Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Mr. Robot and Tenable

At Tenable, we’re huge fans of USA’s cable series, Mr. Robot. The show follows Elliot Alderson, a talented, yet troubled, security engineer at Allsafe Cybersecurity who connects with people by “hacking” them. He becomes involved with a hacktivist group, fsociety, whose goal is to cancel all debts by taking down the largest company in the world, Evil Corp. In this blog, we will discuss several of the attacks demonstrated in the show, as well as how Tenable’s products can serve as a method to detect the attacks before or as soon as they happen.

The attacks in Mr. Robot are realistic and can seem intimidating

Episode 2: ones-and-zer0es.mpeg – Malicious mixtape CD

In this episode, a malicious actor from the mysterious Dark Army group pretends to be an aspiring rapper handing out his mixtape on the street corner. Ollie, one of Elliot’s colleagues at Allsafe Cybersecurity, takes the CD home and puts it in his computer, but when he does, his computer freezes up and then ejects the disc. At the end of the scene, the fake rapper is shown monitoring Ollie’s webcam and types into a chat room, “we’re in.”

Both penetration testers and attackers have used this attack for years. A CD is loaded with the malware and is presented as something important—such as new company training material or an important financial document—and then mailed, dropped outside a building, or simply handed to the victim-to-be. As soon as the victim loads the CD and clicks the file, the regular file may run, but so will the malware.

Using SecurityCenter Continuous View™ and the Log Correlation Engine™( LCE®) a custom TASL (Tenable Application Scripting Language) could be written to create a normalized set of events using a combination of several events:

  • Windows-Drive_Removed
  • Windows-LCE_Client_Detected_Attached_USB_Device
  • Windows-LCE_Client_Detected_Removed_USB_Device
  • Windows-LCE_Client_Detected_Attached_Drive
  • Windows-LCE_Client_Detected_Removed_Drive

with the detection of a new External Netflow connection. That new TASL event would be used in an email alert sent to the incident response team for investigation.

Episode 4: da3m0ns.mp4 – Raspberry Pi to control HVAC

In their quest to destroy Evil Corp’s backups at the ultra-secure Steel Mountain data center, Elliott and the fsociety crew penetrate the building and connect a Raspberry Pi to a networked HVAC controller. Once it is connected, the Pi calls back to their headquarters and they are in.

Network implants are a tool commonly used by red teams as a method to establish long-term, covert presence on a network. Due to their often small form factor, they can easily be hidden out of sight and can remain undetected on a network for months.

Using SecurityCenter CV and the Passive Vulnerability Scanner™ (PVS™), PVS can detect when a new system is present on the network and sends a New Mac Address message to LCE. SecurityCenter uses the New Mac Address event and PVS plugin IDs to initiate a scan and to send an email to the IT operations team.

Note: Passive Vulnerability Scanner (PVS) is now Nessus Network Monitor. To learn more about this application and its latest capabilities, visit the Nessus Network Monitor web page.

Episode 6: br4ve-trave1er.asf – Parking lot USB drop

Facing pressure from drug dealer Shayla’s violent supplier, Elliot is forced to break into the network of the prison where drug supplier Fernando is being held in order to bust him out of prison. To help accomplish this, Elliot recruits fellow fsociety member Darlene to drop USB drives—containing malware—in the prison parking lot to help facilitate the break-out. A guard picks up one of the drives on his way in, plugs it into his workstation, and the executable runs. Even though anti-virus catches the file, Elliot has a shell on the machine until the guard physically unplugs the power.

Attackers can easily trick unsuspecting victims into picking up thumb drives and plugging them into their computers, then compromising them using methods like USB keystroke injection, BadUSB, and backdoored files. For example, in corporate America during the time that annual salary raises are announced, an attacker could drop a thumb drive in the company’s parking lot. The attackers could backdoor a PDF and title it “2015 Annual Salary Raises.” This would entice a naive user to open the file and even potentially distribute it.

    SecurityCenter CV and LCE can easily detect this activity using the method described in the first scenario from Episode 2. In addition, Tenable’s solutions offer additional methods for tracking such malicious behavior:

    • SecurityCenter can audit systems to ensure that USB media is prohibited and to call out systems deviating from this policy.
    • SecurityCenter can detect systems where USB media has been used during the course of normal scanning.
    • Tenable has agents that can detect USB media usage as frequently as in real time.
    • SecurityCenter offers analytics (e.g., "Removable Media and Content Audits") that make it easy to see an organization's exposure to these problems.

    The attacks in Mr. Robot are realistic and can seem intimidating at first, but with proper network monitoring and auditing, as well as user awareness, most can be thwarted.

    Thanks to Cody Dumont and Corey Bodzin for their contributions to this article.