Cybercriminal efforts to threaten IT systems are constantly evolving. Among the techniques that we’ve seen this year are the injection of malicious code into thousands of ecommerce websites in order to steal personal data, and the use of LinkedIn to install spyware. What’s more, these techniques are working: the cost of cybercrime in 2018 was $45 billion.
Warshipping: a new attack vector
Now, researchers at IBM’s X-Force Red have developed a proof of concept (PoC) that could be the next step in cybercrime’s evolution. It is called warshipping, and it combines technical methods with a rather more traditional one: the postal service.
How warshipping works
Warshipping uses a disposable, low-cost, low-power computer to remotely perform close-proximity attacks, regardless of the cybercriminal’s location. It involves mailing a small device containing a modem with a 3G connection to the victim’s office. The modem means that the device can be controlled remotely.
With its onboard wireless chip, the device searches for nearby networks in order to track the package. Charles Henderson, head of IBM’s offensive operations unit, explains: “Once we see that a warship has arrived at the target destination’s front door, mailroom or loading dock, we are able to remotely control the system and run tools to either passively, or actively, attack the target’s wireless access.”
A warshipping attack
Once the warship is physically inside the victim’s organization, the device listens for wireless data packets that it can use to break into the network. It also listens for handshakes (the exchange that authenticates a client joining the Wi-Fi network) and sends this data back to the attacker over the cellular connection, so that they can crack it and recover the Wi-Fi password.
Using this Wi-Fi access, the attacker can move through the company’s network, seeking out vulnerable systems and exposed data, and stealing sensitive data or user passwords.
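Because the warship has to join the corporate WLAN before it can reach anything on the internal network, the moment it associates it shows up in the access point logs as a client the organization has never issued. The following script is an added example (not code from IBM X-Force Red or from Panda): it parses constructed association-log lines in a hypothetical controller format, checks each client MAC against an assumed asset inventory, and reports the unknown clients together with the access points they roamed between, which is exactly the mailroom-to-loading-dock pattern a defender would want to see early.

```python
"""Flag Wi-Fi clients that are not in the asset inventory.

Added example, not the page's or any vendor's code. The log format and the
inventory below are assumptions constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines in a hypothetical controller format:
# timestamp, event, client MAC, SSID, access point name.
SAMPLE_LOG = """\
2019-08-07 09:12:01 ASSOC 3c:22:fb:10:aa:01 CORP-WLAN AP-Floor2-East
2019-08-07 09:14:33 ASSOC 00:1a:2b:3c:4d:5e CORP-WLAN AP-Mailroom
2019-08-07 09:14:40 ASSOC 02:11:22:33:44:55 CORP-WLAN AP-Mailroom
2019-08-07 09:15:02 DISASSOC 3c:22:fb:10:aa:01 CORP-WLAN AP-Floor2-East
2019-08-07 09:20:17 ASSOC 02:11:22:33:44:55 CORP-WLAN AP-Loading-Dock
"""

# Constructed asset inventory: MAC addresses of devices the organisation issued.
KNOWN_ASSETS = {
    "3c:22:fb:10:aa:01": "laptop-0231",
    "00:1a:2b:3c:4d:5e": "printer-mailroom",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event>ASSOC|DISASSOC) (?P<mac>[0-9a-f:]{17}) "
    r"(?P<ssid>\S+) (?P<ap>\S+)$"
)


@dataclass(frozen=True)
class Association:
    ts: datetime
    mac: str
    ssid: str
    ap: str


def parse_log(text):
    """Return the ASSOC events in the log; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["event"] != "ASSOC":
            continue
        events.append(Association(
            ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            mac=m["mac"].lower(),
            ssid=m["ssid"],
            ap=m["ap"],
        ))
    return events


def unknown_clients(events, inventory):
    """Map each MAC absent from the inventory to the APs it joined, in order of
    appearance, so an analyst can see where the device has been moving."""
    seen = {}
    for ev in events:
        if ev.mac in inventory:
            continue
        seen.setdefault(ev.mac, []).append(ev.ap)
    return seen


if __name__ == "__main__":
    for mac, aps in unknown_clients(parse_log(SAMPLE_LOG), KNOWN_ASSETS).items():
        print(f"unknown client {mac} joined via {' -> '.join(aps)}")
```

In a real deployment the inventory would come from the asset or NAC database and the events from the wireless controller's syslog; the point of the check is that a device which first appears at the mailroom or loading dock and is not on the issued-asset list deserves a physical look before it has time to roam further.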
A threat with great potential
According to Henderson, this attack could well become a stealthy, effective insider threat: it is cheap, disposable, and can easily go unnoticed by the victim. What’s more, the attacker can orchestrate this threat from a great distance. With the volume of packages that pass through organizations’ mailrooms every day, it is easy to overlook some parcels.
One aspect that makes warshipping particularly dangerous is the fact that it can get around email protections that are in place to stop malware and other attacks getting in via attachments.
Shielding your company against this threat
Given that this is a physical vector over which we have no control, it may seem that there is nothing we can do to stop this threat. This is one case where being careful with emails and distrusting attachments won’t help. However, there are solutions that can stop it.
The control commands come from the warship itself, which means that the process receiving them is external to the organization’s systems. Panda Adaptive Defense automatically stops any unknown process on an IT system. A connection to the attacker’s C&C server made through the warship is a process that Adaptive Defense does not recognize; it will therefore be blocked and the system will stay safe.
For now, warshipping is just a proof of concept, and has not been used in any real attacks. However, cybercriminals’ incessant creativity means that it could become a reality.