Is it possible to hack into a network using a sort of invisibility cloak?
The short answer is, YES it is. We came to this conclusion after analyzing an incident after an audit in a Tier-1 bank.
The audit revealed some irregularities and it became evident that an external party had continuous access to the internal and secured parts of the network. After investigating the computing assets of the bank, such as the servers, the desktop workstations and management’s laptop for malware with remote access capabilities, nothing was discovered. Subsequently, investigations focused on deep monitoring of the ingoing and outgoing communications from the network hoping there would be an indication as to what was occurring.
Again, no evidence was found for the full remote access. The Cybersecurity Investigations Practice of a leading global consulting firm was approached for assistance. The team found that an authentic laptop of the bank was entirely cloned and was connecting to the network infrastructure via an out-of-band channel in parallel to the existing and legitimate laptop.
In addition to the certificate, the network access profile and envelope were authentic and valid, meaning that none of the existing security and monitoring tools recognized it as a rogue device. The attackers were using a “ghost” malicious device that was acting in the shadow of the legitimate one.
Upon further investigation, a small, unidentified hardware device was found to be installed in one of the distribution cabinets and was providing the perpetrator with remote access capabilities, with the existing security measures completely oblivious. No one knew what this device was, what it was doing, who brought it in, and when.
The invisibility cloak
The attackers used a legitimate off-the-shelf network router sold by a third party. Besides its other modus operandi, the device supports a virtual cable mode whereby two devices can be paired, and each installed at different locations while operating as if they are interconnected using a standard passive LAN cable. The two devices are able to reroute and tunnel the communication via a simple switchboard application, allowing traffic to be intercepted and data packets to be injected and streamed back into the network, in addition to being able to carry out more complex man in the middle (MiTM) attacks.
These devices do not have an IP or MAC address meaning that Intrusion Detection Systems (IDS), Network Access Control (NAC) and Network Monitoring tools are unable to detect them – hence the “invisibility” cloak. The entire manipulation is conducted on the Physical Layer (Layer 1) and the Data-Link Layer (Layer 2); so all higher-level communications are considered authentic and safe.
Attack tool used
In this specific incident, the tool used was the PocketPort2 mobile router from Proxicast, with similar characteristics to the device described by Kaspersky’s report named – DarkVishnya describing bank hacking in Estren Europe. The device pair was configured to run in virtual cable mode and to use a private switchboard server to ensure that there will be no traces back to the origin of the attacker.
Theoretically, any hardware platform with an operating system and set of drivers that support promiscuous mode and the ability to directly transmit data packets (raw sockets) can be adapted to act as a rogue device. Stolen data can be leaked through local storage or an out-of-band communication channel (preferably wireless) without being detected by current network security tools such as IDS and NAC.
What one can do? Expand your Rogue Device Mitigation coverage by implementing Cyber Physical measures along-side “traditional” cyber security solutions.”
About the author: Sepio Systems
(SecurityAffairs – hacking, invisibility cloak)