A Tier 1 bank audit revealed some irregularities and it became evident that an external party had continuous access to the internal and secured parts of the network. After investigating the computing assets of the bank, such as the servers, the desktop workstations and management’s laptop for malware with remote access capabilities, nothing was discovered. Subsequently, investigations focused on deep monitoring of the in going and out going communications from the network hoping there would be an indication as to what was occurring. Again, no evidence was found for the full remote access. The Cybersecurity Investigations Practice of a leading global consulting firm was approached for assistance. The team found that an authentic laptop of the bank was entirely cloned and was connecting to the network infrastructure via an out-of-band channel in parallel to the existing and legitimate laptop.
The network access profile and envelope, in addition to the certificate, were authentic and valid meaning that none of the existing security and monitoring tools recognized it as a rogue device.
The attackers were using a “ghost” malicious device that was acting in the shadow of the legitimate one. Upon further investigation, a small, unidentified hardware device was found to be installed in one of the distribution cabinets and was providing the perpetrator with remote access capabilities, with the existing security measures completely oblivious. No one knew what this device was, what it was doing, who brought it in, and when.
Invisible Network Devices
In this specific incident, a BeagleBone board running USBProxy was used that, when attached to the scanning device and the computer system that stores the records of genuine handprints, allowed the attacker to bypass the authentication.
The BeagleBone does not require any extra hardware in addition to its superior set of input/output features, making it easy to interface with exterior electronics.
Sepio Systems is the leader in the Rogue Device Mitigation (RDM) market and is disrupting the cybersecurity industry by uncovering hidden hardware attacks operating over network and USB interfaces. SepioPrime, which orchestrates Sepio’s solution, identifies, detects and handles all peripherals; no device goes unmanaged.
The only company in the world to undertake Physical Layer fingerprinting, Sepio Systems calculates a digital fingerprint using the device descriptors of all connected peripherals and compares them against a known set of malicious devices, automatically blocking any attacks. With Machine Learning, the software analyses device behavior to identify abnormalities, such as a mouse acting as a keyboard.