The latest CIA documents released by WikiLeaks as part of the Vault 7 dump explain how a tool suite called Brutal Kangaroo can infect Windows machines on air-gapped networks by using USB drives.
HOW BRUTAL KANGAROO WORKS
A Brutal Kangaroo infection requires multiple steps. First, an Internet-connected computer in the targeted organization must be infected. Brutal Kangaroo utilizes four components to infect isolated computers and execute arbitrary code:
- Drifting Deadline is the thumbdrive infection tool. Advanced configurations provide flexibility and allow tailor-made solutions for cyber operations.
- Shattered Assurance is a server tool that is deployed to the Internet-connected computer and handles automated infection of thumbdrives remotely.
- Shadow is a stage two tool that is distributed across a closed network and acts as a covert command-and-control network and the primary persistence mechanism. Once multiple Shadow instances are installed and share USB drives, tasking and payloads can be sent back and forth.
- Broken Promise is the postprocessor in the back end and used to decrypt the collected data.
The primary execution vector used by the infected thumbdrives is a vulnerability in Windows that can be exploited by hand-crafted link files that load and execute programs without user interaction other than viewing them in Internet Explorer. Older versions of the tool suite used a mechanism called EZCheese, but a newer version called Lachesis/RiverJack seems to use a different link file vulnerability related to Windows' library-ms functionality.
How Brutal Kangaroo spreads
As we mentioned in a previous Vault 7 blog post, WikiLeaks’ Julian Assange promised to work with hardware and software vendors on fixing zero days disclosed in the Vault 7 leak before releasing more information about the flaws. Microsoft’s June Patch Tuesday, which was released nine days before the latest WikiLeaks dump, fixed 94 vulnerabilities, including 18 that were rated critical. One of those vulnerabilities is CVE-2017-8464 – LNK Remote Code Execution Vulnerability. This gave people and organizations time to update their machines before attackers read the CVE, researched the flaw and built a tool that exploited unpatched systems.
The leaked user guide was originally written on May 11, 2015, and revised on Feb. 23, 2016, and it deprecated older tools called EZCheese (a zero-day exploit until March 2015) and Emotional Simian, (available since August 2012), and were detailed in the leaks.
Cybereason Intelligence Group’s takeaways
This tool set combined with security incidents we have seen in recent years - including ones that target critical infrastructure, like the 2015 attack that took down the Ukraine power grid - prove that there is no 100 percent air-gapped network. Every system, including specialized ones, requires updates and patches, and, at some point, information has to be either fed in or pulled from the isolated network. The real challenge is establishing a level of network visibility that provides a highly detailed view of all activity.
Organizations, especially those with air-gapped networks, need to manually install the latest security updates from Microsoft’s June security update. This will prevent attackers from using the vulnerability outlined in the Brutal Kangaroo documents.
WikiLeaks seems to have stuck to its pledge to not release vulnerability details until after it contacted the vendor. A patch for the vulnerability outlined in the Brutal Kangaroo tool set was released 10 days before WikiLeaks publicly shared this information.