Brutal Kangaroo and Drifting Deadline – hacking air-gapped computers
There’s a saying that goes around: “nothing is safe if hackers are motivated”, and today’s topic definitely supports it. Air-gapped computers certainly make the job hard for attackers, but let’s see what can be done after learning from Stuxnet and the CIA’s Brutal Kangaroo.
My previous article was about the USB attack vector and is a good introduction to this more advanced method. Check it out to learn about USB in general and get a hacker’s point of view on the Universal Serial Bus. At the end I briefly mentioned an advanced method that turns computers and USB sticks into something like Patient Zero spreading points for one another. Shortly after the article was posted, WikiLeaks dumped documents that reveal how the CIA did exactly that.
Without further ado, let me introduce you to the tools of the trade:
(from Brutal Kangaroo user guide)
Let’s assume we have compromised a regular computer within the organization and we want to infect the air-gapped computer. The idea is to install Shadow on the pivot computer and configure it to place Drifting Deadline (the RiverJack exploit) on every USB drive that is inserted into the infected computer. Now, the way the CIA infects USB drives is quite different from what I imagined (I was hoping for modified USB firmware): they simply place a Windows link (.lnk) file along with the payload and abuse the EzCheese or RiverJack (at the time 0-day) exploits. Basically, when Windows Explorer parses the two files, the payload gets executed because of the mentioned exploits. This is a much more practical approach, but it requires a 0-day.
I hope you see where we’re going: once the infected USB drive gets inserted into any other computer, that computer becomes infected as well, increasing the chance that one of those USB drives will eventually be inserted into our targeted air-gapped computer. I can’t imagine the satisfaction of compromising such a high-profile target by having one of the company’s officials voluntarily insert a USB drive into that machine.
Instead of using 0-days, it is possible to compromise a USB device by patching its firmware to install an arbitrary payload. This method requires months of hard work, but hey, you don’t just autopwn air-gapped computers. To my knowledge, this idea was first publicized at the Black Hat conference and it has had my attention ever since. I expected the CIA to do something like that, but it seems the topic will have to wait for further research (possibly by me).
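From the defender’s side, the observable artifact of the propagation described above is a Windows shortcut file sitting next to a DLL/EXE-style payload on removable media. The following scanner is an added example written for this post; it is not code from the article, from the leaked tooling, or from any vendor. It validates that a `.lnk` really carries the ShellLinkHeader defined in the MS-SHLLINK specification (header size 0x4C and the fixed LinkCLSID `00021401-0000-0000-C000-000000000046`) and then reports every such link that shares a directory with an executable-like sibling. The sample drive layout it builds (`Pictures/Pictures.lnk` beside `helper.dll`, and so on) is constructed for the demonstration; the function and file names are my own choices, not anything from the page.

```python
import os
import struct
import tempfile

# Constants from the MS-SHLLINK specification: every .lnk begins with a
# 0x4C-byte ShellLinkHeader whose LinkCLSID is 00021401-0000-0000-C000-000000000046
# (stored as a little-endian GUID, hence the byte order below).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# A minimal, structurally valid header (flags and remaining fields zeroed),
# used only to construct sample files for the demonstration.
MINIMAL_LNK_HEADER = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * (LNK_HEADER_SIZE - 20)

# Extensions that Explorer will load or execute when a shortcut points at them.
PAYLOAD_SUFFIXES = {".dll", ".exe", ".scr", ".cpl"}


def header_is_shell_link(data):
    """Return True if `data` starts with a valid ShellLinkHeader."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    (size,) = struct.unpack_from("<I", data, 0)
    return size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def is_shell_link(path):
    """Read just the header of `path` and check it is a real shortcut file."""
    try:
        with open(path, "rb") as fh:
            return header_is_shell_link(fh.read(LNK_HEADER_SIZE))
    except OSError:
        return False


def find_lnk_payload_pairs(root):
    """Walk a mounted drive and return (directory, lnk_name, payload_name)
    for every genuine .lnk that sits beside an executable-like file."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        lnks = [n for n in filenames if n.lower().endswith(".lnk")]
        if not lnks:
            continue
        payloads = [n for n in filenames if os.path.splitext(n)[1].lower() in PAYLOAD_SUFFIXES]
        for lnk in lnks:
            # A .lnk extension without the header is not something Explorer will parse as a link.
            if not is_shell_link(os.path.join(dirpath, lnk)):
                continue
            for payload in payloads:
                findings.append((dirpath, lnk, payload))
    return sorted(findings)


def build_sample_drive(base):
    """Create a constructed directory tree mimicking a removable drive (sample data)."""
    layout = {
        "Pictures": {"Pictures.lnk": MINIMAL_LNK_HEADER, "helper.dll": b"MZ-stub"},   # flagged
        "Docs": {"readme.lnk": MINIMAL_LNK_HEADER, "notes.txt": b"hello"},            # no payload sibling
        "Other": {"fake.lnk": b"not a shortcut", "tool.exe": b"MZ-stub"},              # invalid header
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(base, folder), exist_ok=True)
        for name, content in files.items():
            with open(os.path.join(base, folder, name), "wb") as fh:
                fh.write(content)


def demo():
    """Build the sample drive in a temp dir, scan it, and return base-relative findings."""
    base = tempfile.mkdtemp(prefix="usb_scan_")
    build_sample_drive(base)
    return [(os.path.relpath(d, base), lnk, payload) for d, lnk, payload in find_lnk_payload_pairs(base)]


if __name__ == "__main__":
    for folder, lnk, payload in demo():
        print(f"suspicious pair in {folder}: {lnk} next to {payload}")
```

Point `find_lnk_payload_pairs` at the mount point of a newly inserted drive (for example from a udev or removable-media event hook) and treat any hit as a reason to quarantine the device before a user browses it in Explorer; the header check keeps renamed text files from producing noise, while the sibling check captures the pairing regardless of which parsing bug the shortcut is meant to trigger.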