A new attack technique that relies on radio signals from memory buses to exfiltrate data from air-gapped systems has been identified. The exploit is a novel side-channel attack that has been found to leverage radio signals emanated by a device's Random Access Memory (RAM) as a data exfiltration mechanism, posing a threat to air-gapped networks. Air-gapped systems, typically used in mission-critical environments with exceptionally high-security requirements, such as governments, weapon systems, and nuclear power stations, are isolated from the public internet and other networks to prevent malware infections and data theft.
The technique has been codenamed RAMBO by Dr. Mordechai Guri, the head of the Offensive Cyber Research Lab in the Department of Software and Information Systems Engineering at the Ben Gurion University of the Negev in Israel. "Using software-generated radio signals, malware can encode sensitive information such as files, images, keylogging, biometric information, and encryption keys," Dr. Guri has said in a newly published research paper. "With software-defined radio (SDR) hardware and a simple off-the-shelf antenna, an attacker can intercept transmitted raw radio signals from a distance. The signals can then be decoded and translated back into binary information." Guri says.[1]
The exploit requires that the air-gapped network be first compromised using an insider, poisoned USB drives or a supply chain attack. This allows the malware to trigger the covert data exfiltration channel.
RAMBO is no exception. The malware manipulates RAM to generate radio signals at clock frequencies, which are then encoded using Manchester encoding and transmitted to be received from a distance away. The encoded data can include keystrokes, documents, and biometric information. An attacker on the other end can then leverage SDR to receive the electromagnetic signals, demodulate and decode the data, and retrieve the exfiltrated information.
The technique could leak data from air-gapped computers running Intel i7 3.6GHz CPUs and 16 GB RAM at 1,000 bits per second, the research found, with keystrokes being exfiltrated in real-time with 16 bits per key. "A 4096-bit RSA encryption key can be exfiltrated at 41.96 sec at a low speed and 4.096 bits at a high speed," Dr. Guri said. "Biometric information, small files (.jpg), and small documents (.txt and .docx) require 400 seconds at the low speed to a few seconds at the fast speeds... This indicates that the RAMBO covert channel can leak relatively brief information over a short period."
Several defensive and protective measures can be implemented to prevent the RAMBO attack. These countermeasures include enforcing red/black zone restrictions for information transfer, using an intrusion detection system (IDS), monitoring hypervisor-level memory access, using radio jammers to block wireless communications, and using a Faraday cage.
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
[1] https://www.cybersecurityintelligence.com/blog/attackers-can-use-ram-to-steal-data-from-air-gapped-networks-7954.html
Comments