New Malware Ramsay, Can Steal Data From Air-Gapped Computers

New Malware Ramsay, Can Steal Data From Air-Gapped Computers
 
     Sudais Asif posted a May 14. 2020 article to the cyber security and technology website, HackRead.com, with the title above. For the better part of two decades, government and corporate entities, and others — have ‘protected’ their most precious digital information on stand-alone, air-gapped computers. And, not surprising — cyber thieves have been devising creative and clever ways to successfully breach air-gapped computers, via drones, using the effluent heat from keyboards and so on. In the past couple of years, air-gap malware began to emerge, providing yet another digital gateway into where the ‘digital crown jewels’ are stored.
     The latest example of this air-gap malware Mr. Asif notes is “Ramsay, which has three different versions designed to steal different documents Including: Word, PDF, and Zip files, and then covertly transmit them back to the attackers,” though the method of the data exfiltrtation is still not yet known. The cyber security firm, ESET, who discovered Ramsay, noted that the malware is “complex and evolving.” For example Mr. Asif notes, later versions of Ramsay involve a “spreader component,” that is used to infect portable executable (PE) files that could be found on both portable and network shared drives.”
     ESET said they were unable to identify who or what nation-state was behind the development/deployment of this new air-gapped malware; but, noted that “there were similarities between Ramsay, and the Retro malware — which may hint at its common origins lying with a hacking group known as DarkHotel.”  DarkHotel, which was first observed in the wild in 2014, has been linked by some to a North Korean hacking group. DarkHotel selectively targeted high profile business leaders at major hotels, mostly in Asia — through the hotel’s WiFi network. But, the murky world of sophisticated malwre is a digital wilderness of mirrors; and, determining with certainty who is actually behind such a cyber offensive/attack is very difficult to do. Adding to the difficulty of deteming attribution, is the fact that industrial-grade, artificial intelligence empowered, stealth malware is available on the Dark Web, or elsewhere — if you have the right contacts and can afford it.
     Mordechai Guri, the Director of the Cyber Security Research Center at Ben Gurion University, has spent the last several years focusing on how cyber thieves covertly exfiltrate data from an air-gapped computer. In a February 16, 2018 article in WIRED.com, by Andy Greenberg, Mr. Guri explained how he and his team “invented one devious hack after another — that takes advantage of the accidental and little-noticed emissions of a computer’s components — everything from light, to sound, to heat.” Mr. Greenberg wrote that “Guri, and his fellow Ben Gurion researchers have shown, for instance, that it’s possible to trick a fully offline computer into leaking data to another nearby device via the noise its internal fan generates, by changing air temperatures in patterns that the receiving computer can detect with thermal sensors, or even blinking out a stream of information from a computer hard drive LED to the camera on a quadcopter drone hovering outside a nearby window. The Ben-Gurion team has even shown that they can pull data off a computer protected not only by an air gap; but, also a Faraday cage designed to block all radio signals.” That was in 2018, so you know the digital landscape has only gotten more vulnerable.
      “Guri’s work aims to show that once that infection has happened, hackers don’t necessarily need to wait for another traditional connection to exfiltrate stolen data,” Mr. Greenberg wrote. “Instead they can use more insidious means to leak information to nearby computers — often to malware on a smartphone, or another infected computer on the other side of the air gap.”
     “Guri’s team has “made a tour de force of demonstrating a myriad of ways that malicious code deployed into a computer can manipulate the [surrounding] physical environment, in order to exfiltrate secrets [or sensitive/proprietary data],” said Eran Tromer, a [technology] research scientist at Columbia University.  “Tromer,” Mr. Grennberg wrote, explained “that the team often tests their techniques on consumer hardware that’s more vulnerable than stripped-down machines built for high-security purposes.”  “Still,” Mr. Greenberg notes, “they [Guri’s team] get impressive results.”  “Within this game, answering this question of whether you can form an effective air gap to prevent intentional exfiltration, they’ve made a resounding case for the negative.”   
 
