
A lot of people ITT don't seem to understand very well what's going on with this attack. The Ars Technica article doesn't seem very well written, but we've had previous discussion[0].

Quick FAQ:

> Haven't we known about USB vulnerabilities forever (agent.btz, BadUSB etc.)?

The fact that USB devices were used to transfer the files is irrelevant to the attack.

The attack doesn't depend on running the malware directly off the USB device, on any kind of auto-run vulnerability, etc. It would have worked out the same way if files had been transferred, for example, by burning them to DVD. The attack only depends on the machines on the non-air-gapped side being compromised such that the attackers can control what is put onto the USB. But the USB drives themselves are only being used as dumb storage here.

The attack instead primarily depends on social engineering that is helped along by the design of the Windows GUI. On the air-gapped machine, the user sees a "folder" which is actually an executable file. By default, Windows hides the .exe file extension (which it uses to determine executability of the file) in the GUI; and the icon can be customized. Double-clicking thus launches the malware installer when it was only supposed to open a folder. The folder has a name that the user expected to see (modulo the hidden extension).

It appears that the original setup involves hiding[1] (but still copying) the folder that was supposed to be transferred, and then renaming the malware to match. (Presumably, the malware could then arrange for Windows to open the hidden folder "normally", as part of its operation.) Windows can be configured to show "hidden" files (like `ls -a`), but it isn't the default.

Notice that this is social engineering applied only to the process of attempting to view the files - nobody was persuaded to use any storage devices "from outside".

> Isn't that, like, not actually air gapped?

The definition of an air gap generally allows for files to be passed across the air gap. Which is all the attack really depends on. See also "sneakernet". The point is that you can easily monitor and control all the transfers. But this attack is possible in spite of that control, because of the social engineering.

> How is it possible to exfiltrate data this way?

The actual mechanism isn't clearly described in media coverage so far, from what I can tell. But presumably, once malware is set up on the air-gapped machine, it copies the files back onto the USB, hiding them. When the device is transferred back to the non-air-gapped side, malware already present there monitors for the USB being plugged in, retrieves the files and uploads them (via the "GoldenMailer" or "GoldenDrive" components) elsewhere.

[0] https://www.welivesecurity.com/en/eset-research/mind-air-gap..., via https://news.ycombinator.com/item?id=41779952.

[1] Windows file systems generally don't have an "executable bit" for files, but do have a "hidden bit", rather than relying on a leading-dot filename convention. So it's the opposite of what Linux does.
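A defender-side check for the masquerade pattern the comment describes (an executable whose displayed name, with the extension hidden, matches a sibling folder, possibly a hidden one): this is an added example, not code from the commenter or from ESET's research, and the drive listing it runs on is constructed, not a real capture. The hidden bit is read from `st_file_attributes`, which only exists on Windows; elsewhere every entry is treated as visible.

```python
import os
from dataclasses import dataclass

# Extensions Windows will execute on double-click (a constructed subset of PATHEXT).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit, see stat module on Windows


@dataclass(frozen=True)
class Entry:
    name: str      # on-disk name, extension included
    is_dir: bool
    hidden: bool   # Windows "hidden" attribute set


def find_folder_masquerades(entries):
    """Return (exe_name, folder_name, folder_hidden) for every executable whose
    stem (the name Explorer shows with extensions hidden) matches a sibling directory."""
    dirs = {e.name.lower(): e for e in entries if e.is_dir}
    hits = []
    for e in entries:
        if e.is_dir:
            continue
        stem, ext = os.path.splitext(e.name)
        twin = dirs.get(stem.lower())
        if ext.lower() in EXEC_EXTS and twin is not None:
            hits.append((e.name, twin.name, twin.hidden))
    return hits


def scan_directory(path):
    """Scan one real directory (e.g. the root of a removable drive).
    Hidden state comes from the Windows attribute bit; on other platforms it is False."""
    entries = []
    with os.scandir(path) as it:
        for d in it:
            attrs = getattr(d.stat(follow_symlinks=False), "st_file_attributes", 0)
            entries.append(Entry(d.name, d.is_dir(follow_symlinks=False),
                                 bool(attrs & FILE_ATTRIBUTE_HIDDEN)))
    return find_folder_masquerades(entries)


# Constructed listing of a drive root as the comment describes it: the real folder is
# hidden, the installer carries the folder's name. "Budget" shows the weaker variant
# where the folder was left visible, so the user would see two "Budget" entries.
SAMPLE = [
    Entry("Q3 Reports", is_dir=True, hidden=True),
    Entry("Q3 Reports.exe", is_dir=False, hidden=False),
    Entry("Budget", is_dir=True, hidden=False),
    Entry("Budget.exe", is_dir=False, hidden=False),
    Entry("readme.txt", is_dir=False, hidden=False),
]

if __name__ == "__main__":
    for exe, folder, hidden in find_folder_masquerades(SAMPLE):
        print(f"suspicious: {exe!r} shadows folder {folder!r} (hidden={hidden})")
```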
