An advanced cyberespionage group is designing malware that can “jump” across air gaps, researchers say.
“Air gapping,” or isolating certain systems by keeping them disconnected from the public internet, or any other networks, including your own, has for years been a gold-standard cybersecurity technique.
Air gaps keep cybercriminals away from sensitive data and keep backups safe from ransomware. They isolate operational technology so that data centers stay up and running no matter what is happening on the networks they house.
But it’s time for data center cybersecurity managers to take another look at their air-gapped systems and the processes they have set up around them. Air gapping on its own isn’t as bulletproof as it once was.
Even completely isolated networks need to have some contact with the outside world from time to time, and researchers at the cybersecurity firm ESET have found a group of hackers working on malware designed to infiltrate air-gapped networks by hitching rides on legitimate files and devices.
“Despite not being connected, data can be transferred in and out of such a network,” said Alexis Dorais-Joncas, security intelligence team leader at ESET. It is usually done via “removable drives going back and forth between the air-gapped system and a lower-privileged, fully connected workstation.”
Once this particular malware, called “Ramsay,” gets a foothold in an air-gapped system, it will spread to any other systems it can find, Dorais-Joncas said.
ESET researchers found Ramsay in samples uploaded to VirusTotal, the multi-engine malware scanning service, and the evidence in those samples points to an advanced cyberespionage group actively developing it.
“We have seen only very few victims, so Ramsay is not used in very widespread, large scale attacks,” he said. But that could be because it’s still under development – or because it’s used for very stealthy, sophisticated, targeted attacks.
Air Gaps Aren’t Just for Spy Agencies
Air gaps are typically used to protect the most sensitive data at the most critical institutions. But even data centers that don’t belong to military contractors or intelligence agencies may have air-gapped networks in place.
Isolated backups, for example, ensure there are good copies to restore from in case of ransomware attacks. But for a backup to be useful, it must be kept up to date and easily retrievable. That makes such backups attractive targets for hackers.
Since a victim is more likely to pay up if their backups are gone, ransomware groups are likely to invest some time and effort into malware that is smart enough to jump air gaps. After all, it’s enough for ransomware code to only travel one way.
Ramsay doesn’t appear to be used to deliver ransomware today. It appears to have been used by a very advanced group of threat actors – of nation-state level. But this can change on a dime.
“When it comes to threats, what nation-states can pull off today, cybercriminals will be able to pull off tomorrow,” said Daniel dos Santos, security researcher at Forescout Technologies. “The effect of commoditization of this kind of malware and its increasing propagation means barriers fall.”
“If this family of malware finds success I guarantee they start delivering more serious types of malware,” agreed McKade Ivancic, senior malware analyst at Optiv Security. “It’s small and in development, according to different sources, but it is definitely something to look out for.”
Data center operators often isolate operational networks that control power and cooling infrastructure.
How to Protect Yourself
ESET’s Dorais-Joncas recommended that data centers with air-gapped networks pay close attention to the removable drives that are allowed to be connected. “They are the most obvious way for an attacker to get in,” he said.
Security managers should also be on the lookout for the malware on the other, non-air-gapped networks that those removable drives get plugged into. Those networks will be the initial point of infection.
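One concrete way to act on that advice is to make every removable-drive transfer verifiable. The script below is an added example, not code from the article, from ESET or from any product: on the connected export workstation it writes a SHA-256 manifest of every file on the drive, and on the air-gapped side it re-hashes the drive and reports anything added, removed or changed in between, which is where a file-infecting implant riding on legitimate documents would show up. The drive letters, manifest file name and hash algorithm are this script’s own assumptions.

```powershell
# Added example (not from the article, ESET or any product): two-sided integrity
# check for files carried across an air gap on removable media.
# Assumptions: Windows PowerShell 4.0+ (Get-FileHash), manifest stored on the
# drive itself under the name below, SHA-256 as the hash.

$ManifestName = 'transfer-manifest.json'

function Get-DriveFileHashes {
    param([string]$Root)
    # -Force includes hidden files, which is where dropped payloads like to sit.
    Get-ChildItem -Path $Root -Recurse -File -Force |
        Where-Object { $_.Name -ne $ManifestName } |
        ForEach-Object {
            [pscustomobject]@{
                Path = $_.FullName.Substring($Root.Length).TrimStart('\')
                Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Export side (connected workstation): write the manifest next to the files.
function New-TransferManifest {
    param([string]$Drive)   # e.g. 'E:\'
    $entries = @(Get-DriveFileHashes -Root $Drive)
    ConvertTo-Json -InputObject $entries -Depth 2 |
        Set-Content -Path (Join-Path $Drive $ManifestName)
    return $entries.Count
}

# Import side (air-gapped host): compare the drive as it arrives with the
# manifest it carries. Returns one line per discrepancy; no output means the
# drive content is exactly what was exported.
function Test-TransferManifest {
    param([string]$Drive)
    $manifestPath = Join-Path $Drive $ManifestName
    if (-not (Test-Path $manifestPath)) { throw "No manifest on $Drive; refuse the drive." }
    $expected = @{}
    foreach ($e in @(Get-Content -Path $manifestPath -Raw | ConvertFrom-Json)) {
        $expected[$e.Path] = $e.Hash
    }
    $findings = @()
    foreach ($f in Get-DriveFileHashes -Root $Drive) {
        if (-not $expected.ContainsKey($f.Path)) {
            $findings += "ADDED    $($f.Path)"     # not present when the manifest was written
        } elseif ($expected[$f.Path] -ne $f.Hash) {
            $findings += "MODIFIED $($f.Path)"     # content changed: an infected PE or document lands here
        }
        $expected.Remove($f.Path)
    }
    foreach ($missing in $expected.Keys) { $findings += "MISSING  $missing" }
    return $findings
}

# Usage:
#   connected workstation:  New-TransferManifest -Drive 'E:\'
#   air-gapped host:        Test-TransferManifest -Drive 'E:\'
```

The check only proves that nothing changed after the manifest was written. If the export workstation is itself infected, the manifest simply describes already-infected files, which is why that workstation has to be clean in the first place and why, in a stricter setup, the manifest is signed or carried to the isolated side separately rather than on the same drive.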
All the basic cybersecurity hygiene must be maintained on the air-gapped systems as well.
Standard precautions alone may not be enough. For example, the malware uses DLL hijacking, which allows it to bypass endpoint protection software, said Luke Willadsen, security consultant at EmberSec.
DLLs, or dynamic link libraries, are shared code files that Windows programs load at run time. When an application asks for a DLL by name rather than by full path, Windows searches a fixed sequence of directories for it. If an attacker can put a file with that name in a directory that is searched earlier than the legitimate copy, or supply a DLL that the application looks for but that does not exist on the system (“phantom” DLL hijacking), the application loads the attacker’s code with its own privileges, and the malicious code runs inside a trusted, often allow-listed process.
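A practical check for this on a live host looks at what is already loaded rather than at the search order in the abstract. The script below is an added example and is not code from the article or from ESET: it walks the modules of every running process and flags the two conditions that make search-order hijacking possible, a DLL loaded from a directory that standard users can write to, and one DLL name resolved to different files in different processes. The trusted-directory list, the principals treated as “broad,” and the output format are this script’s own assumptions.

```powershell
# Added example (not from the article or ESET): audit loaded DLLs for hijack
# conditions. Run in an elevated PowerShell 3.0+ session; 32-bit modules inside
# 64-bit processes and protected processes cannot be enumerated and are skipped.

$TrustedRoots    = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$BroadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

function Test-WritableByUsers {
    param([string]$Directory)
    try { $acl = Get-Acl -Path $Directory -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Any of these rights lets a standard user drop a same-named DLL here.
        if ("$($ace.FileSystemRights)" -match '\b(Write|WriteData|CreateFiles|Modify|FullControl)\b') { return $true }
    }
    return $false
}

function Get-DllHijackFindings {
    $modules = foreach ($p in Get-Process) {
        try { $mods = $p.Modules } catch { continue }   # access denied / bitness mismatch
        foreach ($m in $mods) {
            if (-not $m.FileName) { continue }
            [pscustomobject]@{
                Process = $p.ProcessName; Pid = $p.Id
                Name    = $m.ModuleName.ToLowerInvariant(); Path = $m.FileName
            }
        }
    }
    $findings = @()

    # 1. Modules loaded from outside the trusted roots whose directory is user-writable.
    foreach ($m in $modules | Sort-Object Path -Unique) {
        $inTrusted = $TrustedRoots | Where-Object { $m.Path.StartsWith($_, 'OrdinalIgnoreCase') }
        if (-not $inTrusted -and (Test-WritableByUsers (Split-Path -Parent $m.Path))) {
            $findings += [pscustomobject]@{ Finding = 'UserWritableDir'; Process = $m.Process; Pid = $m.Pid; Path = $m.Path }
        }
    }

    # 2. One module name resolving to several different files: the classic sign
    #    that a copy earlier in the search order is shadowing the legitimate one.
    $collisions = $modules | Group-Object Name | Where-Object { @($_.Group.Path | Sort-Object -Unique).Count -gt 1 }
    foreach ($g in $collisions) {
        foreach ($m in $g.Group | Sort-Object Path -Unique) {
            $findings += [pscustomobject]@{ Finding = 'NameCollision'; Process = $m.Process; Pid = $m.Pid; Path = $m.Path }
        }
    }
    return $findings
}

Get-DllHijackFindings | Sort-Object Finding, Path | Format-Table -AutoSize
```

Expect noise: per-user installs under %LOCALAPPDATA% legitimately load DLLs from user-writable directories, so the useful comparison is against a baseline taken from a known-clean build of the same image. A phantom DLL, one the application asks for but that is absent, never appears in a module list at all; catching that needs file-system tracing (Sysmon or Process Monitor showing the failed lookups) rather than a snapshot of loaded modules.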
“If you don’t detect Ramsay’s initial exploitation and installation, you may never catch it, at least until security vendors have been able to successfully signature the malware with a high degree of success,” Willadsen said.
The Ramsay malware found by ESET has multiple ways of staying hidden and persisting through attempts to clear it out, Dave Shear, senior threat research engineer at Vigilante said.
“These tactics include phantom DLL hijacking, manipulation of scheduled tasks,” he said. “Later versions of the malware include rootkits to modify system files and remain persistent.”
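Scheduled tasks are easy to enumerate, so the manipulation Shear mentions can be hunted for directly. The script below is an added example, not code from the article or from any of the quoted researchers: it lists every task and reports the traits a persistence implant tends to have, namely an action that runs from outside the OS and Program Files directories, a living-off-the-land binary such as rundll32 or regsvr32 being handed a payload, a task marked hidden, or a task created recently. The trusted roots, the binary list and the 30-day threshold are this script’s own assumptions.

```powershell
# Added example (not from the article or the quoted researchers): scheduled
# task review for persistence traits. Requires the ScheduledTasks module
# (Windows 8 / Server 2012 or later) and an elevated session to see all tasks.

$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$LolBins      = @('rundll32.exe', 'regsvr32.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'powershell.exe', 'cmd.exe')

function Resolve-TaskExecutable {
    param([string]$Execute)
    # Strip quotes and expand %SystemRoot%-style variables so paths compare cleanly.
    $exe = [Environment]::ExpandEnvironmentVariables($Execute.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($exe)) {
        # A bare name is resolved through PATH at run time; use what PATH yields now.
        $cmd = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($cmd) { $exe = $cmd.Path }
    }
    return $exe
}

function Get-SuspiciousScheduledTasks {
    param([int]$NewerThanDays = 30)
    $cutoff = (Get-Date).AddDays(-$NewerThanDays)
    foreach ($task in Get-ScheduledTask) {
        $reasons = @()
        if ($task.Settings.Hidden) { $reasons += 'hidden' }
        if ($task.Date -and ([datetime]$task.Date) -gt $cutoff) { $reasons += "created $($task.Date)" }
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }   # COM-handler actions have no Execute
            $exe = Resolve-TaskExecutable $a.Execute
            $inTrusted = $TrustedRoots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
            if (-not $inTrusted) { $reasons += "runs outside trusted roots: $exe" }
            $leaf = (Split-Path -Leaf $exe).ToLowerInvariant()
            if ($LolBins -contains $leaf) { $reasons += "$leaf $($a.Arguments)" }
        }
        if ($reasons) {
            [pscustomobject]@{
                Task    = "$($task.TaskPath)$($task.TaskName)"
                RunAs   = $task.Principal.UserId
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousScheduledTasks | Format-Table -Wrap -AutoSize
```

Many built-in Windows tasks call rundll32 or PowerShell, so the output is a review list, not a verdict; diff it against the same query run on a clean reference build and investigate only the tasks that are new or changed. Where the Security log audits object changes, event 4698 (task created) gives the same signal at the moment it happens rather than on the next sweep.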
Malware is often discovered when it tries to communicate back to its command and control systems, but Ramsay has not been seen doing so. “It is not currently understood by researchers how the [Ramsay] malware communicates back to the threat actors,” said Shear.
The malware may hitchhike on a legitimate file that can still be opened and used as normal. Ramsay proves that air-gapped networks aren’t as air-gapped as we thought, Rui Lopes, director of engineering and technical support at Panda Security, said.
“Shared resources, even through internal networks, should not reach air-gapped systems, because Ramsay has proven it can reach them,” continued Lopes. “For a truly air-gapped system, data center managers need to isolate those networks entirely. The definition of an air-gapped network needs to become stricter.”
It may not be the most efficient use of resources, added Lopes, but it’s the only way to ensure the systems are safe. © Data Center Knowledge