Wi-Fi drones were used by hackers to penetrate a financial firm's network remotely

Cal Jeffrey

Why it matters: Hackers have a new attack vector they have been toying with over the last couple of years — drone penetration kits. Drones have become much more capable in the last several years, making them a viable option for covertly placing intrusion equipment near a network. Once confined to theoretical security research, hacking drones are now being found in the wild.

This week, The Register reported on a drone attack that happened over the summer. The compromised private investment firm kept the incident quiet but agreed to speak on it to security researchers under a nondisclosure agreement.

Network administrators discovered the company's internal Confluence page was exhibiting strange behavior within the local area network. Confluence is a web-based remote collaboration software developed by Atlassian.

While investigating the incident, security personnel discovered two drones on the roof of the building. One was a "modified DJI Matrice 600," and the other was a "modified DJI Phantom." The Matrice had crashed but was still operational, and the Phantom had landed safely.

The Matrice was outfitted with a penetration kit (pen kit) consisting of a Raspberry Pi, a GPD mini laptop, a 4G modem, a WiFi device, and several batteries. The Phantom carried a network penetration testing device developed by Hak5 called a WiFi Pineapple.

Security researcher Greg Linares, who spoke to the firm's IT team, said that the bad actors used the Phantom a few days before the attack to intercept an employee's WiFi traffic and credentials. They then loaded the stolen information into the Matrice drone's penetration equipment.

The Matrice drone compromised the company's Confluence page from the roof using the employee's MAC address and access credentials. The attackers poked around the Confluence logs attempting to steal more logins to connect to other internal devices but had "limited success."

The admins knew the network was under attack when they noticed the compromised employee's MAC address was logged in both locally and from his home several miles away. The security team isolated the WiFi signal and used a Fluke tester to trace and locate the device on the roof.
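The tell the admins spotted, one client identity present on the office WLAN and on a remote connection at the same time, is straightforward to check for in logs. The following is an added example, not code from the article or from the firm involved; the log format, the field names, the sample lines and the 10-minute window are all constructed assumptions.

```python
"""Flag a client MAC seen on the local WLAN and on the VPN within a short window.
Added example; log format, fields and sample data are constructed, not real."""
from datetime import datetime, timedelta

# Constructed sample lines: wireless-controller association events and VPN
# logins, both carrying the client's MAC address and the mapped username.
SAMPLE_LOGS = """\
2022-07-12T09:02:11 wlc assoc mac=aa:bb:cc:dd:ee:01 ap=roof-east user=jdoe
2022-07-12T09:03:40 vpn login mac=aa:bb:cc:dd:ee:01 src=203.0.113.45 user=jdoe
2022-07-12T09:05:02 wlc assoc mac=aa:bb:cc:dd:ee:02 ap=floor3 user=asmith
2022-07-12T13:15:00 vpn login mac=aa:bb:cc:dd:ee:02 src=198.51.100.7 user=asmith
"""

# Assumption: a genuine office-to-home move takes longer than this.
WINDOW = timedelta(minutes=10)


def parse(line):
    """Return (timestamp, log source, key=value fields) for one log line."""
    ts, source, _event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), source, kv


def find_dual_presence(log_text, window=WINDOW):
    """Return (mac, user, wlan_time, vpn_time) for every MAC that was on the
    local WLAN and on the VPN within `window`. A user who really commutes
    shows up hours apart; the cloned MAC in the story showed up together."""
    by_mac = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, source, kv = parse(line)
        entry = by_mac.setdefault(kv["mac"], {"wlc": [], "vpn": [], "user": kv.get("user")})
        entry[source].append(ts)
    hits = []
    for mac, seen in by_mac.items():
        for w in seen["wlc"]:
            for v in seen["vpn"]:
                if abs(w - v) <= window:
                    hits.append((mac, seen["user"], w, v))
    return hits


if __name__ == "__main__":
    for mac, user, w, v in find_dual_presence(SAMPLE_LOGS):
        print(f"ALERT {user} ({mac}): on local WLAN at {w} and on VPN at {v}")
```

The same correlation works with any two vantage points that should be mutually exclusive for one device, such as a badge-reader entry and a remote login.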

Linares said this is the third drone-based cyberattack he has seen in the last two years but says the attack vector still needs work. The only reason this one had some success was that the company was on a temporary network that wasn't fully secured.

"The attackers specifically targeted a limited access network, used by both a third-party and internally, that was not secure due to recent changes at the company (e.g. restructuring/rebranding, new building, new building lease, new network setup or a combination of any of these scenarios)," Linares told The Register.

Even on this weakened network, the attack still required weeks of "internal reconnaissance."

"This was definitely a threat actor who likely did internal reconnaissance for several weeks, had physical proximity to the target environment, had a proper budget, and knew their physical security limitations," Linares said.

Security researchers have experimented with drones since as early as 2011. At that time, commercially available drones were too weak to carry the required payloads. Their range was also so limited that the attacker would have to be on-site for an intrusion, defeating the purpose.

Today, drones are much more advanced and powerful, as seen in this example. Continued drone advancements and refinement of this attack vector could make it a more severe threat in the coming years.


sorten

Interesting idea. You can skip the trouble and risk of entering the building and heading to a bathroom or the lobby to perform the scans. A drone would be relatively anonymous. But in both scenarios, you're assuming a fairly unsophisticated target where insecure wireless is a problem.
 

Vanderlinde

You know that most Wifi networks < 6 and below are by default already unsafe? It can be cracked. Anything released and not upgraded to stronger standards is completely unsafe to use.

It's actually genius, using a drone to intercept a Wifi signal.
 

bviktor

And this is why most wireless networks are hot garbage.
Why? You can't penetrate a wired network? UTP is impenetrable? All it takes is a wire in the pipe, a cutter, and a crimping tool. Most buildings are easily accessible. If you think turning off WiFi solves the security issues of your LAN, you're in denial.
 

godrilla

Today exploits and vulnerabilities are upwards of a multi-billion-dollar business and growing, based on revenue made from the highest bidder. If profits are made from entities/corporations bidding on exploits, then these companies are hackers. The default position should be that everything can be hacked. Wireless can be considered the most vulnerable. Hackers love to exploit convenience. Imo, the more convenient something is, the more vulnerable it is.