Reading view

There are new articles available, click to refresh the page.

Attack of drones: airborne cybersecurity nightmare

Threat actors could exploit drones for payload delivery, kinetic operations, and even diversion, experts warn.

Original post at

Once a niche technology, drones are about to explode in terms of market growth and enterprise adoption. Naturally, threat actors follow the trend and exploit the technology for surveillance, payload delivery, kinetic operations, and even diversion.

There exists a class of tiny and highly maneuverable devices that introduce a variety of cybersecurity risks you probably haven’t considered before.

Drones currently occupy a unique legal position as they are classified as both aircraft and networked computing devices. From a malicious drone operator perspective, this inherently grants a high level of advantageous legal ambiguity and protection to criminals operating drones as counter-attacking efforts taken by victims may violate protective regulations or laws applicable to aircraft, but also anti-hacking laws meant to provide protections to personal computers, their data, and networks.

This article is going to explore cybersecurity considerations surrounding drone platforms through an initial review of drone market trends, popular drone hacking tools, and general drone hacking techniques that may be used to compromise enterprise drone platforms, including how drone platforms themselves may be used as malicious hacking platforms.

A secondary outcome of this article is to help spur awareness around a once niche space of technology that is about to explode in terms of market growth and enterprise adoption.

Market overview

According to research firm Statista, the global retail drone market is expected to reach $90 billion by 2030, with Defense, Enterprise, and Logistics being the primary industries driving growth. Within the United States alone, nearly 300,000 commercial pilot licenses have been issued as of 2022, compared to nearly 1 million individual drones that have been registered with the Federal Aviation Authority(FAA) per weight and commercial compliance rules2.

This number does not account for drone platforms operated by amateur pilots or hobbyists that do not require professional licensure or those that operate under weight limitation thresholds (typically <250 grams = no licensing/registration requirement.) that require registration with local or federal authorities.

In China, the retail drone market reached $15 billion in 2021, with projections to exceed $22 billion by 2024. Drone pilot licenses issued throughout China exceed the United States, with over 780,000 registered pilots and close to 850,000 registered drones.

These numbers inform of the possibility that a once uncluttered skyline may soon be teeming with millions of drone aircraft, and questions begin to arise regarding the sanctity of enterprise security, privacy, and potential cybersecurity threats sourcing from the sky.

Departing from the general market statistics concerning drones, it is prudent to better understand how a flying laptop poses a threat to enterprise operations. From a cybercriminal perspective, drones are an ideal tool to carry out malicious attacks because they generally provide a greater layer of separation between the bad actor, the aircraft itself, and the actions executed by the physical drone platform.

Laptops or workstations primarily operate in 2D space physically and are more easily associated to an end user whereas a flying, computerized aircraft with a range of 10km can be harder to trace to a specific individual or geographical area. Drones also offer cybercriminals a great degree of flexibility in their usage because they are affordable, highly modifiable, they can operate across a greater range of weather conditions, flight distances, and altitudes versus semi-stationary workstations hackers traditionally operate from.

Aerial trespass

Let’s dive into some examples of how enterprises must account for external drones entering their airspace and cyber threats to drones operated by the enterprise.

An external drone not owned or operated by the enterprise can achieve many objectives useful to cyber criminals wishing to attack an organization. These objectives include but are not limited to site surveillance, photographic reconnaissance, physical or electronic payload delivery, kinetic operations (flying a drone into something for a specific purpose), and as a diversionary tactic.

A prime example is using a drone to fly over a potential target to visually map out physical security barriers prior to a robbery, identifying security guard patrol locations and schedules, or determining if anyone even responds to the aircraft while it is present. Drone platforms are also commonly used globally to smuggle contraband such as drugs, cellphones, or weapons into prisons with an alarming success rate.

