Network Attack: Invisible Network Devices

Man in the Middle Attack Case Study

A network attack refers to any unauthorized attempt to gather, disrupt, or manipulate information or services on a computer network. In a recent high-profile incident involving a Tier 1 bank, an alarming hardware network attack occurred. Shockingly, this attack went undetected within the bank’s environment for an extended period, raising concerns about the effectiveness of their information-security measures and highlighting vulnerabilities in their defenses.

Case Study: A Cloned Laptop Network Attack

During a comprehensive audit conducted by the bank, various irregularities were uncovered. Pointing towards the unauthorized access of internal and secured areas of the network by an external party. Despite thorough examinations of the bank’s computing assets, including servers, desktop workstations, and management’s laptops, no malware, viruses, or spyware with remote access capabilities was discovered.

Lacking evidence of full remote access, the bank sought help from a renowned cybersecurity consulting firm. The investigation revealed a startling network attack tactic: a genuine laptop belonging to the bank had been completely cloned (spoofed laptops). This cloned device was surreptitiously connecting to the network infrastructure through an out-of-band channel, bypassing firewall protections and existing security policies.

The perpetrators had executed their attack in the shadows. Exploiting the authentic network access profile, envelope, and certificate of the cloned laptop. Consequently, none of the bank’s existing intrusion prevention systems or endpoint security tools detected the rogue device.

How the Network Attack Was Executed

The attackers used a legitimate off-the-shelf network router sold by a third party. Besides its other modus operandi, the device supports a virtual cable mode whereby two devices can be paired. Each installed at different locations while operating as if they are interconnected using a standard passive LAN cable. The two devices are able to reroute and tunnel the communication via a simple switchboard application. Allowing traffic to be intercepted and data packets to be injected and streamed back into the network. In addition to being able to carry out more complex man in the middle attacks.

These devices do not have an IP or MAC address meaning that that intrusion prevention tools, Network Access Control (NAC) and Network Monitoring tools are unable to detect them. The entire manipulation is conducted on the Physical Layer (Layer 1) and the Data-Link Layer (Layer 2). So all higher-level communications are considered authentic and safe. This makes incident response efforts particularly challenging.

Tools Used for Network Attack

In this specific incident, the tool used was the PocketPort2 mobile router from Proxicast. The device pair was configured to run in virtual cable mode and to use a private switchboard server to ensure that there will be no traces back to the origin of the attacker.

Sepio has also been able to detect and mitigate similar types of attacks that were conducted using different tools that acted in a similar manner. Examples of such devices are mAP lite and AR150 – both purchased legally from reputable vendors. These tools can be adapted for rogue activities, potentially breaching enterprise security measures and circumventing authentication protocols.

Theoretically, any hardware platform with an operating system and set of drivers that support promiscuous mode and the ability to directly transmit data packets (raw sockets) can be adapted to act as a rogue device. Stolen data can be leaked through local storage or an out-of-band communication channel (preferably wireless) without being detected by current network security tools such as IDS and NAC.

Preventing Network Attacks with Hardware Visibility

Many times, enterprises’ IT and security teams struggle in providing complete and accurate visibility into their hardware assets. Especially in today’s extremely challenging IT/OT/IoT environment. Malicious actors often exploit these blind spots to carry out attacks. This lack of visibility weakens security policies, making networks susceptible to hacking, phishing, and zero-day exploits.

This may result in security accidents, such as ransomware attacks, data leakage, etc. In order to address this challenge, ultimate visibility into your Hardware assets is required. Regardless of their characteristics and the interface used for connection as attackers. Moreover, it is important to be practical and adjust to the dynamic Cybersecurity defenses put in place to block them. As well as take advantage of the “blind” spots. Mainly through USB Human Interface Device (HID) emulating devices or Physical layer network implants (Bad USB).

In addition to the deep visibility layer, a comprehensive policy enforcement mechanism recommends on best practice policy and allows the administrator to define a strict, or more granular policies for the system to enforce.

Sepio’s Solution for Network Attack Prevention

Sepio is the leader in the Rogue Device Mitigation (RDM) market. Is disrupting the cybersecurity industry by uncovering hidden hardware network attacks and USB interfaces. Sepio’s Asset Risk Management (ARM) solution ensures comprehensive enterprise security by:

  • Physical Layer Fingerprinting: Identifying rogue hardware through device descriptors.
  • Machine Learning Analysis: Detecting abnormal device behavior (e.g., a mouse acting as a keyboard).

Schedule a Demo to see how Sepio’s Asset Risk Management (ARM) solution can give you the hardware visibility and protection you need.

Invisible Network Devices (PDF)
March 25th, 2021