Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an attacker may opt to exfiltrate data using a Bluetooth communication channel.
Adversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.
Flame has a module named BeetleJuice that contains Bluetooth functionality that may be used in different ways, including transmitting encoded information from the infected system over the Bluetooth protocol, acting as a Bluetooth beacon, and identifying other Bluetooth devices in the vicinity.
|M1042||Disable or Remove Feature or Program||
Disable Bluetooth in local computer security settings or by group policy if it is not needed within an environment.
|M1028||Operating System Configuration||
Prevent the creation of new network adapters where possible.
|ID||Data Source||Data Component|
|DS0029||Network Traffic||Network Connection Creation|
|Network Traffic Content|
|Network Traffic Flow|
Monitor for processes utilizing the network that do not normally have network communication or have never been seen before. Processes that normally require user-driven events to access the network (for example, a web browser opening with a mouse click or key press) but access the network without such may be malicious.
Monitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.