Enterprises with sound counter drone programs in place may still be limited in how they respond to external drone threats as it is commonly unlawful to simply shoot them down or capture them. Within the United States for example, operating a drone within Class G, uncontrolled airspace over another entity’s property without advanced notice is legally allowed. Some state and local laws allow property owners and businesses to file trespass claims against operators but the difficulty is often associating the drone platform to its operator and serving them written notice.

Similar laws allowing some degree of aerial trespass exist throughout other international jurisdictions including Australia, Singapore and the United Kingdom with certain limitations. Enterprises are at a further disadvantage as malicious drone platforms cost anywhere from a few hundred to a thousand dollars while Counter Unmanned Aircraft Systems (CUAS) can cost well into the millions of dollars per annum simply just for the software subscription, not the personnel to operate it.

From a risk management perspective, drone mitigation using detective controls such as CUAS are simply non-sustainable for many enterprises as the costs will typically far exceed the inherent risks.


Attacks against enterprise-owned drones

Cyberattacks against drones that an enterprise owns and operates is an entirely different animal. Further considerations must be taken to secure onboard storage of the drone, ensure routes drones travel are relatively safe (i.e., free from obstacles, sparsely populated, etc.) and that Wi-Fi or Radio Frequency (RF) signals used by drone platforms are properly encrypted against eavesdropping or manipulation.

Most drone platforms provide an onboard mini or micro storage disk port for local storage. Common attacks against enterprise drones include platform takeover, where an attacker uses RF, Wi-Fi or a subscription service like Aerial Armor to detect flight paths of a drone in a geographical area, perform de-authentication attacks, take over control of the drone and land the stolen drone in a location of its choosing.

From here, the attacker can physically remove onboard storage and pilfer the contents, depending on the storage configuration or potentially introduce malware via the SD card port, then leave the drone for the owner to find. Cybercriminals may also attempt to poison the geolocation instructions or Return To Home (RTH) coordinates of the drone to intentionally damage the aircraft or use it for other nefarious purposes causing the enterprise monetary damages in lost drone equipment, legal trouble, and reputational harm.

Let’s overview common tools or platforms built specifically to hack drones and see how some of these may assist cybersecurity applications in real world scenarios.



The first tool previewed in this article is Dronesploit, a Command Line Interface (CLI) solution which directly resembles and is similarly structured to the Metasploit Framework. Dronesploit seeks to combine various tools useful for penetration testing specific to drone platforms.

Dronesploit is dependent on Aircrack-ng being installed and fully functional in addition to having an appropriate wireless network adapter capable of sniffing wireless networks and performing packet injection. The first step before launching Dronesploit is to put an available wireless network interface into monitor mode using the “Airmon-ng start wlan0” command. Monitor mode status can be verified before proceeding by issuing the “iwconfig” command.


Once the wireless network interface is placed into Monitor mode, Dronesploit should be launched from a secondary command window while allowing the monitored interface to remain active. Dronesploit is ready to use once all warning messages stop prompting the user to take specific action (such as starting an interface in ‘Monitor’ mode).

Dronesploit is ideal for assessing Wi-fi based drones like DJI Tello or Hobbico drone platforms but has some general-purpose auxiliary modules that are effective across many drone models.


Some of the broadly useful commands reside in Dronesploit’ auxiliary family of modules. Metasploit users will be happy to see that Dronesploit leverages familiar command-lets to select modules, set various options and execute drone attacks.

Below is an example of the “wifi/find_ssids” command, outlining the monitored interface being used, and time out values. Dronesploit can also directly call various elements of aircrack-ng to capture and attempt to crack WPA2 wireless handshakes making it a highly versatile tool.


Danger Drone platform

The next tool the article will preview is the Danger Drone platform, as developed and discussed by penetration testing provider Bishop Fox. Dangerdrone is an affordable, mobile drone platform, leveraging a 3D printed airframe, with a Raspberry Pi small single-board computer.

