the 1-minute read.
       | 
       | Interesting that all the malicious frameworks known (by ESET)
       | that target air-gapped networks were for some form of espionage.
        
         | SQueeeeeL wrote:
         | "Air-gapping is used to protect the most sensitive of networks.
         | In the first half of 2020 alone, four previously unknown
         | malicious frameworks designed to breach air-gapped networks
         | were publicly documented. ESET Research decided to revisit each
         | framework known to date and to put them in perspective, side by
         | side. Here are the key findings stemming from this exhaustive
         | study: * All the frameworks are designed to perform some form
         | of espionage. * All the frameworks used USB drives as the
         | physical transmission medium to transfer data in and out of the
         | targeted air-gapped networks. * We have not found any case of
         | actual or suspected use of covert physical transmission
         | mediums, such as acoustic or electromagnetic signals. * Over
         | 75% of all the frameworks used malicious LNK or autorun files
         | on USB drives to either perform the initial air-gapped system
         | compromise or to move laterally within the air-gapped network.
         | * More than 10--critical severity--LNK-related remote code
         | execution vulnerabilities in Windows have been discovered, then
         | patched by Microsoft, in the last 10 years. * All the
         | frameworks were built to attack Windows systems. We have not
         | found any evidence of actual or suspected malware components
         | built to target other operating systems. In this white paper,
         | we will describe how malware frameworks targeting air-gapped
         | networks operate, and provide a side-by-side comparison of
         | their most important TTPs. We also propose a series of
         | detection and mitigation techniques to protect air-gapped
          | networks from the main techniques used by all the malicious
          | frameworks publicly known to date."
        
           | lucb1e wrote:
           | Bullet points require a blank line to be separated on HN
           | (this happens to a lot of people):
           | 
           | ---
           | 
           | Air-gapping is used to protect the most sensitive of
           | networks. In the first half of 2020 alone, four previously
           | unknown malicious frameworks designed to breach air-gapped
           | networks were publicly documented. ESET Research decided to
           | revisit each framework known to date and to put them in
           | perspective, side by side. Here are the key findings stemming
           | from this exhaustive study:
           | 
           | * All the frameworks are designed to perform some form of
           | espionage.
           | 
           | * All the frameworks used USB drives as the physical
           | transmission medium to transfer data in and out of the
           | targeted air-gapped networks.
           | 
           | * We have not found any case of actual or suspected use of
           | covert physical transmission mediums, such as acoustic or
           | electromagnetic signals.
           | 
           | * Over 75% of all the frameworks used malicious LNK or
           | autorun files on USB drives to either perform the initial
           | air-gapped system compromise or to move laterally within the
           | air-gapped network.
           | 
           | * More than 10--critical severity--LNK-related remote code
           | execution vulnerabilities in Windows have been discovered,
           | then patched by Microsoft, in the last 10 years.
           | 
           | * All the frameworks were built to attack Windows systems. We
           | have not found any evidence of actual or suspected malware
           | components built to target other operating systems.
           | 
           | In this white paper, we will describe how malware frameworks
           | targeting air-gapped networks operate, and provide a side-by-
           | side comparison of their most important TTPs. We also propose
           | a series of detection and mitigation techniques to protect
           | air-gapped networks from the main techniques used by all the
           | malicious frameworks publicly known to date.
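
The summary above says over 75% of the frameworks rode in on malicious LNK or autorun files on USB drives, which makes the drive root itself the first thing to inspect when a stick crosses the gap. What follows is an added example, not code from the ESET paper or from anyone in this thread: a Python scanner that parses the fixed MS-SHLLINK header and string data of each .lnk on a drive root and the [autorun] section of autorun.inf, and flags the patterns a lure typically shows. The in-memory drive, the sample files it builds, the list of living-off-the-land targets and the "folder look-alike icon" rule are my own assumptions, and the constructed LNK keeps its target in the RelativePath string (the parser steps over the IDList and LinkInfo blocks without decoding them), so a real lure whose target lives only in the IDList would need those blocks decoded as well.

```python
# Added example (not from the ESET paper): flag autorun.inf and lure .lnk files on a drive root.
import configparser
import re
import struct

# MS-SHLLINK: 76-byte ShellLinkHeader with a fixed LinkCLSID; LinkFlags bits.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location"))  # StringData, in file order
EXEC_RE = re.compile(r"\.(exe|dll|scr|com|bat|cmd|vbs|js|hta|ps1)\b", re.I)
# Signed Windows binaries a lure can point at so the payload on the drive is loaded
# without being named as the target (heuristic list, my assumption).
LOLBINS = {"rundll32.exe", "regsvr32.exe", "cmd.exe", "powershell.exe",
           "mshta.exe", "wscript.exe", "cscript.exe"}

def parse_lnk(data: bytes) -> dict:
    """Header + StringData of a .lnk; IDList and LinkInfo are skipped by their size fields."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"flags": flags, "icon_index": struct.unpack_from("<i", data, 56)[0]}
    off = 76
    if flags & HAS_LINK_TARGET_IDLIST:      # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:               # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    for bit, key in STRING_FLAGS:           # CountCharacters (2 bytes) + chars, no terminator
        if not flags & bit:
            continue
        count, width = struct.unpack_from("<H", data, off)[0], 2 if flags & IS_UNICODE else 1
        off += 2
        fields[key] = data[off:off + count * width].decode("utf-16-le" if width == 2 else "cp1252")
        off += count * width
    return fields

def lnk_reasons(f: dict) -> list:
    """Why a parsed .lnk looks like a launcher for something on the drive."""
    out = []
    base = f.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if base in LOLBINS:
        out.append(f"target {base} is a living-off-the-land binary")
    if EXEC_RE.search(f.get("arguments", "")):
        out.append("arguments name an executable: " + f["arguments"])
    # shell32.dll icons 3/4 are the stock folder icons: a .lnk wearing one poses as a folder.
    if f.get("icon_location", "").lower().endswith("shell32.dll") and f["icon_index"] in (3, 4):
        out.append("folder look-alike icon from shell32.dll")
    return out

def autorun_reasons(text: str) -> list:
    """[autorun] keys that make Windows launch something: open, shellexecute, shell\\...\\command."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    out = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            if key in ("open", "shellexecute") or key.endswith("\\command"):
                out.append(f"autorun.inf {key}={value}")
    return out

def scan_drive(root: dict) -> dict:
    """root maps file name -> bytes (an in-memory drive root); returns {name: [reasons]}."""
    findings = {}
    for name, blob in root.items():
        low = name.lower()
        if low == "autorun.inf":
            reasons = autorun_reasons(blob.decode("utf-8", "replace"))
        elif low.endswith(".lnk"):
            try:
                reasons = lnk_reasons(parse_lnk(blob))
            except ValueError as exc:
                reasons = [f"malformed .lnk: {exc}"]
        else:
            continue
        if reasons:
            findings[name] = reasons
    return findings

def build_lnk(target: str, arguments: str, icon_index: int = 0, icon_location: str = "") -> bytes:
    """Constructed sample .lnk: target kept in RelativePath, no IDList/LinkInfo blocks."""
    flags = 0x08 | 0x20 | 0x40 | IS_UNICODE   # RelativePath, Arguments, IconLocation, Unicode
    hdr = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                      0, 0, 0, 0, icon_index, 1, 0, 0, 0, 0)
    return hdr + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                          for s in (target, arguments, icon_location))

# Constructed drive root: an autorun lure, a folder-look-alike LNK that loads a DLL from
# a temp-looking folder via rundll32, and an ordinary shortcut that should not be flagged.
SAMPLE_ROOT = {
    "autorun.inf": "\n".join(["[autorun]", r"open=~WRL0001.tmp\setup.exe",
                              r"icon=%SystemRoot%\system32\shell32.dll,3",
                              "action=Open folder to view files"]).encode(),
    "Documents.lnk": build_lnk(r"C:\Windows\System32\rundll32.exe",
                               r".\~WRL0001.tmp\stage1.dll,Entry", icon_index=3,
                               icon_location=r"%SystemRoot%\System32\shell32.dll"),
    "report.lnk": build_lnk(r"..\docs\report.pdf", ""),
}

if __name__ == "__main__":
    for name, reasons in scan_drive(SAMPLE_ROOT).items():
        print(name, "->", "; ".join(reasons))
```

Run as a script it prints the findings for the constructed samples; on a real mount point, replace SAMPLE_ROOT with a dict built from the files in the drive root. The scanner only shortlists: whether a hit is a lure still depends on what the referenced file turns out to be, and on whether the host has autorun disabled in the first place.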
        
             | lucb1e wrote:
             | > All the frameworks used USB drives as the physical
             | transmission medium [...] We have not found any case of
             | actual or suspected use of covert physical transmission
             | mediums, such as acoustic or electromagnetic signals
             | 
             | What about the red channel transmission in VGA cables from
             | the Snowden leaks, if memory serves?
             | 
             | I'm happy to see this claim because I usually skip these
             | articles about leaking this or that in a lab environment
             | via EM (they seem too esoteric to me but the media seems to
             | love it because it really plays to the imagination), but at
             | the same time it worries me that I can think of a counter
             | example off the top of my head. Maybe it doesn't qualify as
             | a "framework" or wasn't bidirectional, even if it was used
             | to leak confidential data.
        
         | walty wrote:
         | Also interesting that "All the frameworks used USB drives as
         | the physical transmission medium to transfer data in and out of
         | the targeted air-gapped networks. We have not found any case of
         | actual or suspected use of covert physical transmission
         | mediums, such as acoustic or electromagnetic signals."
        
           | jonathankoren wrote:
           | Probably because to get this stuff to work is really hard in
           | practice.
           | 
            | Several years ago, we were trying to get
            | https://github.com/fulldecent/system-bus-radio to work, but
            | we couldn't, even though we had the right MacBooks.
        
       ___________________________________________________________________
       (page generated 2021-12-10 23:00 UTC)