Greg Linares (Laughing Mantis)

@Laughing_Mantis

12 Tweets 2 reads Oct 11, 2022
This will be a thread discussing a real world breach involving a drone delivered exploit system that occurred this summer
Some details I am not able to discuss, however for the blue teams & red teams out there I hope this provides a good measure of capability.
During this summer an east coast company specializing in private investments detected unusual activity on their internal Confluence page that originated from their own network.
The team isolated the Confluence server and began incident response.
During the incident response they discovered that the user whose MAC address was used to gain partial access to their Wi-Fi was also logged in from their home several miles away.
The team deployed embedded Wi-Fi signal tracing and a Fluke system to identify the Wi-Fi device.
This led the team to the roof, where a 'modified DJI Matrice 600' and a 'modified DJI Phantom' series were discovered.
The Phantom was carrying a 'modified WiFi Pineapple device'.
It appeared neatly landed and was not damaged.
The Matrice was carrying a case containing 'a Raspberry Pi, several batteries, a GPD series mini laptop, a 4G modem, and another wifi device'.
It was located near an HVAC / vent system and appeared to be damaged or hindered, but was still partially operable.
During their investigation they determined that the DJI Phantom drone had originally been used a few days prior to intercept a worker's credentials and Wi-Fi.
This data was later hard coded into the tools that were deployed with the Matrice.
These tools were used to directly target the internal Confluence page in order to target other internal devices from credentials stored there.
The attack had limited success, and it appears that once the attackers were discovered they accidentally crashed the drone on recovery.
To summarize, this setup was estimated at over $15,000 USD for a one-time attack scenario.
Attackers are spending this range of budget in order to target your internal devices and are okay with burning it.
This is the 3rd real-world drone-based attack I have encountered in 2 years.
To clarify, 2 of these were real-world offensive actions against a house and a business,
and 1 of these was my red team during an engagement.
Learn from your attackers
Adapt your capabilities to identify, detect, and mitigate.
This is the reality we live in now.
Another thing to note, as stated: this was a primitive system compared to what is possible, yet it still worked.
Implement regular inspections of areas that drones can reach. MAC-address-based Wi-Fi security is not enough, even for guest or limited-access networks.
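The incident was noticed because the user whose MAC address was associated to the office Wi-Fi was simultaneously logged in from home, and a cloned MAC is exactly why MAC-based Wi-Fi access control is insufficient. The following is an added detection example (not code from the thread or from the company involved) that correlates Wi-Fi association logs with VPN session logs and flags a user who appears on site while holding an active remote session. The log formats, field names, users and timestamps are all constructed for illustration; map them onto whatever your wireless controller and VPN concentrator actually emit.

```python
"""Flag users whose registered MAC is associated to the office Wi-Fi while the same
user holds an active remote VPN session (added example; log formats are invented)."""
from datetime import datetime

# Constructed sample logs, not taken from the incident described in the thread.
# Wi-Fi controller lines: the user the MAC is registered to, the MAC, and the AP.
WIFI_LOG = [
    "2022-07-14T09:02:11Z assoc user=jdoe mac=AA:BB:CC:DD:EE:01 ap=hq-roof-03",
    "2022-07-14T09:05:40Z assoc user=asmith mac=AA:BB:CC:DD:EE:02 ap=hq-floor2-01",
    "2022-07-14T09:40:05Z assoc user=jdoe mac=AA:BB:CC:DD:EE:01 ap=hq-roof-03",
]
# VPN concentrator lines: connect/disconnect pairs for remote users.
VPN_LOG = [
    "2022-07-14T08:30:00Z connect user=jdoe src=203.0.113.45 site=remote",
    "2022-07-14T10:15:00Z disconnect user=jdoe src=203.0.113.45 site=remote",
    "2022-07-14T07:55:00Z connect user=asmith src=198.51.100.7 site=remote",
    "2022-07-14T08:50:00Z disconnect user=asmith src=198.51.100.7 site=remote",
]


def parse_line(line):
    """Parse '<timestamp> <action> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts_str, action, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    fields["action"] = action
    return fields


def vpn_sessions(lines):
    """Pair connect/disconnect events into (user, src, start, end) tuples.
    A connect with no matching disconnect is treated as still open."""
    open_sessions = {}
    sessions = []
    for ev in sorted((parse_line(l) for l in lines), key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["action"] == "connect":
            open_sessions[key] = ev["ts"]
        elif ev["action"] == "disconnect" and key in open_sessions:
            sessions.append((ev["user"], ev["src"], open_sessions.pop(key), ev["ts"]))
    for (user, src), start in open_sessions.items():
        sessions.append((user, src, start, datetime.max))
    return sessions


def find_simultaneous_presence(wifi_lines, vpn_lines):
    """Return one alert per Wi-Fi association that falls inside an active remote
    VPN session of the same user: a person cannot be on site and at home at once,
    so the on-site MAC is likely cloned or the account is shared."""
    alerts = []
    sessions = vpn_sessions(vpn_lines)
    for ev in (parse_line(l) for l in wifi_lines):
        if ev["action"] != "assoc":
            continue
        for user, src, start, end in sessions:
            if user == ev["user"] and start <= ev["ts"] <= end:
                alerts.append({
                    "ts": ev["ts"].isoformat(),
                    "user": user,
                    "mac": ev["mac"],
                    "ap": ev["ap"],
                    "vpn_src": src,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_simultaneous_presence(WIFI_LOG, VPN_LOG):
        print(alert)
```

With the constructed logs this yields two alerts for `jdoe` on `hq-roof-03` and none for `asmith`, whose VPN session ended before the on-site association. The AP name is included deliberately: an association on a rooftop or perimeter access point for a user who is remote is the kind of signal that points the physical search in the right direction, as it did in this case.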
For red teams building capabilities I would recommend the Phantom 4, as it can carry approx. 6 pounds and it's not insanely expensive.
That can hold a case with @Hak5 and @flipper_zero tools, which would be ideal in many attack scenarios.
But I am not a drone expert, so YMMV.
A few people were asking why the initial drone was not recovered and was left there.
Honestly I do not know either; there could have been a plan to recover it later, a failed recovery attempt, weather/battery issues, or maybe it was YOLO all the way.
Burn that money to get those credz.