• conciselyverbose@sh.itjust.works · 19 up, 1 down · 4 hours ago

    Did people think that not connecting to a network was a magic technique that prevented infections from being spread on USB drives if you move them back and forth?

    • JasonDJ@lemmy.zip · 18 up · edited · 3 hours ago

      It’s weird for the title to focus on the tools, and not the attack itself.

      Two attacks on production air-gapped networks, with different tools, from the same group, is pretty damn impressive. Especially for a group not backed by a nation-state.

      Edit: it sounds like this was a multi-stage attack…compromising a production non-air-gapped internal system and using that to create the USB payload and later exfiltration. That’s pretty cool. The mule who brought the infected USB into the air-gapped space was likely none the wiser…the media had been written by them, to their own USB, and probably even hardware encrypted at rest (something like an Apricorn).

    • specialseaweed@sh.itjust.works · 3 up · 3 hours ago

      No, but it’s a good start. The problem is that literally everyone would do it, from directors to the lowest-paid people on the job. EVERYBODY does it. We detected and blocked, so then they started hard-wire connecting to switches that they saw in offices. We had blocked those, so they started trying to connect to industrial switches out in the factories.

      It was maddening.

      • RubberDuck@lemmy.world · 1 up · 5 minutes ago

        But switches have all ports set to shut and open ports bound to the device connected… or is this not common?
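The port-hardening RubberDuck describes (unused ports shut, live ports bound to one device) can be audited from a config dump. This is an added example, not code from the thread; it assumes Cisco IOS-style syntax and a constructed sample config, and flags access ports that are up yet have no port-security MAC binding.

```python
"""Audit an IOS-style switch config for access ports that are up but not bound
to a device (no port-security MAC binding). Sample config is constructed."""
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description office-desk
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface GigabitEthernet1/0/2
 description spare
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/3
 description factory-floor
 switchport mode access
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for each stanza."""
    stanzas, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split()[1]
            stanzas[name] = []
        elif line.startswith(" ") and name:
            stanzas[name].append(line.strip())
        else:
            name = None  # '!' or any other top-level line ends the stanza
    return stanzas

def audit_ports(config):
    """Return access ports a walk-up device could plug into unchallenged:
    administratively up and without a port-security MAC binding."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks/uplinks are outside this check
        if "shutdown" in lines:
            continue  # shut port: the default RubberDuck describes
        bound = any(l.startswith("switchport port-security mac-address") for l in lines)
        if not ("switchport port-security" in lines and bound):
            findings.append(name)
    return findings
```

Only GigabitEthernet1/0/3 is reported: it is up, in access mode, and has no sticky or static MAC binding.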