Editor’s Note: With the growing concerns and challenges associated with data security in mind, the following four extracts on the insidious cyberattack technique called “warshipping” provide an explanation and describe the egregious nature of this attack to infiltrate corporate networks. The extracts and corresponding complete articles may be beneficial for developing a basic knowledge of this evolutionary tactic and helpful in understanding how to spot and protect against warshipping attacks.
Black Hat USA 2019: IBM X-Force Red Reveals New ‘Warshipping’ Hack To Infiltrate Corporate Networks
An extract from an article by Jeb Su (Forbes)
At the annual Black Hat cybersecurity conference happening this week in Las Vegas, Nevada, IBM’s X-Force Red presented in front of more than 19,000 security professionals from roughly 90 countries a new attack technique they’ve nicknamed “warshipping.”
Similar to wardriving, when you cruise a neighborhood scouting for Wi-Fi networks, warshipping allows a hacker to remotely infiltrate corporate networks by simply hiding inside a package a remote-controlled scanning device designed to penetrate the wireless network–of a company or the CEO’s home–and report back to the sender.
“The U.S. Postal Service processes and delivers 484.8 million mailpieces of first-class mail a day—roughly one-and-a-half mailpieces for every person in the U.S.—in a single day,” said Charles Henderson, the head of Big Blue’s offensive security team in a blog post yesterday. “What most people don’t realize is that some packages they receive may be looking to steal personal or confidential information. And the proliferation of e-commerce-related package deliveries is exactly what cybercriminals can exploit with a tactic IBM X-Force Red is calling ‘warshipping’.”
With Warshipping, Hackers Ship Their Exploits Directly to Their Target’s Mail Room
An extract from an article by Zack Whittaker (TechCrunch)
Why break into a company’s network when you can just walk right in — literally?
Gone could be the days of having to find a zero-day vulnerability in a target’s website, or having to scramble for breached usernames and passwords to break through a company’s login pages. And certainly, there will be no need to park outside a building and brute-force the Wi-Fi network password.
Just drop your exploit in the mail and let your friendly postal worker deliver it to your target’s door.
This newly named technique — dubbed “warshipping” — is not a new concept. Just think of the traditional Trojan horse rolling into the city of Troy, or when hackers drove up to TJX stores and stole customer data by breaking into the store’s Wi-Fi network. But security researchers at IBM’s X-Force Red say it’s a novel and effective way for an attacker to gain an initial foothold on a target’s network.
“It uses disposable, low cost and low power computers to remotely perform close-proximity attacks, regardless of the cyber criminal’s location,” wrote Charles Henderson, who heads up the IBM offensive operations unit.
New Threat to Companies: Warshipping
An extract from an article by Linn Foster Freedman (Robinson + Cole)
It is so hard to keep up with the latest ways the bad guys try to infiltrate company data. One new technique is called warshipping, and its implementation is pretty simple and a little old school.
IBM X-Force Red investigated the technique to give its customers an idea of the newest threats to enterprise systems. The warshipping technique gets past the firewall, spam filter, and other tools that are placed on the perimeter of a company’s system because it comes old-school—often in a package delivered to the lobby of your office. So you can have all the sophisticated tools that are available in the market, and this threat sneaks right in through the U.S. mail or via a package delivery company.
The intruder places a tiny, low-cost, low-power, “computer” (essentially a processor chip and a few other electronic components) in a package that is shipped to the company. The device is remote controlled and is powered by a telephone battery. The IBM researchers were able to manipulate the devices so they went off when not in use, and on when in use. They used an IoT modem to follow the devices in transit and to communicate with them when they were on.
Package Delivery! Cybercriminals at Your Doorstep
An extract from an article by Charles Henderson (IBM)
So, What is Warshipping?
Warshipping is the evolution of artifact hacking methods such as wardialing and wardriving. These are all techniques that allow cybercriminals to infiltrate a network remotely. In the 1980s and 1990s, the age of dial-up internet, cybercriminals used wardialing to gain unauthorized access to networks by systematically calling a block of numbers until they landed on a weak system that they then could attack.
More recently, wardialing has been set aside for wardriving, the technique used behind the major TJX breach in 2005. By wardriving, the culprits drove around parking lots of TJX stores in Miami with basic wireless hardware in hand (and a full tank of gas), successfully infiltrating the corporate network and stealing tens of millions of customer data records, ultimately costing the company nearly $2 billion in financial losses associated with the breach.
The wardialing and wardriving techniques have limitations, however. These limitations include the amount of time it takes to perform wardialing and the suspicions that arise when a car is detected circling a block hundreds of times with an auspicious antenna and laptop in view.
Warshipping counters these limitations in many ways by using disposable, low-cost and low-power computers to remotely perform close-proximity attacks, regardless of a cybercriminal’s location. Adding to that, warshipping increases target accuracy dramatically. An attacker could control the device from the comfort of their home anywhere in the world. All a malicious actor needs to do is hide a tiny device (similar to the size of a small cell phone) in a package and ship it off to their victim to gain access to their network. In fact, they could ship multiple devices to their target location thanks to low build cost. The device, a 3G-enabled, remotely controlled system, can be tucked into the bottom of a packaging box or stuffed in a child’s teddy bear (a device no bigger than the palm of your hand) and delivered right into the hands or desk of an intended victim.