cti/mobile-attack/attack-pattern/attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d.json

{
"type": "bundle",
"id": "bundle--e2caa661-a90a-45ad-9dc3-aa245521c6cd",
"spec_version": "2.0",
"objects": [
{
"modified": "2024-11-17T13:26:29.167Z",
"name": "Replication Through Removable Media",
"description": "Adversaries may move onto devices by exploiting devices connected via USB or by copying malware to them. In the case of Lateral Movement, adversaries may utilize the physical connection of a device to a compromised or malicious charging station or PC to bypass application store requirements and install malicious applications directly.(Citation: Lau-Mactans) In the case of Initial Access, adversaries may attempt to exploit the device via the connection to gain access to data stored on the device.(Citation: Krebs-JuiceJacking) Examples of this include: \n \n* Exploiting insecure bootloaders in a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device's physical location.(Citation: IBM-NexusUSB) \n* Exploiting weakly-enforced security boundaries in Android devices such as the Google Pixel 2 over USB.(Citation: GoogleProjectZero-OATmeal) \n* Products from Cellebrite and Grayshift that purportedly can exploit some iOS devices using physical access to the data port to unlock the passcode.(Citation: Computerworld-iPhoneCracking) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "initial-access"
},
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "lateral-movement"
}
],
"x_mitre_deprecated": false,
"x_mitre_detection": "",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_version": "2.1",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"type": "attack-pattern",
"id": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d",
"created": "2017-10-25T14:48:23.233Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1458",
"external_id": "T1458"
},
{
"source_name": "Krebs-JuiceJacking",
"description": "Brian Krebs. (2011, August 17). Beware of Juice-Jacking. Retrieved December 23, 2016.",
"url": "http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/"
},
{
"source_name": "GoogleProjectZero-OATmeal",
"description": "Jann Horn. (2018, September 10). OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB. Retrieved September 18, 2018.",
"url": "https://googleprojectzero.blogspot.com/2018/09/oatmeal-on-universal-cereal-bus.html"
},
{
"source_name": "Lau-Mactans",
"description": "Lau et al. (2013). Mactans: Injecting Malware Into iOS Devices Via Malicious Chargers. Retrieved December 23, 2016.",
"url": "https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf"
},
{
"source_name": "Computerworld-iPhoneCracking",
"description": "Lucas Mearian. (2018, May 9). Two vendors now sell iPhone cracking technology \u2013 and police are buying. Retrieved November 17, 2024.",
"url": "https://www.techcentral.ie/two-vendors-now-sell-iphone-cracking-technology-police-buying/"
},
{
"source_name": "IBM-NexusUSB",
"description": "Roee Hay. (2017, January 5). Android Vulnerabilities: Attacking Nexus 6 and 6P Custom Boot Modes. Retrieved January 11, 2017.",
"url": "https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-1.html",
"external_id": "PHY-1"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html",
"external_id": "PHY-2"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-6.html",
"external_id": "STA-6"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
]
}