Do attackers leverage the corporate network airspace to conduct their nefarious activities such as gaining unauthorized access to the corporate network, hijacking devices and exfiltrating data?
The network airspace is a new attack surface, having been raised by the thousands of devices, uncontrolled by the corporate, and broadcasting into the corporate – aka Antenna for Hire. While it’s possible for an attacker to leverage the corporate airspace to conduct what is called a digital airborne attack, we at AirEye set out to find whether these attacks are really happening. We wanted to know whether Antennae for Hire are a real threat, and find out whether digital airborne attacks are actually trending or simply anecdotal battle stories confined to government agencies.
For this, we turned to the people who know best – Incident Respondents (IR). These are the professionals on the ground that work night and day to get to the root of cyber attacks, be it APT, ransomware or simply spray and pray attacks. These are the people who have the necessary experience and know-how to verify what type of attacks they’re seeing and what is trending.
The results of our IR survey were conclusive- digital airborne attacks are happening in the wild. Furthermore, these are stealthy attacks- while IR professionals indicated they witnessed a digital airborne attack, they were unable to trace the roots of the attack, and they weren’t able to determine the extent of the attack.
Before diving into the survey results, we’d like to thank our IR peers and friends in various cyber security companies and agencies that contributed this data.
Survey Background
We anonymously surveyed IR professionals with various backgrounds – most have more than 10 investigations under their belt. Combined, the surveyed IR professionals had investigated more than 450 incidents across more than 160 companies. Our questions focused around Wi-Fi related-attacks – had they investigated such attacks and how did they handle those investigations.
And the Survey Shows…
Finding #1: 44% of the experienced IR professionals had investigated at least one Wi-Fi related attack.
Takeaway: Plain and simple – digital airborne attacks where attackers leverage the corporate airspace are happening.
Finding #2: Dual-connected devices are involved in wireless attacks. A staggering 80% of respondents that investigated a digital airborne attack stated that the attack involved a device that is connected both to Wi-Fi and wired networks.
Takeaway: Digital airspace provides an opportunity for attackers to get inside secured networks where current network security tools do not provide a solution yet. We perceive phishing emails as a common entry point, but we shouldn’t ignore those wireless-capable devices such as employee and contractor laptops, printers, audio and video equipment which are also connected to the wired corporate network.
Finding #3: EDR logs were not helpful when investigating Wi-Fi related attacks.
Takeaway: Digital airborne attacks do not leave any residual fingerprints on the endpoint until it is too late – understandably this is because they are network security related. Accordingly, no survey respondent said that they used EDR logs in their investigation of a digital airborne attack.
Finding #4: Professionals have witnessed attacks where data was exfiltrated through non-corporate networks.
Takeaway: Hackers know that sending data back through the corporate channels will trigger the security controls such as DLP, so they constantly look for an Antenna for Hire, such as an external unmonitored networks which they can piggy-back on and exfiltrate the data under the radar of the corporate. In fact, the MITRE ATT&CK framework warns about this exfiltration technique, calling it Exfiltration Over Other Network Medium.
Finding #5: Investigators cannot trace back the source of wireless-related attacks:
- 40% of those that investigated wireless attacks, were not able to collect enough forensic data about the airborne part of the attack – clearly because it all happened in an unmonitored medium and launched from antenna for hire, not controlled by the breached organization
- 40% were not sure whether data was exfiltrated or leaked through a non-corporate wireless network.
Takeaway: By leveraging the corporate network airspace, attackers can infiltrate the network, and puff!, leave without a trace of their entry point. It allows them to repeat their attacks over and over – whether replicating a similar attack at the same company or at a different one. Case in point, even one of the more experienced respondents who had investigated more than 10 wireless-related attacks, indicated that it was not possible to trace back a wireless attack to its source through station and network equipment logs.
Summary
Gone are the days that wireless-related attacks were limited just to government agencies, or considered old Hollywood-movie style attacks with disguised people operating from a utility van in the parking lot. Digital airborne attacks have leveled up and attackers are using them right now across their list of enterprise targets. IR professionals have already started to notice these attacks. With no tools in place to give visibility and control of the network airspace, professionals are struggling with detecting and tracing such attacks.
Coupled with well publicized vulnerabilities such as the AWDL zero-click vulnerability, FragAttacks and most recently the Apple string format flaw, we can see the rising trend of digital airborne attacks. These attacks are going to take their toll from enterprises unless actions are taken to secure the corporate network airspace.