 A Magnetic Houdini 
 
        Back in early 2018, “Guri’s Ben-Gurion team revealed a new technique they call MAGNETO,” which Mr. Greenberg wrote. “Guri describes as the most dangerous yet of the dozen covert channels they’ve developed over the last four years. By carefully coordinating operations on a computer’s processor core to create certain frequencies of electrical signals, their malware can electrically generate a pattern of magnetic forces powerful enough to carry a small stream of information to nearby [unauthorized/hostile] devices.”  
     Mr. Greenberg wrorte that “Guri’s team went so far as to build an android app they call ODINI, named for the escape artist, Harry Houdini, to catch those signals using a [mobile] phone’s magnetometer, the magnetic sensor that enables its compass; and, remains active — even when the phone is in airplane mode.  Depending on how close the smartphone “bug” is to the target air-gapped computer, the team could exfiltrate stolen data at between one and forty bits a second — even at the slowest rate, fast enough to steal a password in a minute, or a 4,096-bit encryption key in a little over an hour,” [WIRED.com article has a video demonstrating the technique].
     Mr. Greenberg added that “plenty of other electromagnetic covert channel techniques, have in the past, used the radio signals generated by computer’s electromagnetism…to spy on their operations — the NSA’s decades-old implementation of the technique, which the agency called TEMPEST, has even been declassified.  But in theory,” he wrote, “the radio signals on which those techniques depend, would be blocked by metal shielding of Faraday cages around computers, or even entire Faraday rooms used in some secure environments.”
     “Guri’s technique, by contrast,” Mr. Greenberg wrote “communicates not via electromagnetically induced radio waves; but, with strong magnetic forces that can penetrate even those Faraday barriers, like metal-lined walls, or smartphone kept in a Faraday bag.”  “The simple solution to other techniques was simply to put the computer in a Faraday cage — and all the signals are jailed,” Guri told WIRED. “We haven’t shown it doesn’t work like that.”
Secret Messages, Drones, And Blinking Lights
     “For Guri, that Faraday-busting technique caps off an epic series of data heist tricks, some of which he describes as far more “exotic” than his latest,” Mr. Greenberg wrote.  “The Ben-Gurion team started, for instance, with a technique called Air-Hopper, which used a computer’s electromagnetism to transmit FM radio signals to a smartphone, a kind of modern update to the NSA’s TEMPEST technique. Next, they proved with a tool called BitWhisper, that the heat generated by a piece of malware manipulating a computer’s processor can directly — if slowly — communicate data to adjacent, disconnected computers,” [or maybe even a ‘hostile’ mobile phone that has been clandestinely placed  by a trusted insider, or a mico/miniature drone?]
     “In 2016,” Mr. Greenberg ended, “Guri’s team switched to acoustic attacks, showing they could use noise generated by a hard drive’s spinning, or a computer’s internal fan to send 15 to 20 bits per minute to a nearby smartphone.  The fan attack, they show in a video [on Mr. Greenberg’s article, works even when music is played nearby.”
     It is no surprise that cyber thieves and hostile digital sleuths have found a way to breach stand-alone, air-gapped systems.  After all, that’s where the digital ‘goods’ as a modern-day Willie Sutton might say.  And, the threat to air-gapped systems/networks has grown exponentially in the past decade.
     As Mr. Greenberg noted in a February 22, 2017 WIRED.com article, “an air-gap, in computer security, is sometimes seen as an impenetrable defense,” though, as you might guess, that is no longer the case, and hasn’t been for a least five years, if not more.  You build s better cyber mousetrap; and, the cyber thieves and others find a way to overcome the ‘impenetrable’ defense.  Remember, there wasn’t a single Medieval castle in Europe that wasn’t eventually breached or fatally compromised. “Malware like Stuxnet and the Agent.btz worm that infected American military systems over a decade ago, have proven that air-gapped systems can’t entirely keep motivated hackers [or a hostile intelligence organization] out of ultra-secret systems — even isolated systems need code updates, and new data, opening them to attackers with physical access.  And, once an air-gapped system is infected, “researchers have demonstrated a grab-bag of methods for extracting information from them — despite their lack of an Internet connection, from electromagnetic emanations to acoustic and heat signaling techniques — many developed by the new LED spying technique,” Mr, Greenberg wrote at the time.
