Data Center Knowledge, June 2, 2020, with comments by Satya Gupta

An advanced cyber-espionage group is designing malware that can “jump” across air gaps, researchers say.

For years, teams have relied on air gapping from the Internet to keep networks protected from cyber criminals and the public Internet.

Being gapped from the Web keeps data in an isolated bubble. This includes even one’s private network. The practice, at least in theory, should protect sensitive operations from hackers and attacks like ransomware, a threat all organizations are battling.

Cracks Appearing in the Air-Gapped Armor

Cybersecurity managers must evaluate their setup and not take for granted that air gapping makes their situation safe. Sometimes air gapping isn’t enough, or it isn’t truly gapped from all outside access. Often it turns out other avenues of contact from outside the network exist and determined seekers can find them.

Researchers at ESET cybersecurity firm have discovered hackers who’ve designed malware that invades air-gapped networks. They hide malware in legitimate files and devices so it goes unnoticed. Data transfer can occur through files on removable drives that are transferred from one air gapped system to another, or via connected workstations.

The malware that’s being developed – Ramsay – starts in one air-gapped system and then spreads to others. An example of this malware was found on VirusTotal antivirus testing site, under development by an advanced group known for cyberespionage.

So far, not a lot of Ramsay victims have surfaced, and it’s not yet seen in large scale attacks. It’s involved in sneaky, advanced targeted attacks. But once it’s out of development, the scope could rapidly expand.

Air Gapping Used for Networks that Need Protecting Most

Critical infrastructure, highly sensitive data centers, intelligence agencies and military defense centers have air-gapped networks where they keep safeguarded backups. These days, such a precaution is especially necessary as a precautionary step in the event a ransomware attack happens.

These backups must be current and easy to access in case they’re needed, which makes them a prime hacker target. In hacker thinking, if backups are gone, ransomware victims are all the more pressured to pay. So malware that can jump an air gap is a handy malware indeed.

At this point in time, Ramsay isn’t transporting ransomware. But these hackers are sophisticated, nation-state level threat actors. And with the appeal of Ransomware-as-a-Service (RaaS) models, making Ramsay deliver ransomware as a feature can be envisioned.

The world’s most sophisticated hacking tools have already been released into the wild, thanks to the Shadow Brokers stealing the tools from the NSA years ago. That pattern has been replaying ever since. When nation states have mastered nefarious attacks, “everyday” cybercriminals have the ability to quickly follow suit.

If the Ramsay malware becomes mainstream, bad actors will be able to deliver even more threatening attacks.

Critical infrastructure Most Vulnerable

Data centers and operational networks in critical infrastructure systems could be especially vulnerable. Their systems are known to be running on dated software and their operations impact the public, typically thousands of people.

“A computing facility is vulnerable when a technician needs to do something on such a system,” said Satya Gupta, founder and CTO at Virsec Systems.

“A human often goes with their laptop to the operational technology environment and connects the laptop and starts working,” he told DCK. “Anything resident on that machine will cause problems in the OT. If they’re infected, it’s just like COVID-19. It’s all about the social distancing.”

What Can Companies Do to Protect Themselves?

ESET researchers recommend that data center operators keep a close eye on their removable drives. Because they can be connected manually to a network, for attackers, they are an obvious means of infiltration.  Security managers must always watch for situations where removable drives could be connected from a non-air gapped device or network. They can very easily transfer malware and infect a network instantly.

Infections happen because of human error. Users can be careless by using guessable passwords, handling transferrable drives, letting patches get out of date, or by getting lured by a phishing email.

If malware enters a system using DLL hijacking, it bypasses endpoint detection software. If it’s not caught then, it may never be until it’s too late. Researchers observed Ramsay malware is very adept at staying hidden and avoiding efforts to eradicate it.

Malware is often discovered when it sends signals back to its control system, but not so in this case. Researchers are still trying to figure out how Ramsay communicates back with its operators. When concerned about malware infections, security managers must make sure their air-gapped network isn’t exposed to endpoints or shared resources with Internet access. Any such connections undermine the purpose of air gapping.

All Systems Normal May Not Be As They Appear

Malware attacks these days have become successful in part because they occur when the system appears to be operating normally. Nothing stands out as being out of the ordinary. Malware can be fileless or it can fly under the radar by hitchhiking into a network on legitimate files.

The malware runs as part of a regular process –  the bad actors leverage normal files and processes, making them components of the attack. This is why so many antivirus and other detection software solutions miss sophisticated malware, including ransomware, completely.

The system runs normally until the malware infection is released, at which point it’s usually too late to prevent damage. Air gapped networks are no longer as safe as they once might have been. If air-gapping doesn’t mean complete isolation, then it’s not safe and shouldn’t be trusted.

Read full New Malware Makes Air-Gapped Data Center Networks Less Bulletproof article.

Further resources:

How the Shadow Brokers Have Permanently Changed the Cyberscape Landscape

Understand virsec in 3 minutes

EternalBlue reaching new heights since WannaCry outbreak

US Treasury Levies Sanctions Against North Korean Group Behind 2017 WannaCry Ransomware

Deep dive into NotPetya

Chinese Hacking Group, Buckeye, Used Stolen NSA Hacking Tools Ahead of Shadow BrokersÕ Leaks