A recent leak from the CIA's Vault 7 cache, Brutal Kangaroo, has been deemed a dangerous threat to even air-gapped computers not connected to the internet. How does Brutal Kangaroo work?
The information security community continues to learn about previously unknown tools, vulnerabilities and techniques from leaks from U.S. intelligence agencies, such as the NSA and the more recent CIA Vault 7 cache.
Malware authors and threat actors, along with enterprise defenders, often analyze these tools to determine how to incorporate the new information into their existing tools and techniques. The Brutal Kangaroo hacking tool suite is one of those tools that threat actors could adapt for their own attacks.
As reported by WikiLeaks, Brutal Kangaroo features a malicious USB drive preloaded with custom malware set to auto-run when plugged into a target computer. It could be used to attack a network not connected to the internet by first infecting a target system and then infecting every USB device plugged into that compromised system. The reasonable expectation is that, eventually, one of the infected USB devices will be connected to the air-gapped system, infecting that network.
Brutal Kangaroo could abuse Windows AutoRun features or a Windows shell/LNK vulnerability, and can then auto-install a malicious driver or infect the local system in some other way, gaining administrative access through a local privilege escalation vulnerability.
Once the malware runs on the system, it operates much like other malware to completely infect the system; however, it takes another component of the Brutal Kangaroo kit to set up a command-and-control channel and scan the local network.
The previous guidance for protecting against targeted attacks using USB drives also applies to Brutal Kangaroo. If systems don't need USB connections, or if those connections pose risks to high-value systems, then administrators should disable them.
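The guidance above can be audited and enforced with the following PowerShell script, an added example that is not part of the original answer. It checks the documented registry settings behind three Windows controls (the USBSTOR mass-storage driver, the AutoRun policy for all drive types, and the "deny all removable storage" policy); the `$Enforce` switch and the output shape are this example's own choices, and it must be run in an elevated session.

```powershell
# Added example (not from the original article): audit the Windows settings that block
# the vectors named in the answer, USB mass storage and AutoRun, and optionally enforce
# them. Registry paths are the documented policy locations; $Enforce is our own switch.
param([switch]$Enforce)

$checks = @(
    @{ Name = 'USBSTOR service disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Key  = 'Start'; Want = 4 },        # 4 = SERVICE_DISABLED
    @{ Name = 'AutoRun disabled for all drive types'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Key  = 'NoDriveTypeAutoRun'; Want = 0xFF },
    @{ Name = 'Removable storage denied by policy'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
       Key  = 'Deny_All'; Want = 1 }
)

foreach ($c in $checks) {
    # Read the current value; a missing key or value yields $null, which is non-compliant
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue).($c.Key)
    $compliant = ($current -eq $c.Want)

    if (-not $compliant -and $Enforce) {
        # Create the policy key if it does not exist yet, then set the hardened value
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Key -Value $c.Want -Type DWord
        $compliant = $true
    }

    # One row per control so the result can be piped to Format-Table or exported
    [pscustomobject]@{
        Check     = $c.Name
        Current   = $current
        Wanted    = $c.Want
        Compliant = $compliant
    }
}
```

Disabling USBSTOR only affects mass-storage devices, so USB keyboards and mice keep working; already-mounted drives are blocked from the next insertion onward.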
Related Q&A from Nick Lewis