Hardware-based hacks are on the rise yet again, former Israeli intelligence officer and longtime cybersecurity expert Yossi Appleboum told CyberNews.
In the last 15 months, experts have seen what they call a dramatic increase in rogue devices. These can be anything from a simple USB stick or wired keyboard to a Raspberry Pi pocket-sized computer, modified to help criminals hack into an organization. As a result, a company’s information can be leaked, or the company can be hit with ransomware or a distributed denial of service (DDoS) attack.
Recently, Bleeping Computer ran a story about scammers sending fake replacement devices to Ledger customers exposed in a recent data breach. Ledger is a hardware crypto wallet. In December 2020, the data of over 270,000 people who had purchased a Ledger device was published on a hacker forum. Scammers used this leak as a pretext to send new hardware wallets to Ledger customers, claiming they were more secure. Only the replacement was designed to steal, not to protect.
“More organizations are spread across the globe, people are working from home, and there’s no common method and tools for normal organizations, even highly secure organizations, to deal with the impact of vulnerable USB devices in their networks,” Appleboum told CyberNews.
He is a co-founder and CEO of Israel-based Sepio Systems, which engages in rogue device mitigation (RDM). RDM is a whole new battlefield. Even the most secure organizations can fall victim to hardware-based attacks, as these rogue devices are very difficult to detect and may sit in an office stealing information for years.
“Most of our customers came to us saying that they found data of their organization running outside without understanding how. Or they physically found a device by some random scan, and their concern was: how many others do they have?” Appleboum said.
In one incident, he and his colleagues were able to find dozens of attack tools within the same organization. Experts discovered a criminal organization within the company, and those criminals were bringing rogue devices to the company daily.
In October 2018, Bloomberg published an investigation into how China allegedly used a tiny chip to infiltrate US companies such as Amazon and Apple. China supposedly intercepted the supply chain of Supermicro, which has sold servers to Amazon, Apple, the US Department of Defense, and other companies. Hackers developed a chip that theoretically could act as a backdoor to Supermicro servers. Bloomberg’s story was then dragged through the mud not only by the companies mentioned but by cybersecurity experts as well. But let’s not get into the details about it: the pure fact that a chip can serve as a rogue device is valid.
Five years ago, it was mainly government agencies that used rogue devices as a strategic cyber espionage tool, Appleboum said. Nowadays, they are also used by criminal organizations acting on behalf of some countries, and by criminal gangs with no affiliation to a specific country.
“Mostly, you can find them coming from the far East, and I have a specific country in mind. At least once, we found an attack tool that was from Europe,” Appleboum said.
How do rogue devices end up in your organization?
A couple of weeks ago, Appleboum got his hands on a rogue keyboard, altered to function as an attack tool. It looked utterly legitimate, resembling a keyboard that Appleboum himself used. Only a small component inside the keyboard was exfiltrating everything typed on it to a remote location, without leaving any traces. The keyboard belonged to a customer in the financial markets.
According to Appleboum, his key clients are concerned about employees returning to the office and bringing back devices that might pose an additional risk to the organization.
So how do these devices end up in someone’s home or office? One common criminal strategy is social engineering. Someone might just show up at your door, ask you to hear out a promotion or fill in a survey, and then hand you a USB stick or a similar device.
“Human nature is stronger than all of us. Good chance you will connect that device. Good chance you will be attacked that second,” Appleboum said. Once you’ve connected such a device, your home network security is compromised no matter how many security layers you have installed. The operating system usually trusts these devices, so it might take years for you or your organization to even discover them.
Rogue devices can be brought into the organization by, for example, someone pretending to be an electrician or a cleaner. Sepio Systems experts found a Raspberry Pi rogue device installed in a vacuum cleaner at a company and dubbed it the Evil Maid Attack.
Rogue devices can also be brought into the organization by insiders.
Research by TAG Cyber and Sepio Systems showed that rogue devices represent a particularly intense threat to financial institutions. Cybersecurity experts generally point to advanced persistent threats (APTs), distributed denial of service (DDoS), malware-based ransomware, and other familiar means of electronic breach as the primary vectors for targeting banks.
If a rogue device ends up in a bank, criminals will most probably start acting within a short period – days, hours, or weeks. They will not wait forever, as they are lured by financial gain and want to start earning money right away.
It is a bit different with offenders who are after intelligence rather than money. The device can sit in an institution of interest to them, for example the Department of Defense, for years before the attackers start acting on it.
“If the attacker is smart, he will wait a while because they want to see what’s going on. They want to know what types of potential security tools are running,” Appleboum explained.
Not only criminals are clever. Rogue devices are smart too.
“These tools are like a guided missile that has some kind of remote route, path correction, and the ability to do that from outside,” he said.
The cost of the attack and how to avoid it
It is easy to buy rogue devices, Appleboum explained. Most of them are sold as pen-testing tools, available for about $50-150.
“I was speaking to some law enforcement entities in several countries, begging them to start monitoring the people that are buying these tools and start black-listing people who are not pentesters and are not doing it. Unfortunately, they are not doing it,” he said.
Some more sophisticated tools, such as a rogue keyboard, can cost far more, even thousands of dollars.
Keeping in mind that some of these tools are expensive, criminals do not choose their targets randomly. They can, for example, target a high-profile neighborhood by replacing legitimate devices in a local shop with altered ones. Therefore, Appleboum suggests going shopping somewhere else if you live in such a neighborhood.
He also recommends buying only branded devices from trusted sources and not accepting gifts even if they seem legitimate.
“Most importantly, try to limit the number of devices you connect to your computer,” Appleboum said, adding that it is not necessary to charge your phone from your computer.
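The article's point that the operating system trusts whatever is plugged in, and the advice to limit connected devices, both translate into one practical control: compare enumerated USB devices against a hardware inventory and flag keyboards that also expose storage or network interfaces. The script below is an added illustration, not Sepio's product or any code from the article; the device records and ids are constructed, in a format loosely modelled on USBGuard's rule language, and the inventory set is hypothetical.

```python
import re

# USB base class codes (first byte of an interface class:subclass:protocol triple).
HID, CDC_COMMS, MASS_STORAGE, WIRELESS = "03", "02", "08", "e0"

# Hypothetical hardware inventory: vendor:product ids the organization issued.
INVENTORY = {"1d6b:0002", "aaaa:0001"}

# Constructed device records (placeholder ids, not real devices) in a format
# loosely modelled on USBGuard's rule language.
SAMPLE_DEVICES = """\
id 1d6b:0002 name "xHCI Host Controller" via-port "usb1" with-interface 09:00:00
id aaaa:0001 name "USB Keyboard" via-port "1-1" with-interface { 03:01:01 03:00:00 }
id aaaa:0002 name "USB Keyboard" via-port "1-2" with-interface { 03:01:01 08:06:50 }
id bbbb:0003 name "USB 2.0 Ethernet" via-port "1-3" with-interface 02:06:00
"""

RECORD = re.compile(
    r'id (?P<id>[0-9a-f]{4}:[0-9a-f]{4}) name "(?P<name>[^"]*)" '
    r'via-port "(?P<port>[^"]*)" with-interface (?:\{ (?P<many>[^}]*)\}|(?P<one>\S+))'
)


def parse_devices(text):
    """Turn device records into dicts carrying the set of interface base classes."""
    devices = []
    for line in text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue
        triples = (m.group("many") or m.group("one")).split()
        devices.append({
            "id": m.group("id"), "name": m.group("name"), "port": m.group("port"),
            "classes": {t.split(":")[0] for t in triples},
        })
    return devices


def audit(devices, inventory=INVENTORY):
    """Return (id, port, reason) tuples for devices a defender should inspect."""
    findings = []
    for d in devices:
        if d["id"] not in inventory:
            findings.append((d["id"], d["port"], "not in hardware inventory"))
        # A "keyboard" that also presents storage, a network or a wireless
        # interface is the composite shape to treat as suspect regardless of id.
        if HID in d["classes"] and d["classes"] & {MASS_STORAGE, CDC_COMMS, WIRELESS}:
            findings.append((d["id"], d["port"], "HID combined with storage/network"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_devices(SAMPLE_DEVICES)):
        print(finding)
```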