It is optimized to carry a Wi-Fi pineapple for wireless network auditing and several other USB peripherals like Alfa wireless network interfaces to support aerial penetration testing efforts from a flying drone. Imagine a drone flying onto private property unnoticed, landing on the roof of a building, and performing wireless network attacks against the computers underneath or around it. Scary stuff…

The article will conclude with some more pointed drone pentesting examples using Aircrack-ng itself. Using the monitored interface from the Dronesploit example, aspects of Aircrack-ng can be used to perform several useful drone security tests, including identification of wireless drone networks, de-authentication of connected devices like a drone controller, or cracking of the WEP/WPA keys.

The below example shows how the “Airodump-ng wlan0” command is useful for identifying nearby drone wi-fi signals, including the MAC address of the broadcasting device, the network encryption scheme, and the wireless authentication standard used by the drone. In the example below, a hobbyist-level drone from Sanrock using Open Wi-Fi and a DJI drone with enhanced Wi-Fi security protections are identified.


Drones will establish a private Wi-Fi network to allow user interaction between the controller and mobile application for drone operations. The Sanrock drone has an open Wi-fi network standard that doesn’t require authentication, such as use of a Pre-shared key, to connect to it. A quick way to find the IP address of the drone Wi-Fi network in question is to try connecting to the broadcasting SSID from either Kali Linux or another system, like a mobile phone and once connected, running “ipconfig /all” to compare the IP address information to the connection properties of the drone network. Vulnerability scans and various other tools can be directed at this address to uncover other targets and start assessing them for points of entry.


Switching back to Aircrack-ng, a de-authentication attack can be accomplished using airodump-ng in conjunction with aireplay-ng. These attacks are useful for either drone takeover or obtaining the wireless network key for offline cracking. Attackers can successfully sabotage Return to Home (RTH) instructions using geolocation poisoning, where the communications between pilots and the drone platform are interrupted, initiating internal drone safety routines that automatically instruct the drone to navigate to and land in a pre-configured location, allowing physical theft of the platform.

The below command highlights how Airodump-ng is used to first discover a connected station (or client like a mobile device), and send de-authentication frames that disconnect the client. In this case, the Sanrock drone has no Wi-fi authentication mechanism like a WPA pre-shared key to capture, but tests did result in mobile application disconnection and drone takeover.


The second command “airodump-ng -c 1 –bssid 98:C9:7C: -w capture19 wlan0” is used to start a live capture file which is used primarily to capture WEP/WPA pre-shared keys and other useful details. The capture file can be sent to aircrack-ng later to attempt brute force cracking of the pre-shared key but is outside the scope of this article. With the capture running, the “aireplay-ng -0 100 -a 98:C9:7C13:8B:34 -c 3C:2E:FF:BE:9F:03 wlan0” command can be issued which results in de-authentication of the connected client. Notice a high degree of lost ethernet frames, indicating an interrupted connection. Assessments could continue using tools like Nmap and its scripting engine to locate open ports or OpenVAS to perform vulnerability scanning. With this in mind, a common trend begins to emerge showing how similar drone platforms are to mobile computing devices like laptops, and enterprises should consider assessing drone risk in a similar context.



This article doesn’t encourage unauthorized assessment of drone platforms not owned by the reader, nor does it educate the reader on in-depth hacking techniques against such platforms. The article simply demonstrates very basic approaches that may be used to assess enterprise drone security and assist enterprises in formulating defensive strategies based on their risk profile.

The article briefly showcased short-term drone market projections, which reflect the likelihood of drone presence globally. The article covered common malicious use cases enacted by bad actors, such as reconnaissance, some of the tools and platforms available to cybercriminals, and live examples of how these tools may be used maliciously.

Enterprises are accustomed to contending with cyber threats, which operate on the same ground-based playing field as they do. Now, they must be more vigilant than ever, as they must account for cyberattacks sourcing from the sky. It is vital that enterprises understand their position on drone-based risks and ensure appropriate policies, procedures, and that personnel are positioned to respond to these threats accordingly.

