MITRE ATT&CK: Replication through removable media
Introduction
The progression of information security has been heavily focused on the internet as the primary source of threats. What may be overlooked is the specter that was around during the early days of computing that has always been and remains with us — the threat posed by removable media. While information security measures and the technology used for removable media have evolved, the basic threat that this technique may pose must not be ignored.
This article will detail the replication through removable media technique from the MITRE ATT&CK matrix. We will also explore what MITRE ATT&CK is, tell you a little about replication through removable media, give some real-world examples of this technique and also offer tips for mitigation and detection.
What is MITRE ATT&CK?
MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organization capabilities to its knowledge base — including cybersecurity.
To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary techniques and tactics, based upon real-world observations. This information can then be used as the basis for the foundation of the development of threat models and methodologies for the cybersecurity product/service community, the private sector and government use.
More information on the MITRE ATT&CK matrix can be found here.
A little about replication through removable media
Attackers know about the early days of computing, where viruses and other threats were spread around by way of floppy disk and other removable media. Despite advancements in technology, new forms of removable media offer attackers an avenue into systems. This is complicated by autorun features present in most (especially Windows) systems that automatically execute when the media is inserted. Air-gapped systems are not safe from this technique if they have USB ports that have not been turned off with group policy.
This technique can be used at different points of an attack with surprising effectiveness. Initial access may occur through manual manipulation of the removable media or modification of the system that initially formatted it. When this technique occurs during the “lateral movement” phase of an attack, it may occur through malware that is renamed to trick an end user into thinking that the malware is legitimate. Regardless of the attack phase this technique is used in, it may prove to be a determinative factor in the phase’s success.
Real-world examples of replication through removable media
One of the most interesting things about this attack technique is the sheer diversity in how it can be used during an attack. As an information security professional, I would like to say that this technique is nothing more than when malware is present on a USB drive and makes its way onto a PC, but I would be lying. Rather, this technique is an amalgamation of creativity and resourcefulness with an array of methods to carry it out.
Below is a list of notable real-world examples of this attack technique.
Unknown Logger
This publicly-released freeware backdoor is an example of the most basic form of this technique. Known to be used by the attack group that launched the MONSOON campaign, Unknown Logger has the capability to spread to USB-connected devices.
Flame
This sophisticated toolkit has been around since 2010 and like most other examples of this technique, it affects only Windows systems. Flame contains two modules, Autorun Infector and Euphoria, both of which have the capability to infect USB devices and laterally move to other Windows systems by taking advantage of the Autorun feature.
Darkhotel
Darkhotel is an attack group that has been around since about 2004 and targets mainly hotel and business center Wi-Fi connections. This attack group uses a virus named Selective Infector that retrieves all available removable drives on the compromised system and infects all executable files it finds.
CHOPSTICK
CHOPSTICK is a family of modular backdoors that is used by the threat group APT28. CHOPSTICK has the capability to copy itself to USB drives to target air-gapped systems. Once on these air-gapped systems, these files command traffic and transfer information. What’s more, CHOPSTICK’s programming has revealed a flexible and lasting platform that indicates the attack group plans to use it for a long time.
Mitigation
Despite the versatility of this technique, mitigation techniques are readily available.
MITRE has forwarded the following mitigation recommendations:
- Disabling the Autorun feature: If your organization does not need to use the Autorun feature, it should be disabled. This will significantly impede this technique
- Limit hardware installation: The use of removable media and USB drives should be restricted as much as possible if it is not a necessary feature for your organization. This can be performed at the group policy level by disallowing removable media
Detection
Detection is possible for this attack technique. MITRE suggests the following detection measures:
- Monitor removable media file access
- Monitor for processes that execute from removable media after it has been initially mounted
- Actions occurring after this technique has been performed can also be readily detected. Monitor for opening network connections and network/system information discovery
Conclusion
Replication through removable media is a classic attack technique that has been around for decades. Not only can malware and other malicious files and executables be copied to removable media and installed on systems manually, malware and other maladies can insert themselves onto USB drives and sometimes infect other executables to make them malicious as well.
While this is still a serious threat to information security, mitigation and detection techniques are readily available and easy to implement against this age-old menace.
Sources
- Replication Through Removable Media, MITRE
- APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?, FireEye
- The Darkhotel APT: A Story of Unusual Hospitality, Kaspersky Content Hub
- Microsoft Security Intelligence Report Volume 19, Microsoft