Bluetooth Harvesting

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

In 2017, Armis Labs discovered a new attack vector that targeted any Bluetooth device. The attack, named BlueBorne, exploits Bluetooth vulnerabilities that could take control of devices, access networks, bypass air gap defenses and spread malware. These vulnerabilities exist on devices running Android, Linux, Windows and iOS (before iOS 10), regardless of the Bluetooth version in use. These attacks are devastating because they occur over the air without the need for user interaction. After disclosure, vendors immediately went to work to create patches for the vulnerabilities. The patches began rolling out in late 2017/early 2018 and the attack vector faded from attention. Recently, Kaspersky Labs uncovered what is believed to be the first attempt by an advanced persistent threat (APT) group to develop a "Bluetooth harvester". The development has been tied to ScarCruft, a Korean-speaking APT group. The malware appears to be in the initial phases of development and can only identify devices. It does not appear to be capable of finding and exfiltrating data from the devices - yet. A Bluetooth harvesting tool makes sense for a threat group such as ScarCruft. One of the limitations of Bluetooth technology is range, making exploitation attempts most useful in highly-targeted situations. This fits right into the wheelhouse of ScarCruft and some of their more recent espionage activities. The group initially targeted organizations on the Korean peninsula. It has since expanded its target to investment and trading companies in Vietnam and Russia. Most importantly, ScarCruft recently targeted high-value individuals with ties to interests of the Korean Peninsula. The targeting of select individuals is where Bluetooth data collection would be more practical. It may possibly have a higher rate of success than traditional social-engineering or spear phishing campaigns, without requiring user interaction.