With Warshipping, Hackers Ship Their Exploits Directly To Their Target's Mail Room (techcrunch.com)
Why break into a company's network when you can just walk right in-- literally? From a report: Gone could be the days of having to find a zero-day vulnerability in a target's website, or having to scramble for breached usernames and passwords to break through a company's login pages. And certainly there will be no need to park outside a building and brute-force the Wi-Fi network password. Just drop your exploit in the mail and let your friendly postal worker deliver it to your target's door. This newly named technique -- dubbed "warshipping" -- is not a new concept. Just think of the traditional Trojan horse rolling into the city of Troy, or when hackers drove up to TJX stores and stole customer data by breaking into the store's Wi-Fi network.
But security researchers at IBM's X-Force Red say it's a novel and effective way for an attacker to gain an initial foothold on a target's network. "It uses disposable, low cost and low power computers to remotely perform close-proximity attacks, regardless of the cyber criminal's location," wrote Charles Henderson, who heads up the IBM offensive operations unit.
Re: (Score:2)
Good.
Some value even just in location (Score:5, Interesting)
I had to ship some luggage ahead of me for a trip to Japan earlier this year, a small luggage tracking device lasted well over three weeks at the lowest power setting and I could see where it was most of the time, as well as where it ended up.
So I could see if you wanted to know where someone at a company was physically located, you could ship something to some company address for a name you wanted to know about, then the company would forward along the package to the right address...
But just thinking about all of the active network scanning tools you could pack into a box along with wireless connectivity to report back - wow.
Although it seems like similar results could be had parking outside a business in a van, shipping a package in would be lots cheaper and a less risky way to accomplish the same thing. And it could maybe even get up to the executive level area if you did it right.
I wonder if some companies have started scanning packages that arrive for signal emanation.
I was thinking cellular connection here (Score:2)
Doesn't work like that. A sensible sniffer device would remain silent and listen for signals.
I agree, but I was thinking if it had cellular connectivity to talk back to some remote server you could probably detect that from a package (not thinking you could scan for a silent wifi monitor! :-) ).
However even that could be delayed to turn on a few days after delivery...
I was thinking though the longer you wait to turn on transmission of findings, the more risk you have of the package being opened and disposed.
Re: (Score:1)
Seems like the next evolution would be to build the device into something that looks innocuous - a USB desk fan with the logo of one of their vendors on it, a teddy bear for an admin assistant on Secretary's Day (that's a thing, right?), etc. The USB desk fan would even be a way to get power...though once you have USB access, I guess there's all kind of other attacks you could do.
Re: (Score:1)
Seems like the next evolution would be to build the device into something that looks innocuous
I think that's by far the best idea, that way when the package is eventually opened it's not some freaky looking set of hardware that raises alarm, it's something they might keep around, and as you point out eventually choose to provide constant power for!
Even if it did nothing else, to simply make the effort to make the contents look harmless would go a long way to avoid detection of the attempt.
No way this has not
Re: (Score:2)
No way this has not been done already many times over by many government intelligence agencies from probably every nation.
The magic trick in this case is that what's booby-trapped is the package itself, not what's in it. You get the package, you can examine the contents as much as you want but won't find anything, the device does its job, and eventually the packaging gets thrown out, leaving no trace that the device was ever present. That's a very cool, and until now quite nonobvious, way to do this.
Re: (Score:2)
No way this has not been done already many times over by many government intelligence agencies from probably every nation.
Here [nytimes.com] is one example from the late 80's. Merely the concept of spying. Spying goes back to ...the first 2 civilizations.
Re: (Score:2)
Send it to the address of an insurance company but addressed to Mary Jones, Jewelry Design and Purchasing, Floor 7.
It should get marked Return to Sender the next day.
Re: (Score:2)
You can have it turn on only when it has findings, quickly transmit, then turn back off (you'll want that anyway to conserve battery).
Optionally, have it do that after hours. The custodial crew is unlikely to notice.
That way, even if it *IS* detected, the findings have already been transmitted.
Re: (Score:2)
A sensible sniffer device would remain silent and listen for signals. Then it would broadcast. So not in the mail room.
