Author Topic: Cycldek: Bridging the (air) gap  (Read 587 times)
btc_angela (OP), Hero Member
June 04, 2020, 11:29:33 AM, #1
Merited by ABCbits (1), DdmrDdmr (1)

There is a new threat now that has the capability to target air-gapped systems. As we all know, most of us, or at least some recommendations, say that an air-gap wallet is secure. Of course there are ways to infiltrate an air gap, like Meet USBee, the malware that uses USB drives to covertly jump airgaps.

According to Kaspersky:

Quote
Two implants, two clusters - named BlueCore and RedCore

When inspecting the NewCore RAT malware delivered during the various attacks we investigated, we were able to distinguish between two variants. Both were deployed as side-loaded DLLs and shared multiple similarities, both in code and behavior. At the same time, we noticed differences that indicate the variants could have been used by different operators.

Info stealing and lateral movement toolset

During the analysis, we were able to observe a variety of tools downloaded from both BlueCore and RedCore implants used for either lateral movement in the compromised networks or information stealing from infected nodes. There were several types of these tools – some were proprietary and formerly unseen in the wild; others were pieces of software copied from open-source post-exploitation frameworks, some of which were customized to complete specific tasks by the attackers.

As in the cases of RedCore and BlueCore, the downloaded tools were all invoked as side-loaded DLLs of legitimate signed applications. Such applications included AV components like wsc_proxy.exe (Avast remediation service), qcconsol.exe and mcvsshld.exe (McAfee components), as well as legitimate Microsoft and Google utilities like the resource compiler (rc.exe) and Google Updates (googleupdate.exe). These tools could be used in order to bypass weak security mechanisms like application whitelisting, grant the malware additional permissions during execution or complicate incident response.

As already mentioned, the bulk of these tools are common and widespread among attackers, sometimes referred to as living-off-the-land binaries, or LOLbins. Such tools can be part of open-source and legitimate software, abused to conduct malicious activities. Examples include BrowserHistoryView (a Nirsoft utility to obtain browsing history from common browsers), ProcDump (Sysinternals tools used to dump memory, possibly to obtain passwords from running processes), Nbtscan (command line utility intended to scan IP networks for NetBIOS information) and PsExec (Sysinternals tools used to execute commands remotely in the network, typically used for lateral movement).

https://securelist.com/cycldek-bridging-the-air-gap/97157/



Based on the article, though, it's more of an espionage spy tool. However, I won't be surprised if this is going to be delivered to attack cryptocurrency users as well. So we might as well think of air-gap as the 'best solution' right now. So everyone should be very careful, as hackers are really advancing.

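The quoted report's core technique is a legitimate signed executable (wsc_proxy.exe, qcconsol.exe, mcvsshld.exe, rc.exe, googleupdate.exe) loading an attacker-supplied DLL from its own directory. As an added, defender-side example (not code from the Kaspersky report or from any poster in this thread), this Python sketch applies that indicator to constructed Sysmon-style image-load records; the host list is the one the quote names, while the event field names and the user-writable path hints are assumptions.

```python
"""Flag DLL side-loading by the signed host binaries named in the Cycldek write-up."""
import ntpath  # parse Windows paths correctly even when run on Linux/macOS

# Legitimate signed executables the report says were abused as side-loading hosts.
SIDELOAD_HOSTS = {"wsc_proxy.exe", "qcconsol.exe", "mcvsshld.exe",
                  "rc.exe", "googleupdate.exe"}
# Path fragments suggesting the host was copied somewhere user-writable (assumed list).
USER_WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\temp\\")

# Constructed Sysmon-style ImageLoad (Event ID 7) records; field names are assumed.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Avast Software\Avast\wsc_proxy.exe",   # benign
     "ImageLoaded": r"C:\Program Files\Avast Software\Avast\wsc.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\Public\wsc_proxy.exe",                          # side-load
     "ImageLoaded": r"C:\Users\Public\wsc.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", # benign
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\rc.exe",               # side-load
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\rcdll.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Tools\myapp.exe",                                     # not a listed host
     "ImageLoaded": r"C:\Tools\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

def sideload_reasons(event):
    """Return the indicators found for one image-load event ([] means nothing to flag)."""
    host = ntpath.basename(event["Image"]).lower()
    if host not in SIDELOAD_HOSTS:
        return []
    host_dir = ntpath.dirname(event["Image"]).lower()
    dll_dir = ntpath.dirname(event["ImageLoaded"]).lower()
    signed_ok = (event.get("Signed", "false").lower() == "true"
                 and event.get("SignatureStatus") == "Valid")
    reasons = []
    # The Windows loader searches the host's own directory first, so an unsigned
    # DLL placed beside a signed host is the core side-loading indicator.
    if not signed_ok and dll_dir == host_dir:
        reasons.append("unsigned DLL loaded from the host's own directory")
    if any(hint in host_dir for hint in USER_WRITABLE_HINTS):
        reasons.append("signed host running from a user-writable location")
    return reasons

def find_sideloads(events):
    """Return (host image, loaded DLL, reasons) for each event that looks like side-loading."""
    return [(ev["Image"], ev["ImageLoaded"], r)
            for ev in events if (r := sideload_reasons(ev))]
```

On the constructed records only the two copies of signed hosts running from user directories are flagged; the vendor-installed Avast and Google binaries loading signed DLLs are not.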
Baofeng, Legendary
June 04, 2020, 11:02:07 PM, #2

There are still a lot of options though; yes, an air-gap wallet is good, but we also have:

1. Hardware wallet
2. Paper wallet

Not every system is really secure though, but the reasoning is that once you have created an air-gap wallet you shouldn't use it online or connect it to the internet, because that would defeat the purpose. But this is an interesting mode of attack; it is very sophisticated, to say the least.

hatshepsut93, Legendary
June 05, 2020, 08:42:48 AM, #3
Merited by hugeblack (2), ABCbits (1)

Quote

Of course there are ways to infiltrate air gap like Meet USBee, the malware that uses USB drives to covertly jump airgaps.

All these high-tech spy gadgets are not a threat to regular users. No thief will go through this complicated route of pwning your cold storage if they can just do a $5 wrench attack.

Quote

2. Paper wallet

A paper wallet is not a real wallet; you can't send transactions from a piece of paper. In order to do so you'll need to scan the private key and use it with some software wallet.


Bitcoin cold storage setups use Linux, so they are already less likely to encounter malware, but they can also use the amnesiac features of an OS like Tails to make it impossible for malware to steal private keys, unless there are some serious vulnerabilities in those OSes.

bob123, Legendary
June 06, 2020, 11:50:31 AM, #4
Merited by btc_angela (1)

Quote

Stealing through USB drives is nothing new; it'd be different if it used an audio medium (fan, speaker, etc.) or the monitor, which usually only happens in movies.

Quote

Or even the power supply, using probes connected to the PC and the electric control box.

Malware exists for all of these types already (power supply, speaker, hard drive LEDs, monitor used to emit radio frequency waves, ...).



OP, if you are interested in bridging the air gap, take a look at the ANT catalog from the NSA (leaked via WikiLeaks):




bob123, Legendary
June 07, 2020, 08:49:05 AM, #5

Quote

Use QR codes and an optical path instead to hand it over, and you'll always be on the safe side.

No. You are never "always on the safe side".
There are multiple ways to infiltrate an air-gapped system.
And there are even more ways to exfiltrate data from such systems. Using a flash drive is just the easiest one. Using the cable of the monitor to emit radio waves is one example. Those radio waves can be received by any mobile phone with an integrated FM receiver.
Malware does exist to do so. There are PoCs available for that. Studies are being done in this field.

You will never achieve being always safe.
The goal is to increase the security as much as possible, not to have a completely secure setup, because that is not possible.

hatshepsut93, Legendary
June 07, 2020, 09:46:57 AM, #6
Merited by ABCbits (1)

Quote

No. You are never "always on the safe side".
There are multiple ways to infiltrate an air-gapped system.
And there are even more ways to exfiltrate data from such systems. Using a flash drive is just the easiest one. Using the cable of the monitor to emit radio waves is one example. Those radio waves can be received by any mobile phone with an integrated FM receiver.
Malware does exist to do so. There are PoCs available for that. Studies are being done in this field.

You will never achieve being always safe.
The goal is to increase the security as much as possible, not to have a completely secure setup, because that is not possible.

It's cool to discuss the theory of things like that, but in practice almost all users will never encounter such attacks. If you have basic security literacy, i.e. not installing untrusted software on your PC, then the odds of getting any malware are already low, the odds of getting these types of malware that target airgaps are even lower, and then you also need to get malware on your phone, and all this malware has to be compatible with the OSes that you are using.

Users are more likely to lose their coins due to a storage failure, an accident, a robbery and so on. Airgap-jumping malware should be somewhere at the back of the list of things to worry about, together with quantum computers.

bob123, Legendary
June 08, 2020, 09:09:11 AM, #7

Quote

All those "acoustic, seismic, magnetic, thermal" and so on described by Wikipedia are just conceptual discussions ("gravitational" falls into the same category). I don't know of any practical case related to them. If you know of an actual case, please share it by providing a link.

There are some interesting papers published by Guri Mordechai (and others) covering this topic:



Quote

You're slowly moving to theoretical attacks rather than practical attacks; no one would do that unless they know you have tons of cryptocurrency or other confidential/valuable data.

Definitely, yes.
There are concepts (and published malware) available. But unless you own an enormous amount of money (and people know that), it is extremely unlikely you will ever encounter such an attack.
Institutions, however, should have enough physical security to be protected against such attack vectors.


Quote

Aside from using USB drives (and probably installing the OS/applications in a secure manner) on the air-gapped device, I think users don't need to worry about possible attack vectors against their air-gapped system.

I completely agree with you.
All I wanted to point out is that you can never be completely safe.
