Security consulting company NetraGard has demonstrated that something as seemingly innocuous as a USB mouse, along with tidbits of information freely available on the Internet, can provide a hacker quick and easy access to a seemingly secure IT environment.
In a blog post on the company’s website, NetraGard founder Adriel Desautels explained that his company was hired to test the security of a client’s network while adhering to some very stringent restrictions: The NetraGard team could target only one IP address, offering no services, bound to a firewall. Further, the team couldn’t use social engineering tactics, such as duping an employee into revealing information over the phone or via email. Nor could they physically access the client’s campus.
NetraGard’s solution: Transform a Logitech USB mouse into an HID (“hacker interface device,” a play on the USB term human interface device) by installing in it a mini-controller and a micro flash drive loaded with custom malware. The blog post goes into explicit detail about the painstaking process of operating on the mouse.
Once plugged into a USB port, the altered mouse launched its payload, spreading the malware across the client’s network. NetraGard specified that the malware it used was a homegrown variety that doesn’t do any actual damage; it simply spreads like a virus so that its progress can be tracked.
Desautels wrote that his team discovered the client used McAfee antivirus software thanks to public Facebook posts made by the client’s employees. With that information, NetraGard was able to groom its homegrown malware to circumvent McAfee’s antivirus wares.
The final step: NetraGard purchased a list of its client’s employees from Jigsaw and used the information to choose a target employee to ship the mouse to. Desautels wrote that his team repackaged the mouse so that it appeared brand new and included marketing materials in the shipment so as to make it look like a promotional gadget. Three days later, he wrote, the device called home, indicating that the breach was a success.
The anecdote is a sobering reminder of how susceptible networks are today, even those of seemingly well-prepared companies. Notably, end-users were once again among the weakest links that enabled the attack to be effective: NetraGard was able to tailor its malware to circumvent the client’s antivirus software because employees blabbed publicly on Facebook that their company used McAfee.
Further, an end-user was responsible for plugging in a mouse received in the mail. Granted, the mouse was well disguised as a legitimate promotional device, in the same way that today’s phishing emails and scareware are designed to look as though they came from legitimate companies.
If anything, the scenario should prompt IT admins to develop or revise their in-house policies and controls — and to educate end-users accordingly — so as to reduce the chance of these types of breaches. It’s conceivable that cyber criminals in the near future will embrace similar techniques with any type of USB device.
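One concrete host-side control that follows from the story: the modified mouse carried a flash drive, so on the host it enumerates as a composite device presenting both a human-interface (HID) interface and a mass-storage interface, something a genuine mouse never does. The script below is an added example, not code from the article or from NetraGard; it parses the USB-enumeration messages the Linux kernel writes to the kernel log and flags any port where a device registered both an input device and a USB mass-storage interface. The log lines, vendor and product IDs (1234:000x) and device names are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed kernel-log sample (not real output from any engagement).
# Port 1-1: an ordinary mouse, HID interface only.
# Port 1-2: a "mouse" that also registers a mass-storage interface, the shape
#           a mouse with a hidden flash drive presents to the host.
# Port 1-3: an ordinary flash disk, storage only (not flagged).
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=1234, idProduct=0001
usb 1-1: Product: USB Optical Mouse
input: USB Optical Mouse as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:1234:0001.0001/input/input5
hid-generic 0003:1234:0001.0001: input,hidraw0: USB HID v1.11 Mouse [USB Optical Mouse] on usb-0000:00:14.0-1/input0
usb 1-2: New USB device found, idVendor=1234, idProduct=0002
usb 1-2: Product: Wireless Mouse
input: Wireless Mouse as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:1234:0002.0002/input/input6
hid-generic 0003:1234:0002.0002: input,hidraw1: USB HID v1.11 Mouse [Wireless Mouse] on usb-0000:00:14.0-2/input0
usb-storage 1-2:1.1: USB Mass Storage device detected
scsi host4: usb-storage 1-2:1.1
usb 1-3: New USB device found, idVendor=1234, idProduct=0003
usb 1-3: Product: Flash Disk
usb-storage 1-3:1.0: USB Mass Storage device detected
"""


@dataclass
class UsbDevice:
    """Everything we learn about one physical device, keyed by its port path."""
    port: str
    vid: str = ""
    pid: str = ""
    product: str = ""
    classes: set = field(default_factory=set)  # subset of {"hid", "storage"}


# Patterns for the kernel messages we care about. The port path ("1-2") ties
# the interface messages ("1-2:1.1") back to the device-found message.
NEW_DEV = re.compile(
    r"^usb (?P<port>\d+-[\d.]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
PRODUCT = re.compile(r"^usb (?P<port>\d+-[\d.]+): Product: (?P<name>.+)$")
HID_INPUT = re.compile(r"^input: .+ as /devices/.*/(?P<port>\d+-[\d.]+):\d+\.\d+/")
STORAGE = re.compile(
    r"^usb-storage (?P<port>\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected"
)


def parse_usb_log(text):
    """Return {port: UsbDevice} built from kernel USB-enumeration lines."""
    devices = {}

    def dev(port):
        return devices.setdefault(port, UsbDevice(port))

    for raw in text.splitlines():
        line = raw.strip()
        if m := NEW_DEV.match(line):
            d = dev(m["port"])
            d.vid, d.pid = m["vid"], m["pid"]
        elif m := PRODUCT.match(line):
            dev(m["port"]).product = m["name"]
        elif m := HID_INPUT.match(line):
            dev(m["port"]).classes.add("hid")
        elif m := STORAGE.match(line):
            dev(m["port"]).classes.add("storage")
    return devices


def find_hid_with_storage(devices):
    """Ports whose device exposes both an input (HID) and a storage interface."""
    return sorted(p for p, d in devices.items() if {"hid", "storage"} <= d.classes)


def report(text):
    """Human-readable alert lines for suspicious composite devices."""
    devices = parse_usb_log(text)
    return [
        f"ALERT port {p}: '{devices[p].product}' ({devices[p].vid}:{devices[p].pid}) "
        f"registers HID and mass storage"
        for p in find_hid_with_storage(devices)
    ]


if __name__ == "__main__":
    # On a real host, feed the output of `dmesg` or the journal's kernel messages.
    for line in report(SAMPLE_LOG):
        print(line)
```

Running this on a live host means piping `dmesg` (or the kernel messages from the journal) into `report`. The check is deliberately narrow: it does not try to judge whether a keyboard or mouse is "trusted", only whether an input device also brought storage with it, which is enough to surface the device from the story. A stronger control is a device allowlist enforced at plug-in time (udev rules or a tool such as USBGuard), so that unexpected storage interfaces never bind in the first place; the log parser then serves as the detection layer behind that policy.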