A recent leak from the CIA's Vault 7 cache, Brutal Kangaroo, has been deemed a dangerous threat to even air-gapped...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
computers not connected to the internet. How does Brutal Kangaroo work?
The information security community continues to learn about previously unknown tools, vulnerabilities and techniques from leaks from U.S. intelligence agencies, such as the NSA and the more recent CIA Vault 7 cache.
Malware authors and threat actors along with enterprise defenders will often analyze these tools to determine how to incorporate the new information into their existing attack tools and techniques. The Brutal Kangaroo hacking tool suite is one of those tools that threat actors could adapt for their own attacks.
As reported by WikiLeaks, Brutal Kangaroo features a malicious USB drive preloaded with custom malware set to auto-run when plugged into a target computer. It could be used to attack a network not connected to the internet by first infecting a system as the target and then infecting every USB device plugged into the compromised system. The reasonable expectation is that, eventually, one of the infected USB devices will be connected to the air-gapped system, infecting that network.
Brutal Kangaroo could abuse auto-run features via Windows or a Windows shell/LNK vulnerability, and can auto-install a malicious driver or infect the local system in another way in which administrative access could be gained through a local privilege escalation vulnerability.
Once the malware runs on the system, it operates much like other malware to completely infect the system; however, it takes another component of the Brutal Kangaroo kit to set up a command-and-control channel and scan the local network.
The previous guidance for protecting against targeted attacks using USB drives could potentially be used to protect against Brutal Kangaroo. If systems don't need USB connections, or if those connections pose risks to high-value systems, then administrators should disable them.
Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Dig Deeper on Emerging cyberattacks and threats
Related Q&A from Nick Lewis
Kaspersky Lab recently accused Windows 10 of acting as an antivirus block to third-party antimalware software. Discover how your software is being ...continue reading
QakBot malware triggered hundreds of thousands of Microsoft Active Directory account lockouts. Discover the malware's target and how these attacks ...continue reading
A OneLogin data breach affected all of the company's U.S. customers after threat actors abused an Amazon Web Services API. Discover what this means ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.