New Warshipping Tactic Mails You an Attack at Your Doorstep

New ‘warshipping’ tactic uses your mailman as middleman to deliver attacks directly to corporate offices. The IBM X-Force Red team dubbed the attack and released information on it this week. Warshipping exploits delivery services to hack directly into homes and organizations by shipping malicious devices into packages to infiltrate networks remotely.

Warshipping is the next step of tactics like wardialing and wardriving. Wardailing a technique from the 1980s in which attackers automatically dialed several phone numbers looking for weak spots in modems. Wardriving later build on wardriving; attackers would drive around sniffing weak networks they could exploit. Both wardailing and wardriving have their limitations, which warshipping overcomes. Charles Henderson from IBM said

“These limitations include the amount of time it takes to perform wardialing and the suspicions that arise when a car is detected circling a block hundreds of times with an auspicious antenna and laptop in view.”

In this next generation, of attack, warshipping is uses trojan horse like techniques to hide tiny devices in unsuspecting packages. Once the packages reach their destination, the devices can remotely infiltrate networks. The devices are easy to make, disposable, low costing, and regardless of the threat actor’s location an attack can be launched.

The device costs under $100 dollars to make and the size of a small cell phone. This makes it easy to hide, whether inside a toy or on the bottom of a box. The device is made of a single-board computer (SBC), with a 3G system and remote control abilities. Further, the device runs on a single cellphone battery.

This device does have its own battery limitations but can be easily configured counteract this problem. Researchers at IBM were able to turn the devices off when inactive and turn them back on when needed. Further, they were able to use an IOT modem to keep the device connected in transit and keep communications open when powered on. Additionally, IBM used a command and control (C&C) server to set the device to look “for a specific file on the server to determine if they should stay on or go back to sleep.”

Once packages are delivered, attackers turn on the devices and begin to listen for packets running on the network. IBM was able launch an attack during a handshake, which indicates a network connection, to capture the hash of the process. They then used the backend to crack the preshared key and gain access to the Wi-Fi network. Once on the Wi-Fi they could launch different attacks like a deauthentication attack or a ‘evil twin’ attack. In an evil twin attack, attackers set up a fake Wi-Fi network and wait for the target to connect. Once connected, attackers can capture credentials like usernames and passwords. With these credentials, the malicious actors can further infiltrate the network, exploit vulnerabilities, steal data, and move through the network.

IBM recommends that organizations be cautious of these attacks and to treat packages delivered to them with extra precaution. Further, organizations should use enterprise-grade wireless services within their network. This means using certificates for authentication, virtual private networks (VPN), and multi-factor authentication.


Contact LIFARS right away if your organization has experienced a breach


Image Credits: Security Intelligence