Network Security
Vulnerability Management
Privileged Access Management
Endpoint Security
Threat Hunting
Unified Endpoint Management
Email & Collaboration Security
Contents:
You might think that an air-gapped network will keep you safer from attackers, and you are right. It’s pretty obvious that isolating a computer or network and preventing it from establishing an external connection will leave threat actors with fewer means to break into your systems, but not entirely safe.
Security researchers have discovered a new malware used by threat actors to exfiltrate data from isolated systems as part of a multi-stage process, and it leverages USBs as entry points.
The Attack Explained: Threat Actors Are Infecting Your Systems Using Removable Media
When a corrupted storage device is attached to an IT system that is physically disconnected from the Internet, the malware’s primary goal is to infect removable media with a worm that nests there. The researchers claim that the virus was probably produced by the APT31 hacker collective, also known as Zirconium, Judgement Panda, and Panda.
The malware reportedly consists of at least three modules, each of which performs a different task. The first main module is in charge of managing removable drives. This includes gathering data about each drive, copying each drive’s filesystem structure to a local temporary folder and maintaining the structure, collecting stolen files from drives, infecting newly connected drives with second-step malware, and taking screenshots and window titles on the infected machine.
The malware module is then copied to newly attached drives in the form of executable files and DLL payloads, and marked as hidden or deleted.
Finally, when a user clicks on a link file, the infection chain starts on the target system. The second module then executes a batch script to gather private information and save it to the removable disk’s “$RECYCLE.BIN” folder, where it will subsequently be retrieved by a different module on a device with an active Internet connection and sent to a server under the control of the attackers.
Security researchers claim that it was challenging to find and analyze the virus due to encrypted payloads that were concealed in distinct binary files. Additionally, the malware injects some harmful code, such as DLL hijacking and a series of memory injections, into the memory of legitimate apps.
How To Keep Your Company Protected Against Such Attacks?
Many APTs and targeted cyberespionage activities routinely exfiltrate data from air-gapped networks. And despite the availability of a wide range of exfiltration techniques, threat actors typically select TTPs focused on infecting removable media.
USB ports represent possible access points for threat actors to infect even air-gapped servers and endpoints, with possibly devastating results.
USBs can be rigged with malware, similar to what we have talked about in this article, or there are USB Killer-type devices, which are modified USB devices modified to deliver an electrical surge that can damage or destroy hardware where the altered thumb drive is inserted into a computer’s USB port. The modified drive basically instructs the onboard capacitors of the computer to rapidly charge and discharge a series of times. If continued, the frequent overcharging will physically damage the computer’s electrical system by overloading the USB port.
Heimdal®’s Head of Pre-Sales, Robertino Matausch spoke with us and told us that companies need to be careful and have procedures in place even for air-gapped systems.
You are never isolated. Absolutely never. You have to have at least some procedures in place on how to protect your air-gapped systems.
Some of the procedures you can implement are to not grant anybody access as an admin. That is valid in the connected world and also in an air-gapped environment because most of the malware is using elevated rights from the local admin to penetrate the systems. The second thing you can do is to disable and get rid of the USB ports
Robertino Matausch, Heimdal®’s Head of Pre-Sales
To secure not only your connected systems but your air-gapped systems as well, Heimdal® offers you two solutions. With our Privilege Access Management (PAM) solution, you have full control over the user rights of your employees, create custom elevated rights sessions, automatically end the users’ sessions whenever a threat is detected, and much more.
Heimdal® Privileged Access Management
- Automate the elevation of admin rights on request;
- Approve or reject escalations with one click;
- Provide a full audit trail into user behavior;
- Automatically de-escalate on infection;
Also, with our Next-Gen Antivirus, Firewall & MDM solutions, you will be able to disable your USB ports and make them useless in case threat actors want to leverage them to break into your air-gapped system.
Heimdal® DNS Security Solution
- Machine learning powered scans for all incoming online traffic;
- Stops data breaches before sensitive info can be exposed to the outside;
- Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
- Protection against data leakage, APTs, ransomware and exploits;
Book a demo and see for yourself how the Heimdal® solutions suit your company’s needs!
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube for more cybersecurity news and topics.
Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.