About the author: Adam Kohnke, contributor at CyberNews

Original post at

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, drones)

The post <strong>Attack of drones: airborne cybersecurity nightmare</strong> appeared first on Security Affairs.

Cuba Ransomware received over $60M in Ransom payments as of August 2022

Cuba ransomware gang received more than $60 million in ransom payments related to attacks against 100 entities worldwide as of August 2022.

The threat actors behind the Cuba ransomware (aka COLDDRAW, Tropical Scorpius) have demanded over 145 million U.S. Dollars (USD) and received more than $60 million in ransom payments from over 100 victims worldwide as of August 2022, the US government states.

Like other ransomware gangs, Cuba used ‘double extortion’ techniques which means that it exfiltrates data from the target systems before encrypting them and demanding a ransom payment, threatening to publicly release it if payment is not made.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advisory that provides technical details about the gang’s operations, including tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Cuba ransomware.

“FBI has identified a sharp increase in the both the number of compromised U.S. entities and the ransom amounts demanded by Cuba actors.” reads the report. “Since spring 2022, Cuba ransomware actors have expanded their TTPs. Third-party and open-source reports have identified a possible link between Cuba ransomware actors, RomCom Remote Access Trojan (RAT) actors, and Industrial Spy ransomware actors.”

Cuba ransomware

Since December 2021 Cuba operators are continuing to target U.S. entities Financial Services, Government Facilities, Healthcare and Public Health, Critical Manufacturing, and Information Technology.

Cuba gang has leveraged multiple techniques to gain initial access into victims’ networks, including the exploitation of nown vulnerabilities in commercial software [T1190], phishing campaigns [T1566], compromised credentials [T1078], legitimate remote desktop protocol (RDP) tools [T1563.002]. 

Once gained initial access, the attackers distributed Cuba ransomware on compromised systems using the Hancitor loader.

Below are the vulnerabilities exploited by the group in its attacks:

  • CVE-2022-24521 – elevation of privilege flaw in Windows Common Log File System (CLFS) Driver
  • CVE-2020-1472 – elevation of privilege flaw in Netlogon remote protocol (aka ZeroLogon)

In May, MalwareHunterTeam found evidence that links Cuba and the Industrial Spy crew.

Since spring 2022, multiple reports also linked RomCom RAT actors to the Cuba gang. 

Additional details are included in the advisory “Alert (AA22-335A) #StopRansomware: Cuba Ransomware.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

The post Cuba Ransomware received over $60M in Ransom payments as of August 2022 appeared first on Security Affairs.

Hackers Sign Android Malware Apps with Compromised Platform Certificates

Platform certificates used by Android smartphone vendors like Samsung, LG, and MediaTek have been found to be abused to sign malicious apps. The findings were first discovered and reported by Google reverse engineer Łukasz Siewierski on Thursday. "A platform certificate is the application signing certificate used to sign the 'android' application on the system image," a report filed through the

CISA Warns of Multiple Critical Vulnerabilities Affecting Mitsubishi Electric PLCs

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week released an Industrial Control Systems (ICS) advisory warning of multiple vulnerabilities in Mitsubishi Electric GX Works3 engineering software. "Successful exploitation of these vulnerabilities could allow unauthorized users to gain access to the MELSEC iQ-R/F/L series CPU modules and the MELSEC iQ-R series OPC UA server

The Value of Old Systems

Old technology solutions – every organization has a few of them tucked away somewhere.  It could be an old and unsupported storage system or a tape library holding the still-functional backups from over 10 years ago.  This is a common scenario with software too. For example, consider an accounting software suite that was extremely expensive when it was purchased. If the vendor eventually went

Researchers Disclose Supply-Chain Flaw Affecting IBM Cloud Databases for PostgreSQL

IBM has fixed a high-severity security vulnerability affecting its Cloud Databases (ICD) for PostgreSQL product that could be potentially exploited to tamper with internal repositories and run unauthorized code. The privilege escalation flaw (CVSS score: 8.8), dubbed "Hell's Keychain" by cloud security firm Wiz, has been described as a "first-of-its-kind supply-chain attack vector impacting a