I would have a nice powerful WiFi node visible to the mailroom that would lead to a honeypot server for the warshipper to blunder into.
Re: (Score:3)
You make an interesting point. Remember the 2001 anthrax scare?
Our mail room had a dedicated person to open mail. She wore gloves, a mask and I don't remember what all.
Yes that does seem similar... (Score:1)
You make an interesting point. Remember the 2001 anthrax scare?
I remember that also, and an interesting aspect of that is - how many mailrooms take that same precaution anymore?
It seems like so many security precautions are fad based and die away eventually when news of an exploit fades into the past.
Re: (Score:2)
You'll probably remember Y2K.
Re: (Score:3, Insightful)
You could ship a literal "blackbox" to any mail room of any multi-national and gain access to their network.
I'm not suggesting this is incredibly doable, but there's a certain level of assumption that needs to exist:
1. That the package will not be stolen in the first place
2. That the package will have 3g/4g/5g access where it goes, many mail rooms are in the basement or warehouse area of a building and thus do not get cell reception
3. That there is WiFi directly connected to the corporate network, in many c
stop outsourcing own the building (Score:2)
stop outsourcing own the building as in some cases the BUILDING STAFF has access
Re: (Score:3)
I think you can probably ship a whole lot of actual computer products to corporate offices and get people to plug them in. Especially if you target branch offices, which in my experience tend to be less structured than corporate offices, as well as often under-resourced and would likely be more accepting of "free" computer stuff or office supplies.
The jackpot would be getting a compromised small switch plugged in. You'd have power, direct ethernet access, probably the ability to sniff PC network traffic.
I
Re: (Score:1)
"I wonder if some companies have started scanning packages that arrive for signal emanation."
At the private company where I worked before I retired, for AT LEAST the last 25 years, all incoming mail and packages are routinely scanned both via fluoroscope (like the X-Ray scanner at the airport) and for RF emissions at the receiving bay before they are allowed in the building. What is found determines the procedures that must be followed to retrieve the mail or package by the addressee.
Re: (Score:2)
Defense in depth... (Score:1)
This is a good reason to have defense in depth. If a rogue device is in the mailroom and able to scan for WAPs, it might find out where it is physically located, but that is it. I don't really worry about a Raspberry Pi Zero W with a cell modem as a business crippling threat vector. If it is on Wi-Fi, it is using VPN and using 2FA, so at worst, the bad guy might have another open access point if they break the WPA-Enterprise there, but everything else is either one time passwords, or encrypted with seque
Re: (Score:1)
The stupid thing is having your corporate networks on WiFi.
IBM offensive operations unit (Score:3)
Prediction (Score:5, Funny)
Thank you! I'll be here all week!
Try the fish...
I'll show myself out now...
Traceability (Score:3)
Proxying your mail shipments is a little more difficult than proxying network traffic. Otherwise, it's going to be known roughly where the package was shipped from, with you probably being in subpoena-able camera footage at, e.g., a UPS Store dropping it off. If you use the USPS at all, you're opening yourself up to mail fraud charges, as well.
Dropping a flash drive in a parking lot has plausible deniability, at the least, and a lower probability of encountering cameras.
Re: Traceability (Score:1)
Very good point.
Although, if you use the correct number of stamps on a small enough box you could drive to a rural mailbox with no cameras and put it in there.
Re: (Score:2)
UPS and FedEx both have drop boxes at many businesses that are not under video surveillance.
Extra validity (Score:1)
UPS and FedEx both have drop boxes at many businesses
Also a side point here, you could probably obtain a shipping account number from a large corporation and use that to pay for shipment, no-one would ever notice and payment could not be tied back to you.
It would also lend a lot of authenticity to the package and help ensure it reached the area within the company you were hoping for,
You just use freight forwarders (Score:3)
Drats! (Score:2)
I knew that free router was too good to be true.
TJX (Score:2)
Re: (Score:2)
https://www.informationweek.co... [informationweek.com]
They definitely compromised the unsecured WiFi from across the street, not in the parking lot, but 2007 was a different time.
Brilliant, ballsy, and desperate at the same time (Score:2)
What's old becomes new (Score:2)
Note to self (Score:1)
Build mail room inside faraday cage.