     “But,” Mr. Greenberg warned in that same article, “exploiting the computer’s hard drive indicator LED, has the potential to be a stealthier, higher-bandwidth, and longer-distance form of air-gap-hopping communications.” “By transmitting data from a computer’s hard drive LED with a Morse Code-like patterns of on and off signals, the researchers found they could move data as fast as 4,000 bits a second, or close to a megabyte every half hour.  Fast enough to steal encryption keys in seconds,” Mr. Greenberg warned “And, the recipient could record those optical messages to decode them later; the malware can even replay its blinks on loop,” Guri says, “to ensure that no part of the [purloined] transmission goes unseen.” “The LED is always blinking as it’s doing searching, and indexing, so no one suspects, even in the night,” Mr. Guri added.  “It’s very covert actually,” he warned. I suspect that isn’t necessarily the case any more; but, probably still an issue. 
      Cyber thieves, spy agencies, corporate espionage, and so on — have really stepped up their game in the past decade; and, put major emphasis on breaching/compromising stand-alone computers and machines — because that’s where the real secrets were kept.  And, to a large degree, that’s still the case.  And, the tactics, techniques, and tools that are being employed to breach stand-alone systems has matured, gotten more sophisticated, elegant, and unfortunately…..successful.  AI-empowered. industrial grade stealth malware is no longer just for the ‘big boys.’ From stealing highly classified secrets such as the latest research and development on a weapon system, to getting highly lucrative and confidential mergers and acquisition intelligence and trading on that insider information on the various stock exchanges, cyber thieves have been successful in breaching stand-alone systems  — and, in some cases making themselves rich on insider information; or, stealing highly classified R&D on various weapons systems.  Chinae being the poster-child for the later — and, their behavior often referred to as ‘The Great Steal Ahead.’
     But, just as cyber thieves and hostile intelligence agencies have had some success penetrating or com;promising stand-alone machines, those charged with defending against a cyber breach have also gotten creative.  I suspect there may even be a stand-alone ‘honeypot,’ — designed to lure the adversary into thinking they have a stand-alone machine in their site, only to be led into a fake stand-alone, that by all appearances is genuine/looks loaded with material that looks like the motherload but is really a Trojan Horse, or worse.  Denial and deception in cyber space is alive, and thriving. 
     Are we at the stage yet where we can tag our data and follow the digital bread crumbs back to the point of origin?  If not, are we on a path to be able to do something like that in the not too distant future?  Like the exploding dye contained in money stolen in a robbery — can we yet; or, will we at some point in the near future — have exploding digital dye, that wreaks havoc on the adversary’s network when they return and download into their systems.  I suppose you could make sure you download to a stand-alone machine in order to prevent any large-scale, cascading damage. 
       I suspect we are also at the point, or have been where even a non-sophisticated cyber thief can buy his way into the big leagues — enabling them to breach and clandestinely exfiltrate the purloined data, —  either leaving  no digital trace behind; or, leaving behind clever digital clues that make it appear someone other than you, or your country/organization was responsible for the breach.
     And, if you can extract/download data from a stand-alone, remote, isolated machine, could you also insert fake/damaging data into the stand-alone network that would be very difficult to discern?  Clever, sophisticated, targeted, and deliberate corruption of highly sensitive data could cause a weapon to misfire; or, facilitate the adversary into doing something on the policy front — that you want them to do?  Sort of reminds me of Elliott Carver in the James Bond film, “The World Is Not Enough.”  
     The bottom line to all of this is:  Stand alone computers/machines/devices are no longer ‘safe’ from breach from outsiders — if they ever really were.  But, there is no doubt that the number of ways and methods that a stand-alone machine can be compromised  is growing — both in the number of ways, and the damage that can be inflicted. Maybe we are already, or soon will be, at a point where we have ‘armored clouds,’ and ‘armored stand-alone machines, as well as camouflage stand-alone machines, honeypot stand-alone machines, infected stand-alone machines, and so on.   
     And finally, how does artificially-enhanced, industrial-grade, stealth malware — which is beginning to surface — alter and change this threat in a more sinister and devastating way?  As Albert Einstein once said, “Imagination is more powerful than knowledge.”  V/R, RCP

40 comments

  1. Like!! Thank you for publishing this awesome article.

  2. Appreciation to my father who told me regarding this weblog, this web site is really awesome.|

  3. Love watching movies every morning !

  4. Love watching movies every morning !

Leave a Reply

Your email address will not be published. Required fields are marked *