The latest leak from the Vault 7 cache of CIA hacking tools could be a threat to air-gapped computers if hackers successfully reverse-engineer it and pull off a USB attack.
According to WikiLeaks, which released details of -- but no code for -- the Brutal Kangaroo USB malware as part of its Vault 7 leaks, the method of compromise used by this tool could be compared to Stuxnet.
"Brutal Kangaroo is a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumb drives," WikiLeaks wrote in its description. "Brutal Kangaroo components create a custom covert network within the target closed network [by] providing functionality for executing surveys, directory listings, and arbitrary executables."
Jake Williams, founder of consulting firm Rendition InfoSec in Augusta, Ga., studied the released documents and said this USB malware could be quite dangerous.
"Brutal Kangaroo uses a number of different vectors to gain execution, but it's important to note that most do not require the user to open any files. The user only needs to plug in the USB drive and view the contents of the drive in the Windows GUI -- a default action on many machines when a USB is plugged in," Williams told SearchSecurity. "From there, the malware can execute any arbitrary malware that is loaded on the USB, giving the attacker fairly unlimited capabilities wherever the USB is plugged in."
It is unclear what vulnerability or vulnerabilities are exploited by Brutal Kangaroo, but WikiLeaks said an older version of the tool exploited a similar link file vulnerability that Microsoft fixed in the March 2015 Patch Tuesday.
The timing of this announcement also led to speculation regarding a LNK file vulnerability addressed in the June 2017 Patch Tuesday, but Williams said it was unlikely Brutal Kangaroo used this flaw, though a malicious actor could use the patch to craft a similar attack.
"Now that Microsoft has released the patch for this new LNK exploit, nation-state attackers will doubtlessly reverse-engineer the patch and create [a] LNK exploit for their own use," Williams said. "This is especially damaging with an exploit like this one, which will likely be used to target air-gapped machines. Because they are not connected to the internet, these machines cannot automatically download patches, and must be manually patched by administrators."
USB malware delivery
The delivery method of Brutal Kangaroo requires an unsuspecting user to insert an infected USB drive into a target computer. While users are increasingly being taught not to trust strange USB drives, which reduces the danger of widespread use, Williams said USB malware attacks can still be successful more than some might think.
Jake Williamsfounder, Rendition InfoSec
"People want to be helpful in many cases. By inserting the drive, they hope to find something that points them back to the owner. In other cases, they are just curious about what might be on the USB," Williams said. "In the case of air-gapped networks, system admins and network operators have to move data to the air-gapped side, and USB is a common way to do that."
Williams reiterated that Brutal Kangaroo was especially dangerous in this context because, "You don't have to open anything on the USB to be exploited. Just inserting the USB and viewing the file names is enough to get you exploited."
"Organizations should examine their threat models and determine how they will deal with this threat," Williams said. "While most U.S.-based businesses do not need to worry about an infection from Brutal Kangaroo specifically, it is wise to presume that other nation-state actors have similar capabilities, and [to] determine how your organization will defend against this threat."
Learn the truth about USB malware and safety best practices
Find out best practices for implementing an enterprise network air gap system
Get info on the hacking group history connected to the CIA's Vault7