“Air gapping,” or isolating certain systems by keeping them disconnected from the public internet, or any other networks, including your own, has for years been a gold-standard cybersecurity technique.
Air gaps keep cybercriminals away from sensitive data and backups safe from ransomware. They isolate operational technology to ensure that data centers stay up and running no matter what is happening on the networks it houses.
But it's time for data center cybersecurity managers to take another look at their air gapped systems and the processes they have set up around them. Air gapping on its own isn’t as bulletproof as it once was.
Even completely isolated networks need to have some contact with the outside world from time to time, and researchers at the cybersecurity firm ESET have found a group of hackers working on malware designed to infiltrate air-gapped networks by hitching rides on legitimate files and devices.
"Despite not being connected, data can be transferred in and out of such a network," Alexis Dorais-Joncas, security intelligence team leader at ESET, told DCK. It’s usually done via “removable drives going back and forth between the air-gapped system and a lower-privileged, fully connected workstation."
Once this particular malware – called “Ramsay” – gets a foothold in an air-gapped system, it will spread to any other systems it may find, Dorais-Joncase said.
ESET researchers found evidence pointing to an advanced cyberespionage group actively working to develop this malware – for example, instances of the malware uploaded to the VirusTotal antivirus testing site.
"We have seen only very few victims, so Ramsay is not used in very widespread, large scale attacks," he said. But that could be because it’s still under development – or because it's used for very stealthy, sophisticated, targeted attacks.
Air Gaps Aren't Just for Spy Agencies
Air gaps are typically used to protect the most sensitive data at the most critical institutions. But even data centers that don't belong to military contractors or intelligence agencies may have air-gapped networks in place.
Isolated backups, for example, ensure there’s are good copies to restore from in case of ransomware attacks. But for a backup to be useful, it must be kept up to date and easily retrievable. That makes such backups attractive targets for hackers.
Since a victim is more likely to pay up if their backups are gone, ransomware groups are likely to invest some time and effort into malware that is smart enough to jump air gaps. After all, it's enough for ransomware code to only travel one way.
Ramsay doesn’t appear to be used to deliver ransomware today. It appears to have been used by a very advanced group of threat actors – of nation-state level. But this can change on a dime.
"When it comes to threats, what nation-states can pull off today, cybercriminals will be able to pull off tomorrow," said Daniel dos Santos, security researcher at Forescout Technologies. "The effect of commoditization of this kind of malware and its increasing propagation means barriers fall."
"If this family of malware finds success I guarantee they start delivering more serious types of malware," agreed McKade Ivancic, senior malware analyst at Optiv Security. "It's small and in development, according to different sources, but it is definitely something to look out for."
Data center operators often isolate operational networks that control power and cooling infrastructure.
A computing facility is vulnerable when a technician needs to do something on such a system, said Satya Gupta, founder and CTO at Virsec Systems.
"A human often goes with their laptop to the operational technology environment and connects the laptop and starts working," he told DCK. "Anything resident on that machine will cause problems in the OT. If they're infected, it's just like COVID-19. It's all about the social distancing."
How to Protect Yourself
ESET's Dorais-Joncas recommended that data centers with air-gapped networks pay close attention to the removable drives that are allowed to be connected. "They are the most obvious way for an attacker to get in," he said.
Security managers should be on the lookout for the malware on other, non-air gapped networks that those removable drives get plugged into. They will be the initial point of infection.
"Put exceptional security measures in place, such as restricting network connectivity, web or email usage, and monitoring endpoint activity with an endpoint detection and response system," Dorais- Joncas said.
All the basic cybersecurity hygiene must be maintained on the air-gapped systems as well.
"Like most cybersecurity attacks, this malware relies on human error," Asher de Metz, security consulting senior manager at Sungard Availability Services, said. That includes lack of patching, lack of hardening, and weak passwords.
Standard precautions alone may not be enough.
For example, the malware uses DLL hijacking, which allows it to bypass endpoint protection software, said Luke Willadsen, security consultant at EmberSec.
DLLs, or dynamic link libraries are pieces of pre-installed Windows code. If a developer isn't careful about where the application looks for them, they could end up running the malicious code.
"If you don’t detect Ramsay’s initial exploitation and installation, you may never catch it, at least until security vendors have been able to successfully signature the malware with a high degree of success,"Willadsen told us.
The Ramsay malware found by ESET has multiple ways of staying hidden and persisting through attempts to clear it out, Dave Shear, senior threat research engineer at Vigilante, said.
"These tactics include phantom DLL hijacking, manipulation of scheduled tasks,” he said. “Later versions of the malware include rootkits to modify system files and remain persistent."
Malware is often discovered when it tries to communicate back to its command and control systems, but this malware doesn't. "It is not currently understood by researchers how the [Ramsay] malware communicates back to the threat actors," he said.
Krishnan Subramanian, a researcher at Menlo Security Labs, said the attackers could be waiting for the initial infection to finish gathering all the files it can and then wait until it gets to a device that connects back to a non-air-gapped network.
"Companies who discover these new malware strains should … ensure that no endpoints that can connect to the internet access the protected air-gapped network," he told DCK.
The malware may be hitchhiking on a legitimate file that can be opened and used as normal. "There is no change to the integrity and runtime behavior of an original document after it has been infected," Subramanian said. That's a sign of the sophistication of this malware.
Ramsay proves that air-gapped networks aren't as air-gapped as we thought, Rui Lopes, director of engineering and technical support at Panda Security, said.
"Shared resources, even through internal networks, should not reach air-gapped systems, because Ramsay has proven it can reach them," he told DCK. "For a truly air-gapped system, data center managers need to isolate those networks entirely. The definition of an air-gapped network needs to become stricter."
It may not be the most efficient use of resources, he added, but it’s the only way to ensure the systems are safe.