Warshipping is a cyber-threat that arrives via regular mail.

Cybercriminals' attempts to threaten IT systems are constantly evolving. Among the techniques seen this year, it is worth noting the injection of malicious code into thousands of e-commerce sites for identity theft and the use of LinkedIn to install spyware. Moreover, these techniques work: the damage from cybercrime in 2018 reached 45 billion US dollars.

Now researchers at IBM's X-Force Red project have developed a proof-of-concept (PoC) that could be the next step in the evolution of cybercrime. It is called warshipping, and combines technical methods with other, more traditional methods.

How warshipping works

Warshipping uses a readily available, low-cost, low-power computer to carry out attacks in the immediate vicinity of the victim, regardless of where the cybercriminals themselves are located. To do this, a small device containing a modem with a 3G connection is sent to the victim's office by regular mail. The modem means the device can be controlled remotely.

Thanks to its built-in wireless chip, the device searches for nearby networks and monitors their network packets. Charles Henderson, head of X-Force Red at IBM, explains: "Once we see our 'warship' arrive at the victim's front door, mail room, or mail unloading point, we are able to remotely monitor the system and run tools to passively or actively attack the victim's wireless network."

Attack with warshipping

As soon as the so-called "warship" is physically inside the victim's office, the device begins to listen for data packets on the wireless network, which it can use to penetrate the network. It also listens for users authenticating to the victim's Wi-Fi network and sends this data over the cellular connection to the cybercriminal, who can then decrypt the captured information and recover the password to the victim's Wi-Fi network.

Using this wireless access, the attacker can then move around the victim's network, looking for vulnerable systems and accessible data, and steal confidential information or user passwords.

A threat with great potential

Henderson says the attack has the potential to be a stealthy, effective insider threat: it is inexpensive, easy to carry out, and can go unnoticed by the victim. Moreover, an attacker can mount it from afar, at a considerable distance from the target. In companies where large volumes of mail and parcels pass through every day, a small parcel is easy to overlook.

One aspect that makes warshipping especially dangerous is that it bypasses the email protection the victim has in place to stop malware and other attacks that spread through attachments.

Protecting the enterprise from this threat

Since this is a physical attack vector over which the organisation has no control, it may seem that nothing can stop the threat. This is one of those cases where being careful with email and not trusting attachments will not help. However, there are solutions that can stop it.

Control commands come from the warship itself, which means the process is external to the organisation's IT system. Information security solutions automatically stop any unknown process in the IT system. A connection to the attacker's control server through such a "warship" is a process unknown to the security solution, so it will be blocked and the system will remain secure.

At the moment warshipping is only a proof of concept (PoC) and is not used in real attacks. However, the incessant creativity of cybercriminals means that such a method could become a reality in the near future.

Source: habr.com
