Threat actors could leverage a novel attack technique involving the use of network cards' LED indicators to facilitate data exfiltration from air-gapped systems used in critical infrastructure organizations or weapon control units, according to BleepingComputer.
Network-attached storage devices, routers, scanners, printers, and other hardware or peripherals could also be compromised with the new attack method dubbed 'ETHERLED,' which converts blinking LEDs into decipherable Morse code signals, said Israeli researcher Mordechai Guri.
Computers targeted with ETHERLED are infected with malware containing modified network card firmware that controls certain LED attributes, with the malware then compromising the network interface controller's driver to modify connectivity status or modulate the LEDs. Moreover, hardware functionality could be exploited to alter network connection speeds and Ethernet interface operation.
Exfiltrating data using single status LEDs produced Morse code dots and dashes lasting between 100 ms and 300 ms, but leveraging the driver/firmware approach could increase the Morse code bitrate by up to tenfold, noted Guri. Passwords could be leaked using ETHERLED in 1 second to 1.5 minutes, while private Bitcoin keys could be exposed in 2.5 seconds to 4.2 minutes and 4096-bit RSA keys in 42 seconds to 1 hour.
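One defender-side check for the connectivity-status and link-speed changes described above, added here as an example and not taken from Guri's research or the original report: it counts link state and speed transitions per interface in a sliding window and flags interfaces that change far more often than a cable replug would. The simplified log format (modeled loosely on Linux NIC driver link messages), the 60-second window, the threshold of 8 and the function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque

# Assumed simplified format: "<seconds> <driver>: <iface> NIC Link is Down|Up <speed> Mbps ..."
LINK_RE = re.compile(r"^(\d+(?:\.\d+)?)\s+\S+:\s+(\S+) NIC Link is (Down|Up (\d+) Mbps)")

# Constructed sample: eth0 sees one cable replug, eth1 flips speed every 3 seconds.
SAMPLE = [
    "10.0 e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex",
    "12.0 e1000e: eth1 NIC Link is Up 1000 Mbps Full Duplex",
    "500.0 e1000e: eth0 NIC Link is Down",
    "503.0 e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex",
] + [
    f"{1000 + 3 * i}.0 e1000e: eth1 NIC Link is Up {(10, 100)[i % 2]} Mbps Full Duplex"
    for i in range(10)
]

def peak_transitions(lines, window=60.0):
    """Return {iface: highest count of link state/speed changes in any window}."""
    last_state = {}                # iface -> "down" or "up@<speed>"
    recent = defaultdict(deque)    # iface -> timestamps of recent changes
    peak = defaultdict(int)
    for line in lines:
        m = LINK_RE.match(line.strip())
        if not m:
            continue               # not a link message
        ts, iface = float(m.group(1)), m.group(2)
        state = "down" if m.group(3) == "Down" else "up@" + m.group(4)
        # The first message per interface only sets the baseline.
        if iface in last_state and state != last_state[iface]:
            q = recent[iface]
            q.append(ts)
            while ts - q[0] > window:   # drop changes older than the window
                q.popleft()
            peak[iface] = max(peak[iface], len(q))
        last_state[iface] = state
    return dict(peak)

def flag_interfaces(lines, window=60.0, threshold=8):
    """Interfaces whose change rate reaches the (assumed) threshold."""
    peaks = peak_transitions(lines, window)
    return sorted(i for i, n in peaks.items() if n >= threshold)

if __name__ == "__main__":
    print(peak_transitions(SAMPLE))
    print(flag_interfaces(SAMPLE))
```

This only covers the variants that change link status or speed; LED modulation performed directly through the driver or firmware would not necessarily produce link events.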