DarkVishnya: Attacking from the Inside – Again
Written by: Mike Parkin, Attivo Networks Product Marketing Engineer – Once again, cyberattacks that rely on physical access have made headlines. This time, the culprit is an attack dubbed DarkVishnya that came to light targeting banks in Eastern Europe. This sophisticated attack relies on intruders placing devices on the physical network, ranging from inexpensive laptops or Raspberry Pi type devices, to Bash Bunny style USB devices that can be placed unobtrusively into an office or branch location. By using a built in, or attached, GPRS/3G/LTE wireless module, the attackers can remotely access their malicious kit, in this case, breaking into networks to steal tens of millions of dollars.
Using a physical connection like this isn’t new, but it remains one of the most effective attack vectors. “If I can touch the machine, I can own the machine” has been a truism for many years and it applies equally in the context of a network-based attack. Access to the corporate network lets an attacker bypass the defensive perimeter. Their kit looks like a normal laptop, printer, USB device, or something else that doesn’t appear out of place in the environment. Attackers can even avoid whitelisting tools and domain policies by using fileless attacks and standard administration tools like PowerShell and psexec. Essentially, the intruder gets access equivalent to an insider because they are inside.
With the DarkVishnya attack, like many others before it, intruders are going after user and admin credentials, valuable files, and other assets they can leverage to reach their intended goals. How an organization can reliably stop this sort of ‘physical access’ attack is the question.
Tackling the Threat Within
Locking down network access is easy on paper, but considerably more difficult in practice. Implementing technical controls that restrict network access to authorized systems can be quite effective, but it also takes a great deal of effort and may not be practical in environments where users need mobility and easy access. Access policies can also be effective, but, again, implementation can clash with the constant push and pull between effective security and user efficiency.
This means that even when an organization expends the considerable resources needed to implement industry best practices, it may not be enough. Attackers can often find ways to get the access they want, while staying under the radar during their intrusion. Ultimately, that is the challenge organizations need to address.
When an attacker leverages physical level techniques to penetrate the environment, as demonstrated here with DarkVishnya, there are still opportunities for the defense to regain the upper hand. Even with a physical foothold in the environment, an attacker still needs to do reconnaissance to find their targets and acquire credentials to escalate their privileges. This is where an organization can leverage Deception Technology to catch a threat actor early in the attack cycle, even if they’re already inside.
In the event that an attacker breaches the perimeter, decoys and lures are spread across the environment, appearing identical to live assets, in anticipation of an attack. So, regardless of an adversary enters, they still won’t be able to tell the difference between live assets and the decoys that were placed to trick them into revealing themselves.
For example, let’s assume a Dark Vishnya attacker has successfully dropped a remote into a target network that’s protected with deception. They can glean some information from passive listening, but that will only identify potential targets for them to scan or attack. Once they launch a scan, even a “low and slow” one, intended to fly under the radar of conventional defenses, the decoy systems will spot the scan and raise high-fidelity alerts on the activity.
Alternatively, they may have succeeded in breaching a local system and are leveraging that device to steal credentials to escalate their privileges. By placing deceptive credentials on live hosts that lead to decoy assets, Deception Technology again gives the defender the upper hand.
These are not just hypothetical examples. Penetration testers have used these exact techniques for years to great effect, and experience has also shown that Deception Technology can reliably identify these techniques while they are in use. For example, an Attivo Networks customer has shared that they caught a penetration testing team who gained physical access to their building and hid a laptop they connected to the network with a Mi-fi device behind a file cabinet. The pen-testers later remotely accessed the laptop to enumerate the network and were subsequently detected by the Attivo ThreatDefend™ solution.
It doesn’t matter how an attacker gets into the environment, whether through an email attack, remote exploit, or physically compromising the network, Deception Technology shifts the advantage back to the defender. By spreading decoys across the internal attack surface, deception will reliably detect and isolate an attacker before they can reach their target. It enhances the organization’s conventional defense without relying on signatures, extensive tuning, or increasing the information security team’s workload.
Even in the face of new, physical, cyberattacks, deception technology fills in the gaps to give the defense a concrete advantage.