A recent leak from the CIA's Vault 7 cache, Brutal Kangaroo, has been deemed a dangerous threat to even air-gapped computers not connected to the internet. How does Brutal Kangaroo work?
The information security community continues to learn about previously unknown tools, vulnerabilities and techniques from leaks from U.S. intelligence agencies, such as the NSA and the more recent CIA Vault 7 cache.
Malware authors and threat actors along with enterprise defenders will often analyze these tools to determine how to incorporate the new information into their existing attack tools and techniques. The Brutal Kangaroo hacking tool suite is one of those tools that threat actors could adapt for their own attacks.
As reported by WikiLeaks, Brutal Kangaroo features a malicious USB drive preloaded with custom malware set to auto-run when plugged into a target computer. It could be used to attack a network not connected to the internet by first infecting a system as the target and then infecting every USB device plugged into the compromised system. The reasonable expectation is that, eventually, one of the infected USB devices will be connected to the air-gapped system, infecting that network.
Brutal Kangaroo could abuse auto-run features via Windows or a Windows shell/LNK vulnerability, and can auto-install a malicious driver or infect the local system in another way in which administrative access could be gained through a local privilege escalation vulnerability.
Once the malware runs on the system, it operates much like other malware to completely infect the system; however, it takes another component of the Brutal Kangaroo kit to set up a command-and-control channel and scan the local network.
The previous guidance for protecting against targeted attacks using USB drives could potentially be used to protect against Brutal Kangaroo. If systems don't need USB connections, or if those connections pose risks to high-value systems, then administrators should disable them.
Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)