Invisible Network Devices Brief
In a recent high-profile incident involving a Tier 1 bank, an alarming hardware attack known as a Man in the Middle attack was executed. Shockingly, this attack went undetected within the bank’s environment for an extended period, raising concerns about the effectiveness of their security measures.
During a comprehensive audit conducted by the bank, various irregularities were uncovered, pointing towards the unauthorized access of internal and secured areas of the network by an external party. Despite thorough examinations of the bank’s computing assets, including servers, desktop workstations, and management’s laptops, no malware with remote access capabilities was discovered.
With no concrete evidence of full remote access, the bank sought the assistance of the Cybersecurity Investigations Practice of a renowned global consulting firm. The expert team uncovered a startling revelation—a genuine laptop belonging to the bank had been completely cloned. This cloned device was surreptitiously connecting to the network infrastructure through an out-of-band channel, running parallel to the existing and legitimate laptop.
The perpetrators had executed their attack in the shadows, exploiting the authentic network access profile, envelope, and certificate of the cloned laptop. Consequently, none of the bank’s existing security and monitoring tools detected the rogue device.
MiTM Network Attack Study
The attackers used a legitimate off-the-shelf network router sold by a third party. Besides its other modus operandi, the device supports a virtual cable mode whereby two devices can be paired, and each installed at different locations while operating as if they are interconnected using a standard passive LAN cable. The two devices are able to reroute and tunnel the communication via a simple switchboard application, allowing traffic to be intercepted and data packets to be injected and streamed back into the network, in addition to being able to carry out more complex man in the middle attacks.
These devices do not have an IP or MAC address meaning that Intrusion Detection Systems (IDS), Network Access Control (NAC) and Network Monitoring tools are unable to detect them. The entire manipulation is conducted on the Physical Layer (Layer 1) and the Data-Link Layer (Layer 2). So all higher-level communications are considered authentic and safe.
Tools Used for MiTM Network Attack
In this specific incident, the tool used was the PocketPort2 mobile router from Proxicast. The device pair was configured to run in virtual cable mode and to use a private switchboard server to ensure that there will be no traces back to the origin of the attacker.
Sepio has also been able to detect and mitigate similar types of attacks that were conducted using different tools that acted in a similar manner.
Examples of such devices are mAP lite and AR150 – both purchased legally from reputable vendors.
Theoretically, any hardware platform with an operating system and set of drivers that support promiscuous mode and the ability to directly transmit data packets (raw sockets) can be adapted to act as a rogue device. Stolen data can be leaked through local storage or an out-of-band communication channel (preferably wireless) without being detected by current network security tools such as IDS and NAC.
Many times, enterprises’ IT and security teams struggle in providing complete and accurate visibility into their hardware assets, especially in today’s extremely challenging IT/OT/IoT environment. This is due to the fact that often, there is a lack of visibility, which leads to a weakened policy enforcement of hardware access. This may result in security accidents, such as ransomware attacks, data leakage, etc. In order to address this challenge, ultimate visibility into your Hardware assets is required, regardless of their characteristics and the interface used for connection as attackers. Moreover, it is important to be practical and adjust to the dynamic Cybersecurity defenses put in place to block them, as well as take advantage of the “blind” spots – mainly through USB Human Interface Device (HID) emulating devices or Physical layer network implants.
In addition to the deep visibility layer, a comprehensive policy enforcement mechanism recommends on best practice policy and allows the administrator to define a strict, or more granular, set of rules for the system to enforce. Sepio is the leader in the Rogue Device Mitigation (RDM) market and is disrupting the cybersecurity industry by uncovering hidden hardware attacks operating over network and USB interfaces. Sepio’s Asset Risk Management (ARM) solution, identifies, detects and handles all peripherals; no device goes unmanaged.
The only company in the world to undertake Physical Layer fingerprinting, Sepio calculates a digital fingerprint using the device descriptors of all connected peripherals and compares them against a known set of malicious devices, automatically blocking any attacks. With Machine Learning, the software analyses device behavior to identify abnormalities, such as a mouse acting as a keyboard.