Peter Bassill from Incident Response firm, Hedgehog Security, relayed to us the following fascinating anatomy of a wireless (aka over-the-air) attack at a UK healthcare organization:
Once in a while, you have a job that puzzles and taxes you. A job that has you thinking about every weird combination of events. This particular job was one of those jobs, and while it was enriching to work on, you had to admire the tactical thinking of the intruders.
On the 16th of May 2021, a new client within the UK healthcare sector contacted Hedgehog Security following the IT department's certainty that an intrusion had occurred. I was the responder assigned to the job and started the discovery process. The client was 100% certain that there had been an intrusion. The only missing part of the puzzle was that their SIEM had little to no alerts.
During the discovery process, it was apparent that the client had been subjected to a successful “Over the Air” attack. There were no signs of intrusion from any perimeter technology nor any indicators of data exfiltration to an external location. The intruders appeared inside the network and accessed internal systems, aggregated data to a file store, and vanished.
Having attended multiple intrusion events during my career, I was fascinated by this particular job. The attack vectors were fresh, and it was like they teleported in and out if you were to believe the SIEM devices and all the monitoring logs. After considerable time working with the client’s technical teams, it was possible to piece together the attack and paint the picture for the exec team.
The attackers had a good knowledge of the systems and technologies deployed within the client's enterprise, and their chosen method of ingress was through the smart TV. But not in a manner that you would immediately think. The attackers took advantage of a known vulnerability in the web browser libraries of the smart TVs by creating an HbbTV application stream. We would all know that as the "red button" function that brings interactivity to TV programmes. This exploitation was neat in its form and function and provided the attackers with command-line access to the underlying Android operating system.
Once on the systems, the TVs joined adjacent public Wi-Fi hotspots, similar to those in coffee shops worldwide. With easy internet access via these hotspots, the attackers effectively introduced a vast hole in the network that was unmonitored. They could access the client’s network remotely, join devices to their command and control systems and exfiltrate data. All while evading detection. Their only mistake? They moved a single large file between systems, large enough that the SIEM generated a DLP alert.
Following that alert, the IT team were alerted to a disk space utilisation issue on a NAS. Then, the IT team found the aggregated data that led to the investigation.
Hedgehog Security has released a 12-page report detailing the storyline, attack path, and ramifications.