Smuggled Raspberry Pis attempt to steal passwords

Andrew Tsonchev, Director of Cyber Analysis | Monday November 27, 2017

Darktrace recently detected two rogue devices on the network of a major healthcare provider. They were brought onto the network by a trusted employee, who – for reasons still unknown – was attempting to harvest user credentials and profile the network’s defenses.

Darktrace’s AI algorithms had built a detailed understanding of the organization’s normal network activity and digital infrastructure. When the two new devices entered the network and sent ‘Redirect Datagram for the host’ messages to the subnet router, Darktrace identified the anomaly and raised an alert in real time. This represented the first of three anomalies:

  1. Two unknown Raspberry Pis are introduced to the network
    Based on the MAC addresses, the newly introduced devices were determined to be two Raspberry Pis. Once on the network, they began acting like gateways, which use remote hosts to send data packets on alternative routes.

    It was initially believed that the insider was using the devices to engage in ARP spoofing. However, the subnet router did not respond to the messages.
  2. The devices attempt to redirect users to a fake security survey
    The second anomaly occurred when the devices began beaconing to a rare external endpoint, which resolved to Amazon cloud services. This activity is typically seen in attempted communications with a command-and-control center, but there was no returning inbound traffic.

    Instead, the rare destination turned out to be a website, which was identical to an internal website being used to host a security survey. Before accessing the survey, employees needed to enter their user credentials.

    In addition to harvesting user credentials, the survey was asking a series of questions that would have been extremely useful for an attacker. The survey included questions designed to learn the status of their anti-virus and firewalls, and whether users were using the same passwords across multiple services.
  3. The insider tries to hide the devices via DHCP allocation requests
    The final anomaly came when one of the devices made a DHCP allocation request for an IP address on a separate subnet. It had the same hostname of the infringing device, but a new MAC address.

    Essentially, the insider was attempting to hide the devices by manually changing their IP addresses through DHCP release and allocation requests.

Each of these anomalies represented a subtle deviation from the organization’s normal ‘pattern of life’. By correlating these weak indicators of threat, Darktrace was able to discover a larger pattern that revealed the whole story: a malicious insider had smuggled Raspberry Pis onto the network to lure users to a fake website, steal their credentials, and test the network’s defenses, all while remaining hidden from network defenses.

By raising alerts in real time, Darktrace helped ensure that no users fell victim to the attack. Soon after, the Pis disappeared from the network. While the culprit was never caught, the organization has yet to experience a similar threat, indicating that the insider either left the organization, or remains in hiding.

Since the incident, the healthcare provider has undergone a restructuring of its network, and they’ve adopted a host of new IoT devices. Darktrace’s algorithms are continuously learning and re-learning normal, so if the malicious insider were to re-emerge, Darktrace would immediately detect their presence on the network.

Andrew Tsonchev

Andrew is a technical expert on cyber security and advises Darktrace’s strategic customers on advanced threat defense, AI and autonomous response. He has a background in threat analysis and research, and holds a first-class degree in physics from Oxford University and a first-class degree in philosophy from King’s College London. His comments on cyber security and the threat to critical national infrastructure have been reported in international media, including CNBC and the BBC World.