A recent leak from the CIA's Vault 7 cache, Brutal Kangaroo, has been deemed a dangerous threat to even air-gapped computers not connected to the internet. How does Brutal Kangaroo work?
The information security community continues to learn about previously unknown tools, vulnerabilities and techniques from leaks from U.S. intelligence agencies, such as the NSA and the more recent CIA Vault 7 cache.
Malware authors and threat actors, along with enterprise defenders, often analyze these tools to determine how to incorporate the new information into their existing attack tools and techniques. The Brutal Kangaroo hacking tool suite is one of those tools that threat actors could adapt for their own attacks.
As reported by WikiLeaks, Brutal Kangaroo features a malicious USB drive preloaded with custom malware set to auto-run when plugged into a target computer. It could be used to attack a network not connected to the internet by first infecting a system within the target organization and then infecting every USB device plugged into the compromised system. The reasonable expectation is that, eventually, one of the infected USB devices will be connected to the air-gapped system, infecting that network.
Brutal Kangaroo could abuse Windows auto-run features or a Windows shell/LNK vulnerability, and it can auto-install a malicious driver or infect the local system in another way, gaining administrative access through a local privilege escalation vulnerability.
Once the malware runs on the system, it operates much like other malware to completely infect the system; however, it takes another component of the Brutal Kangaroo kit to set up a command-and-control channel and scan the local network.
The previous guidance for protecting against targeted attacks using USB drives could potentially be used to protect against Brutal Kangaroo. If systems don't need USB connections, or if those connections pose risks to high-value systems, then administrators should disable them.
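The following PowerShell script is an added example and is not part of the original Q&A or of any CIA tooling: it audits, and optionally applies, the Windows settings that the guidance above refers to, so an administrator can see the weak default state beside the hardened one. The registry paths and values are documented Windows settings (the USBSTOR service start type, the NoDriveTypeAutoRun policy value, and the "All Removable Storage classes: Deny all access" policy); the function names are this example's own.

```powershell
# Added example, not from the original Q&A. Audits and hardens the Windows
# settings that USB-borne infection of the kind described above relies on:
# the USB mass-storage driver, AutoRun/AutoPlay, and removable storage access.
# Registry paths are documented Windows settings; function names are this
# example's own. Run from an elevated PowerShell session.

$UsbStorKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$ExplorerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$RemStorKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-RemovableStoragePosture {
    # USBSTOR Start: 3 = load on demand (the weak default), 4 = driver disabled.
    $start   = Get-RegValue $UsbStorKey 'Start'
    # NoDriveTypeAutoRun: 0xFF turns AutoRun off for every drive type.
    $autorun = Get-RegValue $ExplorerKey 'NoDriveTypeAutoRun'
    # Deny_All = 1 is the "All Removable Storage classes: Deny all access" policy.
    $denyAll = Get-RegValue $RemStorKey 'Deny_All'

    [pscustomobject]@{
        UsbMassStorageDisabled = ($start -eq 4)
        AutoRunDisabled        = ($autorun -eq 0xFF)
        RemovableStorageDenied = ($denyAll -eq 1)
    }
}

function Set-RemovableStorageBlocked {
    # Weak state: Start=3, AutoRun partly enabled, no deny policy.
    # Hardened state written here: driver disabled, AutoRun off, deny-all policy set.
    foreach ($key in @($ExplorerKey, $RemStorKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path $UsbStorKey  -Name 'Start'              -Value 4    -Type DWord
    Set-ItemProperty -Path $ExplorerKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    Set-ItemProperty -Path $RemStorKey  -Name 'Deny_All'           -Value 1    -Type DWord
}

# Usage: report first; uncomment the second line on hosts that do not need USB storage.
Get-RemovableStoragePosture | Format-List
# Set-RemovableStorageBlocked; Get-RemovableStoragePosture | Format-List
```

Two practical notes: the deny-all policy and the disabled driver are the stronger controls, because a drive that is never mounted cannot deliver either an auto-run payload or a malicious LNK file, whereas turning off AutoRun alone addresses only the first vector. Some of these settings take effect only for devices plugged in after the change (reboot to be sure), and on domain-joined hosts Group Policy will overwrite locally set values, so apply them centrally through the corresponding policy settings rather than per machine.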
Related Q&A from Nick Lewis