Network Attack: Invisible Network Devices

Man in the Middle Attack Case Study

A Network Attack refers to any unauthorized attempt to gather, disrupt, or manipulate information or services on a computer network. In a recent high-profile incident involving a Tier 1 bank, an alarming hardware network attack was executed. Shockingly, this attack went undetected within the bank’s environment for an extended period. Raising concerns about the effectiveness of their security measures.

During a comprehensive audit conducted by the bank, various irregularities were uncovered. Pointing towards the unauthorized access of internal and secured areas of the network by an external party. Despite thorough examinations of the bank’s computing assets, including servers, desktop workstations, and management’s laptops, no malware with remote access capabilities was discovered.

With no concrete evidence of full remote access, the bank sought the assistance of the Cybersecurity Investigations Practice of a renowned global consulting firm. The expert team uncovered a startling revelation. A genuine laptop belonging to the bank had been completely cloned (spoofed laptops). This cloned device was surreptitiously connecting to the network infrastructure through an out-of-band channel. Running parallel to the existing and legitimate laptop.

The perpetrators had executed their attack in the shadows. Exploiting the authentic network access profile, envelope, and certificate of the cloned laptop. Consequently, none of the bank’s existing security and monitoring tools detected the rogue device.

Network Attack Study

The attackers used a legitimate off-the-shelf network router sold by a third party. Besides its other modus operandi, the device supports a virtual cable mode whereby two devices can be paired. Each installed at different locations while operating as if they are interconnected using a standard passive LAN cable. The two devices are able to reroute and tunnel the communication via a simple switchboard application. Allowing traffic to be intercepted and data packets to be injected and streamed back into the network. In addition to being able to carry out more complex man in the middle attacks.

These devices do not have an IP or MAC address meaning that Intrusion Detection Systems (IDS), Network Access Control (NAC) and Network Monitoring tools are unable to detect them. The entire manipulation is conducted on the Physical Layer (Layer 1) and the Data-Link Layer (Layer 2). So all higher-level communications are considered authentic and safe.

Tools Used for Network Attack

In this specific incident, the tool used was the PocketPort2 mobile router from Proxicast. The device pair was configured to run in virtual cable mode and to use a private switchboard server to ensure that there will be no traces back to the origin of the attacker.

Sepio has also been able to detect and mitigate similar types of attacks that were conducted using different tools that acted in a similar manner. Examples of such devices are mAP lite and AR150 – both purchased legally from reputable vendors.

Theoretically, any hardware platform with an operating system and set of drivers that support promiscuous mode and the ability to directly transmit data packets (raw sockets) can be adapted to act as a rogue device. Stolen data can be leaked through local storage or an out-of-band communication channel (preferably wireless) without being detected by current network security tools such as IDS and NAC.

Unraveling Network Attacks Through Hardware Visibility and Policy Enforcement

Many times, enterprises’ IT and security teams struggle in providing complete and accurate visibility into their hardware assets. Especially in today’s extremely challenging IT/OT/IoT environment. This is due to the fact that often, there is a lack of visibility, which leads to a weakened policy enforcement of hardware access.

This may result in security accidents, such as ransomware attacks, data leakage, etc. In order to address this challenge, ultimate visibility into your Hardware assets is required. Regardless of their characteristics and the interface used for connection as attackers. Moreover, it is important to be practical and adjust to the dynamic Cybersecurity defenses put in place to block them. As well as take advantage of the “blind” spots. Mainly through USB Human Interface Device (HID) emulating devices or Physical layer network implants (Bad USB).

In addition to the deep visibility layer, a comprehensive policy enforcement mechanism recommends on best practice policy and allows the administrator to define a strict, or more granular policies for the system to enforce.

Sepio Solution

Sepio is the leader in the Rogue Device Mitigation (RDM) market. Is disrupting the cybersecurity industry by uncovering hidden hardware network attacks and USB interfaces. Sepio’s Asset Risk Management (ARM) solution, identifies, detects and handles all peripherals; no device goes unmanaged.

The only company in the world to undertake Physical Layer fingerprinting, Sepio calculates a digital fingerprint using the device descriptors of all connected peripherals and compares them against a known set of malicious devices. Automatically blocking any attacks. With Machine Learning, the software analyses device behavior to identify abnormalities, such as a mouse acting as a keyboard.

Invisible Network Devices (PDF)
March 25th, 2021