Cloud Storage Means to Exfiltrate Data with Raspberry Pi

The Raspberry Pi, a powerful single-board computer, has become a popular tool for hackers. Once plugged in and configured to snoop on a network and search for weaknesses (poor encryption, unpatched servers, etc.), a Pi can sit on that network for months undetected.

Running "headless" (no keyboard or monitor attached), the Pi is controlled entirely from a remote system, often hosted in a cloud environment. Over that channel, the attacker can disguise sessions as ordinary traffic to plant malware or exfiltrate sensitive files. To assist with exfiltration, threat actors often leverage cloud services and open-source tools.

How to prevent data exfiltration:

  1. Review network data for unusual data flows, such as a machine sending significantly more data to a server than it receives from it.

  2. Look for processes using the network that do not normally communicate over it or that have never been seen before.

  3. Monitor user behavior to uncover patterns of suspicious activity across the network, and use rules to automate alerting on predefined user activity.

  4. Protect data with data-at-rest and data-in-transit encryption, whether it is stored, moving from network to network, or being transferred from a local device to cloud storage. Establish rules so that only those holding the appropriate key are able to access it.

  5. Train employees to recognize phishing emails and to dispose of them properly. Provide tips to help them identify suspicious sites and documents.

  6. Restrict data leaving the network with firewall egress filtering. This can prevent leaks of internal data and stop compromised hosts from connecting to their command-and-control servers.
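Checks 1 and 2 above can be run over flow records. The following is an added example, not code from the original article or from RedTeam Security; the CSV layout, the hosts, the byte counts and the process allow-list are all constructed for illustration, and the ratio and volume thresholds are assumed starting points to tune per environment.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample flow records (src,dst,bytes_out,bytes_in,process).
# The CSV layout and every value here are assumptions for this example.
SAMPLE_FLOWS = """\
10.0.5.21,142.250.80.46,1200,98000,chrome.exe
10.0.5.21,140.82.112.4,4100,61000,chrome.exe
10.0.5.77,203.0.113.9,52000000,2400,python3
10.0.5.77,203.0.113.9,48000000,2100,python3
10.0.5.30,10.0.1.5,300000,310000,outlook.exe
"""
# Assumed allow-list of processes that normally talk to the network.
BASELINE_PROCESSES = {"chrome.exe", "outlook.exe", "teams.exe"}

@dataclass
class HostStats:
    bytes_out: int = 0
    bytes_in: int = 0
    processes: set = field(default_factory=set)

def parse_flows(text):
    """Turn the CSV text into (src, dst, bytes_out, bytes_in, process) tuples."""
    rows = []
    for line in filter(None, text.splitlines()):
        src, dst, out, inn, proc = line.split(",")
        rows.append((src, dst, int(out), int(inn), proc))
    return rows

def aggregate(flows):
    """Sum traffic per source host and record which processes generated it."""
    stats = defaultdict(HostStats)
    for src, _dst, out, inn, proc in flows:
        stats[src].bytes_out += out
        stats[src].bytes_in += inn
        stats[src].processes.add(proc)
    return stats

def find_exfil_candidates(stats, ratio=10.0, min_out=10_000_000):
    """Check 1: hosts sending far more than they receive (ratio plus a volume floor)."""
    hits = [h for h, s in stats.items()
            if s.bytes_out >= min_out and s.bytes_out / max(s.bytes_in, 1) >= ratio]
    return sorted(hits)

def find_unknown_processes(stats, baseline):
    """Check 2: network-active processes absent from the baseline, per host."""
    return {h: s.processes - baseline for h, s in stats.items() if s.processes - baseline}
```

The volume floor keeps a host that merely uploads a small file from tripping the ratio test; in the sample data only 10.0.5.77 is flagged, and only by both checks together.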

It's challenging to provide recommendations on preventing attackers from accessing your network and sensitive data when they take advantage of legitimate industry tools and use them with malicious intent. Continual testing and detection can limit the impact these tools could have on an organization. Adversary emulation is an ideal way to refine techniques into an informed test, identify gaps, and shape recommendations for how security teams respond to real-life attacks.

Learn more about Raspberry Pis from security consultant Brian Halbach. 

Q: If you do not use USBs to get access to the network, what other tools do you have in your toolkit to access a network port?

Brian: Yeah, so if we don't use USB devices to get onto a network, we do have other options, one of them being a little mini-computer such as a Raspberry Pi, which comes in different form factors. There's also a device called an Arduino or a Beaglebone. These are all just different names of small microcomputers that are flexible and can do lots of different things that we can change and make do what we want as an attacker and leave behind on your network.

Q: How can a Raspberry Pi (mini computer) help you accomplish your goals?

Brian: A Raspberry Pi is just a little mini-computer, kind of about the size of a deck of cards. You can buy them in different form factors, so you can buy slightly bigger ones and buy smaller ones. 

The good thing about them is that they're essentially a little mini-computer, a little mini Linux computer that allows us to use them in lots and lots of different ways. So one common thing for attackers, if they break into a building, is to leave something behind so they can continue to access the network even after they've left, or even if they've detonated a malicious payload, they can still leave behind a physical implant. This is something that advanced adversaries and nation-states also use. So they will have more advanced physical implants that can be plugged into different areas and do different types of attacks, and we try to simulate that with our Red Teaming engagements.

A Raspberry Pi is a rather cheap device; it only costs about $30 to $35, and it's just this small little board. You can get cases for it, or you can conceal it in different devices so that you could conceal it inside of a bag, or I've seen them concealed inside of Cisco phones, so it looks just like the rest of the phones that a company may use inside, but what they don't realize is that there is a mini-computer that, if it can get onto the wireless or if it can get onto the wired network, can then do a number of different attack techniques that can help us out to try to achieve our goals. One of the greatest things about it is its flexibility. So the ones that we use can either call back to our cloud servers, which control it, or oftentimes we can make it so that the traffic it generates looks exactly like real web traffic.

So if you're looking for malicious traffic, you may not notice it right away because it looks just like regular web traffic, and then it calls back to us with that regular web traffic, and we can control it that way. So it's a nice flexible device that if we get into a physical place, we can hide it in different areas or conceal it in other devices and put it on the network in hopes that we can do lots of different types of attacks, and that would be our entry point into the network. 

Q: What kind of tools do you develop to help with your pen testing process? 

Brian: Yeah, so besides Raspberry Pis and Arduinos, there's a whole suite of different tools that anybody can go online and buy. For example, a very good pen testing company called Hak5 sells a whole set of gear such as a Plunder Bug, a Packet Squirrel, or a LAN Turtle. These are collections of different physical implants that can be plugged into a network to achieve different goals. There's even a cloud service that they sell for remote command and control, so even a low-skilled attacker or a pen tester can then come in and plug in one of these devices and take over the network.

Q: Why does developing scripts help you accomplish your goals as an ethical hacker? 

Brian: At Red Team Security, we develop different scripts and little tools to help us with our job. It can be something as simple as just writing a bunch of automation to help do something that would manually take a long time, or it can be a whole coding project to make sure that we can evade antivirus so that we can actively emulate what the real bad guys are doing, so when you hire us, you are getting an accurate representation of what's going on in the wild at this moment. So we will help develop these techniques and then share with our clients: all right, how do you stop this? How do you mitigate this? Even if one detection is bypassed, what are the other ways that we can still find you and stop you? That's what we help them discover and put on their network.

In addition, you don't need a degree in computer science for a lot of these coding things. It's more just an understanding of systems: how your computer on your desk talks out to the cloud and actually communicates up there, what's going on, and then just figuring out, all right, how can I make something to intercept that communication, replay that communication, attack that communication, and just getting in the mindset of, all right, what would be interesting to a bad guy? Or, how could I abuse an application that's already on this laptop to do something that a bad guy would also want to do? So there are certain cases where we need to make a special tool to do something that doesn't exist yet that we know can happen, or there are other cases where we can reuse existing tools to do malicious things.