Hackers Exploiting Redis Vulnerability to Deploy New Redigo Malware on Servers

A previously undocumented Go-based malware is targeting Redis servers with the goal of taking control of the infected systems and likely building a botnet network. The attacks involve taking advantage of a critical security vulnerability in the open source, in-memory, key-value store that was disclosed earlier this year to deploy Redigo, according to cloud security firm Aqua. <!--adsense-->

Android Keyboard Apps with 2 Million downloads can remotely hack your device

Experts found multiple flaws in three Android Keyboard apps that can be exploited by remote attackers to compromise a mobile phone.

Researchers at the Synopsys Cybersecurity Research Center (CyRC) warn of three Android keyboard apps with cumulatively two million installs that are affected by multiple flaws (CVE-2022-45477, CVE-2022-45478, CVE-2022-45479, CVE-2022-45480, CVE-2022-45481, CVE-2022-45482, CVE-2022-45483) that can be exploited by attackers to compromise a mobile phone.

Keyboard and mouse apps connect to a server on a desktop or laptop computer and transmit mouse and keyboard events to a remote server.

These three Android apps (Lazy Mouse, PC Keyboard, and Telepad) are Keyboard apps available on the official Google Play Store and are used as remote keyboard and mouse.

CyRC experts warn of weak or missing authentication mechanisms, missing authorization, and insecure communication vulnerabilities in the three apps.

“An exploit of the authentication and authorization vulnerabilities could allow remote unauthenticated attackers to execute arbitrary commands. Similarly, an exploit of the insecure communication vulnerability exposes the user’s keystrokes, including sensitive information such as usernames and passwords.” reads the analysis published by CyRC.

“Mouse and keyboard applications use a variety of network protocols to exchange mouse and keystroke instructions. Although the vulnerabilities are all related to the authentication, authorization, and transmission implementations, each application’s failure mechanism is different. The CyRC found vulnerabilities that enable authentication bypasses and remote code execution in the three applications, but did not find a single method of exploitation that applies to all three.”

Impacted software are:

  • Telepad versions 1.0.7 and prior
  • PC Keyboard versions 30 and prior
  • Lazy Mouse versions 2.0.1 and prior

Below are the details of the critical vulnerabilities:

Telepad allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any previous authorization or authentication.

PC Keyboard allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any previous authorization or authentication.

The default configuration of Lazy Mouse does not require a password, allowing remote unauthenticated users to execute arbitrary code with no prior authorization or authentication.

The Lazy Mouse server enforces weak password requirements and doesn’t implement rate limiting, allowing remote unauthenticated users to easily and quickly brute force the PIN and execute arbitrary commands.

The vulnerabilities were initially disclosed on August 13, 2022 and the CyRC reached published the advisory because they have yet to receive a response from the development teams behind these apps.

This is the timeline for these vulnerabilities:

  • August 13, 2022: Initial disclosure
  • August 18, 2022: Follow-up communication
  • October 12, 2022: Final follow-up communication
  • November 30, 2022: Advisory published by Synopsys

“The CyRC reached out to the developers multiple times but has not received a response within the 90 day timeline dictated by our responsible disclosure policy. These three applications are widely used but they are neither maintained nor supported, and evidently, security was not a factor when these applications were developed.” concludes the report. “The CyRC recommends removing the applications immediately.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Android Keyboard)

The post Android Keyboard Apps with 2 Million downloads can remotely hack your device appeared first on Security Affairs.

What the CISA Reporting Rule Means for Your IT Security Protocol

The new Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires CISA to create rules regarding cyber incident reporting by critical infrastructure organizations. The RFI and hearings precede a Notice of Proposed Rulemaking (NPRM) that CISA must publish sooner than 24 months from the enactment of CIRCIA, which the President signed into law in March. The sessions and