U.S. Financial Services Company Targeted by Hackers Using DJI Drones

Unknown threat actors spent as much as $15,000 to carry out a single cyberattack using WiFi pineapple and other pentest tools mounted on two DJI drones.

Last Updated: August 2, 2023

Unknown threat actors spent as much as $15,000 to carry out a single cyberattack using WiFi pineapple and other pentest tools mounted on a drone. Security researcher Greg Linares described the attack in a Twitter thread last week, counting it as the “third real-world drone-based attack” he encountered in the last two years.

First reported by The Register, the attack was carried out against an East Coast financial services company specializing in private investments. It took place this past summer and was detected after the company noticed some unusual activity on Atlassian Confluence, a collaboration tool used internally by teams or across the organization.

Linares, who told The Register that he wasn’t a part of the incident response but spoke to someone who was, said that the team discovered two DJI drones on the roof of the building. “During the incident response they discovered that the user whose MAC address was used to gain partial access to their WiFi was also logged in from their home several miles away,” Linares said.

“The team deployed embedded WiFi signal tracing and a Fluke system to identify the WiFi device. This led the team to the roof, where a ‘modified DJI Matrice 600’ and a ‘modified DJI Phantom’ series were discovered. The Phantom was carrying a ‘modified WiFi Pineapple Device.’”

A WiFi Pineapple is a wireless auditing device (sold by Hak5) that penetration testers use during authorized engagements to stand up rogue access points, impersonate known networks, and intercept client traffic. In this case it was carried by the smaller drone, the DJI Phantom, as Linares’ account above notes. The Matrice 600 carried the heavier pentest kit: a Raspberry Pi, several batteries, a GPD series mini laptop, a 4G modem, and another WiFi device.


The attackers’ goal was to harvest credentials, starting with Confluence, that would open access to other internal company resources. The DJI Phantom was first flown for reconnaissance, and days before the main intrusion it captured an employee’s credentials and WiFi details. The attackers then hardcoded that data into the pentesting tools carried by the Matrice drone.

However, it is unclear exactly which credentials the threat actor was able to access. Presenting a known internal MAC address is one way to avoid raising alarms on a network that restricts access by MAC, since a device with an unrecognized address may simply be denied. Collecting such an address over the air is not difficult: 802.11 frame headers, including client MAC addresses, are transmitted in the clear even on WPA2-protected networks, so a passive sniffer within range can harvest them. What a harvested MAC does not provide is the wireless key or the user’s credentials.

MAC spoofing is a plausible explanation, though it works reliably only while the device being impersonated is not active on the same network segment, since two stations sharing one address cause association and switching conflicts. Here the legitimate user was connected from home, which would have left the address free on the office WLAN.
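One way a defender could surface the dual-presence anomaly Linares described (a user’s MAC address associating to the office WLAN while the same user is connected from home) is to correlate wireless association logs with remote-access session logs. The Python below is an added example written for this article, not code from the incident response team or from any vendor product; the log line formats, usernames, MAC addresses and IP addresses are all constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample logs for this example only; not records from the incident.
# One association line per client join; one vpn-up/vpn-down pair per remote session.
WLAN_LOG = """\
2022-07-18T09:02:11Z assoc mac=a4:83:e7:12:34:56 user=jdoe ap=HQ-ROOF-AP3 ssid=CORP-LIMITED
2022-07-18T09:05:40Z assoc mac=3c:22:fb:aa:bb:cc user=asmith ap=HQ-FL2-AP1 ssid=CORP-LIMITED
2022-07-18T11:30:05Z assoc mac=a4:83:e7:12:34:56 user=jdoe ap=HQ-FL4-AP7 ssid=CORP-LIMITED
"""

VPN_LOG = """\
2022-07-18T08:30:00Z vpn-up user=jdoe src=203.0.113.45 session=12
2022-07-18T10:15:00Z vpn-down user=jdoe src=203.0.113.45 session=12
2022-07-18T09:00:00Z vpn-up user=asmith src=198.51.100.7 session=13
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<ts> <event> k=v k=v ...' into a dict with a tz-aware timestamp."""
    ts_str, event, rest = line.split(" ", 2)
    rec = dict(KV.findall(rest))
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["event"] = event
    return rec


def vpn_sessions(text):
    """Return {(user, session_id): [start, end, src_ip]}; end is None if no vpn-down seen."""
    sessions = {}
    for line in text.splitlines():
        r = parse_line(line)
        key = (r["user"], r["session"])
        if r["event"] == "vpn-up":
            sessions[key] = [r["ts"], None, r["src"]]
        elif r["event"] == "vpn-down" and key in sessions:
            sessions[key][1] = r["ts"]
    return sessions


def dual_presence(wlan_text, vpn_text):
    """Flag every WLAN association whose user had a remote VPN session open at that moment.

    A still-open session (no vpn-down record yet) is treated as active, so a
    user who is connected from home right now is not missed just because the
    session has not ended.
    """
    sessions = vpn_sessions(vpn_text)
    hits = []
    for line in wlan_text.splitlines():
        r = parse_line(line)
        if r["event"] != "assoc":
            continue
        for (user, _sid), (start, end, src) in sessions.items():
            if user != r["user"]:
                continue
            if start <= r["ts"] and (end is None or r["ts"] <= end):
                hits.append({
                    "user": user,
                    "mac": r["mac"],
                    "ap": r["ap"],
                    "vpn_src": src,
                    "ts": r["ts"].isoformat(),
                })
    return hits


if __name__ == "__main__":
    for h in dual_presence(WLAN_LOG, VPN_LOG):
        print(f"ALERT user={h['user']} mac={h['mac']} on {h['ap']} at {h['ts']} "
              f"while VPN session from {h['vpn_src']} was active")
```

The check keys on the remote session rather than on the MAC alone, because a client roaming between two access points produces the same association records an impersonator would. In the sample data the 11:30 association for jdoe falls after that user’s VPN session closed and is therefore not flagged, while asmith’s association is flagged even though the VPN session has no closing record.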

Another explanation is that the company had undergone some changes before the attack. Linares told The Register, “The attackers specifically targeted a limited access network, used by both a third-party and internally, that was not secure due to recent changes at the company (e.g. restructuring/rebranding, new building, new building lease, new network setup or a combination of any of these scenarios).”

In any case, details about how the attackers got hold of the credentials and MAC address remain under wraps.

“The attack was a limited success, and it appears that once the attackers were discovered, they accidentally crashed the drone on recovery,” Linares tweeted. The incident response team found the Phantom drone “neatly landed” and undamaged. The Matrice, on the other hand, had come down near a heating, ventilation, and air conditioning (HVAC) vent and was damaged, though it retained limited operability.

The Federal Aviation Administration (FAA) requires all drones weighing more than 0.55 pounds (250 grams) to be registered. All of the Phantom series drones and the Matrice 600 by DJI, a Shenzhen, China-based company, weigh more than the 0.55-pound limit (the DJI Matrice 600 weighs about 20.9 pounds, or 9.5 kg, with batteries), though it is unlikely that the threat actors registered the aircraft or used their real information to buy them.

The incident suggests that drone-delivered wireless intrusion is an emerging attack path still in its early stages.


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis

An earnest copywriter at heart, Sumeet is what you'd call a jack of all trades, rather techs. A self-proclaimed 'half-engineer', he dropped out of Computer Engineering to answer his creative calling pertaining to all things digital. He now writes what techies engineer. As a technology editor and writer for News and Feature articles on Spiceworks (formerly Toolbox), Sumeet covers a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation, hardware, semiconductors, et al. Sumeet compounds his geopolitical interests with cartophilia and antiquarianism, not to mention the economics of current world affairs. He bleeds Blue for Chelsea and Team India! To share quotes or your inputs for stories, please get in touch on sumeet_wadhwani@swzd.com